Cyber Security Rules and Guidance Consultation Paper

Closed 2 Nov 2020

Opened 21 Sep 2020

Overview

Introduction

Purpose of the Consultation Paper

The Commission seeks to regulate and supervise financial services in the Bailiwick of Guernsey, with integrity, proportionality and professional excellence, and in so doing help to uphold the international reputation of the Bailiwick of Guernsey as a finance centre.

The purpose of this Consultation Paper is to seek feedback from all interested parties and stakeholders on the introduction of a set of Cyber Security Rules under section 16 of The Protection of Investors (Bailiwick of Guernsey) Law, 1987; sections 33A and 33B of The Banking Supervision (Bailiwick of Guernsey) Law, 1994; sections 31A and 31B of The Regulation of Fiduciaries, Administration Businesses and Company Directors, etc (Bailiwick of Guernsey) Law, 2000; sections 38A and 38B of The Insurance Business (Bailiwick of Guernsey) Law, 2002 and sections 18, 18AA and 18AB of The Insurance Managers and Insurance Intermediaries (Bailiwick of Guernsey) Law, 2002 (“the Regulatory Laws”).

In addition the Commission also welcomes feedback on the “Home Working – Information Security Risks” self-assurance paper published on 7th July 2020.  This paper provided a non-exhaustive summary of areas for licensees to consider when reviewing their home working arrangements.

Please find copies of the above referenced, proposed Cyber Security Guidance Paper and Consolidated Rules, the proposed Cyber Security Rules, 2020 and the Home Working – Information Security Risk paper published on the Commission’s website.

The Consultation Paper is a working document and does not prejudge any final decision to be made by the Commission.

Why We Are Consulting

Principles Based Rules

The findings of the Commission’s 2019 Cyber Risk Thematic, presented to industry throughout Q4 2019, suggested that Firms throughout the Bailiwick were supportive of the Commission’s intention to issue a set of rules and accompanying guidance that followed 5 core principles: Identify, Protect, Detect, Respond and Recover.

Industry feedback, during the Thematic process and following the feedback sessions, encouraged the Commission to produce Rules that were principles based and proportionate, allowing for flexibility in relation to the different sizes and complexity of regulated firms in the Bailiwick.  It is the Commission’s intention that the attached Rules clearly articulate its expectations in relation to the principles and approach that firms should take when managing the Cyber Risk faced by its business, while retaining the flexibility to be applicable to all regulated entities. 

The Guidance that accompanies the Rules provide examples of how firms should apply the Rules, proportionately given the size, nature and complexity of its business.  The Guidance recognises the speed at which Cyber Risk evolves and consequently suggests some minimum requirements but does not provide an exhaustive list of controls and mitigants.

Audiences

  • Anyone from any background