Jersey's new cyber security law targets “financial services” and other “essential services” [OES].
11/03/2024
Providers of banking and financial services and other industry sectors have been classified as Operators of Essential Services (OES) in the new draft Cyber Security (Jersey) Law, the White Paper for which was put out for consultation by the Government of Jersey on 4 March 2024 (the draft law).
- CONSULTATION https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/C%20Cyber%20Security%20Law%20Consultation%20March%202024.pdf
- DRAFT LAW https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/L%20Draft%20Cyber%20Security%20Jersey%20Law%20202-.pdf
The consultation window is only open for 2 weeks, closing on 19 March 2024. Interested islanders, organisations and stakeholders are being asked to give feedback on a draft law outlining several changes relating to Jersey's Cyber Security Centre (JCSC), which was established by the Council of Ministers in 2021 and currently operates within the Economy Department.
SO, WHAT ARE THE CHANGES?
- Under the new law, the JCSC would be established as an independent advisory and emergency response body operating at arm’s length from regulators, law enforcement officers and the government.
- It would also become a grant-funded body and be required to produce an annual report and strategic plan available to the public.
- Additionally, the law would require Operators of Essential Services (OES) to take appropriate steps to improve and secure their cybersecurity and notify their customers and JCSC if they experience a significant cyber incident.
- An OES is defined as "any service which is essential for the infrastructure of Jersey or the maintenance of critical societal or economic activities in Jersey".
OPERATORS OF ESSENTIAL SERVICES.
- Either be providing:
  - Banking and credit services (registered under Part 2 of the Business Banking (Jersey) Law 1991 and regulated by the Jersey Financial Services Commission (JFSC)) OR
  - Financial service business (as defined by Article 2 of the Financial Services (Jersey) Law 1998 and regulated by the JFSC).
  - The definition of "financial service business" covers any "person" carrying on (amongst other things) investment business, trust company business, general insurance mediation business, money service business and fund services business.
- Provide those services in reliance upon network and information systems (there is no minimum value threshold applicable to those services, as provided to some other OES) - Article 24 and Part 3 of Schedule 3 of the draft Law
- This is likely to encompass all Banking and Financial Service Providers.
THE DRAFT LAW PROPOSES,
- Several new measures to protect against the cybercrime threat to OES by addressing the cyber security measures they are expected to adopt. - Part 5, Articles 29-33 of the draft Law
- It also proposes establishing a NEW Jersey Cyber Security Centre, Commissioner for Cyber Security and Technical Advisory Council to advise the Commissioner. – Article 2,2&4 of the draft Law
- All such businesses are to notify the Minister within 28 days of the draft law coming into force. - Article 24(3) – (4) of the draft Law
- Where the OES has its head office outside Jersey, it must nominate an authorised person in Jersey to act on its behalf. - Article 26 of the draft Law
The OES is under a duty [article 29 of the draft Law] to:-
[29] "Implement measures that are appropriate and proportionate for–
- [a] identifying cyber threats to the security of the network and information systems on which the provision of their essential service relies;
- [b] reducing the risk of incidents affecting the security of those network and information systems occurring;
- [c] preparing for the occurrence of such incidents and preventing and minimising their impact; and
- [d] ensuring the continuity of their essential service". - Article 29 of the draft Law
While many banking and financial service providers already have robust measures to prevent cyber security breaches, there are a few points of note.
- As noted, the draft law proposes enhanced administrative obligations on OESs. It places them under an obligation to keep appropriate and proportionate measures in place to identify, prepare for and reduce the risks of cybercrime.
- What is "appropriate and proportionate" is not defined in the draft law, but guidance may be [should be] issued.
- If the measures are not deemed adequate, the Minister can specify further measures to be taken by the OES.
- The Commissioner should be given the power to set or adopt standards about cybersecurity, which the affected persons should then apply.
- The Minister may require an OES to take further specified measures that they consider appropriate and proportionate. - Article 30 of the draft Law
In the event of a cyber security incident, the OES is under a duty to:-
- Notify the Commissioner for Cyber Security (article 31),
- Inform service users (article 32) and
- Take any steps mandated by the Minister in response to a significant cyber security incident and the adverse effects of that incident (article 33)
Sources
- CONSULTATION https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/C%20Cyber%20Security%20Law%20Consultation%20March%202024.pdf
- DRAFT LAW https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/L%20Draft%20Cyber%20Security%20Jersey%20Law%20202-.pdf
- https://www.bailiwickexpress.com/jsy/business/cyber-defence-legislation-consultation-launched/