Security and data protection related incidents

Authority: Isle of Man Financial Services Authority
Date received: 2019-03-25
Outcome: Not required to fulfill request
Outcome date: 2019-04-12
Case ID: 773865

Summary

The requester asked for a breakdown of security and data protection incidents reported to the Isle of Man Financial Services Authority since 2015, but the Authority refused the request due to the substantial effort required to collate non-centralized data and lack of reporting obligations for certain sectors prior to 2019. However, the Authority voluntarily disclosed that 13 cyber-security incidents were reported in 2018 with no recorded losses.

Key Facts

  • The Authority is not required to fulfill the request because compiling the data would involve substantial effort searching individual entity records.
  • Entities regulated under the Financial Services Act 2008 must report material failures and losses under rule 8.20 of the Financial Services Rule Book; a comparable obligation for insurers (paragraph 74 of the Corporate Governance Code of Practice for Commercial Insurers) only took effect in 2019.
  • There are no specific reporting requirements for non-material matters or for entities under the Retirement Benefits Schemes Act 2000.
  • Data is not held centrally but is filed by individual entity or group across approximately 430 regulated entities.
  • The Authority voluntarily provided data showing 13 cyber-security incidents (including phishing and denial of service) were reported in 2018 with no losses sustained.

Data Disclosed

  • 2019-03-25 (date request received)
  • 2019-04-12 (date of response)
  • 2015 (first year covered by the request)
  • 2018 (year for which cyber-security incident data was provided)
  • 2008 (Financial Services Act 2008; Insurance Act 2008)
  • 2000 (Retirement Benefits Schemes Act 2000)
  • 13 incidents (cyber-security incidents reported in 2018)
  • 200 entities (regulated under the Financial Services Act 2008)
  • 180 entities (regulated under the Insurance Act 2008)
  • 50 entities (regulated under the Retirement Benefits Schemes Act 2000)
  • 773865 (case reference)

Exemptions Cited

  • Substantial compilation or collation of information (not required to do under the Act)
  • Information not held by the Authority

Original Request

Please provide the total number of security and data protection related incidents which were reported to the Isle of Man Financial Services Authority, broken down by year since 2015. I am seeking information about entities regulated by the Isle of Man FSA, which have been reported to the Authority. In terms of the nature of security incidents, I am seeking all types of security incidents. These could be, but are not limited to, IT-related security incidents, such as instances of unauthorised access to entities' IT systems or failure to maintain adequate physical security of client records.

Data Tables (1)

Full Response Text

Isle of Man Financial Services Authority PO Box 58, Finch Hill House, Bucks Road, Douglas, Isle of Man, IM99 1DT Tel: +44 (0)1624 646000 Website: www.iomfsa.im

Our ref: 773865 12 April 2019

Dear ###

This request is being handled under the Freedom of Information Act 2015.

We write further to your request which was received on 25 March 2019 and which states:

"Please provide the total number of security and data protection related incidents which were reported to the Isle of Man Financial Services Authority, broken down by year since 2015. I am seeking information about entities regulated by the Isle of Man FSA, which have been reported to the Authority. In terms of the nature of security incidents, I am seeking all types of security incidents. These could be, but are not limited to, IT-related security incidents, such as instances of unauthorised access to entities' IT systems or failure to maintain adequate physical security of client records."

While our aim is to provide information whenever possible, in this instance, complying with your request for information would require the Isle of Man Financial Services Authority (‘the Authority’) to undertake substantial compilation or collation of information that it holds, which the Authority is not required to do under the Act. In addition, some of the information that you seek is not held by the Authority. Therefore, the Isle of Man Financial Services Authority is not obliged to comply with your request.

The reason that some information is not held and that other information would require substantial effort to collate is due to: (a) the statutory reporting requirements and (b) the way in which that information is held, as follows:

  • Entities regulated under the Financial Services Act 2008 [1] are required by rule 8.20 of the Financial Services Rule Book to report material failures and losses.
  • Entities regulated by the Authority under the Insurance Act 2008 [2] have been subject to similar reporting requirements from this year, in paragraph 74 of the Corporate Governance Code of Practice for Commercial Insurers [3]. There was no reporting obligation of this specific nature for regulated insurance entities before 2019.
  • There are currently no reporting requirements of this specific nature for entities regulated by the Authority under the Retirement Benefits Schemes Act 2000.

There is no requirement for regulated entities to report non-material matters because this may be a disproportionate burden on both the regulated entities and on the Authority.

Additionally, in respect of each regulated sector, the information reported to the Authority is not held centrally, but instead is filed by entity/group, so a search of each entity/group’s records would be required in order to collate the data. There are around 200 entities that are regulated under the Financial Services Act 2008; 180 entities that are regulated under the Insurance Act 2008; and 50 entities that are regulated by the Authority under the Retirement Benefits Schemes Act 2000 [4].

As a result, we cannot provide all the information that you seek. However, as part of other work undertaken by the Authority, we collected and are able to provide you with some data on cyber-security incidents in regulated entities that were reported to the Authority in respect of 2018, as follows: 13 incidents were reported, which included “phishing” and denial of service. We have no record that any losses were sustained as a result of these incidents.

Please note that under the Data Protection Act 2018 entities are obliged to report certain data protection incidents to the Isle of Man’s Information Commissioner [5]. Therefore, you may also wish to contact that body for information.

Please quote the reference number 773865 in any future communications.

[1] All classes specified in the Regulated Activities Order to which the Financial Services Rule Book applies. Financial Services Act 2008: https://www.legislation.gov.im/cms/images/LEGISLATION/PRINCIPAL/2008/2008-0008/FinancialServicesAct2008_15.pdf
[2] Insurance Act 2008: https://www.legislation.gov.im/cms/images/LEGISLATION/PRINCIPAL/2008/2008-0016/InsuranceAct2008_12.pdf
[3] Corporate Governance Code of Practice for Commercial Insurers: https://www.iomfsa.im/media/2521/corporategovernancecodeofpracticeforcommercialinsurers.pdf
[4] Retirement Benefits Schemes Act 2000: https://www.legislation.gov.im/cms/images/LEGISLATION/PRINCIPAL/2000/2000-0014/RetirementBenefitSchemesAct2000_5.pdf
[5] Information Commissioner: https://www.inforights.im/

Your right to request a review

If you are unhappy with this response to your freedom of information request, you may ask us to carry out an internal review of the response, by completing a complaint form and submitting it electronically or by delivery/post.

An electronic version of our complaint form can be found by going to our website at https://services.gov.im/freedom-of-information/Review . If you would like a paper version of our complaint form to be sent to you by post, please contact me and I will be happy to arrange for this. Your review request should explain why you are dissatisfied with this response, and should be made as soon as practicable. We will respond as soon as the review has been concluded.

If you are not satisfied with the result of the review, you then have the right to appeal to the Information Commissioner for a decision on:

  1. Whether we have responded to your request for information in accordance with Part 2 of the Freedom of Information Act 2015; or
  2. Whether we are justified in refusing to give you the information requested.

In response to an application for review, the Information Commissioner may, at any time, attempt to resolve a matter by negotiation, conciliation, mediation or another form of alternative dispute resolution and will have regard to any outcome of this in making any subsequent decision. More detailed information on your right to a review can be found on the Information Commissioner’s website at www.inforights.im.

Should you have any queries concerning this letter, please do not hesitate to contact me. Further information about freedom of information requests can be found at www.gov.im/foi.

I will now close your request as of this date.

Yours sincerely