Over the past 15 years, Jersey has joined the rest of the world in embracing numerous new technologies and systems, creating opportunities for the island’s economy and society. However, with these advancements come new risks, particularly in cyber security, as threat actors continuously evolve their tactics to exploit vulnerabilities and access sensitive data.

Robert Smith

Head of SaaS Sales and Customer Success

rsmith@thomasmurray.com

As an independent jurisdiction, Jersey faces a unique blend of risks. It manages its own critical infrastructure (power, water supplies, and healthcare), and the island’s economy relies heavily on professional industries that handle sensitive information, making it a potential target for cyber attacks with far-reaching consequences.

Jersey’s financial regulator (the Jersey Financial Services Commission) was rudely reminded of this in January 2024, when it discovered a bug had compromised its online registry system. The bug had been on the system for three years – that is, ever since the system was installed in January 2021.

As a result, users of the registry search portal could see the names and addresses of 67,000 beneficial owners, controllers, directors, members, nominated persons, and company secretaries that were not supposed to be made public. It is still not known whether threat actors have used this information.

Meeting the challenges

The Government of Jersey established the Jersey Cyber Security Centre (JCSC) in 2021 as part of the Department for the Economy. The JCSC works to prevent, protect, and defend the island against cyber threats. Jersey is now establishing a legal framework to support the JCSC’s aims without imposing ‘undue burdens on industry’ – the Cyber Security (Jersey) Law (CSJL).

Consultations and reporting standards

The law introduces reporting standards for operators of essential services (OES), i.e., the critical organisations obligated to enhance cyber security and promptly notify JCSC and customers of significant cyber incidents.

To ensure broad stakeholder engagement, the Government and JCSC are conducting consultations, with specific focus on OES requirements. Feedback from these consultations will inform the final version of the CSJL, which is intended to be the product of a collaborative effort.

The second round of consultation on the proposed CSJL closed at the end of April 2024. That consultation sought feedback from OES, and the next consultation phase (scheduled for Q3 2024) will focus on how OES are going to implement the requirements of Part 4, Part 5, and Schedule 3 of the CSJL.

The draft legislation defines the role and accountability of the JCSC as an operationally independent body, empowered to collaborate with organisations in confidence in the event of cyber incidents. Additionally, it establishes a Technical Advisory Council (TAC) to provide expert guidance, and mandates regular reporting to ensure transparency.

Who are the OES and who will be most affected?

For the purposes of the CSJL, an OES is defined as, “any service which is essential for the infrastructure of Jersey or the maintenance of critical societal or economic activities in Jersey.”

This includes utilities such as water and power, and infrastructure services like transport and communication. Crucially, it also covers financial services.

The list extends to all financial service establishments engaged in trust companies, investment businesses, money services, fund services, and general insurance mediation, along with banks. All must incorporate the anti-cyber-crime measures outlined in the CSJL for their network and information systems.
