ASK MAT – I have been appointed as a Cyber Incident Officer at a JFSC-regulated firm. What do I need to know?

ASK MAT – I have been appointed as a Cyber Incident Officer at a JFSC-regulated firm. What do I need to know?

MAT SAYS – Congratulations! In the first instance, consider creating a training plan (Comsure can assist with this). In the meantime, I would like to offer the following thoughts.

Firstly, set up a Policy Statement for the Jersey Cyber Incident Officer (Financial Services Firm, JFSC-Regulated).

POLICY EXAMPLE

Here’s a DRAFT EXAMPLE policy statement for a Jersey Cyber Incident Officer at a JFSC-regulated financial services firm, explicitly referencing the Jersey Cyber Security Centre (JCSC), reporting, and the Jersey Cyber Incident Classification Guide, along with JFSC responsibilities.

Introduction: Policy Statement for the Jersey Cyber Incident Officer (JFSC-Regulated Financial Services Firm)

• As a regulated financial services firm in Jersey, we are committed to maintaining the highest standards of cyber resilience and regulatory compliance.
• In recognition of the evolving cyber threat landscape and the requirements set by the Jersey Financial Services Commission (JFSC), this policy establishes the role and responsibilities of the Cyber Incident Officer.
• The Cyber Incident Officer is responsible for leading the firm’s response to cyber incidents, ensuring that all incidents are identified, classified, and managed in accordance with the Jersey Cyber Security Centre (JCSC) Jersey Cyber Incident Classification Guide. 
  • The JCSC acts as a trusted advisor, providing technical support and intelligence to help mitigate risks to the firm, its clients, and the wider Jersey community.
  • The JSSC guide provides a structured approach to assessing the severity and impact of cyber incidents, ensuring consistent and effective escalation and response.
• In line with best practice and regulatory expectations, the Cyber Incident Officer will
  • Coordinate the reporting of significant incidents, specifically those classified as Category 4 or above, to the JCSC.
  • Also ensure that all relevant notifications are made to the:-
    • JFSC,
    • The Jersey Office of the Information Commissioner (JOIC)(if personal identifiable date is involved in an incident), and
    • Other authorities as required by law.
• This policy underlines our commitment to:
  • Protecting client, employee, business data and assets,
  • Minimising the impact of cyber incidents,
  • Fostering a culture of cyber awareness,
  • Ensuring timely and transparent communication with regulators and the JCSC,

The Jersey Cyber Incident Classification Guide

The Jersey Cyber Incident Classification Guide is a framework used by the Jersey Cyber Security Centre (JCSC) to assess and categorise the severity of cyber incidents affecting organisations in Jersey.

Here’s what you need to know:

Purpose and Use:

• The guide helps classify incidents based on their potential impact on the Island, the community, and specific organisations.
• It is used to determine how significant an incident is and what level of response or support may be needed from the JCSC.

How Incidents Are Classified:

• Incidents are categorised from
• Category 1 (least severe) to
• Category 5 (most severe).
• Category 4 or higher incidents are considered significant and should be reported to the JCSC.
• These are incidents that pose a risk to customers, employees, suppliers, or public services in Jersey.
• The classification considers factors such as:
• The number of people or organisations affected.
• The type of data or systems compromised.
• The potential for disruption to essential services.
• The likelihood of the incident spreading or escalating.

Reporting and Support

• Reporting to JCSC is voluntary (unless you are an Operator of Essential Services, in which case new laws may require reporting within 24 hours).
• The JCSC acts as a “critical friend” and trusted advisor, not a compliance authority.
• Reporting helps JCSC provide technical advice, share intelligence, and issue warnings to protect others.
• Information shared with JCSC is treated confidentially and is not shared with regulators or law enforcement unless there is a clear public interest or national security concern.

Operational vs. Regulatory Reporting

• Operational reporting to JCSC is quick, factual, and designed to help the community respond to threats.
• Regulatory reporting (e.g., to JFSC, JCRA, or JOIC) is formal, legal, and often slower, with specific requirements for content and timing.
• Embedding JCSC reporting into your incident management process is encouraged for timely support.

Where to Find the Guide

• The full Jersey Cyber Incident Classification Matrix can be found here (PDF)
• https://cms.jcsc.je/wp-content/uploads/2024/04/Incident-Classification-Matrix-1.pdf

Jersey Cyber Incident Classification Guide categories, + advice on how to embed it into your incident response process

Here is a summary of the Jersey Cyber Incident Classification Guide categories, followed by advice on how to embed it into your incident response process.

Jersey Cyber Incident Classification Categories

The guide classifies incidents from Category 1 (least severe) to Category 5 (most severe):

Category 1 – Minor Incident

• Minimal impact.
• No data loss or service disruption.
• Handled internally without external support.

Category 2 – Low Impact

• Affects a small number of users or systems.
• Limited data exposure.
• May require internal escalation but no external reporting.

Category 3 – Moderate Impact

• Noticeable disruption to operations.
• Sensitive data may be at risk.
• Could affect customer trust or reputation.
• Consider notifying JCSC if there's potential for escalation.

Category 4 – Significant Incident

• Affects multiple systems or departments.
• Confirmed data breach or service outage.
• Risk to customers, suppliers, or public services.
• Must be reported to JCSC.

Category 5 – Critical/National Impact

• Major disruption to essential services or infrastructure.
• Large-scale data breach or ransomware.
• National security or public safety risk.
• Immediate coordination with JCSC and possibly law enforcement.

Embedding the Classification Guide into Your Incident Response Process

Here’s how to integrate it effectively:

1. Update Your Incident Response Policy

• Include the classification matrix as part of your incident severity assessment.
• Define clear thresholds for escalation based on category.

2. Train Your Team

• Ensure staff understand how to assess and classify incidents.
• Use real-world examples to practice categorisation.

3. Automate Initial Classification

• Use your SIEM or incident management system to flag incidents based on impact indicators (e.g., number of affected users, data types involved).

4. Establish Reporting Protocols

• For Category 4+, define a process to notify JCSC promptly.
• Include contact details and reporting templates in your playbooks.

5. Coordinate with Regulators

• Align classification with regulatory reporting (e.g., JOIC for data breaches, JFSC for operational disruptions).
• Use the classification to prioritise which incidents require formal notification.

6. Review and Improve

• After each incident, review the classification and response.
• Update your matrix usage based on lessons learned.

Incident Response Policy Template

This Incident Response Policy outlines the procedures and responsibilities for identifying, classifying, responding to, and reporting cyber incidents that affect the organisation.

It incorporates the Jersey Cyber Incident Classification Guide to ensure consistent and effective incident management.

1. Objectives

• • Ensure timely detection and response to cyber incidents.
  • Minimise impact on operations, data, and reputation.
  • Comply with Jersey Cyber Security Centre (JCSC) guidance and regulatory requirements.
  • Facilitate continuous improvement of incident response capabilities.

2. Roles and Responsibilities:

• • Incident Response Team (IRT): Lead investigation and resolution.
  • IT Department: Provide technical support and containment.
  • Compliance Officer: Coordinate regulatory reporting.
  • Communications Team: Manage internal and external communications.

3. Incident Classification (JCSC Guide)

Incidents are classified from Category 1 (least severe) to Category 5 (most severe):

• • Category 1: Minor incident, no data loss or disruption.
  • Category 2: Low impact, limited exposure.
  • Category 3: Moderate impact, potential reputational risk.
  • Category 4: Significant incident, confirmed breach or outage (report to JCSC).
  • Category 5: Critical incident, national impact or public safety risk.

4. Incident Response Workflow

The following flowchart outlines the steps for assessing and escalating incidents:

1. Detect incident → 2. Assess severity → 3. Classify using the JCSC guide →
4. Contain and mitigate → 5. Notify JCSC (Category 4+) → 6. Report to other regulators →
7. Recover systems → 8. Review and improve

5. Reporting Protocols

• • Category 4 and 5 incidents must be reported to JCSC promptly.
  • Regulatory bodies (e.g., JOIC, JFSC) must be notified as per legal requirements.
  • Use standardised templates for incident reporting.

6. Review and Improvement

• • Conduct post-incident reviews.
  • Update classification and response procedures.
  • Train staff and test response plans regularly.

SOURCES

• Managing A Cyber Security Incident | Jersey Cyber Security Centre - jcsc.je https://jcsc.je/about-jersey-cyber-security-centre/cyber-security-incident/
•  JERSEY JCSC want to hear about your CYBER incidents “NOW” https://www.comsuregroup.com/news/jersey-jcsc-want-to-hear-about-your-cyber-incidents-now/