JERSEY JCSC want to hear about your CYBER incidents “NOW”

13/08/2025

The Jersey Cyber Security Centre [JCSC]

  • PROMOTES AND IMPROVES cyber resilience across Jersey’s critical national infrastructure, business communities and citizens.
  • WANTS TO reduce the risk and impact of significant cyber incidents on the Island.
  • WANTS YOU TO THINK of them as your critical friend and trusted advisor in incident response, not a compliance authority.

Matt Palmer from the JCSC has outlined that reporting cyber incidents to the JCSC fulfils a very different purpose from regulatory incident reporting.

The JCSC are interested in knowing about cyber incidents in two situations:

  • Firstly, when you would like JCSC’s help:
    • JCSC may have access to additional information or intelligence, or
    • You may ask JCSC to advise you on the best course of action, or to help you communicate and collaborate with others.
  • Secondly, when you think sharing with JCSC will be of help to others.

However, JCSC may not be the only organisation that needs to know.

Regulatory reporting

  1. When a cyber incident occurs, regulated organisations often think early about their legal and regulatory obligations.
    1. For certain types of incidents, regulators require formal notification — sometimes within a fixed timeframe, in a specified format, and with defined content.
  2. This regulatory incident reporting exists for a specific purpose:
    1. To allow regulators to exercise their oversight role, ensure compliance with legal requirements, and take action where breaches of law or regulation have occurred.
  3. In Jersey, organisations may need to report incidents to an industry regulator such as
    1. The Jersey Financial Services Commission (JFSC), or
    2. The Jersey Competition & Regulatory Authority (JCRA).
  4. You may also need to report certain types of incidents to
    1. The Jersey Office of the Information Commissioner (JOIC) or
    2. States of Jersey Police.
  5. As many local organisations also operate in multiple jurisdictions, regulatory reporting obligations can become complex.

Regulatory reporting is generally expected to be:

  1. Mandatory for certain incidents under specific laws or licence conditions.
  2. Designed to meet compliance obligations — ensuring that an organisation demonstrates adherence to rules and can be held accountable for failures.
  3. A legal process, often coordinated by legal and compliance teams to manage liability, language, and risk.
  4. Formal and procedural — typically time-bound but paced, with controlled communications and sign-off before submission.

Regulatory reporting varies hugely by regulator and regulated entity, but an indicative reporting process might look something like this:

  1. Such a multi-step process can ensure clear and consistent information flow, as well as management of regulatory risks to the organisation, but inevitably takes time to undertake with multiple internal stakeholders involved.
    1. This can extend further if there is a need to consult external counsel or the board, notify customers, or provide various updates.
  2. This reflects the breadth of associated risks to the organisation, which will be aware of both the regulatory risk associated with not being suitably forthcoming and also the operational costs of regulatory action if issues are overstated or miscommunicated.
    1. Regulatory action can result in penalties or reputational impact, so organisations understandably proceed with caution and in a managed way.
  3. Whilst regulatory reporting typically needs to be timely, as regulators are generally not part of the operational response to an incident, regulators also tend to welcome fully formed reporting over immediate visibility.
  4. These are essential processes — but they serve a different end goal to operational cybersecurity.
  5. The good news is that sharing incident information with JCSC can be much easier.

Reporting to JCSC

  1. Reporting incidents to JCSC is currently purely voluntary.
    1. Organisations that do report receive support and provide insights that help JCSC protect the community.
    2. Their information is held in confidence, and there are no potential consequences to reporting.
    3. However, not everyone feels comfortable doing so. In some cases, without a formal legal need to report, organisations can find client contract terms, group-level policies, legal concerns, or supplier restrictions that restrict them.
    4. Recent experience of significant incidents, as well as community incident response exercises carried out by JCSC, highlights that for many organisations, good intent and a desire to support best practice are often not sufficient to enable a culture of sharing.
    5. JCSC need to provide them with the tools to share quickly, openly and safely.
  2. For that reason, the Government’s proposed Cyber Security (Jersey) Law will provide for:
    1. An information sharing gateway, making it legally possible for organisations to share incidents with JCSC, even if other restrictions such as client contractual terms apply;
    2. A requirement on the most critical organisations (known as Operators of Essential Services) to share the most significant incidents within 24 hours of becoming aware;
    3. Formal obligations to ensure that information shared with JCSC is protected and cannot be shared by the Government or regulators;
    4. Provisions to protect personal information and ensure JCSC is covered by the Data Protection (Jersey) Law; and
    5. Identification of JCSC as a security body in the Freedom of Information (Jersey) Law, so that organisations can have confidence in sharing commercially sensitive information rapidly in a crisis, without needing first to make complex legal assessments and ‘balance of risk’ judgements.
    Further details: https://jcsc.je/about-jersey-cyber-security-centre/cyber-security-jersey-law/
  3. This will formalise the practice JCSC have today, which is to hold incident information in the strictest confidence.
  4. As a result, reporting to JCSC can be seen as:
    1. Operational — designed to give JCSC a timely understanding of what’s happening locally so JCSC can provide advice, connect you with support, and help others prepare for similar threats.
    2. Non-regulatory — JCSC have no enforcement powers and no mandate to pass your report to regulators, law enforcement, or government.
    3. Supportive — you choose to tell JCSC quickly because you want to help JCSC strengthen the Island’s cyber resilience, or because you would like JCSC’s assistance.
    4. Confidential — the details you share stay between you and JCSC.
      • JCSC use anonymised, aggregated data to identify trends and issue general warnings, but JCSC don’t issue public notices or identify impacted organisations.
  5. This means a good process is quick and straightforward, for example:

  1. You can think of JCSC as a critical friend and trusted advisor in incident response, not a compliance authority.
  2. The sooner JCSC are aware of an issue, the more helpful they can be. For example:
    1. If you see a cyber-attack and report it to JCSC, and JCSC receive several similar reports in the same sector, JCSC can issue an advisory to protect that sector.
  3. However, the timespan of such targeted attacks might be 24 hours or less: after a day, the information is less valuable, and the likelihood of others being impacted is increased.
  4. Those other organisations could be your customers or suppliers, so everyone benefits when JCSC respond quickly.

Why it matters to separate operational and regulatory incident reporting

  1. Often, organisations say it is beneficial to have one reporting process, which can lead organisations to consider embedding notifications to JCSC in regulatory reporting processes:
    1. Can JFSC copy JCSC in on a regulatory notification?
    2. Or could the regulator share with JCSC later?
  2. However, if organisations route operational reporting to JCSC through the same legal/compliance processes as regulatory reporting, three things often happen:
    1. Delays — legal review and sign-off often slow the process, meaning JCSC may not learn about threats until after they’ve already spread across the Island.
    2. Reduced detail — legal teams often filter out operationally useful information to manage liability risk.
      • However, this risk does not arise with reporting to JCSC, and those details are frequently precisely what JCSC need to spot patterns and share timely mitigations.
    3. Missed opportunities — by the time a report reaches JCSC, the window for proactive support may have passed.
      • The ‘half-life’ of incident reports can be 12 hours or less: if JCSC know immediately, they may have information that helps you make better decisions and reduce the impact.
      • After a couple of days, the information is much less valuable, and your organisation or Islanders may have already incurred significant costs by the time JCSC can help.
  3. This is why JCSC are not asking for a carefully lawyered statement.
    1. Instead, JCSC are asking for quick, factual input so JCSC can help you and protect others.
    2. Most organisations should find they can do this as part of their standard IT incident management process.
  4. Operationally, reviewing an existing incident management process and embedding notifications to JCSC at an appropriate point is usually not difficult.
    1. However, there is often a need to demonstrate to legal and compliance specialists, who are seeking to protect the organisation, that notifying JCSC quickly will not pose a risk, but delaying the notification may.
  5. Different organisations will approach this differently:
    1. JCSC find that those who benefit the most are those who can embed an expectation with the operational teams managing cyber incidents that a quick call or email to JCSC at the earliest stage possible is the most appropriate course of action.

Where does JCSC reporting fit in your business processes?

  1. Reporting to JCSC should be embedded in your operational incident response process, rather than your compliance reporting process.
    1. As soon as your incident response team detects or confirms an incident of interest, they should share the basic facts with JCSC — even if the investigation is still ongoing.
    2. Treat JCSC as you would a trusted industry ISAC (Information Sharing and Analysis Centre), or an outsourced incident response partner — a source of mutual aid, early warning, and shared situational awareness.
    3. You can still follow your regulatory reporting process separately, on its timeline and with its governance.
  2. Combined, this could look something like this:

The benefit to you:

  1. By reporting quickly and operationally to JCSC, you can:
    1. Gain access to relevant, real-time threat intelligence and local context.
    2. Get tailored support from a team whose only interest is helping you manage and contain the incident.
    3. Contribute to a collective defence model that benefits your peers and, ultimately, your organisation.
  2. In short, regulatory incident reporting is focused on compliance and learning from risk events.
  3. Reporting incidents to JCSC, however, is about operational collaboration and response. They are complementary, but they are not the same thing, and so to get the most benefit for your organisation and the wider community, they should not be treated the same way.

SOURCE

https://jcsc.je/advice-and-guidance/best-practices-for-embedding-reporting-to-jcsc-in-your-incident-management-process/
