JERSEY's new cyber security law targets “financial services” and other “essential services” [OES].

Providers of banking and financial services and other industry sectors have been classified as Operators of Essential Services (OES) in the new draft Cyber Security (Jersey) Law, the White Paper for which was put out for consultation by the Government of Jersey on 4 March 2024 (the draft law).

1. CONSULTATION https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/C%20Cyber%20Security%20Law%20Consultation%20March%202024.pdf
2. DRAFT LAW https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/L%20Draft%20Cyber%20Security%20Jersey%20Law%20202-.pdf

The consultation window is only open for 2 weeks, closing on 19 March 2024. Interested islanders, organisations and stakeholders are being asked to give feedback on a draft law outlining several changes relating to Jersey's Cyber Security Centre, established by the Council of Ministers in 2021 and currently operates within the Economy Department.

SO, WHAT ARE THE CHANGES?

1. Under the new law, the JCSC would be established as an independent advisory and emergency response body operating at arm’s length from regulators, law enforcement officers and the government.
2. It would also become a grant-funded body and be required to produce an annual report and strategic plan available to the public.
3. Additionally, the law would require Operators of Essential Services (OES) to take appropriate steps to improve and secure their cybersecurity and notify their customers and JCSC if they experience a significant cyber incident.
4. An OES is defined as "any service which is essential for the infrastructure of Jersey or the maintenance of critical societal or economic activities in Jersey".

OPERATORS OF ESSENTIAL SERVICES.

1. Either be providing
1. Banking and credit services (registered under Part 2 of the Business Banking (Jersey) Law 1991 and regulated by the Jersey Financial Services Commission (JFSC)) OR
2. Financial service business (as defined by Article 2 of the Financial Services (Jersey) Law 1998 and regulated by the JFSC).
1. The definition of "financial service business" covers any "person" carrying on (amongst other things) investment business, trust company business, general insurance mediation business, money service business and fund services business.
2. Provide those services in reliance upon network and information systems (THERE IS no minimum value threshold applicable to those services AS PROVIDED TO some other OES,  -  Article 24 and Part 3 of Schedule 3 of the draft Law]
1. This is likely to encompass all Banking and Financial Service Providers.

THE DRAFT LAW PROPOSES,

• Several new measures to protect against the cybercrime threat to OES by addressing the cyber security measures they are expected to adopt. Part 5 articles 29-33 of the draft Law
• It also proposes establishing a NEW Jersey Cyber Security Centre, Commissioner for Cyber Security and Technical Advisory Counsil to advise the Commissioner. – Article 2,2&4 of the draft Law
• All such businesses are to notify the Minister within 28 days of the draft law coming into force. - Article 24(3) – (4) of the draft Law
• Where the OES has its head office outside Jersey, it must nominate an authorised person in Jersey to act on its behalf. - Article 26 of the draft Law

PART 5 IS CRITICAL

The OES is under a duty to: [article 29 of the draft Law] to:-

[29] Implement measures that are appropriate and proportionate for–

• [a] identifying cyber threats to the security of the network and information systems on which the provision of their essential service relies.
• [b] reducing the risk of incidents affecting the security of those network and information systems occurring.
• [c] preparing for the occurrence of such incidents and preventing and minimising their impact; and
• [d] ensuring the continuity of their essential service". - Article 29 of the draft Law

While many banking and financial service providers already have robust measures to prevent cyber security breaches, there are a few points of note.

• As noted, the draft law proposes enhanced administrative obligations on OESs. It places them under an obligation to keep appropriate and proportionate measures in place to identify, prepare for and reduce the risks of cybercrime.
• What is "appropriate and proportionate" is not defined in the draft law, but guidance may be [should be] issued.
• If the measures are not deemed adequate, the Minister can specify further measures to be taken by the OES. 
• The Commissioner should be given the power to set or adopt standards about cybersecurity, which the affected persons should then apply. 
• The Minister may require an OES to take further specified measures that they consider appropriate and proportionate. - Article 30 of the draft Law

In the event of a cyber security incident, the OES is under a duty to:-

• Notify the Commissioner for Cyber Security (article 31),
• Inform service users (article 32) and
• Take any steps mandated by the Minister in response to a significant cyber security incident and the adverse effects of that incident  (article 33)

Sources

• CONSULTATION https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/C%20Cyber%20Security%20Law%20Consultation%20March%202024.pdf
• DRAFT LAW https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/L%20Draft%20Cyber%20Security%20Jersey%20Law%20202-.pdf
• https://www.bailiwickexpress.com/jsy/business/cyber-defence-legislation-consultation-launched/