Risk Monitoring and Reporting
Regulated entities should:
- Document and implement monitoring/surveillance and detection policies, techniques and systems (e.g., firewalls, anti-virus, Security Information and Event Management (“SIEM”), etc.);
- Ensure that cybersecurity metrics are developed and monitored;
- Perform ongoing reporting to the governing body (Board Members) of significant risks, status of containment and recovery actions and plans; and
- Ensure periodic reviews and updates of cybersecurity risk management processes are carried out.
Incident Response
Regulated entities should:
- Document policies and procedures for responding to cybersecurity incidents (e.g., Cyber Incident Response Playbooks for data breaches, phishing attacks, malware attacks, Denial of Service (“DoS”), etc.);
- Maintain an appropriate log or enable audit trails;
- Establish a post-incident response review process for material cybersecurity incidents; and
- Document, implement and communicate to staff an escalation process for reporting IT and cybersecurity issues/incidents.
Containment and Recovery
Regulated entities should:
- Establish containment and recovery policies and procedures (e.g., Backup and Test Restore, Disaster Recovery Plan, etc.); and
- Ensure that the containment and recovery plan enables operations to be resumed in a responsible manner.