Cybersecurity Statement of Guidance for Regulated Entities
Weekly insights from CIMA’s Cybersecurity Guidance
Insight #3 | Section 6: Cybersecurity Framework
The Information Systems and Cybersecurity Framework. Regulated entities are required to implement measures to ensure Confidentiality, Integrity and, Availability (CIA) of their data and systems.
Regulated entities are required to establish, implement, and maintain a risk–based cybersecurity framework that identifies, measures, assesses, reports, monitors and controls or minimizes cyber risks and complies with the related requirements at a minimum.
A cybersecurity framework must include the following key areas:
- A well-documented cybersecurity risk management strategy approved by the governing body and aligns with their risk appetite and risk tolerance levels and consumer/client protection responsibilities;
- Documented cybersecurity and IT security policies and procedures (e.g., Information Security Policies, Acceptable Use Policies, Incident Management Policy, etc.);
- Clearly identified managerial responsibilities and controls; and
- Clearly documented processes for responding to, containing and recovering from cyber attacks (e.g., Cyber Incident Response Playbooks for Data Breaches, Phishing Attacks, Malware Attacks, etc.).
In addition, the regulated entities must ensure that an internal audit function or alternative option is in place to provide an independent assurance of their cybersecurity framework, regularly and in a timely manner.
