
ASK MAT – I have been appointed as a Cyber Incident Officer at a JFSC-regulated firm. What do I need to know?
23/09/2025
MAT SAYS – Congratulations! In the first instance, consider creating a training plan (Comsure can assist with this). In the meantime, I would like to offer the following thoughts.
Firstly, set up a Policy Statement for the Jersey Cyber Incident Officer (Financial Services Firm, JFSC-Regulated).
POLICY EXAMPLE
Here’s a DRAFT EXAMPLE policy statement for a Jersey Cyber Incident Officer at a JFSC-regulated financial services firm, explicitly referencing the Jersey Cyber Security Centre (JCSC), reporting, and the Jersey Cyber Incident Classification Guide, along with JFSC responsibilities.
Introduction: Policy Statement for the Jersey Cyber Incident Officer (JFSC-Regulated Financial Services Firm)
- As a regulated financial services firm in Jersey, we are committed to maintaining the highest standards of cyber resilience and regulatory compliance.
- In recognition of the evolving cyber threat landscape and the requirements set by the Jersey Financial Services Commission (JFSC), this policy establishes the role and responsibilities of the Cyber Incident Officer.
- The Cyber Incident Officer is responsible for leading the firm’s response to cyber incidents, ensuring that all incidents are identified, classified, and managed in accordance with the Jersey Cyber Security Centre (JCSC) Jersey Cyber Incident Classification Guide.
- The JCSC acts as a trusted advisor, providing technical support and intelligence to help mitigate risks to the firm, its clients, and the wider Jersey community.
- The JCSC guide provides a structured approach to assessing the severity and impact of cyber incidents, ensuring consistent and effective escalation and response.
- In line with best practice and regulatory expectations, the Cyber Incident Officer will:
  - Coordinate the reporting of significant incidents, specifically those classified as Category 4 or above, to the JCSC.
  - Ensure that all relevant notifications are also made to:
    - the JFSC,
    - the Jersey Office of the Information Commissioner (JOIC), if personally identifiable data is involved in an incident, and
    - other authorities as required by law.
- This policy underlines our commitment to:
  - Protecting client, employee and business data and assets,
  - Minimising the impact of cyber incidents,
  - Fostering a culture of cyber awareness, and
  - Ensuring timely and transparent communication with regulators and the JCSC.
The Jersey Cyber Incident Classification Guide
The Jersey Cyber Incident Classification Guide is a framework used by the Jersey Cyber Security Centre (JCSC) to assess and categorise the severity of cyber incidents affecting organisations in Jersey.
Here’s what you need to know:
Purpose and Use:
- The guide helps classify incidents based on their potential impact on the Island, the community, and specific organisations.
- It is used to determine how significant an incident is and what level of response or support may be needed from the JCSC.
How Incidents Are Classified:
- Incidents are categorised from Category 1 (least severe) to Category 5 (most severe).
- Category 4 or higher incidents are considered significant and should be reported to the JCSC.
  - These are incidents that pose a risk to customers, employees, suppliers, or public services in Jersey.
- The classification considers factors such as:
  - The number of people or organisations affected.
  - The type of data or systems compromised.
  - The potential for disruption to essential services.
  - The likelihood of the incident spreading or escalating.
Reporting and Support
- Reporting to JCSC is voluntary (unless you are an Operator of Essential Services, in which case new laws may require reporting within 24 hours).
- The JCSC acts as a “critical friend” and trusted advisor, not a compliance authority.
- Reporting helps JCSC provide technical advice, share intelligence, and issue warnings to protect others.
- Information shared with JCSC is treated confidentially and is not shared with regulators or law enforcement unless there is a clear public interest or national security concern.
Operational vs. Regulatory Reporting
- Operational reporting to JCSC is quick, factual, and designed to help the community respond to threats.
- Regulatory reporting (e.g., to JFSC, JCRA, or JOIC) is formal, legal, and often slower, with specific requirements for content and timing.
- Embedding JCSC reporting into your incident management process is encouraged for timely support.
Where to Find the Guide
- The full Jersey Cyber Incident Classification Matrix (PDF): https://cms.jcsc.je/wp-content/uploads/2024/04/Incident-Classification-Matrix-1.pdf
Jersey Cyber Incident Classification Guide categories, and advice on how to embed it into your incident response process
Here is a summary of the Jersey Cyber Incident Classification Guide categories, followed by advice on how to embed it into your incident response process.
Jersey Cyber Incident Classification Categories
The guide classifies incidents from Category 1 (least severe) to Category 5 (most severe):
Category 1 – Minor Incident
- Minimal impact.
- No data loss or service disruption.
- Handled internally without external support.
Category 2 – Low Impact
- Affects a small number of users or systems.
- Limited data exposure.
- May require internal escalation but no external reporting.
Category 3 – Moderate Impact
- Noticeable disruption to operations.
- Sensitive data may be at risk.
- Could affect customer trust or reputation.
- Consider notifying JCSC if there's potential for escalation.
Category 4 – Significant Incident
- Affects multiple systems or departments.
- Confirmed data breach or service outage.
- Risk to customers, suppliers, or public services.
- Must be reported to JCSC.
Category 5 – Critical/National Impact
- Major disruption to essential services or infrastructure.
- Large-scale data breach or ransomware.
- National security or public safety risk.
- Immediate coordination with JCSC and possibly law enforcement.
Embedding the Classification Guide into Your Incident Response Process
Here’s how to integrate it effectively:
1. Update Your Incident Response Policy
- Include the classification matrix as part of your incident severity assessment.
- Define clear thresholds for escalation based on category.
2. Train Your Team
- Ensure staff understand how to assess and classify incidents.
- Use real-world examples to practice categorisation.
3. Automate Initial Classification
- Use your SIEM or incident management system to flag incidents based on impact indicators (e.g., number of affected users, data types involved).
4. Establish Reporting Protocols
- For Category 4+, define a process to notify JCSC promptly.
- Include contact details and reporting templates in your playbooks.
5. Coordinate with Regulators
- Align classification with regulatory reporting (e.g., JOIC for data breaches, JFSC for operational disruptions).
- Use the classification to prioritise which incidents require formal notification.
6. Review and Improve
- After each incident, review the classification and response.
- Update your matrix usage based on lessons learned.
Incident Response Policy Template
This Incident Response Policy outlines the procedures and responsibilities for identifying, classifying, responding to, and reporting cyber incidents that affect the organisation.
It incorporates the Jersey Cyber Incident Classification Guide to ensure consistent and effective incident management.
1. Objectives
- Ensure timely detection and response to cyber incidents.
- Minimise impact on operations, data, and reputation.
- Comply with Jersey Cyber Security Centre (JCSC) guidance and regulatory requirements.
- Facilitate continuous improvement of incident response capabilities.
2. Roles and Responsibilities
- Incident Response Team (IRT): Lead investigation and resolution.
- IT Department: Provide technical support and containment.
- Compliance Officer: Coordinate regulatory reporting.
- Communications Team: Manage internal and external communications.
3. Incident Classification (JCSC Guide)
Incidents are classified from Category 1 (least severe) to Category 5 (most severe):
- Category 1: Minor incident, no data loss or disruption.
- Category 2: Low impact, limited exposure.
- Category 3: Moderate impact, potential reputational risk.
- Category 4: Significant incident, confirmed breach or outage (report to JCSC).
- Category 5: Critical incident, national impact or public safety risk.
4. Incident Response Workflow
The following flowchart outlines the steps for assessing and escalating incidents:
1. Detect incident → 2. Assess severity → 3. Classify using the JCSC guide →
4. Contain and mitigate → 5. Notify JCSC (Category 4+) → 6. Report to other regulators →
7. Recover systems → 8. Review and improve
5. Reporting Protocols
- Category 4 and 5 incidents must be reported to JCSC promptly.
- Regulatory bodies (e.g., JOIC, JFSC) must be notified as per legal requirements.
- Use standardised templates for incident reporting.
6. Review and Improvement
- Conduct post-incident reviews.
- Update classification and response procedures.
- Train staff and test response plans regularly.
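The "Automate Initial Classification" step and the reporting protocols above, as an added Python example that is not part of the original post: it maps the impact indicators a SIEM or ticketing system might attach to an alert onto a Category 1 to 5 rating, using the category summaries on this page, and flags which bodies the playbook should raise for notification. The indicator names and the cut-off of 10 for "a small number of users" are this example's assumptions, not JCSC or JFSC values.

```python
from dataclasses import dataclass

# Impact indicators a SIEM or incident-management system might attach to an
# alert. Field names are this example's assumptions, not JCSC or JFSC terms.
@dataclass
class IncidentIndicators:
    affected_users: int = 0
    affected_systems: int = 0
    confirmed_breach: bool = False
    service_outage: bool = False
    essential_service_disruption: bool = False
    ransomware: bool = False
    public_safety_risk: bool = False
    sensitive_data_at_risk: bool = False
    personal_data_involved: bool = False
    escalation_likely: bool = False

SMALL_USER_COUNT = 10  # assumed cut-off for "a small number of users"

def classify(i: IncidentIndicators) -> int:
    """Return Category 1..5 following the category summaries above,
    checking the most severe criteria first."""
    if i.essential_service_disruption or i.public_safety_risk or i.ransomware:
        return 5  # Critical/national impact
    if i.confirmed_breach or i.service_outage or i.affected_systems > 1:
        return 4  # Significant: confirmed breach/outage or multiple systems
    if i.sensitive_data_at_risk or i.affected_users > SMALL_USER_COUNT:
        return 3  # Moderate: sensitive data at risk or noticeable disruption
    if i.affected_users > 0 or i.affected_systems == 1:
        return 2  # Low: small number of users or systems
    return 1      # Minor: handled internally

def notifications(i: IncidentIndicators, category: int) -> dict:
    """Which bodies the playbook should flag for notification. The Compliance
    Officer still confirms each legal requirement and deadline."""
    return {
        # Category 4+ must go to JCSC; Category 3 is considered if escalation is likely.
        "JCSC": category >= 4 or (category == 3 and i.escalation_likely),
        # JFSC for operational disruptions.
        "JFSC": i.service_outage or i.essential_service_disruption,
        # JOIC where personal data is involved in a breach or exposure.
        "JOIC": i.personal_data_involved and (i.confirmed_breach or i.sensitive_data_at_risk),
    }

def triage(i: IncidentIndicators) -> tuple:
    """Single call for a playbook step: (category, notification flags)."""
    category = classify(i)
    return category, notifications(i, category)
```

The output is a starting point for the "Assess severity" and "Classify" workflow steps; the Incident Response Team confirms the category before any notification is sent.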
SOURCES
- Managing A Cyber Security Incident | Jersey Cyber Security Centre - jcsc.je https://jcsc.je/about-jersey-cyber-security-centre/cyber-security-incident/
- JERSEY JCSC want to hear about your CYBER incidents “NOW” https://www.comsuregroup.com/news/jersey-jcsc-want-to-hear-about-your-cyber-incidents-now/