
JFSC says one-third of firms not prepared for a cyber-incident

Chris Hamblin, Editor, London, 12 September 2017


According to a cyber-security survey conducted by the Jersey Financial Services Commission, 32% of financial service companies which responded did not have a cyber-incident response plan in place.

Equally, one-third of respondents did not have a written risk-assessment of cyber-security risks for their firms. The frequency, sophistication and importance of cyber-attacks are increasing. The JFSC does not explicitly regulate local firms’ cyber-security practices but it does keep track of the ways in which they are assessing and offsetting risks to their businesses and it expects them to notify it whenever a 'cyber-incident' takes place. A good many firms have yet to make cyber-security a business priority and the regulator is keen to see them exercise controls that concentrate on contractors, suppliers and customers alike.

The survey, which 129 firms completed, also revealed the top five threats that they feared:

  • unintentional information leaks;
  • deliberate information leaks;
  • fraud;
  • malicious code; and
  • social engineering attacks.

The findings of the survey are in line with the results of a recent survey by HM Government on the mainland. Some guidelines are in the pipeline.

Only 27% of firms shared information about cyber-security threats and 'vulnerabilities' (presumably their own weaknesses - not to be disclosed over an open telephone line) with other bodies, industry alliances and CERTS (the Consortium for Electric Reliability Technology Solutions). The survey also indicates that:

  • 57% did not have written risk appetites for cyber-security-related risks;
  • 40% did not include cyber-security-related incidents in their "disaster recovery and contingency" arrangements;
  • 63% did not have dedicated cyber-security insurance policies;
  • 60% did not educate their contractors about cyber-security;
  • 59% did not require their service providers to do anything to manage cyber-risks in their contracts.

There is some good news, however:

  • 73% measure their performance against a standard of some kind, e.g. Cyber Essentials (9%), ISO 27001 (36%) or NIST (the National Institute of Standards and Technology) (8%);
  • 80% have a cyber-security review at least once a year;
  • 68% expect their spending on the problem to increase in the next financial year;
  • 43% provide external users with guidance about good security practices; and
  • 77% of all employees are trained to know about cyber-security.

About 42% of firms spend 2% or less of their budgeted annual expenditure on cyber-security. About 18% spend 3-5%; about 5% spend 6-8%; and a thin sliver of perhaps 2% spend a gargantuan 9-11% on it.

Recent incidents

The JFSC has had its hands full with cyber-problems in the last few months. At the end of June it said that it was monitoring an outbreak of the Petya/NotPetya ransomware that had hit the island. This strain of malware is designed to encrypt the file system of an infected Windows system, denying the user access to data. It also replaces the master boot record of the computer with code to display a ransom demand for US$300 in bitcoins. Thereafter, it spreads aggressively in the local network environment.

Things went better in mid-August, when the regulator became aware of three cases where locally registered businesses were the subject of "impersonation attacks." These happen when fraudsters register a domain name that is almost identical to the target firm’s and then send bogus emails to the firm’s customers asking for large sums of money.

Fraudsters tried to extort more than £450,000 in one of the cases reported to the JFSC, but someone detected them in time. The fraudulent emails also included legitimate signatures to make them appear more authentic. The domain name that the criminals used looked like the local company’s but had an extra letter which recipients might easily have overlooked at first glance.
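A mail-gateway check for the "extra letter" lookalike described above can be sketched as follows. This is an added example, not part of the JFSC's material or the original article; the domain `jerseytrust.example`, the sample addresses and all function names are constructed for illustration.

```python
# Added example: flag sender domains that are near-copies of a firm's domain.
# All domains and addresses below are constructed for illustration.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # add cb
                           prev[j - 1] + (ca != cb)))  # swap ca for cb
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Domain part of an address, normalised for comparison."""
    return address.rsplit("@", 1)[-1].strip().rstrip(".").lower()

def classify(address: str, own_domain: str, max_distance: int = 1) -> str:
    domain, own = sender_domain(address), own_domain.lower()
    if domain == own or domain.endswith("." + own):
        return "own"                      # the firm's domain or a subdomain
    distance = edit_distance(domain, own)
    if distance > max_distance:
        return "other"
    if distance == 1 and len(domain) == len(own) + 1:
        return "lookalike-extra-letter"   # the case reported to the JFSC
    return "lookalike"                    # e.g. one substituted character

def flag_lookalikes(addresses, own_domain):
    """Return (address, verdict) for every near-copy of own_domain."""
    return [(a, v) for a in addresses
            if (v := classify(a, own_domain)).startswith("lookalike")]

OWN = "jerseytrust.example"               # constructed protected domain
SAMPLE = [                                # constructed sender addresses
    "Accounts@JerseyTrust.example",
    "billing@mail.jerseytrust.example",
    "accounts@jerseytrusst.example",      # one extra letter
    "accounts@jerseytrvst.example",       # one substituted letter
    "news@unrelated.example",
]

if __name__ == "__main__":
    for addr, verdict in flag_lookalikes(SAMPLE, OWN):
        print(f"{verdict:24} {addr}")
```

The comparison is purely character-based, so it does not catch homoglyph domains or a correct name registered under a different top-level domain.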
