Financial Services


Financial services organisations are an attractive target for cyber attackers.

These organisations hold data about hundreds of clients. This includes financial data, personal information and copies of identity and address documents. Even if an attacker targeted just one business, they could gain access to a lot of information. A successful attack would likely lead to a significant loss of revenue for that business.

This could be devastating for that business, but it could also affect the Island more generally. The clients and staff of financial organisations rely on a range of services. This includes professional and personal services from a range of local businesses. If the financial services industry contracts, it will affect these service providers and, in turn, the Island’s economy.

We’re here to offer information, advice and support. For more information, contact us, or check our Advice and Guidance page for the latest information.

How a cyber attack could affect your financial services organisation

A cyber attack could affect your financial services organisation in many ways. How it affects you will depend on the type of attack, and what the attackers have managed to access.

This page gives examples of some of the issues you might face.

Access to basic functions

Many of your organisation's basic functions depend on trusted IT systems and a working internet connection. If your staff use online tools in the course of their work, they might not be able to access them after a cyber attack. This includes online banking, payment and transaction systems, and Customer Relationship Management (CRM) systems.

In some cases you might be able to find offline alternatives. But you will likely experience a drop in productivity if you rely on these alternatives. In other cases, offline alternatives may not be available. This means that some staff may not be able to perform their core functions.

Loss of communication with clients

Depending on the nature of the attack, you could lose access to your email and your CRM. This would leave you unable to speak with clients about your day-to-day business. An attack could also affect your website or social media channels.

Taken together, this would mean that you have no way of informing clients about the attack. You will also have no way of reassuring them about the scale of the attack, or the work you’re doing to respond to it.

A key part of responding to a cyber attack is communication: silence is likely to cause unease, and even distrust, among your clients.

Reputational damage

The financial services sector is successful because clients trust organisations, and the Island. Your reputation is built on the trust clients have in your staff and your organisation.

A cyber attack could damage your reputation long after it’s dealt with. This will depend on the cause of the attack, the scale of the attack, and how you respond. But it is very likely that this reputational damage will have a longer-term effect on your income.

Staff impacts

A successful cyber attack will mean that staff will have to adapt and change how they do their job. This is likely to cause a short term loss of productivity.

If the attack affects your HR or payroll systems, you may be unable to pay staff salaries on time.


How to protect your financial services organisation

Cyber criminals are always developing new techniques and approaches. This means there is no way to guarantee that your financial services organisation is safe from every cyber attack.

However, there are several steps you can take to reduce how likely you are to become a victim.

Backup important information

  • Identify which information is critical and make sure that you have a segregated backup: a copy that an attacker who gets into your live systems cannot reach. This backup can be online, for example through a cloud-based service that uses separate credentials from your main systems. It can also be offline: on a USB stick, an external hard drive, or a computer which is not connected to the internet. Keep offline media disconnected except while a backup is running, otherwise ransomware that reaches your network can encrypt the backup as well.
  • Schedule regular backups of your data. This will mean that you have access to the most recent version of your critical information, and limits how much work you lose if you have to restore.
  • Test your backups regularly by restoring them. This will tell you whether the backups are working and complete. It will also mean that you understand how to recover the information, and how long it takes, if you need to.
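The three steps above, as an added worked example (this is not JCSC's tooling or code from the page): a Python script that backs up a folder to a checksummed archive and then runs the restore test the last step calls for, including the failure case where the archive has been corrupted after it was written. The folder and file names are assumptions, and the sample client data in demo() is constructed for illustration.

```python
"""Added example, not JCSC's own tooling: back up a directory to a
timestamped tar.gz, record its SHA-256 beside it, and run a restore test
that re-hashes the archive, unpacks it into a scratch directory and compares
every file with the live copy. Paths are parameters; the client data in
demo() is constructed here for illustration (assumption: a real deployment
points src at its own critical data and dest at segregated storage)."""
import filecmp
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest: Path) -> Path:
    """Archive `src` under `dest` as <name>-<UTC stamp>.tar.gz plus a .sha256 file."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
    archive = dest / f"{src.name}-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=src.name)
    # The checksum lets a later restore test detect bit-rot or tampering.
    archive.with_name(archive.name + ".sha256").write_text(sha256_of(archive) + "\n")
    return archive


def _trees_match(live: Path, restored: Path) -> bool:
    """Recursive comparison by content (shallow=False), not just by file name."""
    cmp = filecmp.dircmp(str(live), str(restored))
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    _, mismatch, errors = filecmp.cmpfiles(str(live), str(restored), cmp.common_files, shallow=False)
    if mismatch or errors:
        return False
    return all(_trees_match(live / d, restored / d) for d in cmp.common_dirs)


def verify_backup(archive: Path, src: Path) -> bool:
    """Restore test: the archive must match its checksum and unpack to a tree equal to `src`."""
    recorded = archive.with_name(archive.name + ".sha256").read_text().strip()
    if sha256_of(archive) != recorded:
        return False  # corrupted or tampered with since it was written
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # On Python 3.12+ (and patched 3.8-3.11) the "data" filter refuses
            # absolute paths and ".." members, so a tampered archive cannot
            # write outside the scratch directory during the test.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        return _trees_match(src, Path(scratch) / src.name)


def demo() -> bool:
    """Constructed sample: back up a client folder, pass the restore test,
    then corrupt the archive and confirm the restore test fails."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clients = root / "clients"
        (clients / "scans").mkdir(parents=True)
        (clients / "ledger.csv").write_text("client,balance\nA1,100\nB2,250\n")
        (clients / "scans" / "id-A1.txt").write_text("passport scan placeholder\n")
        archive = make_backup(clients, root / "backups")
        good = verify_backup(archive, clients)
        with archive.open("ab") as fh:  # simulate bit-rot or tampering
            fh.write(b"\x00")
        bad = verify_backup(archive, clients)
        return good and not bad


if __name__ == "__main__":
    print("restore test passed and corruption was detected" if demo() else "FAILED")
```

Run the restore test on a schedule, not only at the moment the backup is taken, and keep the .sha256 file with the archive on the segregated store so the check is made against the copy an attacker could not reach.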

Keep your devices and software up to date

  • You should update all your IT devices and software regularly. This process is called patching: the developer has identified security issues and fixed them, but the fix only protects you once it is installed. Turn on automatic updates where they are available.
  • We recommend that you aim to install patches no more than 14 days after they're released by the developer. Replace devices and software that no longer receive security updates.

Protect against malware

Malware is software designed to damage or disrupt your systems, or to gain unauthorised access to them.

  • You should install antivirus software and firewalls on all devices. This includes any personal devices that staff use as part of their work.
  • Antivirus software detects and removes known malicious software. Keep it updated so that it recognises recent threats.
  • Firewalls control which network traffic is allowed between your devices or network and external networks.

Use strong passwords

  • Turn on password protection wherever it is available: this includes your devices and the services you use.
  • Make sure that all staff are using strong passwords, and a different password for each work account. The National Cyber Security Centre (NCSC) suggests combining three random words.
  • Use extra protection, including 2-step verification (also called multi-factor authentication), wherever it is available, and in particular on email, banking and remote access accounts. You can find more guidance on this via the National Cyber Security Centre (NCSC).

Be wary of phishing attacks

  • Cyber attackers use phishing as a way into a system or network. They will often send an email that tricks a user into clicking a link or opening an attachment. The link usually leads to a fake login page that captures the user's credentials; the attachment usually carries malware.
  • Ensure that staff are aware of this risk, that they remain vigilant, and that they know how to report a suspicious message quickly so that colleagues can be warned.
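Added example, not code from the page or from JCSC: a first-pass triage that checks the indicators described above on a constructed phishing-style message (a look-alike sender domain, a mismatched Reply-To, failed SPF/DKIM/DMARC results, a link to an external host and an executable attachment) and on a constructed clean message. The protected domain, both sample messages and the list of risky file types are assumptions to adapt to your own environment.

```python
"""Added example, not JCSC's own tooling: first-pass triage of an email's
headers, links and attachments for the signs a phishing message commonly
shows. Assumptions: PROTECTED_DOMAIN stands in for your own mail domain,
and the sample messages are constructed here, not real emails."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List
from urllib.parse import urlsplit

PROTECTED_DOMAIN = "example-trust.je"  # assumption: replace with your own domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".html"}

# Substitutions attackers use to build look-alike domains ("examp1e" for "example").
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _skeleton(domain: str) -> str:
    """Normalise a domain so look-alikes collapse onto the genuine spelling."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def _domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ("" if none)."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _trusted_host(host: str) -> bool:
    return host == PROTECTED_DOMAIN or host.endswith("." + PROTECTED_DOMAIN)


def triage(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if from_dom != PROTECTED_DOMAIN and _skeleton(from_dom) == _skeleton(PROTECTED_DOMAIN):
        findings.append(f"From domain {from_dom} is a look-alike of {PROTECTED_DOMAIN}")

    # Authentication-Results is written by your own mail gateway and records
    # whether SPF, DKIM and DMARC actually passed for this message.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        found = re.search(rf"\b{mech}=(\w+)", auth)
        if found and found.group(1) != "pass":
            findings.append(f"{mech.upper()} result is '{found.group(1)}'")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlsplit(url).hostname or "").lower()
        if not _trusted_host(host):
            findings.append(f"Link points to external host {host}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"Attachment {name} is an executable or script type")
    return findings


def sample_phish() -> str:
    """Constructed phishing-style message for the demo (not a real email)."""
    m = EmailMessage()
    m["From"] = "Finance Team <payments@examp1e-trust.je>"
    m["Reply-To"] = "payments@mail-relay-4821.example.net"
    m["To"] = "ops@example-trust.je"
    m["Subject"] = "Urgent: confirm client transfer"
    m["Authentication-Results"] = "mx.example-trust.je; spf=fail smtp.mailfrom=examp1e-trust.je; dkim=none; dmarc=fail"
    m.set_content("Please review the attached transfer and sign in at\nhttps://login.examp1e-trust.je/verify\n")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="transfer_details.exe")
    return m.as_string()


def sample_clean() -> str:
    """Constructed internal message that should produce no findings."""
    m = EmailMessage()
    m["From"] = "ops@example-trust.je"
    m["To"] = "finance@example-trust.je"
    m["Subject"] = "Weekly reconciliation"
    m["Authentication-Results"] = "mx.example-trust.je; spf=pass; dkim=pass; dmarc=pass"
    m.set_content("Reconciliation is complete; figures are at\nhttps://files.example-trust.je/recon\n")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(sample_phish()):
        print("-", finding)
    print("clean message findings:", triage(sample_clean()))
```

The Authentication-Results check is only meaningful if your own mail gateway strips any copy of that header arriving from outside before adding its own; otherwise an attacker can simply forge a passing result.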

Have a plan

  • Developing and testing an incident response plan won't prevent a cyber attack. But if you have one, it'll help you respond if you do experience an attack.
  • An incident response plan sets out what you would do in the event of a cyber attack. This includes who will make decisions, how you can contact them (including out of hours and without relying on your normal email), and what process you will follow.
  • The plan should also set out when to seek legal or HR support, and who you need to notify (see Reporting an Incident below).
  • You can find more information about incident response plans via the UK's National Cyber Security Centre (NCSC).

Cyber Essentials

Cyber Essentials aims to protect organisations against a range of cyber attacks. The scheme is backed by the UK Government and is available in Jersey.

Cyber Essentials is a certification scheme. To be certified, you need to have basic cyber security measures in place. This scheme focuses on preventing the most common types of cyber attacks. These attacks are usually targeted at organisations that have no basic protections.

Once you've introduced these measures, you can become certified. There are two levels of certification.

Cyber Essentials (CE). To reach this level, you complete a self-assessment questionnaire, which is reviewed by a certification body. The process is easy to follow so that even small organisations can take part. This level of certification costs from £320 (from 2nd April 2024).

Cyber Essentials Plus (CE+). This level builds on CE: the same controls are checked by an assessor through independent technical testing of your systems. We recommend this certification if your organisation uses technology to deliver your service. We also recommend it for organisations that process confidential data. What you pay for CE+ will depend on how big your organisation is.

Find out more about on-Island providers of Cyber Essentials.


Jersey Cyber Shield

Jersey Cyber Shield is a free service offered by JCSC for organisations. We have designed it to give you extra protection by working with the security measures you already have in place.

We use four methods to find security weaknesses which an attacker could target. If we find weaknesses, we tell you what they are so that you can address them.

Jersey Cyber Shield is suitable for different sizes of organisation and is free to join. (There are some optional elements which are more complex. Because of this, we may need to request a contribution if you want access to these services.)

You can find out more about Jersey Cyber Shield on this page.


National Institute of Standards and Technology (NIST) Cyber Security Framework

NIST's Cyber Security Framework helps organisations manage cyber security risks. The framework is organised around core functions (Identify, Protect, Detect, Respond and Recover, with Govern added in version 2.0) which, used together, help you manage risks over time.

The Framework is completely voluntary and is designed to guide how you approach cyber security. It does not set out a fixed list of steps to follow, but gives an outline of the things you need to consider. It gives guidance on the types of controls you can put in place, and the practices you can adopt.

The full Framework is published on NIST's website, along with Quick Start Guides for different types of organisation.


International Organisation for Standardisation (ISO) Guidelines

The International Organisation for Standardisation (ISO) publishes standards and guidelines that set out best practice on a range of topics. They are written flexibly so that organisations of different sizes can use them.

There are two ISO/IEC publications that can help you improve cyber security in your financial services organisation. You should review which is most relevant to you. It may be that a combination of the two is most useful.

ISO/IEC 27032:2023 is a set of guidelines for any organisation which uses the internet as part of its day-to-day work. ISO/IEC 27032:2023 includes guidance on:

  • the links between internet security, web security, network security and cyber security
  • how to address common internet security issues
  • how to work with your stakeholders to resolve cyber security issues

ISO/IEC 27001:2022 is a certifiable standard for organisations of any size that own or manage data as part of their day-to-day work. ISO/IEC 27001:2022 sets out:

  • how to assess risks and select controls covering people, policies, physical security and technology
  • how to establish, operate and improve an Information Security Management System (ISMS)
  • how to develop the policies, procedures and controls that form part of your ISMS

Please note that the standards are updated from time to time to reflect the latest practice; check that you are working from the current edition.


Useful resources

If you need more information about cyber security, your IT provider should be your first contact.

The UK's National Cyber Security Centre (NCSC) has produced advice and guidance that can support you.

You can also find more information and guidance on our website.


Reporting an Incident

Who you need to contact will depend on the type of attack you experience.

Jersey Financial Services Commission (JFSC). Registered persons are required to disclose information about cyber security incidents. A full list of the reporting requirements is available via the JFSC website.

The States of Jersey Police (SoJP). You should contact the SoJP where a crime has taken place, or if you suspect that a crime has taken place. They have the ability to handle digital forensic investigations. More information on how to report a crime is available via the SoJP website.

Jersey Office of the Information Commissioner (JOIC). You should report the incident to JOIC if the cyber attack has led to a personal data breach. You can find more information on when and how to report a breach via the JOIC website.

Action Fraud. Action Fraud is the UK reporting centre for fraud and cybercrime. You can make a report via the Action Fraud website.

Although you aren't legally required to do so, you can also report an incident to us.

If you experience a major cyber security incident and report it to us, we can help you in several ways. We can provide technical advice and guidance to help you respond. We can also use our access to intelligence and expertise to help inform how you respond.

In some circumstances, we can provide direct technical support, and help you communicate.

Find out more about how we can help.