Time to get your ducks in a row!

The GFSC Cyber Security Rules take a pragmatic, risk-based approach, and if you have read the document they may look a little light at first glance. As the saying goes, though, the devil is in the detail, and here the detail is the Guidance to the Rules. In our experience the Rules cannot be taken lightly: the level of governance required, having access to the supporting evidence, and finding a way to do all of this efficiently add up to a substantial task. We strongly encourage you not to underestimate the work involved.

We would like to briefly share some of our experience that we hope you will find helpful.

The Rules must be implemented by 9th August 2021 (and yes, that’s including the changes to your internal controls).

You need to share the Rules with your Board and ensure your NEDs (non-executive directors) understand what is needed. Simply put, between now and 9th August your Board needs to understand its responsibilities, what must be reported to it so that it can be satisfied that the Rules have been implemented, and what evidence supports that conclusion.

That is not as straightforward as it sounds, especially if you are part of a Group and rely on Group services, because you will still need to provide the evidence locally.

You will need to identify your material assets, which include both technology and data assets, and then conduct a risk assessment of those assets in the manner prescribed by the Commission, which in itself will take effort to complete.

The identification phase extends to knowing your essential services and critical infrastructure, documenting them, and having mitigation plans in place for their disruption.

All of your technical, operational and administrative controls, together with the associated policies and procedures, need to mitigate the risks you have identified, and you need to be able to evidence that the solutions protecting your business are actually in place.

In addition, you need a robust cyber incident response plan and recovery plan. You may have them already, but have you tested them recently? Where relevant, has your Group tested these plans recently and can you evidence that the results are as expected for your business locally?

This is a brief walkthrough of some of the aspects you need to resolve between now and 9th August. That period also includes three weeks of Easter holidays, the bank holidays, and the summer breaks that will hopefully begin in July. The impact? There are now probably fewer than 70 working days left to achieve compliance with the new Cyber Security Rules.

If you feel a little daunted and overwhelmed by these new Rules, or simply feel that on top of the other regulatory work already in motion you do not have the capacity for this too, then please get in touch with us at www.centricalcyber.com or reach out to us at [email protected]. We would love to help.
