Part 4: Jersey's New Cyber Security Law and the obligation that already applies to JFSC-registered persons
06/07/2026
Introduction to the RISQED newsletter series
- This is part 4 of 5 in a series on risk management for Jersey-registered persons.
- This piece covers cyber security, which connects directly to Part 3's data protection obligations.
- Whether it is a financial services firm or not.
- Cyber risks explicitly fall within the code's requirement to have specifically considered the risk of a cyber security incident and have
- A corresponding documented policy to: identify, protect, detect, respond, recover from an incident
- It applies to any business in Jersey that is defined as an Operator of Essential Services (OES).
- However, the obligation covered here already exists for JFSC-registered persons because
Introduction to Jersey's New Cyber Security Law
- On 22 January 2026, the States Assembly unanimously approved the Cyber Security (Jersey) Law.
- It received Privy Council approval on 3 June 2026, in the same window as the JFSC Compliance Monitoring Guidance revision this series started with.
o Exact current status (as of 6 July 2026)
- Adopted by the States Assembly: 22 January 2026
- Sanctioned by Order of His Majesty in Council (Privy Council approval): 3 June 2026
- Registered by the Royal Court: 5 June 2026
- Officially enacted: Listed on the Jersey Law website as the Cyber Security (Jersey) Law 2026 (L-22-2026), with enactment date 9 June 2026.
- It's a genuinely new statutory regime, not a restatement of something firms already had to do.
- But it doesn't apply the way most people assume, and for some (JFSC REGISTERED PERSONS) the risks have always been with them, so understanding the gap is the point of this piece.
The new Law: mandatory for OES, narrower in scope than earlier proposals
- The Cyber Security Law establishes the Jersey Cyber Security Centre (JCSC) in statute and creates a category of regulated entity: Operators of Essential Services (OES).
- Once the Law is in force, OES will face real, hard obligations to implement appropriate and proportionate security measures to identify threats, reduce risk, prepare for incidents, and maintain continuity, plus mandatory reporting of significant cyber incidents to JCSC within 24 hours of becoming aware of them.
- Non-compliant OES will face civil financial penalties of up to £10,000 under the Law.
- The Law has been adopted by the States Assembly and sanctioned by the Privy Council, but as of this piece, its commencement date when these obligations actually bite is still a ministerial decision that hasn't been made public.[1]
- Within financial services, the entities designated OES are deposit-takers registered under Part 2 of the Banking Business (Jersey) Law 1991,
- In practice, banks. Schedule 3 of the Law, under "Financial Services Sector," lists only the banking subsector.
- That's narrower than the scope discussed at earlier consultation stages:
- Material from the 2024 consultation round described a broader financial services scope that would have captured trust company business, fund services, investment business, and money service business alongside banking.
- By the time the Law was formally lodged with the States Assembly in November 2025, that scope had already been reduced to banking specifically.
- If you're not a bank, you're unlikely to be an OES under this Law.
- That's where this piece needs to be precise, not reassuring.
The obligation that already existed, for JFSC registered persons
- Being outside OES scope doesn't mean cyber risk is optional.
- The JFSC's Codes of Practice already require it, and have for years, through Principle 3, the same principle covered in Parts 1 and 3 of this series for governance and risk management generally.
- Across the sector Codes (Trust Company Business, Fund Services, Investment Business, and others), the JFSC's expectation is stated in near-identical terms: a registered person must
- Have specifically considered the risk of a cyber security incident and have
- A corresponding documented policy to identify assets and risks, to protect them, to quickly detect potential cyber security incidents, to respond to contain the impact of an incident and to recover from it.
- That's a five-part discipline: identify, protect, detect, respond, recover, and it applies to every registered person regardless of OES status.
- Banks get a second, statutory layer on top of it. Everyone else still has the first layer, and the JFSC's own language makes clear it isn't optional or aspirational: it's an existing Code obligation, not best practice offered as a suggestion.
Where cyber, data protection, and the JFSC itself all meet
- This is worth stating precisely rather than leaving implicit, because it changes how a firm should structure its response to an incident, not just its paperwork and the full picture has three channels, not two.
- A cyber incident that exposes personal data can trigger up to three separate notifications, to three different regulators, on three different clocks.
- If you're an OES bank, JCSC needs to know within 24 hours.
- Under the Data Protection (Jersey) Law 2018 (Part 3 of this series),
- JOIC needs to know within 72 hours if the breach poses a risk to individuals a duty that falls on every controller in Jersey, regardless of sector or size.
- But there's a third channel that applies to every JFSC-regulated firm specifically, whether it's an OES bank or not. It's easy to miss because it isn't badged as a "data protection" or "cyber" requirement; it's a general disclosure obligation under the Codes of Practice and the underlying financial services laws.
- The JFSC's own guidance sets out, as a minimum, that a registered person should report any cyber-security incident that:-
- Results in or risks client information being accessed by third parties without appropriate authorisation,
- Involves "a significant or widespread compromise of the registered person's computer systems, or
- May have a material detrimental impact on the registered person or the jurisdiction.
- A personal data breach involving client records will very often meet that first test on its own.
- This obligation isn't limited to OES status; it applies to trust company business, fund services, investment business, and every other registered person, not just banks.
- Put together:
- A non-bank JFSC-regulated firm with a client-data breach isn't looking at one notification or even two.
- It's looking at both JOIC (data protection law) and the JFSC (Codes of Practice), running in parallel, with different tests and different expectations before a bank's additional JCSC obligation even enters the picture.
- Treating a breach as one event with three possible reporting lines to check, rather than assuming it's "a JOIC thing" or "a cyber thing," is the difference between a firm that's prepared and a firm that's improvising during an actual incident.
One structure, not a fifth spreadsheet
- RISQED's approach here is consistent with the rest of this series:
- CYBER RISK
- Sits in the same taxonomy as financial crime, data protection, and the other categories,
- Is scored on the same probability-and-impact basis, tested through the same CMP-aligned effectiveness process, and
- Is owned by a named person whoever holds the cyber security responsibility in your firm rather than existing as a policy document nobody revisits until the next incident forces the question.
The pattern holds across this whole series.
- Financial crime, data protection, and cyber security are three different obligations from three different sources.
- Still, each one fails the same way when a firm can't show, in one place, what the risk is, what's mitigating it, whether that mitigation has been tested, and who's accountable for it.
The point of this series
- Isn't it that financial crime, data protection, cyber security (Part 4), and sustainability (Part 5) are the same risk? They're not.
- It's that they all fail the same way when nobody has one place to keep them current, connected, and owned and that a firm that's built that structure for one regulatory obligation doesn't need to rebuild it from scratch for the next one.
Book a demo:
- yes@comsuregroup.com [Comsure is the distributor of RISQED] | Sunil 07797 936464 | Mathew 07797 747490
RISQED is BETA, in active development, and now being used. If you're evaluating it against a specific regulatory requirement, we're happy to walk through exactly how it maps to your framework.
¹ A note on sourcing and legislative status:
- The Article and Schedule references in this piece (including the £10,000 civil penalty figure and the banking-only scope of financial services OES designation) are drawn from the Cyber Security (Jersey) Law as lodged with the States Assembly on 24 November 2025.
- The Law was adopted by the States Assembly on 22 January 2026 and sanctioned by the Privy Council on 3 June 2026.
- As of this piece, we have found no confirmation that the Law has been registered and brought into force; commencement depends on a ministerial decision on timing that had not been made public as of our most recent sources.
- We have not cross-checked the lodged text against a post-sanction consolidated version, and provisions can change up to registration. Firms should confirm current status and requirements directly with JCSC (jcsc.je) before relying on specific figures, thresholds, or commencement assumptions cited here.
SOURCES:
- Official enacted
- The States Assembly proposition.
- SUPPORTING SOURCES
- Official enacted law page: https://www.jerseylaw.je/laws/enacted/Pages/L-22-2026.aspx
- JCSC Cyber Security Law Information Hub: https://jcsc.je/about-jersey-cyber-security-centre/cyber-security-jersey-law-information-hub/ (explicitly references Privy Council approval and autumn 2026 expectation)
- Walkers overview (4 June 2026): https://www.walkersglobal.com/en/Insights/2026/06/Cyber-Security-Jersey-Law-An-overview — notes Privy Council approval on 3 June 2026 and that obligations apply “once in force”
- JFSC
- https://www.jerseyfsc.org/industry/risk/cyber-security/understanding-your-regulatory-obligations/ = source for the three-channel JFSC notification triggers
- . https://www.jerseyfsc.org/industry/risk/cyber-security/
- https://www.jerseyfsc.org/media/ek1hb0k3/cop-trust-company-business-code-of-practice.pdf = TCB Code, Principle 3 cyber policy language
- https://jcsc.je/about-jersey-cyber-security-centre/cyber-security-jersey-law-information-hub/ = JCSC’s own official hub
- OTHERS
- https://www.walkersglobal.com/en/Insights/2026/06/Cyber-Security-Jersey-Law-An-overview = Walkers, post-Privy-Council
- https://www.comsuregroup.com/news/jersey-cyber-law-is-approved-jan-2026/ = Comsure, post-States-Assembly-approval
- https://www.islandfm.com/news/jersey/cyber-security-law-passed/ = independent local news, corroborates the £10,000 figure
- https://channeleye.media/states-assembly-approves-cyber-security-law/ = independent local news, corroborates the passage date
EARLIER NEWSLETTERS - Read – 3,2 and BELOW
No.3 - RISQED -: Data Protection: Two regulators want you to show your risk approach
Introduction+
- This is part 3 of 5 in a series on risk management for Jersey-registered persons.
o This piece covers data protection specifically. It's the one part of the series that applies whether you're JFSC-regulated but shows how RISQED can help
- Everything in Parts 1 and 2 of this series was triggered by something the JFSC published.
- This part is different, deliberately.
- The obligation covered here exists independently of JFSC regulation (albeit it is an inherent risk for all Registered firms and therefore falls within the code's requirement to manage ALL risks).
- It applies to any business in Jersey that holds personal data, whether or not it is a financial services firm.
The law requires an assessment before you process, not after an issue arises.
- Under Article 16 of the Data Protection (Jersey) Law 2018:
- "Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, a controller must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data before the processing."
- That's the Data Protection Impact Assessment (DPIA), and it's mandatory, not best practice, wherever high-risk processing is involved.
- The law is specific about what has to be in it.
- A DPIA must include a systematic description of the processing and its purpose, an assessment of whether the processing is necessary and proportionate to that purpose, an assessment of the risk to individuals, and the measures put in place to address that risk.
- If, after those measures, the residual risk is still high, Article 17 requires the controller to consult the Jersey Office of the Information Commissioner (JOIC) before processing begins at all, not after.
- Read structurally, that's the same shape as everything else in this series:
- a risk position before mitigation, the controls applied, and a residual position that determines what happens next.
- The law doesn't use that language; this is our reading of the statute's structure, not JOIC's framing of it, but the underlying logic holds regardless of which risk category you're assessing.
This isn't a regulated-firms-only problem.
- JOIC's own guidance for SMEs is explicit that it's written for organisations
- "Who may not have access to extensive planning and legal resources"
- This obligation was never designed with the assumption that only well-resourced, regulated firms would need to meet it.
- If your business processes personal data in Jersey customer records, employee data, marketing lists- the DPIA requirement can apply to you regardless of what your regulator (if you have one) asks for.
- JOIC also makes the practical case directly:
- Maintaining a data protection risk register lets a business identify and mitigate data protection risks and demonstrate compliance if a regulatory investigation happens.
- That's the same argument underlying the JFSC's compliance monitoring guidance in Parts 1 and 2:
- The risk isn't just in what could go wrong; it's in not being able to show you'd already thought about it.
When something goes wrong: breach notification
- Everything above is about assessing risk before processing begins.
- The law also covers what happens after something goes wrong.
- Under Article 20 of the DPJL, a controller must notify JOIC of a personal data breach "without undue delay, within 72 hours of becoming aware of the breach, not after investigation," unless the breach is unlikely to pose a risk to individuals' rights and freedoms.
- As JOIC's own reporting guidance puts it:
- "Not every breach needs to be reported to our office (although you should keep a record of them). We only need to know about breaches which constitute 'a risk' to the rights and freedoms of individuals."
- If the breach is likely to result in a high risk to individuals, the controller must also notify the affected individuals directly, and a log of all breaches, reportable or not, must be kept regardless.
- This isn't a theoretical obligation.
- In January 2024, the JFSC's own Data Protection Officer notified JOIC of a personal data breach affecting the JFSC's Companies Registry portal a software flaw,
- Dating back three years, that had put the "restricted data" of nearly 67,000 individuals at risk.
- JOIC investigated and ultimately didn't fine the JFSC, citing full cooperation and completed remediation.
- Worth noting for what comes next in this series: even the regulator's own breach went to JOIC, not to itself.
- For JFSC-regulated firms specifically,
- JOIC notification is very often not the only call to make.
- Part 4 covers what else a breach can trigger.
Where this sits in one structure, not a separate one
- RISQED's risk taxonomy already includes the ability for a user to set up records for GDPR-aligned risk categories alongside financial crime, operational, and other registers, so a firm's data protection risk doesn't need its own disconnected spreadsheet.
- The same probability-and-impact scoring, the same before-and-after-controls structure, and the same named ownership model that Parts 1 and 2 describe for financial crime risk applies here too. Whoever holds the data protection officer role (where one is appointed) is visibly attached to the risks they own, rather than the DPIA living in a folder nobody revisits until the next audit.
The point of this series
- Isn't that financial crime, data protection, cyber security (Part 4), and sustainability (Part 5) are the same risk. They're not.
- It's that they all fail the same way when nobody has one place to keep them current, connected, and owned and that a firm that's built that structure for one regulatory obligation doesn't need to rebuild it from scratch for the next one.
Book a demo:
- yes@comsuregroup.com [Comsure is the distributor of RISQED] | Sunil 07797 936464 | Mathew 07797 747490
RISQED is BETA, in active development, and now being used. If you're evaluating it against a specific regulatory requirement, we're happy to walk through exactly how it maps to your framework.
SOURCES
- Data Protection (Jersey) Law 2018, official text. This is where Article 16 (DPIA required for high-risk processing) and Article 17 (prior consultation with the Authority) are found:-
- JOIC's guidance for SMEs. This is the source of both JOIC quotes in the piece: the "may not have access to extensive planning and legal resources" framing and the point that a data protection risk register demonstrates compliance during an investigation.
- JOIC's breach reporting page (72-hour clock, risk threshold).
- This is where the "if there is any doubt, report it" quote and the Article 20(1) citation actually come from.
- Two independent outlets agreeing gives me more confidence in the facts than either alone, but neither was a full direct fetch.
READ PARTS 2+1 BELOW
No.2 - RISQED - Is Your RISK Framework Built to Address the JFSC Financial Crime Feedback
Introduction+
- This is part 2 of 5 in a series on risk management for Jersey-registered persons; it looks at Financial Crime Risk and how RISQED can help
- Part 1 of 5 of a RISQED series on risk management for Jersey-registered persons [below this part] provides an overview of how it provides a solution to risk management; later pieces go in depth on financial crime, data protection, cyber, and sustainability.
Financial Crime Risk
- On 29 June 2026, the JFSC published its 2025 Financial Crime Examination Feedback, five days after quietly revising its Guidance Note on Compliance Monitoring for the first time since 2013.
- Read together, the message is consistent:
- firms can usually point to the individual pieces of a financial crime framework, but struggle to show the pieces are connected, current, and owned.
- That's the gap RISQED is built to close, not by replacing judgement, but by giving the business risk assessment (BRA), the controls that mitigate it, and the people accountable for it, a single structure to live in.
The BRA needs a methodology, not a moment in time
- The JFSC found BRAs
- Hadn't been reviewed as the business changed,
- That omitted risks the Handbook requires (proliferation financing came up repeatedly), and
- That recorded a risk without recording what mitigated it or how risks compounded together.
- Tellingly, the revised Compliance Monitoring Guidance names the enterprise-wide risk assessment (EWRA) specifically as the risk assessment type "required under AML/CFT/CPF regulations to identify and mitigate financial crime risks at an organisational level";
- This isn't a rebrand of the BRA,
- It's the JFSC being explicit about what a firm-wide financial crime risk assessment needs to achieve.
- RISQED is built as a BRA methodology first, rather than a template that goes stale the day it's signed off; RISQED will
- Provide a consistent structure for identifying inherent risk and the risk owners,
- Document (and link) the controls that mitigate it
- Allow you to revisit both through your integrated CMP and as the business or its environment changes,
Control effectiveness is where "adequate" becomes evidenced.
- The JFSC doesn't prescribe a specific scoring model for control effectiveness; it never has. What its revised Compliance Monitoring Guidance does require is that
- Firms can show controls are "operating as intended" and
- That testing surfaces the "strengths and weaknesses across the control framework."
- Where firms fell short in the 2025 examinations,
- It was rarely that they'd misidentified a risk.
- It was that their policies didn't explain how to apply the control.
- Their compliance monitoring plan (CMP) couldn't evidence the control had been tested.
RISQED scores risk on probability and impact
- The same two factors the JFSC uses in its own risk-based supervision approach, starting from the gross position, adjusting for the controls and treatment applied, and then moving again once CMP testing confirms whether those controls are actually working.
- A test result doesn't just get filed; it visibly moves the risk position it relates to.
- We haven't built this because the JFSC mandated a formula; it hasn't. We built it to meet guidance proportionately and defensibly for every firm, at a price point designed for firms replacing spreadsheets, not for those budgeting for enterprise GRC builds.
Risk owners need to be named, not implied
- The JFSC's MLCO/MLRO findings weren't about competence; they were about visibility.
- Conflicts of interest that existed but weren't logged. Resourcing gaps nobody had formally assessed. Board reporting that happened but was never documented so that oversight couldn't be evidenced after the fact.
RISQED addresses this structurally:
- Risks in the platform sit against clear ownership: who's responsible, accountable, consulted, and informed, so your MLCO and MLRO aren't just named somewhere in a P&P; they're visibly attached to the risks they own, with conflicts, resourcing, and reporting sitting alongside them.
The pattern the JFSC keeps describing is
- A financial crime framework in which the BRA, the controls, and the people responsible for both aren't visibly connected.
- RISQED's job is to make that connection structural, rather than something you reconstruct manually when an examiner asks for it.
- We'll go deeper on DATA PROTECTION AND SUSTAINABILITY in the updates that follow this update.
Book a demo:
- yes@comsuregroup.com [Comsure is the distributor of RISQED] | Sunil 07797 936464 | Mathew 07797 747490
RISQED is BETA, in active development, and now being used. If you're evaluating it against a specific regulatory requirement, we're happy to walk through exactly how it maps to your framework.
Part 2 (sources):
- RISQED website and brochure below
- JFSC 2025 Financial Crime Examination Feedback (published 29 June 2026)
- Guidance Note: Compliance Monitoring, revised 4 June 2026 (7-step CMP cycle, EWRA definition, probability/impact language)
- Trust Company Business Code of Practice (Principle 3, "all the risks... as a business enterprise")
- Guidance Note: Sustainable Finance (Principle 3 climate risk, Principle 7 fair claims, baseline good practice)
- JFSC's Risk-Based Supervision framework (inherent/causal/impact risk, impact × probability)
- Codes of Practice landing page
- JFSC Cyber-security - All financial services businesses are exposed to cyber risks. They need to be aware of the threats and defend themselves effectively if a cyber event occurs.
READ PART 1 BELOW
Part 1: RISQED - One Methodology for Every Risk (JFSC's Summer 2026 Guidance)
Introduction
- This Part 1 of 4 of a RISQED series on risk management for Jersey-registered persons
- This Part 1 provides an overview of how it provides a solution to risk management; later pieces look at financial crime, data protection, and sustainability risks and how RISQED helps.
ALL RISKS
Between 4 and 29 June 2026, the JFSC did two things worth reading together.
- It revised its Guidance Note on Compliance Monitoring for the first time since 2013, and
- It published its 2025 Financial Crime Examination Feedback.
Please read them separately; they look like two documents on the same topic. Read together, the pattern is broader than financial crime:
- Firms can usually point to the individual pieces of a risk framework, but struggle to show the pieces are connected, current, and owned, whichever risk you're looking at.
That's not a financial crime-specific problem, and the Codes of Practice for registered persons, not just Schedule 2 persons, say so directly.
- Principle 3 requires a registered person to
- "Organise and control its affairs effectively... and
- Be able to demonstrate the existence of adequate risk management systems."
- The Code is explicit about scope: in this context,
- "risk" refers to all the risks a registered person faces, or may face, "as a business enterprise" not a named subset of them.
- The Code mentions Cyber risks, and this year the JFSC has issued documents that address other risks; two prominent ones include
- Financial crime
- Sustainability risks
- What is important is that these are not the only Risks Principle 3 covers.
Why one methodology, not four
- The instinct, when a new risk category demands attention, is to build a new spreadsheet for it.
- That's how firms end up with a financial crime risk register, a separate data protection tracker, a sustainability questionnaire from last year's consultation, and no single view of where any of them stand relative to each other or to the board.
RISQED is built the other way round:
- One methodology: probability and impact scored from gross risk, through the controls and treatment applied to a residual position once compliance monitoring plan (CMP) testing confirms whether those controls are actually working, applied consistently across risk categories, with named ownership (who's responsible, accountable, consulted, informed) attached to each one.
- The same structure that answers a financial crime finding answers a data protection or sustainability finding, because it's the same underlying question every time: what's the risk, what's mitigating it, has that mitigation been tested, and who owns it.
A quick tour of Risks that the JFSC talk about (sources below)
- Financial crime.
- The JFSC's 2025 examinations found BRAs that hadn't kept pace with the business, risk appetites that weren't consistently applied, and MLCO/MLRO conflicts and oversight gaps that weren't documented.
- We go deep on this in the next piece in this series.
- Data protection.
- This one isn't a direct JFSC obligation at all (albeit it is a regulated firm risk), which is exactly the point; it applies whether or not you're JFSC-regulated.
- Under Article 16 of the Data Protection (Jersey) Law 2018, any organisation carrying out processing likely to result in high risk to individuals' rights and freedoms must complete a Data Protection Impact Assessment before that processing begins.
- The JFSC's own guidance even acknowledges the overlap, noting that a firm's CMP "may also extend beyond the financial services and countering financial crime legislation to include areas such as... data protection laws."
- Sustainability and climate risk.
- Principle 3, assessing and managing climate-related risk, and
- Principle 7, ensuring sustainability-related claims are fair, clear, and not misleading.
- The JFSC's Guidance Note on Sustainable Finance sets a baseline under two principles:
- Its baseline good practice is proportionate by design: assess climate risk as part of ordinary risk management, document it proportionately, and escalate to the board, which can conclude risk is immaterial and take no further action beyond periodic review.
- Climate risk is meant to sit inside existing risk registers and categories, not stand apart from them.
- Cyber security.
- The Codes require a documented policy to identify assets and risks, protect them, detect incidents, respond, and recover.
- All financial services businesses are exposed to cyber risks. They need to be aware of the threats and defend themselves effectively if a cyber event occurs.
- Also anchored in JFSC cyber web pages and Principle 3 of the codes are the following statements:
- There are many more.....
Four do go into one.
- Four categories, four different regulatory sources, one requirement running underneath all of them: a documented, proportionate, board-visible view of the risk, the controls, and who's accountable for both.
- RISQED's job is to be that one structure, not four separate tools, each answering a different examiner's question.
- We'll go deeper on financial crime, data protection, and sustainability in the pieces that follow this update.
Book a demo:
- yes@comsuregroup.com [Comsure is the distributor of RISQED] | Sunil 07797 936464 | Mathew 07797 747490
RISQED is BETA, in active development, and now being used. If you're evaluating it against a specific regulatory requirement, we're happy to walk through exactly how it maps to your framework.
For Part 1 (sources):
- RISQED website and brochure below
- JFSC 2025 Financial Crime Examination Feedback (published 29 June 2026)
- Guidance Note: Compliance Monitoring, revised 4 June 2026 (7-step CMP cycle, EWRA definition, probability/impact language)
- Trust Company Business Code of Practice (Principle 3, "all the risks... as a business enterprise")
- Guidance Note: Sustainable Finance (Principle 3 climate risk, Principle 7 fair claims, baseline good practice)
- JFSC's Risk-Based Supervision framework (inherent/causal/impact risk, impact × probability)
- Codes of Practice landing page
- JFSC Cyber-security - All financial services businesses are exposed to cyber risks. They need to be aware of the threats and defend themselves effectively if a cyber event occurs.
The Team
Meet the team of industry experts behind Comsure
Find out moreLatest News
Keep up to date with the very latest news from Comsure
Find out moreGallery
View our latest imagery from our news and work
Find out moreContact
Think we can help you and your business? Chat to us today
Get In TouchNews Disclaimer
As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[www.gov.UK/government/publications/copyright-acts-and-related-laws]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here www.gov.uk/guidance/exceptions-to-copyright]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email info@comsuregroup.com.