FSC extends bank-standard cyber rules to entire financial sector
The Financial Services Commission (FSC) has brought its long-awaited cyber governance rules into force, effective October 1, 2025, placing insurers, pension funds, and securities dealers under the strictest cybersecurity accountability framework in Jamaica’s history.
The new Industry Guidance on the Management of Cyber Risks imposes formal obligations such as reporting material breaches within 72 hours to both the FSC and the Bank of Jamaica (BOJ), ensuring board-level oversight of cybersecurity controls, and requiring mandatory external audits at least every other year. The framework closes a significant regulatory gap, extending the cyber resilience standards first applied to banks by the BOJ in 2023 across the entire financial system.
Even before the rules took effect, major financial groups had begun embedding board-level cyber oversight. Corporate disclosures suggest the sector will not be caught unprepared. VM Investments Limited reported that all its directors underwent cybersecurity training in 2024, while Sagicor Group Jamaica’s board committees already integrate cyber-threat monitoring into their risk reports — clear steps toward pre-emptive regulatory alignment.
This move by the FSC creates a unified national defence posture, mandating a consistent approach to identifying, managing, and mitigating cyber risk. The guidance enshrines a “Four Lines of Defence” model, making senior management and boards directly responsible for cyber strategy and culture, with independent audit functions providing mandatory assurance to the regulator.
The new policy aims to harden Jamaica’s financial system against rising cyberattacks targeting banks, insurers, and pension administrators. It comes amid what global cybersecurity experts describe as an “arms race” between regulators and hackers, as financial systems across small economies become increasingly digitalised.
Industry readiness
The Private Sector Organisation of Jamaica (PSOJ) has welcomed the new framework as “timely and necessary,” but warns that readiness is not uniform across the sector. According to the PSOJ, the country’s larger, well-resourced financial groups had largely aligned with the standards ahead of the deadline, but many smaller and mid-tier firms are still struggling to build the technical skills and governance structures needed to meet the new standards.
“Readiness is not uniform across the private sector,” the PSOJ noted. “Policy success will depend on how well businesses are supported in bridging those governance and technical gaps.”
The organisation also highlighted the cost of compliance as a potential hurdle, especially for smaller institutions that may find the audits, testing and staff training requirements financially burdensome. It called for fiscal incentives, shared compliance services, or phased implementation to help level the playing field.
Yet it stressed that strong cyber governance should not be viewed as a cost, but as “an investment in trust, operational continuity, and competitiveness in the digital economy.”
How cyber resilience strengthens trust
The FSC’s framework mandates a shift from theoretical plans to active testing. Technology specialists like Fujitsu Caribbean’s chief executive Mervyn Eyre explain that tabletop simulations — where managers simply discuss what to do in a cyber crisis — are no longer enough.
“Adversarial attack simulations demonstrate what a hacker can actually achieve, while tabletop exercises only show how an organisation might react,” Eyre said. “Institutions who regularly perform attack simulations tend to be more prepared, because they’ve stress-tested their entire coordination and recovery efforts.”
He warned that the most common vulnerabilities the framework aims to root out in Jamaican institutions are misconfigured systems, weak access controls, and unpatched software, problems that affect both large and small financial firms and require continual monitoring.
Governance culture shift
Financial analysts view the rules as part of a broader redefinition of corporate accountability. By binding cybersecurity directly to board oversight, the FSC is requiring directors to understand digital risk in much the same way they understand balance sheet risk. The PSOJ has backed this approach, describing it as a “cultural shift toward modern governance,” noting that boards must evolve to include digital competence alongside financial expertise.
To enforce this, the FSC’s model places responsibility in four connected layers — from operational teams through to external assurance and cross-sector coordination. Regulators say that approach will make firms more resilient and improve public confidence in the financial system.
Broader national impact
Cyber governance now joins data protection, anti-money-laundering, and prudential standards as the fourth pillar of Jamaica’s financial integrity framework. It also supports the country’s National Cybersecurity Strategy and dovetails with reforms such as the Data Protection Act and digital identity initiative.
The ultimate goal, policymakers say, is to foster a trusted digital economy where ordinary Jamaicans can feel secure storing, transferring, and investing money online.
The implementation makes it clear: securing Jamaica’s cyber future will rely as much on boardroom leadership and public-private collaboration as on firewalls and encryption.
