Case Study - Ravenscroft

Ravenscroft is an investment services group providing a range of investment services to both private and corporate clients. They have offices in Guernsey, Jersey, the Isle of Man, and the UK, with funds under management totalling ~£8.7bn. As such, cyber security and risk prevention are a high priority.

Independent gap analysis

Ravenscroft initially engaged CentricalCyber to perform an independent gap analysis against the Guernsey Financial Services Commission (GFSC) Cyber Security Rules (the ‘Rules’).

Ravenscroft chose us because we are an independent company and approach engagements from an objective, non-technical point of view. They understood that the questions and challenges we raise on a project are always framed around the information that company directors and senior management need when discussing cyber risk.

In a cybersecurity context, a gap analysis enables organisations to identify and address potential areas of vulnerability within their network and security controls. It shows what the organisation should be doing by comparing current practices against best practice. Through the analysis we highlighted a number of improvements that Ravenscroft should consider implementing in their cyber risk governance as well as in their existing cyber security policies and processes.

Benchmarking for change and success

The first step in a gap analysis is establishing a baseline, essentially a starting point or ‘benchmark’ from which to measure change and success. A thorough, structured assessment of the gaps in Ravenscroft’s cyber security (and any associated risks) allowed the work needed to close the gaps against the Rules to be prioritised.

We had already mapped the Rules against the National Institute of Standards and Technology (‘NIST’) Cybersecurity Framework and built the Rules into our specialist online assessment tool to make the process as straightforward as possible. This not only made carrying out the assessment simpler for us, but also made it easier for Ravenscroft to respond to our questions as the assessment progressed.

This gap analysis consisted of in-depth interviews with Ravenscroft (the Chief Operating Officer, Chief Risk Officer and Head of Information Systems), as well as engagement with their outsourced technology providers. We also completed a comprehensive review of key documents, including contracts, terms of reference, policies, and operational procedures.

Presented with the facts

Once the assessment data had been collated and analysed, we presented Ravenscroft with a detailed report. This report clearly highlighted the gaps identified, mapped against both the Rules and the NIST Cybersecurity Framework.

The report offered a jumping-off point for remedial action against the cybersecurity framework that was in place at the time. It provided a detailed analysis of the areas that needed further attention and that, once addressed, would close the majority of the gaps we had identified.

Don’t find fault, find a remedy

The logical next step was for Ravenscroft to close the gaps we identified in this initial analysis. We formed part of Ravenscroft’s delivery team for the remedial work.

Alongside the Ravenscroft team, we tracked progress through weekly project meetings with the project sponsor. This kept the lines of communication clear and ensured everyone was on the same page and on target to meet the project’s goals. Regular check-ins also ensured that Ravenscroft resolved all the gaps ahead of the regulatory deadline, as set out in the Rules.

The key items we helped Ravenscroft to deliver were:

  • A clear Cyber Risk Management Framework.

  • An asset register, with accompanying risk assessment.

  • Development of the management information required from the outsourced providers.

  • Creation of a Cyber Response and Recovery Plan.

  • Updated terms of reference for key committees, to include cyber risk.

  • Updated policies and procedures to align with best practice.

Independent oversight

CentricalCyber has been retained by Ravenscroft to provide ongoing, independent, cyber risk oversight. As part of our continuing work with Ravenscroft we review the monthly management information provided by their outsourced providers, discussing the information directly with the suppliers. From this information we prepare a monthly report and attend dedicated monthly cyber security committee meetings where cyber risks are reviewed in detail and discussed.

Compliant with regulations

Ravenscroft now has a Cyber Risk Management Framework in place that provides consistency and supports their decision making. It also includes all necessary risk assessments to highlight the key risk areas, and detailed management information to ensure clear visibility over their outsourced suppliers.

Critically, Ravenscroft now has a coherent Incident Response and Recovery Plan that acts as their playbook should they suffer a cyber incident in the future.

Through our cyber risk oversight service, we help Ravenscroft keep all these documents up to date and relevant. This also helps ensure that director-level oversight of cyber risk management exists - essentially, everyone who needs to be is ‘in the loop’ on cyber risk governance.

David McGall, Group Head of Governance, Risk & Compliance at Ravenscroft, said:

“At Ravenscroft we consider Cyber Security to be of the utmost importance and employ the highest standards and technologies to ensure that our clients’ data and service levels are stringently preserved.

Ahead of the implementation of the Guernsey Financial Services Commission’s (“GFSC”) Cyber Security Rules at the beginning of August 2021, we took the decision to appoint an independent expert to review our entire Cyber Risk Framework and to assist us with identifying any areas of potential weakness in our systems and controls.

After a detailed tender process with a number of providers, we engaged with CentricalCyber to carry out a gap analysis process and provide a report on any suggested remediation points. CentricalCyber followed a ‘top-down’ approach to this project and engaged effectively with our board members and senior managers so that they were able to fully understand the process and approve any required outcomes. I’m pleased to say that we continue to work with CentricalCyber and have ingrained their support into our whole approach to Cyber Security.”

Collaborations and partnerships

At CentricalCyber, we’re currently exploring how we can further work alongside other consulting firms, both in collaborations and partnerships, to assist with engagements relating to independent cyber risk assessments against the GFSC Rules.

We are aware that the GFSC has asked firms to obtain independent assurance that their policies and processes are aligned with the GFSC Cyber Security Rules, and with the inclusion of GFSC Rules in our assessment tool, we are fully geared up for such assessments.

Project Duration:

Gap analysis: 10 working days

Remediations: 3 months
