The Institute of Risk Management defines cyber risk as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”
Cybercrime is a risk that continues to increase. As more systems and processes are digitised, a growing number of criminals look to exploit weaknesses in systems, policies and individuals.
Cybercrime is a broad term used to cover all crimes that take place online, are committed using computers or are facilitated by online technology.
The UK's National Crime Agency (NCA) describes the threat of ransomware deployment as "the greatest cyber serious and organised crime threat to the UK; its use threatens Critical National Infrastructure and poses a risk to national security. Ransomware attacks can have a significant impact on victims due to financial, data and service losses, which can lead to business closure, inaccessible public services and compromised customer data."
Other cyber risks include:
- Malware, such as software installed on a system to gather confidential information, or ransomware that locks information and threatens to deny access to it or delete it unless the illicit actor receives payment.
- Phishing, such as phony emails being sent requesting personal, business, or banking details.
- Hacking, which includes attacks such as Distributed Denial of Service (DDoS) and the infection of devices with malware.
- Physical breaches, such as an illicit actor gaining unauthorised access to an office or home and stealing physical devices or directly implanting malware into systems.
The NCA and the UK's National Cyber Security Centre provide details regarding the risk from cybercrime and how to protect yourself and your business against it.
Technology risks, including information security, cyber security and data privacy, are all key considerations for entities and persons (“Firms”) regulated by the Commission and should also be considered by other interested parties.
The Commission applies a pragmatic, risk-based approach to regulating the Bailiwick’s financial services sector and this is reflected in the Cyber Security Rules and Guidance, 2021 (“the Rules”). Firms licensed by the Commission must be able to demonstrate compliance with the Rules.
As with other material risks, Firms are required to have robust policies, procedures and controls in place to identify, assess and manage cyber security risks on an ongoing basis, consistent with the minimum licensing requirements. In line with section 7.1 of the Rules, Firms regulated by the Commission must notify the Commission, by submitting this Excel form (via Form 200 on the Commission's Online Submissions Portal), of cyber security events which have resulted in:
(a) any loss of significant user data;
(b) significant loss of availability to IT systems;
(c) significant cost to the business;
(d) significant loss of business capability;
(e) significant loss of service to users.
The Rules focus on five core principles outlined in a number of international cyber security frameworks: Identify, Protect, Detect, Respond and Recover.
The Commission recognises that there is no 'one size fits all' approach to addressing cyber risks, as specific business circumstances vary greatly from firm to firm. It may be appropriate for Firms to consider accreditation or certification from a recognised body, such as Cyber Essentials, Cyber Essentials Plus or ISO 27001. These accreditations may help Firms in meeting some of the requirements set out in the Rules; however, accreditation alone is unlikely to result in full compliance.
Firms are encouraged to check that emails purporting to be from the Commission use the correct domain, gfsc.gg, and, if in any doubt about the legitimacy of an email or website, to contact us directly - do not contact the Commission via, or otherwise click on, any link in the suspicious email.
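As an added illustration of the domain check above (example code, not the Commission's own tooling), the following Python function extracts the actual sending address from an email From: header and accepts only gfsc.gg or one of its own subdomains, rejecting look-alikes that an eye check easily misses. The sample headers are constructed, and the check only covers the visible From: header; a mail gateway would pair it with SPF, DKIM and DMARC results, which this snippet does not evaluate.

```python
import re

# Domain the page tells readers to look for; everything else is untrusted.
TRUSTED_DOMAIN = "gfsc.gg"

# The addr-spec of a "Display Name <user@host>" header sits inside angle brackets.
_ANGLE_ADDR = re.compile(r"<([^<>]*)>")


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the actual sending address in a
    From: header, or "" when no single well-formed address can be found.

    Only the angle-bracketed address counts. The display name in front of
    it is free text chosen by the sender and may itself look like an
    address (e.g. "notices@gfsc.gg <alerts@example.net>"), so it is ignored.
    """
    header = from_header.strip()
    mailboxes = _ANGLE_ADDR.findall(header)
    if len(mailboxes) > 1:
        return ""  # several mailboxes: refuse to guess which one matters
    addr = mailboxes[0].strip() if mailboxes else header
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "@" in local or not domain:
        return ""  # missing or duplicated "@", or an empty part
    return domain.strip().lower().rstrip(".")


def is_from_trusted_domain(from_header: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the exact trusted domain or one of its own subdomains.

    Matching on the suffix "." + trusted rejects look-alikes such as
    "gfsc.gg.example.com" and "gfsc-gg.com", which a plain substring check
    or a quick glance would accept.
    """
    domain = sender_domain(from_header)
    return bool(domain) and (domain == trusted or domain.endswith("." + trusted))


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "Guernsey FSC <notices@gfsc.gg>",
        "Notices <alerts@Portal.GFSC.GG>",
        "GFSC <notices@gfsc.gg.example.com>",
        "notices@gfsc.gg <alerts@example.net>",
        "GFSC <notices@gfsc-gg.com>",
    ]
    for sample in samples:
        verdict = "trusted" if is_from_trusted_domain(sample) else "UNTRUSTED"
        print(f"{verdict:10} {sample}")
```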
Further information
The Financial Action Task Force (FATF) provided a report on Countering Ransomware Financing which provides a list of potential risk indicators that can help public and private sector entities identify suspicious activities related to ransomware. FATF also produced a report which focuses on illicit financing arising from fraud that is enabled through or conducted in the cyber environment.