Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #5 | Section 7: Cybersecurity Risk Management (cont'd)

We continue to discuss the requirements for Regulated entities’ cybersecurity risk management strategy. In addition to the requirements discussed last week (i.e., Risk Identification and Risk Assessment and Protection), the following key requirements should be considered:

Risk Monitoring and Reporting

Regulated entities should:

  1. Document and implement monitoring/surveillance and detection policies, techniques and systems (e.g., firewalls, anti–virus, Security Information and Event Management (“SIEM”), etc.); 
  2. Ensure that cybersecurity metrics are developed and monitored; 
  3. Perform ongoing reporting to the governing body (Board Members) of significant risks, status of containment and recovery actions and plans; and
  4. Ensure periodic reviews and updates of cybersecurity risk management processes are carried out.
Incident Response

Regulated entities should:

  1. Document policies and procedures for responding to cybersecurity incidents (e.g., Cyber Incident Response Playbooks for data breaches, phishing attacks, malware attacks, Denial of Service (“DoS”), etc.);
  2. Maintain an appropriate log or enable audit trails;
  3. Establish a post–incident response review process for material cybersecurity incidents; and
  4. Document, implement and communicate to staff an escalation process for reporting IT and cybersecurity issues/incidents. 
Containment and Recovery

Regulated entities should:

  1. Establish containment and recovery policies and procedures (e.g., Backup and Test Restore, Disaster Recovery Plan, etc.); and 
  2. Ensure that the containment and recovery plan enables the resumption of operations responsibly.  

Next week, we review the Information Systems and Cybersecurity Framework.
Regulated entities are required to implement measures to ensure Confidentiality, Integrity and, Availability (CIA) of their data and systems.

Did you find this useful?