Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #10 | Section 12: Employee Selection, Training and Awareness

Regulated entities are required to implement measures to ensure that the Confidentiality, Integrity and Availability (CIA) of their data and systems are maintained.

Selection of Employees and Third-Party Service Providers

Regulated entities should implement a comprehensive and effective screening process, with stringent selection criteria to ensure careful selection of staff, vendors and contractors who support technology functions and minimise cyber risks due to system failure, internal sabotage or fraud.

Senior Office Appointment (Chief Information Security Officer (CISO) / Chief Information Officer (CIO))

Regulated entities should appoint a suitable senior officer such as a CISO / CIO or some other similar position:

  1. To oversee the cybersecurity framework of the regulated entity and liaise with the governing body, following best practices and staying current with all related technologies and cybersecurity trends;
  2. Who is suitably qualified, experienced and has a good understanding and knowledge of IT systems and cybersecurity; and 
  3. Who is provided with sufficient delegated operational authority to carry out his or her role.

Training and Awareness

Regulated entities should ensure that:

  1. A formalised plan is developed to provide ongoing technical training to their cybersecurity personnel and IT unit / team on IT systems, current and emerging cybersecurity subject areas as well as security principles to ensure that they are knowledgeable and aptly trained for their specific IT or cybersecurity roles and functions;
  2. Cybersecurity information is regularly disseminated to their clients, or other action is taken, to help increase their clients’ level of cybersecurity awareness;
  3. All staff are trained to understand at a minimum the cyber risks to which the entity is exposed and the mitigating measures employed to reduce the occurrences of cyber incidents;
  4. There is enterprise-wide on-going training to new and existing staff on cybersecurity to ensure increased awareness and enterprise-wide efforts to prevent or minimise cyber-attacks and cyber-incidents;
  5. Their governing bodies are equipped with the requisite knowledge to competently exercise the oversight function and appraise the adequacy and effectiveness of the regulated entities’ overall cyber resilience programmes; and
  6. Cybersecurity policies and procedures are communicated to senior management and staff at all levels and training is conducted on a regular basis.
