18 September 2020
The Cayman Islands Monetary Authority (CIMA) has updated its Rule and Statement of Guidance – Cybersecurity for Regulated Entities following feedback received during a private sector consultation. The rule, which sets out CIMA's requirements in relation to the management of cybersecurity risks, is a clear and precise directive that creates binding obligations, the breach of which may lead to a fine or regulatory action being taken by CIMA. The statement of guidance (SOG) is intended to assist relevant entities in their compliance with the rule and represents a measure against which CIMA will assess such compliance and implementation. The rule and SOG will come into effect on 27 November 2020.
The rule applies to entities regulated by CIMA (including controlled subsidiaries) under:
Investment funds are not within the scope of the rule or the SOG.
The rule requires regulated entities to:
establish, implement and maintain a documented cybersecurity framework that is designed to promptly identify, measure, assess, report, monitor and control or minimise cybersecurity risks, as well as to respond to and recover from cybersecurity breaches that could have a material impact on their operations.
A 'cybersecurity framework' is defined as "a complete set of organizational resources including policies, staff, processes, practices and technologies used to assess and mitigate cyber risks; and respond to and recover from cyber attacks".
CIMA's feedback statement, published following the private sector consultation, emphasises that the rule and the SOG are not intended to be prescriptive regarding the methods that a regulated entity uses to establish, implement and maintain its cybersecurity framework. Rather, regulated entities are expected to develop a cybersecurity framework that takes into consideration the size and complexity of their business and the nature of their cyber-risk exposures.
In addition, CIMA has clarified that it expects regulated entities to have in place measures that not only mitigate cyber risks and cybersecurity breaches, but also allow regulated entities to respond to and recover from cyberattacks effectively.
The rule sets out a non-exhaustive list of factors that should be included in a regulated entity's cybersecurity framework. These include:
A cybersecurity framework can be implemented on a consolidated basis across a corporate group. In such instances, the framework can be applied to the regulated entity, its parent company and its subsidiaries (as applicable) as long as it covers, at a minimum, the requirements set out in the rule.
As part of its overall cybersecurity risk management strategy, a regulated entity should ensure that the following key components are taken into consideration:
Regular self-assessments should be conducted by the relevant entity, at least annually, taking into account the requirements of the rule and the SOG, as well as any other relevant frameworks and emerging trends in cybersecurity.
The governing body of a regulated entity has ultimate responsibility for its cybersecurity, including the following duties:
The SOG indicates that regulated entities should appoint a suitable senior officer (eg, a chief information officer (CIO) or chief information security officer (CISO)) to:
Senior management is also responsible for developing, implementing and monitoring the cybersecurity framework and ensuring that the appointed senior officer (CIO or CISO) has access to the governing body.
If a regulated entity outsources its IT functions (either externally to a third party or internally to an affiliated entity), it remains ultimately responsible for such outsourced functions and its cybersecurity. It is the regulated entity's responsibility to assess the relevant service provider's compliance with the rule and related SOG (in particular, SOG – Cybersecurity for Regulated Entities and SOG – Outsourcing: Regulated Entities).
Regulated entities should establish a comprehensive cybersecurity training and awareness programme that is reviewed and maintained on an ongoing basis. Internal IT systems and controls should be established and documented. Where financial services are provided online or clients transact online (including by mobile platforms and other emerging technologies), policies and controls should be established around internet usage. The SOG also recommends that regulated entities maintain inventories of all relevant cybersecurity risks and applicable controls.
The rule requires regulated entities to demonstrate that data protection is taken into account in their risk strategy and cybersecurity framework. More specifically, the rule states that the cybersecurity framework must consider the provisions of the Data Protection Law (Revised) and guidance issued by the Ombudsman on data protection.
If a regulated entity becomes aware of a cybersecurity incident which is deemed to have a material impact or has the potential to become a material incident, it must notify CIMA in writing immediately (and in any case no later than 72 hours) following the discovery of the incident. If such incident results in the breach of non-public information or disrupts services, the regulated entity must notify the affected persons.
Cybersecurity risks are constantly changing and there may be further developments in this area before the rule and the SOG take effect. CIMA-regulated entities should take the opportunity to review all information technology associated risks as part of their broader risk management processes and consider any potential gaps in existing policies and procedures ahead of the implementation date.
For further information on this topic please contact Bradley Kruger or Louise Mulè at Ogier by telephone (+1 345 949 9876) or email. The Ogier website can be accessed at www.ogier.com.