Insight #9 | Section 11: Intra-Group
When regulated entities are a part of a group structure, the CIMA Statement of Guidance requirements may be addressed within group wide processes, policies or plans, provided that any specific cybersecurity risks that the regulated entities are exposed to are properly mitigated, and the governing body is able to fulfil its accountabilities under Section 8 of the CIMA Statement of Guidance “Review of the Information Systems and Cybersecurity Framework” and to its clients.
Regulated entities that rely on a group cybersecurity framework, should receive written confirmation of certain details regarding the framework, at a minimum:
- A declaration that an appropriate cybersecurity framework has been implemented that considers and mitigates any risk to the regulated entity;
- An agreement that the regulated entity can provide input in developing or revising the framework in respect of their needs and the needs of their clients, as necessary;
- A receipt of sufficient information to satisfy themselves that the group’s framework aligns with their business strategy, risk tolerance, clients’ needs and that the cybersecurity risks and threats are properly assessed, monitored, managed and mitigated and allow for appropriate containment and recovery;
- An ability to request additional information, as necessary to identify and monitor any group wide risk that may impact the regulated entity as well as their own identified cybersecurity risks;
- An agreement that protective technologies will be made available to assist with monitoring, assessing, and detecting, as necessary;
- Details of any outsourced IT or cyber–related matters that may directly impact the regulated entity’s business and cybersecurity risks including pertinent details as outlined in Section 13 “IT Outsourcing Arrangements” of the CIMA Statement of Guidance;
- The end of support dates or replacement of any technology that may directly impact the regulated entity’s cybersecurity; and
- Appropriate third–party contracts and service levels agreements are in place.
For regulated entities that are branches:
The oversight of outsourcing arrangements in relation to regulated entities that are branches, may differ from arrangements in other regulated entities, given the different legal structure of a branch;
Branches may be covered by outsourcing arrangements entered into by their head office. However, the regulated entity remain ultimately responsible for their cybersecurity;
Regulated entities should assess the applicability of the various elements of the CIMA Statement of Guidance and the corresponding CIMA Rule bearing in mind the cybersecurity risks posed to their operations and clients by the outsourcing arrangement and ensure compliance with Section 13 “IT Outsourcing Arrangements” of the CIMA Statement of Guidance; and
Regulated entities should maintain an inventory of their own assets and a log that confirms their cyber-incidents, threats and attacks so that they can properly assess the group wide mitigation, containment and recovery efforts to allow them to mitigate their cybersecurity risks and enhance their preventative efforts in the future.