New cyber security rules that came into effect in Guernsey this month highlight the importance for financial services businesses of improving their cyber security to combat rising threats from phishing, hacking and other fraud as more people work remotely.
All businesses licensed by the Guernsey Financial Services Commission (GFSC) must abide by new guidance tightening responsibility for good IT practices to minimise cyber vulnerabilities. The GFSC Rules draw on the NIST (National Institute of Standards and Technology) Cybersecurity Framework and follow its five core functions: Identify, Protect, Detect, Respond and Recover.
Logicalis is working with financial services businesses in the Bailiwick to help them meet the new guidance before August when the transition period ends, and all changes must be implemented. The Logicalis Five-Step Defence Plan helps businesses work through the five key areas to improve security and achieve compliance.
Alex Colias, Information Security Consultant, Logicalis, said: “With record numbers of staff working remotely, businesses have experienced a rapid digital transformation that may normally have taken years. This brings great opportunities but also great risks. Every business has valuable assets which cyber criminals want to access. Businesses need to be able to monitor their systems 24/7 to know if a breach is happening, have proper logging systems to create audit trails to tackle a breach, and have the right backups to be able to recover assets. Security is about layers of defence and all five steps of the Framework are important”.
The Cyber Security Rules (2021) require businesses to provide the GFSC with evidence that licensees have considered and have in place ‘appropriate policies, procedures and controls to mitigate the risk posed by cyber security events.’
This means firms must identify cyber vulnerabilities and risks, train staff and use appropriate software to protect against cyber threats, have appropriate mechanisms in place to detect threats, and have a plan to respond to threats and recover from them.
Financial services firms will also be obliged to notify the Commission of significant losses of data or assets, and of other impacts on the business.
Alex said: “As cyber-attacks become more common, we all need to step up our procedures to try to prevent them from happening. The impact of a cyber-attack on a business, and on its customers when their data privacy is compromised, often far exceeds the initial damage perceived. The new Cyber Security Rules place the onus on businesses to improve their IT procedures and enhance training to minimise cyber vulnerabilities and monitor networks and systems so attacks can be detected as quickly as possible.
“Ransomware, phishing attacks and other hacks are part of the everyday arsenal of cyber criminals. A cyber assessment allows a business to find risks and find solutions to these risks. Often the solutions are surprisingly simple and cost-effective to implement if carried out the right way at the right time. Training plays a massive role in helping staff understand their role in the security of the business, and indeed, in maintaining its reputation”.