Regulatory Expectations around Cyber and Information Security - Cyber Tip Tuesday video for 11 August 2020
Welcome to this week's Black Arrow Cyber Tip Tuesday.
We have talked before about how regulators like the Guernsey GFSC and the Jersey JFSC expect Boards to take cyber and information security as seriously as they do more established risks, and that Directors are required to understand and manage those risks.
So, how can a Board evidence this?
The clearest way is to schedule a regular review of a cyber security report at Board meetings. That report should contain a few sections with brief and focused content that is explained in terminology that all business leaders can understand. One of those sections is a dashboard with key indicators about the risks that the business faces, and the controls that are in place to mitigate those risks to match the organisation’s risk appetite.
We recommend that organisations structure their risks and controls based on one of the globally recognised frameworks, for example NIST or ISO 27001. In fact, the forthcoming regulations from the GFSC are based on the NIST framework. So, the dashboard would also be structured to match that same framework, to ensure everything is covered.
The Board members should be sufficiently knowledgeable about these topics to be able to question whether things are as good as the dashboard says they are, and whether a rating should be Amber instead of Green, or whether the RAG (Red/Amber/Green) thresholds are appropriate for their business. That challenge in the Board room should be minuted for future reference.
You don’t need to be an expert, but you do need to have a good understanding of the basics, and your independent trusted advisors can support you on the details.
Contact us to see how we can help you achieve what the regulators require of you.