Matthew Shaxson
Group Partner, Ogier Legal L.P. | Legal
Jersey
Group Partner, Ogier Legal L.P.
Jersey
No Content Set
Exception:
Website.Models.ViewModels.Components.General.Banners.BannerComponentVm
The Government of Jersey Department for the Economy has completed its consultation process on the new draft Cyber Security (Jersey) Law 202-.
This follows receipt of feedback from a range of entities that are proposed to be Operators of Essential Services under the draft law, along with other stakeholders and interested parties.
This article is an update to our previous article from 11 March 2024: Latest news on the draft cyber security law for Jersey. Please refer to that article for background on the policy motivation behind the draft law, the proposals in the draft law and our summary of how the draft law is proposed to be engaged in the event of a cyber incident.
In this article, co-chair of Ogier's Regulatory group in Jersey Matthew Shaxson, managing associate Tom Hall and associate Michael Ogilvy Watson explore the draft law in light of the consultation response and its implications for banks, trust company service providers and fund services businesses providing a service of that kind in Jersey. They will be referred to in this article as Banking and Financial Service Providers.
The Department for the Economy specifically requested feedback on the following areas during the consultation process:
The consultation response has recently been published and a number of amendments have been proposed to the draft law by the Department for the Economy in light of the consultation response, to be incorporated in the draft law before it is laid before the States Government in the near future.
The following three changes have been proposed for the draft law in the consultation response:
Despite what we understand to be relatively strong opposition from industry in the consultation feedback, Banking and Financial Services Providers remain designated as OES.
There was a feeling that provision could be made to require Banking and Financial Services Providers to enhance their cyber security resilience by bolstering their existing regulatory duties, rather than creating further duties pursuant to the draft law.
However, it seems that they will nonetheless remain designated as OES, but it remains to be seen how the Banking subsector threshold will be refined and when a further consultation process might take place in relation to the appropriate threshold for the Financial Services subsector. For now, it seems that they will be included without a minimum threshold.
Under the draft law, professional services firms (other than those falling within the definition of Banking and Financial Service Providers) were not included as OES.
It was felt by a number of respondents to the consultation response that the professional services sector, notably accountants and law firms, ought to be included as OES. This is presumably on the basis that the professional services sector makes a significant economic contribution, may (in the event of a cyber incident) have an adverse reputational impact on Jersey and / or holds special category data – these factors appear to be the practical (if not technical) thresholds applied for determining OES.
There are no current proposals to update the draft law to include the professional services sector. However, it is important to note that, as acknowledged by question one of the consultation response, the Minister may by Order (after enactment of the draft law) amend the definition of a cyber threat, and thus the scope of OES, albeit that this would likely only follow further round(s) of consultation with key stakeholders.
The consultation response acknowledges that it is not currently the policy intent to adopt a similar reporting policy as is seen in other jurisdictions, which requires a shorter time frame for the initial response and an obligation to submit updated information and a final report, again within specified time frames. This will be welcome news to prospective OES as this will reduce the reporting burden. Should the policy intent change, it would be subject to further consultation.
Similarly, the consultation response acknowledges a duty to report to the JCSC will overlap with existing reporting requirements, for example to the JFSC and the Information Commissioner for Jersey. It is proposed that guidance will be developed and published before the draft law is enacted as to how OES ought to comply with these overlapping reporting requirements.
The consultation response clarifies that whilst there is an attraction to a "report once" approach (that is to say, one report to satisfy all legal and regulatory reporting requirements), that is not currently envisaged albeit the Department for the Economy may consider this further in the future.
After divisive feedback about the appropriate deadline for self-reports in the event of a "significant" cyber incident, the deadline will remain 48 hours after the OES identifies that the cyber incident is "significant". The JCSC intends to host a number of workshops to assist OES to understand what "significant" means.
The JCSC remains of the view that a self-report within the first 12 hours of identifying a "significant" cyber security incident is likely to be of greatest benefit to monitor the scale and impact of the incident, and most effectively combat it.
It is proposed that the duties on OES will take effect three months after the draft law is enacted. This should provide OES with some time to consider guidance that is likely to be issued in short order by the JCSC post-enactment of the draft law to better understand how the duties will impact on their specific sector.
The consultation response highlights (among others) the following eight amendments to the draft law following the consultation:
If you have any questions about the draft cyber security law, please do not hesitate to contact any of the authors of this briefing.
Matthew Shaxson
Group Partner, Ogier Legal L.P. | Legal
Jersey
Group Partner, Ogier Legal L.P.
Jersey
Tom Hall
Managing Associate | Legal
Jersey
Managing Associate
Jersey
Michael Ogilvy Watson
Associate | Legal
Jersey
Associate
Jersey
Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.
This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.
Regulatory information can be found under Legal Notice
Sign up to receive updates and newsletters from us.
Sign up
No Content Set
Exception:
Website.Models.ViewModels.Blocks.SiteBlocks.CookiePolicySiteBlockVm