Jersey's New Cyber Law

I’m hoping that anyone in the Channel Islands – and Jersey in particular – with an interest in cyber security is familiar with the “Cyber Security (Jersey) Law 202-” (one hopes things don’t get dragged out and that the dash will become a 4 in due course), a new law that’s been drafted and is now out for consultation.

Now, I’ve said this before in articles I’ve written, but I’ve always been quite impressed with the Government’s record on consulting the populace when bringing in new laws, policies or standards. It’s refreshing that people with knowledge and valid opinions are asked to share what they think and know, and since the first consultation happened back at the beginning of 2022, it’s clear that the views given have been listened to.

Anyhow, I must stop bigging up the government and get back to the point. If you’re thinking that the new Cyber law is basically a copy-and-paste of the Data Protection laws with a few words changed, you’d be miles from the truth. The latter is liberally scattered with numbers like £5million and £10million for administrative fines handed to transgressors; the maximum fine for not doing as you ought in the new Cyber law is £10,000. Not quite peanuts, but not far from it.

And the point is that the primary purposes of the law are: (a) to establish the Jersey Cyber Security Centre (JCSC) as a thing in its own right, at arm’s length from the Government and with the powers it needs to help Jersey retain a good level of cyber security; and (b) to encourage organisations to report cyber breaches so JCSC has sight of what’s going on around the island, can see common threads to attacks that the island is suffering, and can do whatever’s feasible to try to reduce the risk or at least let organisations know what’s happening so they can take action themselves.

If all the law achieves is to get companies in Jersey to tell the JCSC about the attacks they’ve suffered, then it’s not a bad thing. I’m a massive believer in companies sharing their experiences of cyber attacks they’ve suffered (successful or otherwise), but it’s entirely understandable that companies don’t want to, for fear of reputational damage or even regulatory or legal sanctions. It feels that openness is becoming more and more the norm (in fact I’ll be at a conference later this year run by an organisation whose raison d’être is to collate and share information on cyber threats in the global financial services industry), but there’s still a long way to go before we achieve proper information sharing in the Channel Islands.

Could the law be stronger? Should it, to come back to a concept mentioned earlier, be a cyber version of the Data Protection law? I’ve banged on about the State of New York’s cyber law before – whose powers and requirements bear more than a passing resemblance to GDPR – which is impressive and scary in approximately equal measure. Should we be obliged by law to have a Chief Information Security Officer in certain circumstances? Should annual penetration tests on our internet-facing systems be mandated? Should it be compulsory to encrypt data in transit and at rest? It probably should, to be fair, but as always the expression “it depends” is the starting point.

And “it depends” for two reasons. The first is the size and nature of the business: if you’re a bank then it would be pretty bonkers not to have a CISO, but what if you’re a small insurance brokerage? And the second reason is that, even without a law, many of the organisations to which the law applies (“Operators of Essential Services”, or OESs as they’re called) already have to do a lot of cyber work in order to comply with the various other laws of the land, their internal policies, and the rules of their regulators. In my day job as CISO of an arm of a global bank I have a barrage of Group-defined and regulator-inflicted requirements to abide by with regard to cyber risk, so I don’t really need them all repeated in a local law. But adding a thin layer of law – which empowers JCSC and encourages/mandates us to give them the information and intelligence they need in order to understand and improve Jersey’s level of cyber security – doesn’t sound like a bad thing.

Should the law become stricter over time? Yes, probably: cyber risk is only going one way and that’s up, and it’s highly likely that at some point in the future it’ll make sense to add stuff that nobody’s thought of (or which helps deal with threats to/from future technologies that don’t exist right now). Is it perfect in its current form? No, and the team running the consultation acknowledge this (hence the consultation!). But on balance it’s a good idea, and I encourage anyone with an interest to dip into the consultation and take the opportunity to say your bit.

--Dave Cartwright

Dave Cartwright is Head of Technology Operations & Risk / Chief Information Security Officer for Santander in Jersey, and current Chair of the CIISF.