Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #4 | Section 7: Cybersecurity Risk Management

A regulated entity’s cybersecurity risk management strategy is required to include measures to ensure the Confidentiality, Integrity, and Availability (known as the ‘CIA triad’) of its data and systems.

The following key requirements should be considered:

Risk Identification
  1. Define and implement an information classification scheme; 
  2. Maintain an up-to-date inventory of all assets (e.g., servers, workstations, network devices, etc.); and
  3. Maintain a risk register showing cybersecurity threats, risks, vulnerabilities, impact, probability and applicable controls.

Risk Assessment and Protection
  1. Establish and conduct a comprehensive cybersecurity risk assessment annually;
  2. Assess cyber threats to the operations resulting from internally managed functions / outsourced arrangements / IT service providers;
  3. Consider cyber insurance against the cybersecurity risks;
  4. Implement protection mechanisms based on the risk and criticality of the information system; and
  5. Develop and implement appropriate mechanisms to ensure the availability of critical products/services and the ability to prevent, mitigate, or contain the impact of a potential cybersecurity event. 

Next week, in the next issue of our weekly Insights, we discuss the other requirements: Risk Monitoring and Reporting, Incident Response, and Containment and Recovery.