JFSC - Jersey International Business School

Cyber Security: Challenges for the Regulator
JFSC COO Mike Jeacock and
JFSC Head of ICT Denis Philippe
› JFSC Chief Operating Officer: Mike Jeacock
› Introduction
› An evolving Commission
› An agile and open regulator
› Technology
› To fulfil international responsibilities
› To protect and defend our systems
› An active Cyber Programme
› Ownership of risks and obligations
› What happens to the JFSC
› Subjected to approximately 3,800 network security attack attempts daily
› Processes over 5,000 emails per day, with up to 34% of inbound traffic rejected due to identified threats
› Website screening prevents access to high-risk content (< 0.1% of traffic)
› Executive
32% of Boards do not receive information security updates
45% of Boards do not believe it is important
› Fire Metaphor (diagram labels: Threat / Fire; Opportunistic; Indiscriminate; Exploits vulnerability; Owns everything)
› Human
› Vigilant
› More complex
› Vulnerable
50% of people take some form of confidential information with them when they leave an organisation
› Human factors: Case Studies
› Sleeper
› Chinese restaurant
› Starbucks
› Me
› JFSC Head of ICT: Denis Philippe
› Cyber-Security Mission Statement
“Commission held information¹, in all its forms, written, recorded electronically or printed, will be protected from accidental or intentional unauthorized access, modification, or destruction throughout its life cycle”
¹ This includes all information created or owned by the Commission as well as information collected by or provided to the Commission by external parties for the execution of the Commission’s activities
› What?
› Definitions of what we protect:
› Private and personal information
› Legal definition versus what people actually value: the gap between the two is an extended reputational risk
› Why?
› Mitigate risk – “data is a commodity of interest to many”
› Extensive investment in providing an interconnected and online mode of stakeholder engagement is being balanced with a significant effort and investment in our security to protect the systems and data we are collecting and holding
› How?
› The JFSC Gold Standard
5 Pillars based on a blend of NIST and ISO 27001:
› Identify
› Protect
› Detect
› Respond
› Recover
› This blend of NIST and ISO allows us to speak to other regulators and registries in security terms they understand
› Governance and Landscape
› Governance
Policy framework reduced from 125 documents to 12
› Understanding the landscape
› The JFSC holds diverse sets of information:
› Market sensitive information
› Incorporations
› Mergers and Acquisitions
› Fund Products
› Beneficial ownership information
› Security Interest information
Manage the value equation: it is about delivering value
Cyber-security should be seen as a business benefit and not just a cost
› Protect
› Building new systems
› Building walls is not enough
› Flexibility and collaboration are key
› Improved intelligence will improve detection
› Understand the threat landscape
› Building an e-Enabled JFSC
› Building new systems – changing risks
› Developing a new platform environment with security baked in from the start
› Delivering joined-up services
› Delivering new Registers from a common platform (SIR, JAR)
› Move to more services online
› Increased surface area requires a different approach to security
› Detect
› Behavioural analytics – not magic
› Real-time visibility
› 7.6 million network / data events per day at JFSC
“If the product doesn't give you a why, it is only an illusion of security.”
Amit Yoran – President, RSA
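As an added illustration of the “behavioural analytics – not magic” point and of the “why” Amit Yoran asks for, the following Python is an example written for this page; it is not JFSC code and does not describe any particular product. It learns a per-user baseline (login hours and source addresses) from constructed sample events, scores a second batch of constructed events against that baseline, and attaches the concrete reasons to every alert it raises. The log format, the thresholds (five failures within sixty seconds, a one-hour tolerance on login time) and the sample addresses are all assumptions.

```python
"""Added example (not JFSC code): per-user behavioural baseline with a
stated reason for every alert.  Log format, thresholds and addresses are
assumptions made for this illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events (not real data).
# Assumed format: "<ISO timestamp> <user> <source ip> <result>"
BASELINE_LOG = """
2024-03-04T08:55:01 alice 10.0.1.20 success
2024-03-04T09:02:14 alice 10.0.1.20 success
2024-03-05T08:49:30 alice 10.0.1.20 success
2024-03-06T17:40:11 alice 10.0.1.21 success
2024-03-04T08:30:02 bob 10.0.2.5 success
2024-03-05T08:35:45 bob 10.0.2.5 success
2024-03-06T08:31:09 bob 10.0.2.5 failure
2024-03-06T08:31:20 bob 10.0.2.5 success
"""

NEW_LOG = """
2024-03-07T03:12:44 alice 203.0.113.9 success
2024-03-07T08:32:00 bob 10.0.2.5 failure
2024-03-07T08:32:05 bob 10.0.2.5 failure
2024-03-07T08:32:09 bob 10.0.2.5 failure
2024-03-07T08:32:12 bob 10.0.2.5 failure
2024-03-07T08:32:15 bob 10.0.2.5 failure
2024-03-07T08:32:20 bob 10.0.2.5 success
2024-03-07T09:10:00 alice 10.0.1.20 success
"""


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from past successes."""
    hours: set = field(default_factory=set)   # hours of day seen logging in
    ips: set = field(default_factory=set)     # source addresses seen


def parse(log):
    """Split log text into (timestamp, user, ip, result) tuples."""
    return [tuple(line.split()) for line in log.strip().splitlines()]


def build_profiles(events):
    """Learn each user's typical login hours and source addresses."""
    profiles = defaultdict(Profile)
    for ts, user, ip, result in events:
        if result == "success":            # failed attempts do not define 'normal'
            profiles[user].hours.add(datetime.fromisoformat(ts).hour)
            profiles[user].ips.add(ip)
    return dict(profiles)


def score_events(events, profiles, fail_burst=5, burst_window_s=60):
    """Score events against the baseline; every alert carries its reasons."""
    alerts = []
    recent_failures = defaultdict(list)    # user -> timestamps of recent failures
    for ts, user, ip, result in events:
        t = datetime.fromisoformat(ts)
        reasons = []
        prof = profiles.get(user)
        if prof is None:
            reasons.append("no baseline for this user")
        else:
            # One hour of tolerance either side of any baseline hour (assumed).
            if not any(abs(t.hour - h) <= 1 for h in prof.hours):
                reasons.append(f"hour {t.hour:02d} outside baseline hours {sorted(prof.hours)}")
            if ip not in prof.ips:
                reasons.append(f"source {ip} never seen for user (baseline {sorted(prof.ips)})")
        # Sliding window of this user's failures within burst_window_s of now.
        window = [x for x in recent_failures[user] if (t - x).total_seconds() <= burst_window_s]
        if result == "failure":
            window.append(t)
            if len(window) >= fail_burst:
                reasons.append(f"{len(window)} failures within {burst_window_s}s")
        elif len(window) >= fail_burst:
            # A success straight after a burst of failures is the one to look at.
            reasons.append(f"success after {len(window)} failures within {burst_window_s}s")
        recent_failures[user] = window
        if reasons:
            alerts.append({"ts": ts, "user": user, "ip": ip, "reasons": reasons})
    return alerts


def run():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    return score_events(parse(NEW_LOG), build_profiles(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run():
        print(alert["ts"], alert["user"], "<-", "; ".join(alert["reasons"]))
```

Run as a script it prints three alerts: alice's 03:12 login from an unseen address (two reasons), bob's fifth failure inside a minute, and bob's success immediately after that burst. Each line names the baseline fact the event broke, which is the difference between a detection an analyst can act on and a bare score.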
› Humanware
› Understanding the landscape
› Focus is turning to people
› Soft targets = weak link in the chain
(diagram: Humanware 2.0 = People, Skills, Knowledge)
› Cultural evolution through training and secure behaviours
› Habits
40% of daily actions are driven without thinking:
› Changing gear
› Tying shoe laces
› Locking the front door
Bad habits include:
› Writing down passwords
› Leaving screens unlocked
› Clicking on emails and links without knowing what they are or where they go
“Evidence has shown that a large number of cyber hygiene issues have become bad habits.”
Bikash Barai
› Habits
Two areas of the brain we are interested in:
› Goal-directed part (pre-frontal cortex)
› Responsible for conscious and deliberate activity
› Slower functioning
› Habit part (basal ganglia)
› Fast
› Near-automatic function
› Does not require thought
› Changing habits: Trigger, Routine, Reward
› Example 1: Stop writing down passwords
Trigger: Password expiry
Old routine: Write down the password
New routine: Write down a clue (rehearse and repeat at least 20 times). The clue must not itself give away the password; a password manager removes the trigger altogether.
Reward: Feeling secure
› Example 2: Stop clicking on phishing links
Trigger: An apparently legitimate entity asking for personal details
Old routine: Share the details
New routine: Validate the legitimacy of the entity before responding
Reward: Feeling secure
› Malicious
› IP theft or sabotage for their own benefit or that of others
50% of those who steal data do so in their last month of work
70% of those who steal data do so in the two months before leaving
› Have a training and awareness plan
Ref: Dawn Cappelli
› Island opportunity
› What about the local aspect?
Is there a need to ensure that cyber-security is embedded as a
pre-requisite to doing business?
Is there a place for cyber in the regulatory framework?
Who should set and monitor any local standards?
Should the standards be scalable?
› Key discussion points
› An agreed cyber standard for the financial services sector
› Apply existing international standards
› Guidelines for consumers and industry
› The need for a minimum standard
› Build a collaborative environment to discuss real-time cyber incidents and issues
› Closing remarks
› Things to spend time on
Communicating through collaboration
Targeting resources where they are most effective
Patching people as well as systems (Humanware 2.0)
Follow us at @JerseyFSC
Like us at Jersey Financial Services Commission
Follow us at Jersey Financial Services Commission
JFSC COO Mike Jeacock- [email protected]
Head of ICT Denis Philippe- [email protected]