The GFSC’s Cyber Security Rules and Guidance require financial services organisations to demonstrate that their safeguards against cyber attacks, and their plans for responding to them, are fit for purpose. Are yours?
The new GFSC regulations came into force in February. As a licensed financial services (FS) organisation, you now have until August to show that you “have in place appropriate policies, procedures and controls to mitigate the risk posed by cyber security events”.
While the GFSC started work on the new regulations before the outbreak of COVID-19, the intensity of scrutiny and enforcement is bound to reflect the heightened cyber risk we have seen since. Increased digital engagement and the proliferation of remote working have stretched cyber defences. Moreover, your organisation is only as secure as its weakest link, which could be either a poorly protected third party or an inattentive employee.
The GFSC rules are modelled on the five Functions of the Cybersecurity Framework developed by the US National Institute of Standards and Technology (NIST) – Identify, Protect, Detect, Respond and Recover.
Rather than being prescriptive, the GFSC Cyber Rules are largely principle-based, providing for adoption based on the size, nature and complexity of your particular business. While this flexibility is sensible, it puts the onus on you to work out the most effective approach, and demonstrate that the Rules have been considered and implemented in accordance with your specific facts and circumstances.
Accountability rests firmly with your Board or equivalent. Crucially, this covers outsourced as well as in-house operations. For example, what are your plans for restoring business capabilities following a cyber security event at an IT supplier?
Compliance is not a one-off. Measures should be reviewed periodically, and in response to an identified cyber security event.
Our Cyber Risk Engine is a cloud-based tool which captures security maturity assessment data from around the globe, benchmarks against other organisations and allows for dynamic visualisation of results. This provides the capability to reassess over time and, critically, capture and report on changing maturity.
The tool dynamically assesses and benchmarks the maturity of your cyber security controls, and quantifies your cyber risk exposure, putting transparency and agility at its core. This means SMEs are freed from admin heavy tasks associated with data gathering and reporting to focus on high value analysis.
We’re now making this Cyber Risk Engine available to Channel Islands’ clients to assess their compliance readiness and pinpoint areas in need of work ahead of regulatory review.
So with the August deadline coming up fast, how can your organisation ensure that your cyber security posture is fit for purpose?
Many of the basics such as identifying and protecting the ‘crown jewels’ are already likely to be in place. But many of the GFSC’s more exacting expectations may not be met, especially within smaller and mid-size businesses.
Drawing on both our Cyber Risk Engine assessments and our close understanding of the GFSC rules, four common compliance gaps in need of further work stand out:
1. Coverage of all five Functions. The GFSC regulations follow the logical flow of the Five Function framework. Compliance requires more than measures to identify the assets at risk and protect them against known weaknesses: you also need the means to detect when events occur, and plans to respond to and recover from attacks effectively.
2. A broader asset-based risk assessment. The asset-based risk assessment extends beyond the classic IT focus to include material systems, people and data assets, along with the potential damage that may occur in the event of a loss of confidentiality, integrity or availability of those assets.
3. Documented, rehearsed incident response and recovery. To comply, you need to establish clear, documented and effective processes for responding to, containing and recovering from cyber attacks, breaches and incidents. This calls for the creation, maintenance, exercising and rehearsal of documented Cyber Incident Response and Recovery plans, along with playbooks based on prioritised cyber scenarios.
4. Documentation of risk treatment and control selection. The documentation demands include how you assessed the risk treatment options and how you selected the controls that address the cyber security risks. In practice, these demands span a range of control areas: technical controls (e.g. patch management and two-factor or multi-factor authentication), people controls (e.g. employee awareness and training), and administrative policy and governance controls (e.g. compliance review and effective management information (MI) reporting to the Board).
This isn’t a comprehensive list. The Cyber Risk Engine will identify the specific weaknesses within your particular business and serve as a standing platform for meeting the continuous monitoring and periodic review requirements. Bridging these gaps would not only help you to meet the demands of the coming GFSC assessment, but also improve your ability to operate safely and protect your reputation in today’s increasingly digitised world.
If you would like to know more about Cyber Risk Engine assessment or how to comply with the GFSC’s cyber regulations, please feel free to get in touch.
Advisory Director, Head of Risk Assurance, PwC Channel Islands
Tel: +44 7797 900015