Tighten cyber security, trust experts tell firms

The comments during the STEP conference were made in the context of the so-called Paradise Papers exposed in this week’s BBC Panorama programmes.

Panellists also referred to a recent cyber security survey carried out by the Jersey Financial Services Commission, which found that a third of 129 firms that responded did not have a cyber incident plan in place.

Law firm Appleby, which has offices on the Esplanade, last month sent out a news alert advising of a ‘data security incident last year’, during which some data was compromised.

However, global head of communications Lynne Capie has since confirmed that there was ‘no definitive evidence from the forensic investigation that any data on our Jersey server had been compromised’.

At the conference, STEP Jersey chairman Naomi Rive suggested that regardless of whether the breach occurred in another jurisdiction, all offshore jurisdictions were likely to be ‘tarred with the same brush’ in national media reports. ‘Nobody listens to reason when you try to put forward a rational perspective,’ said Mrs Rive.

She added that although the JFSC survey showed that 70% of boards now signed off their firm’s cyber security policy as a core business function, Jersey was a ‘friendly and trusting jurisdiction’ and this was an area that the trust sector needed to focus on. ‘We cannot just bury our heads in the sand,’ she said.

Panel member Tom Cowsill, until recently head of technical at Jersey Finance, said the survey showed there had been some local progress in cyber security, notably with 94% of banks now assessing their approach against a published standard, compared to 80% in 2011, when the previous review was carried out. However, with 32% of firms questioned still without a cyber response plan, there was more to do, he suggested.

The JFSC survey also found:

  • 63% of firms do not have a dedicated cyber-security insurance policy.
  • 40% do not include cyber-security incidents in their disaster recovery arrangements.
  • 57% of organisations consider contractors/consultants/temp workers to pose the biggest insider threat.
  • 43% of firms provide guidance to external users on cyber-security practice.

In one case study cited in the survey, a hacker using an employee’s username and password gained remote access to the group systems and obtained log-in details for an account with administrative privileges. The hacker had access to the group’s worldwide network and servers for up to five months prior to detection.

‘The survey results would appear to suggest that a significant proportion of firms still have further room for development in order to be cyber-resilient,’ the report concludes.
