Cayman Islands regulator releases updated cybersecurity rules and guidance
The Cayman Islands Monetary Authority (CIMA) has updated its Rule and Statement of Guidance – Cybersecurity for Regulated Entities following feedback received during a private sector consultation. The rule, which sets out CIMA's requirements in relation to the management of cybersecurity risks, is a clear and precise directive that creates binding obligations, the breach of which may lead to a fine or regulatory action being taken by CIMA. The statement of guidance (SOG) is intended to assist relevant entities in their compliance with the rule and represents a measure against which CIMA will assess such compliance and implementation. The rule and SOG will come into effect on 27 November 2020.
The rule applies to entities regulated by CIMA (including controlled subsidiaries) under:
- the Banks and Trust Companies Law (Revised);
- the Insurance Law (Revised);
- the Mutual Funds Law (Revised) (with the exception of regulated mutual funds);
- the Securities Investment Business Law (Revised);
- the Building Societies Law (Revised);
- the Cooperative Societies Law (Revised);
- the Development Bank Law (Revised);
- the Money Services Law (Revised);
- the Companies Management Law (Revised);
- the Directors Registration and Licensing Law (Revised); and
- the Private Trust Companies Regulations (Revised).
Investment funds are not within the scope of the rule or the SOG.
The rule requires regulated entities to:
establish, implement and maintain a documented cybersecurity framework that is designed to promptly identify, measure, assess, report, monitor and control or minimize cybersecurity risks as well as responding to and recovering from cybersecurity breaches that could have a material impact on their operations.
A 'cybersecurity framework' is defined as "a complete set of organizational resources including policies, staff, processes, practices and technologies used to assess and mitigate cyber risks; and respond to and recover from cyber attacks".
CIMA's feedback statement, published following the private sector consultation, emphasises that the rule and the SOG are not intended to be prescriptive regarding the methods that a regulated entity uses to establish, implement and maintain its cybersecurity framework. Rather, regulated entities are expected to develop a cybersecurity framework that takes into consideration the size and complexity of their business and the nature of their cyber-risk exposures.
In addition, CIMA has clarified that it expects regulated entities to have in place measures that not only mitigate cyber risks and cybersecurity breaches, but also allow regulated entities to respond to and recover from cyberattacks effectively.
The rule sets out a non-exhaustive list of factors that should be included in a regulated entity's cybersecurity framework. These include:
- a well-documented cybersecurity risk management strategy which addresses all material cybersecurity risks relevant to the regulated entity;
- cybersecurity and IT security policies and procedures adequate to identify, assess, mitigate, control, monitor and report on such risks;
- clearly identified managerial responsibilities and controls; and
- clear, documented and effective processes for responding to, containing and recovering from cyberattacks, breaches and incidents.
A cybersecurity framework can be implemented on a consolidated basis across a corporate group. In such instances, the framework can be applied to the regulated entity, its parent company and its subsidiaries (as applicable) as long as it covers, at a minimum, the requirements set out in the rule.
As part of its overall cybersecurity risk management strategy, a regulated entity should ensure that the following key components are taken into consideration:
- risk identification;
- risk assessment and protection;
- risk monitoring and reporting; and
- policies and procedures for incident responses and containment and recovery.
Regular self-assessments should be conducted by the relevant entity, at least annually, taking into account the requirements of the rule and the SOG, as well as any other relevant frameworks and emerging trends in cybersecurity.
The governing body of a regulated entity has ultimate responsibility for its cybersecurity, including the following duties:
- approving a written cybersecurity risk management strategy and a comprehensive cybersecurity framework;
- conducting appropriate oversight of the risk management framework and periodic reviews of such framework;
- approving a cybersecurity audit plan (which must be driven by the regulated entity's existing internal audit policies and procedures); and
- ensuring that a formal, independent cybersecurity and cyber resilience review or audit of the organisation is carried out periodically, taking into consideration its size, nature and complexity.
The SOG indicates that regulated entities should appoint a suitable senior officer (eg, a chief information officer (CIO) or chief information security officer (CISO)) to:
- oversee the cybersecurity framework;
- liaise with the governing body; and
- create a feedback loop to ensure that decisions made by the governing body and senior management are monitored and remain appropriate and up to date.
Senior management is also responsible for developing, implementing and monitoring the cybersecurity framework and ensuring that the appointed senior officer (CIO or CISO) has access to the governing body.
Management of outsourcing risks
If a regulated entity outsources its IT functions (either externally to a third party or internally to an affiliated entity), it remains ultimately responsible for such outsourced functions and its cybersecurity. It is the regulated entity's responsibility to assess the relevant service provider's compliance with the rule and related SOG (in particular, SOG – Cybersecurity for Regulated Entities and SOG – Outsourcing: Regulated Entities).
Regulated entities should establish a comprehensive cybersecurity training and awareness programme that is reviewed and maintained on an ongoing basis. Internal IT systems and controls should be established and documented. Where financial services are provided online or clients transact online (including by mobile platforms and other emerging technologies), policies and controls should be established around internet usage. The SOG also recommends that regulated entities maintain inventories of all relevant cybersecurity risks and applicable controls.
The rule requires regulated entities to demonstrate that data protection is taken into account in their risk strategy and cybersecurity framework. More specifically, the rule states that the cybersecurity framework must consider the provisions of the Data Protection Law (Revised) and guidance issued by the Ombudsman on data protection.
If a regulated entity becomes aware of a cybersecurity incident which is deemed to have a material impact or has the potential to become a material incident, it must notify CIMA in writing immediately (and in any case no later than 72 hours) following the discovery of the incident. If such incident results in the breach of non-public information or disrupts services, the regulated entity must notify the affected persons.
Cybersecurity risks are constantly changing and there may be further developments in this area before the rule and the SOG take effect. CIMA-regulated entities should take the opportunity to review all information technology associated risks as part of their broader risk management processes and consider any potential gaps in existing policies and procedures ahead of the implementation date.