More than a third of financial services businesses in Jersey aren’t prepared for a “cyber-security incident”, a recent survey carried out on behalf of the island’s regulator has revealed.
According to the Jersey Financial Services Commission (JFSC), 32% of local financial services companies which responded to its survey “do not have a cyber incident response plan in place”, while around a third of the respondents were found to lack a documented risk-assessment of cyber-security risks for their firm.
The survey, which was completed by 129 firms, also revealed what those companies surveyed regarded as the five threats they most feared: unintentional information leaks; deliberate information leaks; fraud; malicious code; and social engineering attacks.
Ahead of conducting the survey, the JFSC identified a cross-section of 75 licensed firms that it required, as a condition of their being licensed, to participate. A further 54 entities volunteered to respond to the 42 questions, the JFSC said.
The JFSC said it plans to use the research findings to further develop its own cyber-security strategy, as well as to help it devise “a bespoke toolkit for its supervisors so that they can better oversee and monitor local firms in this regard”.
The commission also said it would provide “some guidance” to those firms “unfortunate enough to be subject to an incident” as to where they might obtain help if they needed it.
Sound cyber-security ‘vital’
JFSC director general John Harris said that it was “vitally important to ensure that Jersey has, and maintains, a reputation for sound cyber-security”, given the increasing frequency, sophistication and impact of cyber-attacks.
“We do not explicitly regulate local firms’ cyber-security practices, but we do monitor how companies are assessing and mitigating risks to their businesses, and we expect them to notify us if a cyber incident has taken place,” he added.
“On the whole, the findings of our survey were mainly positive. The areas of concern are the relatively large proportion of firms that are yet to make cyber-security a business priority, and the significant number that are not implementing controls around third parties, such as contractors, suppliers and customers.”
Darren Boschat, head of supervisory risk at the JFSC, noted that the findings of the Jersey regulator’s survey were “very much” in line with the results of a recent UK government survey.
The fact that those conducting the research on the JFSC’s behalf ensured that a wide spectrum of firms, both in terms of size and regulated sectors, were surveyed, “naturally led to a spread in the level of cyber-security maturity” found among the respondents, Boschat added.
“While we recognise that the results are not necessarily representative of the industry as a whole, overall they do suggest that Jersey’s financial services sector has a reasonably high level of cyber-security maturity, albeit developing.
“It is positive to note that more than two-thirds of those companies surveyed do expect to spend more money on cyber-security in the coming year, so it is clearly becoming more of a priority.”
A 13-page summary report on the cyber-security survey and a two-page summary of the report’s key findings are available to view and download.