The clock is ticking on cyber security – risk, rules and reputation management.
In conversation with Kyan Frith and Rudi Le Roux from CentricalCyber
Black Vanilla has been helping clients with cyber crisis response plans since 2018. In our latest blog, Agency Director Nichole Culverwell spoke to CentricalCyber about their risk-based approach to cyber security and what Guernsey-regulated firms need to do before the new Guernsey Financial Services Commission (GFSC) rules become enforceable in August.
Nichole: With the 9th August deadline for the new cyber security rules fast approaching, can you explain the background to the rules and what they set out to achieve?
Rudi: The new Cyber Security Rules from the GFSC came about after a thematic review which showed that there are cyber security gaps in the Guernsey financial services industry which need addressing. Subsequently, the regulator has developed a set of rules to help the industry to take cyber security seriously.
The rules are based on the international NIST Cybersecurity Framework. The GFSC has developed a lighter touch version of that framework to basically allow the financial services industry to start off on the journey to become cyber secure.
The rules enable companies to give due consideration to the size, nature and complexity of their business. We work with clients of different sizes, and we help them to apply that proportionality to put the framework in place, with remediations that are appropriate to them.
Nichole: So you mentioned gaps there – do you think those gaps still exist now?
Rudi: Definitely. From what we’ve seen, not many of the local financial services firms have taken significant steps on their journey to cyber security maturity. At the moment, we’re not seeing enough of the right kind of action that boards need to take to fill those gaps and be ready for the GFSC deadline on 9th August 2021.
Nichole: I think when we talk about cyber risk, the first thing that springs to mind generally is, ‘that’s the IT department’s problem’ or ‘that’s an operations problem’. Instead, should we be talking about whose responsibility it is, and what actions they should take right now?
Kyan: In reality it is everybody’s problem, but if you read the GFSC rules, it is the board’s problem and their responsibility. The board sets the risk appetite and oversight of this risk and, culturally, the board sets the tone for the entire organisation.
Where should the board start? The best starting point is to do a gap analysis. Take the GFSC rules and read through them line by line, and establish to what extent you meet the regulations or not.
Nichole: Can you tell me a little bit more about the CentricalCyber gap analysis process?
Kyan: The gap analysis is an important aspect, and we try to make it a simple piece of work from the client’s perspective. We take time to sit down with the business leaders to start off with, because the way that we read the rules, and the way we believe that they should be interpreted, is that it’s a risk-based approach.
And so, it’s very important that we sit down with the key members of the board to start talking to them about their cyber risks.
We have a proprietary framework tool that is mapped to the GFSC Cyber Security Rules and underpinned with the NIST CSF framework. We walk through a question set with the business leaders, and then we also ensure that we involve other appropriate stakeholders, whether they are internal (compliance, IT etc), or external IT and cyber service providers.
Through the process, we capture a great deal of information and appropriate evidence. We can then identify where they’ve got gaps, especially the key gaps against the rules. We summarise all the findings in a user-friendly and conclusive report. We offer a way of remediating the gaps identified and utilising our specialist knowledge and tools to help them with the remediation work.
Nichole: CentricalCyber’s risk-based approach seems quite different from that of other service providers in the cyber security space. Why have you developed this specific and unique way of addressing this issue?
Kyan: The GFSC rules are written from a risk perspective, and it’s a non-technical document. The GFSC wants to ascertain that entities understand their cyber risks and are addressing them, and they’re taking appropriate steps to make sure that they mitigate those risks as far as possible. So we take a non-technical approach to our gap analysis and yes, it is different from what others are doing but we believe that it’s the right approach because it’s based on understanding the interpretation of the rules. It also means that we can engage better with board members who probably aren’t the most technically minded and maybe aren’t actively involved in IT or cyber security day to day, but it still enables them to understand about their cyber risk posture; we talk to them in a language that they understand.
Nichole: You mentioned the NIST framework, are there any areas that you’re seeing within those frameworks that companies are particularly lacking in?
Kyan: That’s a really interesting question because so far, in the work that we’ve been doing with clients in the gap analysis, you can pretty much guarantee what the key gaps are going to be.
One area where a gap is expected to be is their asset (hardware, software and data) register; understanding where their data is, particularly identifying the entities’ data ‘crown jewels’, then performing and evidencing an appropriate risk assessment.
We expect issues surrounding the rules’ requirement for management information, whether internal, from group services or external service providers.
The preparations for dealing with a cyber security event also appear to have gaps. It is likely that an entity has an old BCP plan in place, they have some documents, but they’ve not tested them recently, and they’re not developed for the cyber world, or prepared for a cyber event.
They may not have the appropriate comms in place, so if a cyber security event were to happen, they would not be able to deal with things swiftly and efficiently.
Nichole: Speed is definitely critical in a cyber event, and it certainly pays to be prepared, across the board and obviously from a cost perspective as well. Organisations locally might say ‘it’s okay, our group HQ has got the comms plan covered’. But that’s not going to meet the GFSC’s requirements.
Rudi: I think we both agree that that’s not the most sensible of approaches to take, and indeed the GFSC is expecting the local licensees to take local responsibility and have clarity on their position locally, and not be wholly reliant on a group HQ. Entities need to be able to stand ready to recognise and meet their responsibilities.
Nichole: The other scenario that I often hear is that companies might think they have crisis comms under control in-house, and they may well do so. But I don’t know many local companies here in Guernsey that have very experienced communications teams in-house, or who have crisis communications experience. My concern is that boards do not understand they have a skills gap, or they believe that a skills gap can be filled by a marketing team based in a different jurisdiction.
I understand that a firm might want to avoid hiring another consultant to do the work but it’s a specialist area, and it’s expensive to get it wrong. Why would you suggest an organisation comes to someone like CentricalCyber for help with meeting the GFSC rules?
Rudi: I suppose one of the key things for us is that we are non-technical, we’re not looking to sell any cyber security software or any technology, so we can review things independently.
We are risk based, which is very different to most people out there. And all we’re going to do is help people to really understand what their gaps are to help them meet the rules and work with them to remediate the gaps. In essence that is our focus.
We’re objective, pragmatic and independent, and we approach cyber security in the context of risk, and addressing risk is a core board responsibility.
For organisations which have a group structure, they need someone to come in and look at that situation independently, rather than someone just looking at it from a technical perspective.
Nichole: The deadline is fast approaching for the GFSC rules to be put into place. What do we expect to happen on that day in August?
Kyan: The clock is ticking. For organisations that haven’t done anything yet, that have not started a gap analysis or embarked on a programme of remediation, the timeframes are pretty tight.
When the GFSC does come knocking in the months to come, whether it’s through a PRISM review or through some other regulatory visit, they’re going to ask, ‘what evidence do you have to show that you had implemented the rules by 9th August?’ They might expect to see that the appropriate board meeting minutes in the run-up to 9th of August show that the board has considered the rules and implemented them.
Nichole: Looking beyond that August deadline, how do you think the cyber rules might mature, or be enforced over time?
Kyan: Well, that’s a really interesting one, because the rules are about protecting Guernsey, they’re about protecting the reputation and the image of the island as well as individual entities.
So, these rules are a great first step. But there are other offshore jurisdictions that are also implementing some measure of cyber security rules. And there are some that are far more stringent than Guernsey so you can expect that if Guernsey wants to compete on a level playing field with other jurisdictions, then it’s going to have to continue to mature and enhance its cyber rules.
I think that we need to be prepared that there will be a maturing of these rules and that there will be greater requirements.
Plus, if they’re part of group structures, then you can expect that the group is going to have to start adhering to different sets of rules and frameworks. And so actually having people on board who understand gap analysis and can help with the remediation across jurisdictions is going to be very helpful.
Nichole: You made a really interesting point there about reputation and I think it’s particularly important in financial services as of course Guernsey sells itself on being a trusted, reliable, safe place to do business. If cyber breaches start to happen more frequently, and if they’re more widely broadcast across the world, then the trust in the jurisdiction will start to erode.
It seems quite a small price to pay to get your house in order and to get ready to respond well, to communicate well, to protect our reputation as a trusted and first-class provider of financial services, particularly in a world where the playing field is being levelled more and more.
Jurisdictions are becoming more and more homogenised; it’s incredibly important that Guernsey maintains its reputation for security in a very insecure and unstable world.
Cyber risk is one of the biggest risks that should be on board risk registers right now, along with climate change, so it does make sense to be investing in being able to respond well to that risk and mitigate the likely reputation damage as well as ensuring business continuity.
Rudi: I would wholeheartedly agree with you about protecting the reputation of the island, and the entities’ reputations themselves.
A cyber event shows that an entity didn’t have proper controls in place, which perhaps means that personal data in its care is exposed. It’s too easy, I think, at the moment for boards to potentially just put their heads in the sand and hope that the situation is going to disappear, and unfortunately it’s not.
The rules are here, we’ve been given a transition period, they do need to be implemented by 9th August. But at the same time, we appreciate the sheer amount of pressure that entities are already under to meet all the various other regulatory requirements, and we know that resources are tight, and the associated timeframes are tight, and so another regulatory requirement makes it even harder.
That’s why we have a different approach, we are risk based and operate in the context of the broader risk agenda.
Nichole: I agree, everybody feels very busy, very under pressure right now. We’re trying to recover from the impacts of the pandemic, we’re still operating in a climate of instability and insecurity. But isn’t that the exact environment that cyber criminals love to take advantage of?
Financial services companies have been praised for how well they’ve been able to adapt to hybrid working, and they’ve come through this last 18 months relatively well, but of course hybrid and agile approaches to work are a field day for cyber criminals.
Do boards understand the importance of internal communication in preventing a cyber attack? Particularly where teams are now split and often working away from the office.
Kyan: Almost certainly not. The cyber criminals are highly sophisticated, the image that we have, and the media has portrayed over the years, of geeky teenagers in hoodies trying to hack businesses couldn’t be further from the truth. These days, you’re talking about state-sponsored cyber-criminal activity. It’s on a big scale and we know the cyber-criminal world is willing to try and will do anything; it will just come out of nowhere.
Nichole: One of the points we emphasise to our clients is that you want to have the time and the headspace to get on with solving the problem, not to sit around the boardroom, debating about what you’re going to put into your first media statement. Or thinking about how you’re going to communicate with your clients or your different stakeholders or discussing how you’re going to use your social media channels effectively or what tweets to respond to and which to leave.
You need to know who is going to monitor your social media channels and how you are going to use your website or databases.
You want to have got all of that stuff in the bag ready to pull out, adapt and use quickly so you can get on with the job in hand of getting back to business as usual, minimise any disruption and help your clients.
Doing this work doesn’t have to be that onerous, it’s not that expensive; we like to work with clients in a really collaborative way and have honed our crisis comms workshops over many years.
We have created a very efficient approach that shines a spotlight very quickly on where the gaps are and helps clients fill those gaps. At the end of the process, clients walk away with a ready-made response plan that will save them so much time and stress.
Business leaders who believe that an old, out-of-date business continuity plan will be effective or relevant to a cyber event are misguided.
I think that there is a misconception that it’s not going to happen here, or it’s okay, it’s in Guernsey, and our local media is not a problem, they’re not going to find out or it won’t spread any further, we can keep it contained. But you can never guarantee that; the interplay of social media, digital and print media and the wider political or business agenda can escalate even a minor breach.
The media landscape is so fast moving that you do need to be prepared for what you think might just be a small local story to hit the industry press or the national media.
It is also really important to remember that reputations are about behaviour. It’s not necessarily the cyber incident itself that will damage an organisation’s reputation. It’s how it is seen to respond and behave that can actually create a secondary reputational problem.
If a company can’t respond well, or doesn’t behave well in its response, then that can be more damaging than the original cyber incident; it compounds the original issue. That’s what people forget about, the process of reputation management. And it’s particularly acute, I think, in a cyber incident where we don’t have all the facts, where we’re having to potentially communicate very, very quickly and maybe don’t understand everything that’s actually gone on, that makes people feel very uncomfortable. And that’s where we often get companies having a good old debate about what they’re going to do, and frankly there isn’t time for that in this kind of crisis situation.
Kyan: Definitely, you would hope that there was significant awareness of reputational risk but with the work that we’ve done so far, cyber risk isn’t acknowledged in the top five risks to the business. In the risk register, it’s possibly included as a subset of financial crime and that’s been a surprise for us, bearing in mind the environment that we are now operating in, driven in part by what’s happened with the global pandemic and the greater reliance on technology, data protection laws etc.
Firstly, you get the boards that have it on the agenda, but then don’t know what to discuss or how to articulate or how to assess what the risk is. It’s there because they think it should be.
Secondly, we sometimes see it in the business risk assessment under the financial crime risk, but that type of risk isn’t what these rules are intended to cover.
Or thirdly it’s just nowhere to be seen, or it is maybe under consideration by the risk committee, or it’s mentioned somewhere in another document. I think the main reason is because nobody can decide what the risk is, or how to mitigate or manage it. So therefore, it’s just best to leave it off.
Nichole: And obviously the GFSC sensed that this is happening and you mentioned the thematic that they did, so clearly they are concerned about it.
And we know that cyber incidents are on the rise, and that they can bring all sorts of other problems that you might not expect, such as what would you do in a ransomware attack? That’s a moral dilemma. Let’s think about a wealth management company, for example, which is perhaps handling very sensitive data about high net worth individuals. You know, how many do you talk to that have considered how they might respond to a ransomware attack?
Rudi: There are many who believe that the BCP plan they have is sufficient, but it’s not because those plans were historically written over the last 10 or 15 years to cover gas leaks, water leaks etc. It never considered cyber. Also, the type of people you need in the room to have the discussion around a cyber breach are not the same people who would respond to a physical BCP, because it’s a whole different cast of characters, and the person responding to that event is under phenomenal pressure. Every minute counts, because every minute that data is moving around the globe into somebody else’s hands.
Nichole: This goes back to the point that I’m making about preparation; have you actually sat around a boardroom table, and had a discussion about what we would do in that situation and, from an ethical standpoint, how we would respond based on our values? That’s a discussion that needs to be had when there is time for it, not in the heat of the moment.
Kyan: Yes, you need to consider, ‘is the criminal going to use you, or use one of your suppliers as a springboard to get to somewhere else?’ The best thing to do is just to sit around the room and talk through scenarios about what could happen. Asking, how valuable is our data? If criminals get their hands on it, what can they do with it? Who wants to buy it? Is it for extortion? Or to sell it on?
CentricalCyber has a no-fear, no-frills approach to cyber risk. What we mean by that is that cyber is a risk to manage, it’s not a risk to be scared of. There is help out there. And if you take a systematic approach to risk, which is where we step in, we come in and help you, and we approach it from a board perspective and we take you through the journey to get you compliant.