Jamaica’s financial sector just entered a new era of digital accountability. As of October 1, 2025, all non-bank financial institutions — including insurers, securities firms, and pension administrators — are now bound by an unprecedented set of cybersecurity governance rules enforced by the Financial Services Commission (FSC).

This isn’t a suggestion. It’s a regulatory overhaul.

The new directive establishes board-level responsibility for digital risk, mandates independent cyber audits every two years, and enforces breach-reporting protocols within a strict 72-hour window. Both the FSC and the Bank of Jamaica (BOJ) must be notified in the event of a material compromise. The aim? Lockstep cyber resilience across every corner of Jamaica’s financial apparatus.


Closing the Gaps Left by the BOJ’s 2023 Framework

Until now, the BOJ’s cyber rules applied almost exclusively to banks. The FSC’s new policy levels the playing field, plugging critical gaps in oversight. It’s a strategic move, transforming fragmented cyber readiness into a unified defensive perimeter.

For some, the adjustment is evolutionary. Large firms like Sagicor Group Jamaica and VM Investments Limited have already integrated cyber-threat oversight into their board agendas. Others — especially smaller outfits — are scrambling to catch up, now facing the costly realities of compliance: audits, breach simulations, software patching, and staff upskilling.


A Four-Tiered Chain of Command

The FSC’s guidance enshrines a “Four Lines of Defence” architecture:

  1. Operational Management – ensuring basic hygiene: secure configurations, patching schedules, and access control.
  2. Internal Oversight – risk teams embedded within firms to challenge and validate technical controls.
  3. Independent Auditors – required to provide external assurance on cyber resilience.
  4. Regulatory Coordination – linking the FSC and BOJ into incident response cycles.

Boards can no longer delegate digital risk blindly. They are expected to interpret it, plan for it, and defend against it — just like credit risk or liquidity exposure.


The Rise of Active Resilience

Fujitsu Caribbean’s CEO Mervyn Eyre issued a blunt warning: “Tabletop exercises are obsolete.”

Under the new paradigm, cyber governance isn’t theoretical. It’s kinetic. Real-time breach simulations and red-team attacks are now the gold standard. These stress-test institutional nerve systems under fire — exposing weak access controls, misconfigured environments, and legacy vulnerabilities.

Firms that limit themselves to policy documents and roleplay are already behind.


Trust as a National Asset

The Private Sector Organisation of Jamaica (PSOJ) supports the shift, describing it as “urgently necessary.” But it’s also sounding the alarm: readiness is not universal.

Mid-sized and boutique firms face the dual challenge of building digital competence while shouldering the rising cost of compliance. PSOJ has floated the idea of shared cybersecurity infrastructure, fiscal incentives, and phased rollouts to avoid a “compliance cliff.”

But one thing is clear — Jamaica’s future as a digital financial hub hinges on trust. That trust will not be built with firewalls alone. It requires leadership in the boardroom, credible assurance mechanisms, and relentless operational vigilance.


Cybersecurity Joins the Pillars of Financial Integrity

With this move, Jamaica’s financial regulatory regime now rests on four interconnected legs:

  • Prudential Oversight
  • Anti-Money Laundering
  • Data Protection
  • Cyber Governance

The FSC’s rules directly complement the Data Protection Act, the upcoming national digital ID rollout, and the government’s broader National Cybersecurity Strategy.


The New Standard Is Set

This isn’t just compliance theatre. It’s a structural reset — one that elevates cybersecurity from the basement server room to the boardroom. Financial firms unwilling to evolve may soon find themselves out of step with not just regulation, but relevance.

Jamaica’s message is unmistakable: Cyber risk is systemic risk. And systemic risk now requires systemic control.
