The ultimate responsibility and accountability for outsourcing arrangements and other third-party dependencies remain with regulated entities. Material outsourcing arrangements, including those involving critical Information Technology (IT) service providers, should therefore be approved by the regulated entity's governing body.
Where regulated entities outsource to a professional security service provider (e.g., a Security as a Service (SaaS) firm), mechanisms should be in place to allow the governing body and senior management to confirm that cybersecurity is being properly monitored and that deficiencies are addressed in a timely manner. Reports from third-party service providers should be circulated to the governing body and senior management on a regular basis for review and compliance checks.
The following steps should be considered:
- Due diligence must be carried out prior to the appointment of a service provider. The due diligence process should include any related subcontracting arrangements;
- Contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all service providers should be set out in formal agreements;
- Contractual agreements with the service provider should confirm that CIMA or its authorised agent can perform an assessment of the service provider’s IT systems and cybersecurity control environment associated with the outsourced service(s) being carried out on behalf of the regulated entity;
- Regulated entities should require the service provider to have or implement cybersecurity policies, procedures and controls that are at least as stringent as those they would expect for their own operations;
- Regulated entities should monitor and review the cybersecurity policies, procedures and controls of the service provider on a regular basis;
- Outsourcing agreements should require the service provider to have, or to develop and establish, a cybersecurity incident recovery contingency framework which defines its roles and responsibilities for documenting, maintaining and testing its contingency plans and recovery procedures;
- The service provider’s disaster recovery plan (DRP) for regulated entities should be reviewed, updated and tested periodically to reflect changes in technology, cybersecurity and operational requirements;
- Regulated entities should ensure that the DRP is shared with relevant stakeholders (e.g., relevant business units, call centres, senior management, governing body, etc.) and that stakeholders are sufficiently trained on the recovery plan execution steps; and
- Regulated entities should ensure that there is an exit strategy in place in the event that the relationship with the service provider is terminated.