Are you feeling a false sense of security?

Our 2021 KPMG Guernsey Fiduciary Industry Survey* saw that 96% of the participants considered themselves to be compliant to the latest GFSC Cyber Security Rules. However, achieving compliance is not the end of journey; it requires continuous monitoring and assessment of the measures implemented. Contrary to the confidence demonstrated by the respondents to the survey, the reality on the ground suggests otherwise.

Research across the Crown Dependencies (Guernsey, Jersey and the Isle of Man) revealed a variety of common weaknesses we consider are fundamental to cyber security hygiene, effective risk management and compliance against industry standards and regulation; which for Guernsey would be the GFSC Cyber Security Rules. We share some key areas that are worthy of consideration and review:

Since the 2021 survey, research showed that around a third of organisations across the Crown Dependencies were assessed to be falling below the mark on applying software upgrades and fixes to the live environment; in 2020 it was just under a quarter. The common themes were (1) system developers having access to the live environments and being able to migrate changes; and (2) lack of restrictions to ensure only authorised IT personnel have the requisite system privileges.

Controls to ensure segregation of duties were also highlighted as lacking across our research. In most cases, this was a consequence of small IT teams. Whilst segregation of duties may be impractical with small IT teams, the relevant risk should be recorded, and additional controls (such as independent reviews) be implemented.

Poor change management processes can lead to exploitable vulnerabilities or system bugs.

In the 2021 KPMG Guernsey Fiduciary Industry Survey, 23% of respondents had prioritised investment in cloud-based technologies and services to date, with further 42% looking to do so within 12 months. Local businesses in the trust and corporate services sector are adopting cloud-based software through local IT providers for their administration and financial reporting purposes.

We are seeing continued transition to cloud-based services following the COVID pandemic aligned with the increase in hybrid working; thus resulting in a very different IT environment of home and/or remote working, bring your own devices and use of virtual private networks (VPNs) to years prior.

Cloud environments present their own unique cyber challenges such as supply chain and access risks; the most frequent being susceptibility to phishing attacks with business email compromised. Utilising Multi Factor Authentication (MFA) techniques, commonly deployed via a token or texts sent to a mobile phone app are one measure to reduce risks. Protecting the business with MFA and routinely updated guidance are simple measures that can help prevent a well-crafted phishing attack being successful.

Additionally, deploying role-based access measures can help ensure that only the appropriate and authorised users access the services and data that they require for their roles. Key is also ensuring that privileged access is also controlled and monitored across the IT systems and support staff.

Of late, there is an evident increase in supply chain attacks leading to attackers gaining unauthorised access to critical business systems. Generally, supply chain risks occur due to one or a combination of the following elements:

• insufficient third-party vendor risk management
• unresolved software vulnerabilities in third party software
• weak network defences across the supply chain and;
• an over reliance on relational trust between a supplier and customer.

With these an attacker may be able to access business systems and networks by gaining access at any point in the supply chain network.

Failure to appropriately assess and manage the supply chain has had, on occasion, dramatic impacts for companies in recent years. 

For Guernsey, information security and user awareness programmes are stipulated within the GFSC Cyber Security Rules and have been in place for a year (compliance by 9 August 2021 was mandated under the transitional arrangements of the Rules). Although not specific to Guernsey, we were surprised to find that in 2022, our research indicated that a small number of firms were still in the process of developing procedural documentation and awareness programmes.

Establishing a policy framework can be readily done by applying a suitable framework, for Guernsey this would be NIST, ISO27001 or Cyber Essentials. Additionally, user awareness training can be rolled out both expediently and efficiently, in a variety of formats, tailored or generic, both in-person and or virtually, with optional (but advised) phishing exercises included. 

Following the introduction of the GFSC Cyber Security Rules and as the technology landscape transitions, it is imperative that Boards of regulated entities ensure proactive and effective risk governance, with control measures that are both in-place and can be demonstrated to relevant stakeholders, including regulators.

At KPMG we recognise the challenges being faced by Boards and IT teams and our experienced advisory professionals are perfectly placed to work with local firms to help navigate the regulatory and cyber security landscape. To find out more, contact Bryan Beesley, Head of Digital at KPMG in the Crown Dependencies, on bbeesley@kpmg.co.im or Arthur Mainja, IT Audit Associate Director, on amainja@kpmg.com.