The new GFSC cyber security rules: What the GFSC demands of you and why you cannot simply pass it to IT
This week the Guernsey Financial Services Commission (GFSC) published their anticipated Cyber Security Rules and Guidance that come into operation immediately, however firms have until August 2021 to ensure compliance. The rules are consistent with our firm belief that cyber and information security requires aligned controls across people, operations and technology that are owned and governed by the board
CYBER security is one of the biggest business risks because it causes catastrophic damage to companies worldwide, and yet most boards do not have the knowledge and experience to appropriately manage these risks.
A sign of maturity in this space is when the firm decouples cyber security from IT and manages it as an organisation-wide risk.
Based on our experience with the GFSC Cyber Security Rules, we help business leaders understand how to achieve compliance by the August 2021 deadline, and to avoid the pitfalls.
In this article, we highlight quotations from the Cyber Security Rules and Guidance 2021 and our views on the key actions required of firms in Guernsey.
(Page 3) ‘… it remains the responsibility of the Board to ensure that the Firm complies with the Rules’
The board cannot simply assume that cyber security is being managed correctly in their firm. As our founding director Tony Cleal highlights, the new GFSC rules came into force for the very reason that many firms are gapped on basic cyber security controls.
Some firms may be surprised that Cyber Essentials and Cyber Essentials Plus accreditations do not fulfil the GFSC requirements because they do not address the need for detection and
response capabilities for example.
The board cannot pass this matter to IT as a one-stop-shop to achieve compliance. The IT provider would be unable to demonstrate the necessary objective assurance of their own controls, or address the people and operational controls required by the rules.
(Page 6) ‘…Boards should report to their shareholders that they are comfortable with their cyber policies, controls and reporting on an annual basis’
This underlines the importance of the board ensuring it understands the fundamentals of cyber security, working with independent trusted advisors as appropriate.
If there is a cyber incident, the shareholders and the GFSC will expect the individual directors (executive and non-executive) to show evidence that they had responsibly evaluated the risks and controls, and that they challenged the information from their providers in board meetings just as they would with other business risks.
(Page 9) ‘A firm should document how it has assessed the appropriateness of these controls, and its approach to mitigation’
When we conduct a gap analysis for our clients, we often find a significant misalignment between the client’s understanding of the IT controls in place and the services offered by the outsourced provider. This misunderstanding is not deliberate but is often because the client mistakenly believes that cyber security and IT are the same thing, and that there is therefore a
universal standard of service by IT providers that takes care of security completely.
In the same way as the firm manages other established risks, the board should engage the necessary support from external independent advisors who are appropriately skilled in controls across technology, people, administration and governance.
(Page 13) ‘Firms should ensure that reporting to the board, or the relevant board committee, on cyber matters is fit for purpose’
The board needs to ensure it requests and understands the
appropriate management information to demonstrate sound governance.
This requirement cannot be achieved by the board asking the IT provider to design the controls on behalf of the firm, and to also define the metrics that will be used to judge their own performance.
The GFSC suggests that management reports should include information on why existing controls were not successful in preventing an incident and whether this is indicative of a wider risk. The board should be able to challenge whether the provider who designed and manages the controls would be impartial in their assessment if those controls did not work and whether the wider firm is at risk.