Against a alarming four-fold surge in cyber attack attempts targeting Jamaica over the past two years, the Jamaican government has launched a comprehensive national initiative to strengthen the country’s cyber defenses, including a binding new cybersecurity law and a dedicated coordination council.
The alarming escalation of threats saw more than 49 million attempted cyber intrusions recorded across Jamaica last year, a sharp jump from just 12 million documented attacks in 2022. Critical government systems have been the primary target of bad actors, with one high-profile breach of a major government digital platform already exposing the sensitive personal data of hundreds of thousands of Jamaican citizens.
Dr. Andrew Wheatley, Jamaica’s Minister with oversight for science, technology and special projects, outlined the full scope of the government’s response during an address to the House of Representatives on Tuesday, as part of the body’s annual sectoral debate. Central to the new plan is the creation of the National Cybersecurity Coordination and Assurance Council (NCCAC), a time-bound central authority embedded within the Office of the Prime Minister that will operate with a 24-month mandate, reporting to the Prime Minister through Wheatley.
Wheatley emphasized that the new body is not intended to expand government bureaucracy, but to act as a unifying engine to align existing national cybersecurity resources. “Its specific mandate is to take every cybersecurity asset Jamaica already possesses — every standard, every plan, every unit, every dollar of investment — and convert them into a coordinated, accountable, measurable national capability,” he explained to lawmakers.
Foundational work on the new national Cybersecurity Act is already complete, with a full legislative drafting matrix finalized in July 2024 as part of preparations for a multi-million dollar investment programme backed by the Inter-American Development Bank (IDB) and the United States Agency for International Development (USAID). Under the government’s rolling implementation timeline, a full policy and legislative gap assessment will be wrapped up within the first four months of the new governance framework, with final drafting instructions completed by month six. Cabinet is scheduled to receive the full legislative package for review between months nine and 12.
Once enacted, the new law will formally codify the existence of the National Cybersecurity Directorate, enshrining Jamaica’s permanent cybersecurity authority in statute. This legal foundation ensures that “no future change in Administration can quietly dismantle” the country’s core cyber defense infrastructure, Wheatley noted. The legislation will also introduce a formal regulatory framework for identifying and protecting critical information infrastructure — the digital systems whose disruption would cause catastrophic harm to core national functions including energy distribution, banking, telecommunications, public health services and government operations.
Key provisions of the new law will require all regulated sectors to meet mandatory minimum cybersecurity standards, grant the directorate enforcement authority to ensure compliance, mandate timely reporting of cyber incidents, establish rules for responsible disclosure of system vulnerabilities, and formalize regulation for private cybersecurity service providers operating within Jamaica’s borders.
The urgency of the reforms is underscored by long-standing gaps in Jamaica’s cyber maturity. A 2012 national assessment rated the country’s cyber defense capacity at just 40% of the maximum benchmark score, a stark contrast to the 70% score achieved by the region’s leading cyber-secure nation. “The gap is real, it is structural and it must be closed,” Wheatley told the House.
In recent years, the government has already laid critical groundwork for the overhaul: the Jamaica Cyber Security Standards Framework is complete, the National Cyber Instant Response Plan has undergone successful testing and is ready for deployment, and US$10 million in funding has been secured through the IDB- and USAID-backed Strengthening Cyber Security in Jamaica Project. The initiative is formally approved and will roll out through 2029.
With the expiration of the 2021-2025 National Cyber Security Strategy, the government is preparing to launch its third iteration of the national strategy, replacing the outgoing plan that succeeded the 2015 framework and “has served Jamaica well,” according to Wheatley. The original five-pillar structure focused on protection, deterrence, capacity building, cross-sector partnership and governance, but the evolving threat landscape demands a revised approach.
“Artificial intelligence is now being weaponised by attackers; supply chain compromise has become the primary concern of large organisations globally; critical information infrastructure protection has moved from aspiration to operational necessity,” Wheatley said. He also highlighted that extreme weather events like Hurricane Melissa have made clear that cybersecurity and national disaster resilience are inextricably linked, not separate policy areas.
Closing his address, Wheatley assured lawmakers that Jamaica is on track to launch its third national cybersecurity strategy built on stronger institutional foundations, clearer governance structures, and anchored by a permanent, statutory national cybersecurity directorate leading the country’s defense against growing digital threats.