Cyber Security: GFSC releases proposed Cyber Security Rules and Guidance Consultation Paper

20 October, 2020

Christopher Eaton

Advisory Director, Head of Risk Assurance, PwC Channel Islands

The Guernsey Financial Services Commission (GFSC) has issued proposed Cyber Security Rules (Rules) and Guidance Consultation Papers applying to all licensees licensed under the GFSC Regulatory Laws. The issuance of the Rules follows on from the Commission’s 2019 Cyber Risk Thematic, which was presented to industry during Q4 2019. The GFSC consultation period closes on November 2nd.

The Rules and accompanying guidance adopt the five core functions of Identify, Protect, Detect, Respond and Recover found in the U.S. Department of Commerce, National Institute of Standards and Technology (NIST) Cybersecurity Framework. That framework was established in 2014 to reduce cyber risk to critical infrastructure.

Those tasked with compliance should now assess the extent to which their organizations meet these proposed new regulatory obligations, and consider preparing a road map of activities necessary to complete in order to meet those requirements in a timely manner.

The key features of the Rules require licensees to "have in place appropriate policies, procedures and controls to mitigate the risk posed by cyber security events". The guidance emphasises that the Rules are not intended to be prescriptive; rather, a pragmatic, risk-based approach has been adopted. Accordingly, the methods a licensee uses to establish, implement and maintain its cyber security framework in compliance with the Rules are expected to take into account the size and complexity of its business and the nature of its cyber risk exposure.

Licensees are expected to have in place measures that not only identify assets at risk and protect against and mitigate those cyber risks, but also detect when events occur and allow the licensee to respond to and recover from cyber attacks effectively. This aligns with the NIST framework and allows organisations to develop a response based on established standards and best practice.

At the outset there is an obligation on licensees to be able to provide evidence that they have considered and implemented the requirements contained in the Rules. Importantly, those measures which are then adopted must also be reviewed periodically, and in response to a trigger event or an identified cyber security event.

Cybersecurity framework

The Rules and guidance set out a non-exhaustive list of factors that should be included in the Identify, Protect, Detect, Respond and Recover categories. The main areas of focus follow the logical flow of the framework.

The identification of material systems, people and data assets is a key requirement, followed by a risk assessment that considers the potential damage that may occur in the event of a loss of confidentiality, integrity or availability of those assets. This is set out as an asset-based risk assessment, with explicit recognition that cyber risk extends beyond the classic IT assets that might historically have been considered.

Licensees need to retain documentation sufficient to illustrate how the risk treatment options were assessed and how the selection of controls to address the cyber security risks was undertaken. This spans a range of control areas, including certain technical controls, people controls and administrative policy/governance controls.

Amongst the technical controls identified for consideration are network monitoring tools, vulnerability management, patch management, two/multi-factor authentication, email protection tools, anti-malware, mobile device management and data loss prevention. The people controls called out within the guidance include the routine provision of end-user cyber security awareness training and phishing testing. Finally, the administrative policy and governance controls require the creation and maintenance of a set of policies and procedures covering, at a minimum, nine core identified elements; the periodic review of tools, products and services; and the production of management information reporting to the Board, including specific metrics and overall compliance status.

The Rules contemplate that elements of control operation may be outsourced, internally or externally, with responsibility and accountability retained by the licensee.

In addition, the licensee needs to establish clear, documented and effective processes for responding to, containing and recovering from cyber attacks, breaches and incidents. This necessitates the creation, maintenance, exercising and rehearsal of documented Cyber Incident Response and Recovery plans and playbooks based on prioritised cyber scenarios. Complementing those requirements is the related obligation to have a demonstrable understanding of the steps needed to restore business capabilities following a cyber security event.

Management of outsourcing risks

Where a licensee outsources its IT functions, either externally to a third party or internally to an affiliated group entity, it must still have a demonstrable understanding of the steps needed to restore business capabilities following a cyber security event, and must ensure that the third party or third parties have plans in place that are appropriate to the licensee. An applicable Business Impact Analysis, specific to the entity, with accompanying recovery planning is the likely expectation.

Notification requirements

When a licensee becomes aware of a cyber security incident that is either deemed to have a material impact, or has the potential to become a material incident, it is required to notify the Commission. The notification requirements under the Rules do not replace any separate notification requirements that a licensee may have.

Responsibility

The Rules make it clear that it is the Board of Directors, or equivalent, that is responsible for ensuring that the Cyber Rules are followed. The specific obligations of the Board or equivalent span the lifecycle from evaluation of cyber risk and impact through to periodic review of compliance and assessment of associated management information reporting of cyber risk.

Next steps

The GFSC has selected an established framework as the basis of the proposed Rules. GFSC licensees should take the opportunity to review the maturity of their current cyber security programmes relative to the NIST framework as part of their broader risk management processes, identify any gaps and plan for remediation ahead of the implementation date.

The proposed Rules and guidance can be found here.

For further information, or to discuss specific requirements, please contact your usual PwC contact or one of the Risk Assurance team listed.


Contact us

Christopher Eaton

Advisory Director, Head of Risk Assurance, PwC Channel Islands

Tel: +44 7797 900015