Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #13 | Section 13: IT Outsourcing Arrangements (continued)

We continue our discussion of the remaining requirements for regulated entities with IT Outsourcing Arrangements.

Regulated entities should:

  1. Apply the Rule and the Statement of Guidance to all of their material outsourcing arrangements, including their critical Information Technology (IT) service providers, as if the function or service were not outsourced;
  2. Implement processes to monitor the levels of cyber risk preparedness for material outsourcing arrangements and critical IT service providers;
  3. Have processes in place to ensure the timely notification of cyber-incidents from their IT service providers with which they have one or more material or critical outsourcing arrangements;
  4. Conduct a risk assessment with respect to the jurisdiction(s) that potential material outsourcing arrangements and critical IT service providers are in, if outside the Cayman Islands, and appropriately mitigate any identified cyber risks, as necessary;
  5. Regularly assess their aggregate exposures relating to material outsourcing arrangements and critical IT service providers, and effectively mitigate and manage any vulnerabilities, threats and cyber risks that may result from the outsourcing arrangement or critical IT service provider(s);
  6. Maintain a centralised log of all their material outsourcing arrangements and critical IT service providers, which should be updated on an ongoing basis. CIMA should have access to the log at any time upon request; and
  7. In all cases of outsourcing, satisfy themselves that the IT service provider is carrying out its functions in compliance with applicable laws, regulations and relevant regulatory measures, where applicable (e.g., the Cayman Islands Data Protection Law (DPL)).

Cloud Computing IT Service Providers

Regulated entities who rely on cloud computing IT service providers should:

  1. In the course of performing their due diligence, be aware of cloud computing’s unique attributes and risks, especially in the areas of data integrity, sovereignty, commingling, platform multi-tenancy, recoverability and confidentiality, regulatory compliance, auditing and data offshoring;
  2. Consider the cloud computing IT service provider’s ability to isolate and clearly identify their customer data and other information system assets for protection where the cloud computing IT service provider adopts multi-tenancy and data commingling architectures to process data for multiple customers;
  3. Have the contractual power and means to promptly remove or destroy data stored on the cloud computing IT service provider’s systems and backups in the event of contract termination with a cloud computing IT service provider (whether on expiry or prematurely); and
  4. Verify the cloud computing IT service provider’s ability to recover the outsourced systems and IT services within the stipulated recovery time objective prior to contracting with the cloud computing IT service provider.

Clarifications from CIMA regarding Section 10

In Weekly Insight #8, we highlighted that CIMA did not need to approve the appointment of the senior officer responsible for overseeing the cyber security framework of the regulated entity. A subsequent clarification from CIMA indicates that whether a senior officer’s appointment requires CIMA approval depends on the regulatory law(s) applicable to the relevant regulated entity (e.g., the Banks and Trust Companies Law).

Additionally, where a senior officer was appointed prior to the effective date of the CIMA Cybersecurity Statement of Guidance, the regulated entity is required to apply the criteria defined in the relevant regulatory law to determine whether the officer qualifies as a senior officer and whether CIMA notification and/or appointment approval is required.

Next week, we discuss:
Section 15, “Cybersecurity Framework Review by the Authority” and Section 16, “Notification Requirements”
