AGAINST the background of more than 49 million cyber attack attempts in Jamaica last year, up from the 12 million recorded in 2022, the Government is moving to develop a new cyber security law.

Minister with responsibility for science, technology and special projects Dr Andrew Wheatley made the announcement in the House of Representatives on Tuesday during his contribution to the sectoral debate.

Wheatley also announced the establishment of a National Cybersecurity Coordination and Assurance Council (NCCAC) to serve as the central coordination and delivery authority for Jamaica’s national cybersecurity posture.

“NCCAC is lean and time-bound, a 24-month mandate housed within the Office of the Prime Minister reporting through me to the prime minister,” Wheatley said.

“It is not a new bureaucracy. It is the engine of coherence. Its specific mandate is to take every cybersecurity asset Jamaica already possesses — every standard, every plan, every unit, every dollar of investment — and convert them into a coordinated, accountable, measurable national capability,” added Wheatley.

He told the House that the groundwork for the new cybersecurity law has been laid, and reminded that in July 2024 a comprehensive legislative drafting instructions matrix for Jamaica’s Cybersecurity Act was completed, it being one of six documents produced to strengthen Jamaica’s national cybersecurity ecosystem in preparation for the Inter-American Development Bank (IDB) and the United States Agency for International Development (USAID) investment programme.

Wheatley said a cybersecurity policy and legislative gap assessment will be completed within the first four months of the new national governance framework, drafting instructions will be finalised by month six, while Cabinet submissions on the full legislative package are targeted for months nine through 12.

Among other things, the new law will establish the National Cybersecurity Directorate in statute, giving Jamaica’s permanent cybersecurity authority a legal foundation that Wheatley said “no future change in Administration can quietly dismantle”.

According to the technology minister, it will create a formal framework for designating and protecting critical information infrastructure — the systems whose failure would cause serious harm to national life, energy, banking, telecommunications, health, and government.

“It will mandate minimum cybersecurity standards across regulated sectors, with the authority to enforce compliance. It will create clear obligations for incident reporting, responsible disclosure of vulnerabilities, and the regulation of cybersecurity service providers operating in Jamaica,” he said.

Regarding the near 50 million cyber attack attempts in 2025, Wheatley noted that critical government systems and institutions have been targeted. He reminded that a data breach on a major government digital platform exposed the personal information of hundreds of thousands of Jamaicans.

“These are not warnings, these are results,” he said.

The minister shared that a 2012 assessment of Jamaica’s cyber maturity rated the country at just 40 per cent of the maximum score. This, he said, “contrasts with the regional leader who is at 70 per cent. The gap is real, it is structural and it must be closed”.

Wheatley noted that the Government has been responding and has already completed the Jamaica Cyber Security Standards Framework. Additionally, the National Cyber Instant Response Plan has been tested and ready. With US$10 million secured through the Strengthening Cyber Security in Jamaica Project, which is backed by the IDB and USAID, the project is approved and ready for deployment through 2029.

Meanwhile, Wheatley said the Administration is about to embark on its third cybersecurity strategy, after the 2021-2025 plan expired. It replaces the 2015 plan and, as noted by the minister, “has served Jamaica well”. He said the strategy built on the five strategic goals — to protect, deter, build, partner, and govern — must evolve, especially since the current threat landscape is not the same as it was in 2021.

“Artificial intelligence is now being weaponised by attackers; supply chain compromise has become the primary concern of large organisations globally; critical information infrastructure protection has moved from aspiration to operational necessity,” he said.

“Hurricane Melissa reminded us that cybersecurity and resilience are not separate disciplines — they are one,” Wheatley argued.

He assured the House that Jamaica is committed to entering its third National Cyber Security Strategy cycle built on stronger foundations, clear governance, and a permanent national cybersecurity directorate at the helm.