Key Learnings: Cyber Security and Resilience in Financial Services
In an informative lunch and learn session, Matt Palmer, Director of the JCSC and GCSC, delivered a briefing on Jersey’s evolving cyber security strategy. He outlined the forthcoming Cyber Security (Jersey) Law and shared practical guidance for financial services organisations on strengthening resilience in the face of emerging digital threats.
Building Strong Foundations
The JCSC was established in 2021 and formally launched in 2023 as the Island’s central cyber defence capability. With the new Cyber Security (Jersey) Law expected in 2026, Jersey aims to be internationally recognised as a safe and secure jurisdiction to live and do business online.
Key features of the new law include:
- Formalising JCSC’s role and accountability
- Obligations for Operators of Essential Services (OES) including utilities, transport, health, public administration and certain digital services
- Mandatory incident reporting for OES organisations within 24 hours of significant incidents
Understanding the Threat Landscape
The cyber threat environment is increasingly complex, shaped by geopolitical tensions, organised cybercrime groups using AI, rising risks in supply chains and cloud reliance.
In 2024, JCSC handled 45 cyber incidents, three of which were significant. A recurring issue was unpatched systems, underlining the importance of robust vulnerability management.
Key Lessons for Financial Services
Financial services organisations, while often mature in their cyber practices, remain attractive targets.
Lessons highlighted include:
- Even large organisations are vulnerable, as demonstrated by the JFSC incident
- Data has value – organisations should protect it as if attackers value it more
- Supply chain risk needs thorough assessment, especially with APIs and client access points
- Testing incident response plans is critical to ensuring effective action during a real event
The UK’s new Cyber Governance Code of Practice was recommended as a board-level tool that aligns with global frameworks.
Responding to Emerging AI-Enabled Threats
The rise of deepfakes, AI-driven scams and highly convincing fraud means that traditional indicators such as spelling errors or poorly formatted emails are no longer reliable. Attacks increasingly exploit emotional manipulation, urgency and impersonation of trusted contacts.
Practical Steps for Organisations
Matt Palmer shared clear, actionable recommendations for financial services organisations:
- Adopt Cyber Essentials controls across the business
- Use multi-factor authentication (MFA) on all staff and client portals
- Encrypt communications, including emails (Mail Check – NCSC.GOV.UK)
- Avoid requesting sensitive information by email
- Prepare for AI-driven threats and adapt defences accordingly
- Don’t just rely on employee training or phishing simulations
- Embed JCSC reporting into incident response plans and ensure these are regularly tested
Looking Ahead
Collaboration and proactive reporting will be central to Jersey’s cyber strategy. While not all financial services organisations are designated OES, early engagement with JCSC and adoption of best practices can significantly strengthen resilience.
To stay ahead of developments, organisations are encouraged to subscribe to updates via the JCSC.
The JCSC are hosting a free Cyber Simulation event for financial services on 13 October 2025.
Other useful resources
Report a cybersecurity incident
Incident Classification Matrix
Jersey Cyber Shield
Jersey Evening Post Cyber Matters JCSC Update
JCSC free Cyber Simulation event
Matt PalmerDirector, Jersey & Guernsey Cyber Security Centres
