Cyber security law passed

Essential services in Jersey, including banks, utilities, GPs and government services, will be legally obliged to report significant cyber security incidents.

They could otherwise be fined up to £10,000 under new legislation approved by the States Assembly.

The Cyber Security Law was proposed in November, as a framework for strengthening the island's resilience against cyber threats and safeguarding critical infrastructure.

It makes the existing Jersey Cyber Security Centre a national authority that will issue guidance and standards organisations should follow.

The biggest impact of the proposed law will be on organisations which are deemed to provide "essential services" for the island, including energy, transport, finance, health, water, telecoms/public communications, digital services, food production and retail.

They will be required to take "appropriate and proportionate" security measures to identify threats, reduce risk, prepare for incidents and keep services running.

They will also have to report significant cyber incidents to JCSC within 24 hours of becoming aware of them.

Initially, non-ministerial government departments - such as the Bailiff's department, States Greffe and Law Officers' department - will not be included in the obligations but are under consideration for future inclusion.

Deputy Moz Scott, Assistant Economic Development Minister with delegated responsibility for cyber security, told the States the threat and risks of cyber attacks are ever-growing:

"It is only a matter of time before Jersey's critical services are targeted.

"We, as the States Assembly, must do all we reasonably can to raise our island's cyber resilience by providing early warnings and helping people to recover quickly from attacks.

"A single vulnerability can lead to a total business collapse. This is why every Jersey business - large or small - needs to be encouraged and supported in taking proactive steps to protect itself."

The law, which was passed unanimously, is expected to come into force later this year.

JCSC director Matt Palmer said any organisation that thinks it may be affected by the proposed law can contact them for advice.

"We recognise that it’s Operators of Essential Services who will be most affected by the Cyber Security (Jersey) Law, and we will be running workshops to develop appropriate, useful guidance. 

"I would urge any businesses who think that they may qualify as an OES to contact JCSC so they can understand what they’ll need to do once the law comes into force."