
Isle of Man regulator produces compendium of cyber-guidance

Chris Hamblin, Editor, London, 20 December 2016

Without modifying any existing requirements or imposing any additional obligations on regulated entities, the Isle of Man's Financial Services Authority has published a compendium of guidance on the subject of cyber-security.

The FSA is at pains to point out that "the guidance is not law, however it is persuasive [because] where a person follows guidance this would tend to indicate compliance with associated legislative provisions, and vice versa."

The document refers to hacking (including password cracking, Trojan horses and key loggers), phishing, malware (malicious software such as encryption/lockscreen ransomware) including viruses, worms, adware and spyware, and denial-of-service attacks. It is full of the regulator's expectations and opinions about the nature of 'good practice' and contains sanitised case-studies.

Regardless of regulatory requirements, the FSA says that it expects regulated entities to notify it promptly of any serious or significant incident involving data loss, financial loss, disruption to services or denial-of-service-type attacks.

The isle's regulators are all too well aware of the recent cybercrime on the English mainland at Tesco Bank, which the Westminster Treasury Select Committee thought was 'unprecedented.' Instead of locking the bank out of its own systems or stopping people from obtaining access to their accounts for a while, the hackers stole something from one in seven out of 140,000-odd accounts. The institution reinstated the lost monies swiftly, but this was not by any means the heart of the Financial Conduct Authority's concern. Instead, the regulator was worried about broader threats and went so far as to involve GCHQ, the UK's online spy centre which is notorious for committing cybercrimes itself.
