Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
The Board, not IT, is responsible for Cyber and Information Security
Welcome to this week's Black Arrow Cyber Tip Tuesday.
In our articles in Business Brief magazine and the Guernsey Press, we have consistently highlighted that the Board, not IT, is responsible for Cyber and Information Security.
The financial services regulators in the Channel Islands have also made that very clear.
The GFSC has warned that “Cyber and information security should be taken seriously by the Board and included along with more established risks within a firm’s overall strategy for risk management”.
And the JFSC has told businesses that “As a registered person, the Codes of Practice require you to understand and manage risks, including cyber-security risks, which could affect your business or customers”.
There is no room for misunderstanding there.
So, if a cyber incident happened, the Regulator would say to each Director “show us the evidence that you had taken cyber and information security seriously. Show us that you had understood and managed your risks properly, just as we had warned you to do”.
If you are a Director, including a Non-Executive Director, and you had to get that evidence ready for tomorrow morning, would you be able to?
To be clear, it would not be appropriate to say that you handed it over to IT and thought they had sorted it.
Our Black Arrow website contains videos and articles that help Directors understand the basics of cyber and information security.
It is really important that the Board is an educated customer of cyber security providers, including any outsourced IT providers, so that it can scrutinise and challenge what it is being told. You don’t need to be an expert, but you do need a good understanding of the basics, and your independent trusted advisors can support you on the details.
Have a look at the information on our site or contact us to see how we can help you achieve what the regulators require of you.
Article in the current edition of the Guernsey Chamber of Commerce Contact magazine - 'Uncomfortable Truths: How any Director or NED poses a major Information Security Risk'