
Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #15 | Cybersecurity Rules and Statement of Guidance for Regulated Entities from the Cayman Islands Monetary Authority (CIMA)

In light of the growing cyber threats to the financial industry, the Rules and Statement of Guidance require entities regulated by CIMA to establish a cybersecurity program and comply with the related requirements.

Statement of Guidance

The Statement of Guidance emphasises the importance for the regulated entities to ensure that robust cybersecurity measures are in place and that they can appropriately identify, protect, detect, respond to and recover from such cybersecurity-related threats, incidents and breaches.

Regulated entities should:

  1. Implement the Statement of Guidance in proportion to their cyber risk profile (size, nature and complexity of their business), following an appropriate assessment of their Information Technology (IT) and cybersecurity risks; 
  2. Ensure that the governing body (Board of Directors) and senior management are aware of their duties and responsibilities relating to cybersecurity;
  3. Notify CIMA in writing of an incident when it is deemed to have a material impact or has the potential to become a material incident, no later than 72 hours following the discovery; and
  4. Demonstrate that data protection is part of their strategy and cybersecurity framework, taking into consideration the provisions of the Cayman Islands Data Protection Law (DPL) and the guidance issued by the Office of the Ombudsman on data protection.

Rules

The cybersecurity framework of regulated entities must include, but is not limited to, the following:

  1. A well-documented cybersecurity risk management strategy approved by the governing body;
  2. Cybersecurity and IT security policies and procedures (e.g., Information Security Policy, Acceptable Use Policy etc.);
  3. Clearly identified managerial responsibilities and controls; and
  4. Clear, documented and effective processes for responding to, containing and recovering from cyber-attacks, breaches and incidents as quickly as possible (e.g., Cyber Incident Response Playbooks for Data Breaches, Malware Attacks, Phishing Attacks etc.).

Whenever there has been a breach of these Rules and Statement of Guidance, CIMA’s policies and procedures as contained in its Enforcement Manual will apply, in addition to any other powers provided in the regulatory laws and the Monetary Authority Law (MAL).


Section 15: Cybersecurity Framework Review by the Authority

Section 16: Notification Requirements