When regulated entities are part of a group structure, the CIMA Statement of Guidance requirements may be addressed within group-wide processes, policies or plans, provided that any specific cybersecurity risks to which the regulated entities are exposed are properly mitigated, and the governing body is able to fulfil its accountabilities under Section 8 of the CIMA Statement of Guidance, “Review of the Information Systems and Cybersecurity Framework”, and to its clients.
Regulated entities that rely on a group cybersecurity framework should receive written confirmation of certain details regarding the framework, at a minimum:
For regulated entities that are branches:
The oversight of outsourcing arrangements in relation to regulated entities that are branches may differ from arrangements in other regulated entities, given the different legal structure of a branch;
Branches may be covered by outsourcing arrangements entered into by their head office. However, the regulated entity remains ultimately responsible for its cybersecurity;
Regulated entities should assess the applicability of the various elements of the CIMA Statement of Guidance and the corresponding CIMA Rule bearing in mind the cybersecurity risks posed to their operations and clients by the outsourcing arrangement and ensure compliance with Section 13 “IT Outsourcing Arrangements” of the CIMA Statement of Guidance; and
Regulated entities should maintain an inventory of their own assets and a log recording their cyber-incidents, threats and attacks, so that they can properly assess the group-wide mitigation, containment and recovery efforts, mitigate their own cybersecurity risks and enhance their preventative efforts in the future.
Next week, we review:
Section 12: Employee Selection, Training and Awareness