
The Cyber Security (Jersey) Law was lodged Nov 21 - Find out more + 20 FAQ

23/11/2025

A draft Law designed to improve Jersey’s cyber security has been lodged with the States Assembly today, ahead of a debate early next year.

Where to find out more

To stay up to date with progress on the Law, including engagement with industry and consultation activity, JERSEYGOV recommend subscribing to a monthly newsletter here.

20 Frequently Asked Questions

  1. Who can I contact if I have questions about the proposed Cyber Security (Jersey) Law?
    1. Jersey Cyber Security Centre: Steph Luce, s.luce@jcsc.je, Government of Jersey: Elisabeth Blampied, e.blambied@gov.je
  2. What Consultations have been undertaken on the Cyber Security (Jersey) Law?
    1. 2022 Consultation on proposed cyber defence legislation - https://www.gov.je/Government/Consultations/Pages/ProposedCyberDefenceLegislation.aspx , 2023 Consultation on the Cyber Security Law - https://www.gov.je/Government/Consultations/pages/cybersecurity.aspx
  3. Why is the Financial Services sector not included?
    1. Banks are included in the definition of OES providers.
    2. The original policy intent was to include the entire financial services sector, but following industry and JCSC feedback, this was amended.
    3. The Government has expressed an intent to broaden the definition in the future and potentially include certain other types of Financial Services providers.
  4. Why are private medical providers not included?
    1. Only the Government of Jersey Medical Services are currently included in the Health sector. JERSEYGOV recognise the depth of feeling in the private medical industry and the strongly expressed views that these services are also essential for islanders.
    2. The Government has the option, if it wishes, to amend the definition in the future to include private medical providers.
    3. In the meantime, JCSC will support private medical providers, and JERSEYGOV will encourage such organisations to register for the Jersey Cyber Shield.
  5. Where can I read the proposed legislation?
    1. JERSEYGOV are currently awaiting a revised version of the legislation following consultation and feedback.
    2. The last published version is available here: https://www.gov.je/SiteCollectionDocuments/Industry%20and%20finance/L%20Draft%20Cyber%20Security%20Jersey%20Law%20202-.pdf.
    3. Key changes since this version include a) the removal of requirements on OES organisations to report cyber incidents to customers, and b) the removal of financial services organisations (other than banks) from the definition of OES providers.
  6. How does this affect me as an individual resident in Jersey?
    1. There are no requirements for residents under the Cyber Law.
    2. The goal of the Law is to protect islanders from cyber incidents by creating a practical framework for cyber resilience in the island.
    3. Therefore, as individual islanders, you will benefit from the work of JCSC and improvements in the cybersecurity of the industry and OES organisations.
  7. Will JCSC publish Guidance to support the industry in implementing the Law?
    1. Yes. There are specific provisions in the Law for the JCSC to produce guidance.
    2. JERSEYGOV will commence this process once the law is published (lodged) with a view to having guidance in place before the law comes into effect.
  8. Who will regulate cybersecurity?
    1. No cybersecurity regulator has been proposed.
    2. The law anticipates the need for clear expectations for industry, but without creating unnecessary or additional burdens. For that reason, a non-regulatory approach has been developed that will require JCSC to actively work with industry and Government to ensure a cyber-aware culture and behaviours, and to create voluntary information sharing to the fullest extent possible.
    3. The law therefore establishes JCSC as an advisory and support body and technical authority, on the basis that it will work closely with existing regulators, and existing regulators will work closely with JCSC.
  9. What approach will JCSC take to Standards and Guidance?
    1. JCSC will be required to consult before issuing guidance or standards under the Law. It is not possible to provide complete information until the law is published.
    2. However, the current Director intends that JCSC will focus on extending existing UK standards (such as Cyber Essentials and the UK Cyber Governance Code of Practice) and explaining where they apply in Jersey, rather than developing a separate local approach.
    3. There is no enforcement provision in the law, so Standards issued by JCSC would be enforceable only through existing provisions and to the extent existing Regulators adopt them.
  10. What is the definition of a significant incident that would be reportable by an OES?
    1. It is recognised that the criteria used to define a significant incident will impact the volume of reportable incidents as well as the value of the information received by JCSC.
    2. It is intended that JCSC will produce further guidance to support decision-making by OES, which will build on guidance currently issued in the Jersey Cyber Incident Matrix. An alternative approach considered was to define a `significant incident` in Law rather than Guidance.
    3. However, it was believed that this may make it difficult to respond effectively to industry feedback and changes in future risks.
  11. Will the draft law change before it is lodged?
    1. Yes. JERSEYGOV expect changes to the law before lodging to take account of consultation responses and Ministerial feedback.
    2. The overall intent, however, has not changed, and the Government has confirmed its commitment to lodging a law within the current term.
  12. How will you ensure that information shared with JCSC remains confidential?
    1. Consistent feedback from responding to real-life incidents, as well as from consultations on the law, has highlighted the need to ensure that JCSC processes information confidentially. Predominantly, concerns raised have been about
      • Potential sharing of confidential incident or vulnerability information with Government, Regulators, Law Enforcement or competitors, and
      • Ensuring the ongoing confidentiality of commercially confidential information shared in forums such as the Cyber Technical Advice Cell (CTAC) in the event of an incident, given that some participants are subject to Freedom of Information legislation.
    2. To ensure this, it is the intent that
      • The Director (and therefore JCSC) will be a separate legal entity from the Government, with a separate registration under the Data Protection (Jersey) Law, and
      • The Director will be designated as a security body alongside NCSC in the Freedom of Information Law, such that information is absolutely exempt. This will also enable JCSC to exchange information on threats and vulnerabilities with its international counterparts. Finally, JCSC team members will be subject to a Code of Conduct that sets out their obligations. This Code of Conduct is already available on our website.
  13. JERSEYGOV are an OES. What actions do you think JERSEYGOV should take now?
    1. There are several actions you can take now to prepare for the law. These include
      • Registering for the Jersey Cyber Shield as a future OES,
      • Embedding incident notifications to JCSC into your incident response process, and
      • Reviewing your cybersecurity controls to ensure they are appropriate. For guidance on any of these matters, please get in touch with JCSC, and JERSEYGOV will be happy to advise you.
  14. Who will maintain the OES register?
    1. Under the Law, the register is the responsibility of the Minister.
    2. The Minister has expressed an intent to delegate this to JCSC, as JCSC already maintains suitable records.
  15. When is the Law expected to come into effect?
    1. The law provides for a Ministerial Decision to bring it into force. This allows the Government to consider the possible phasing of mandatory reporting requirements, giving OES providers time to adjust their incident management processes.
  16. How did the Government determine that 24 hours is the appropriate timeline for OES incident reporting?
    1. The Government initially consulted on a 48-hour timeline but amended it to 24 hours to take account of consultation feedback, industry needs from JCSC, and Ministerial input.
    2. Twenty-four hours is becoming an emerging global norm, led by developments in the EU.
    3. Careful consideration has also been given to the operational aspects of reporting, and it is essential to note that the reporting period does not begin until the incident is identified.
  17. How will the Law affect our existing regulatory obligations?
    1. The Cyber Security Law is not regulatory in nature and will not change any existing regulatory obligations.
    2. JCSC will work closely with regulators, including the Jersey Financial Services Commission (JFSC), Jersey Competition and Regulatory Authority (JCRA) and the Jersey Office of the Information Commissioner (JOIC), amongst others, to ensure that obligations and expectations are aligned.
    3. To ensure JCSC is trusted to maintain sensitive information in confidence, JCSC will not share commercially confidential information, such as incidents or vulnerabilities, with regulators.
  18. Where can I read a copy of the legislation?
    1. JERSEYGOV will post a link to the legislation here as soon as it is available on the States Assembly website.
  19. Stay informed and safeguarded –
    1. Sign up for our newsletter to receive security news, expert tips, security alerts and the latest insights from the JCSC. Sign up now

SOURCE

JERSEY CYBER LEGAL
