Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #11 | Section 14: Data Protection

Regulated entities are required to comply with applicable local and international data protection laws and regulatory requirements such as the Cayman Islands Data Protection Law (DPL) and the General Data Protection Regulation (GDPR).

Regulated entities should:

  1. Implement policies, procedures, internal control mechanisms that support the protection and privacy of clients’ Personal Data (PD) and Sensitive Personal Data (SPD);
  2. Assess the cyber risks that may result in a failure to protect the privacy of PD;
  3. Establish suitable response measures when a failure to protect the privacy of PD occurs, including notifications to the Ombudsman (within 5 days of becoming aware of the breach) and the affected clients (where the breach is likely to prejudice the rights and freedoms of the affected clients); 
  4. Ensure that endpoint devices (e.g., laptops, workstations, Universal Serial Bus (USB) drives etc.) used to store Confidential Information (CI) are encrypted;
  5. Avoid the use of unsafe internet services such as social media sites, cloud-based internet storage sites and web-based emails to communicate or store CI;
  6. Take appropriate measures to send CI via encrypted channels or via encrypted e-mails (where the encryption key is shared via a separate medium);
  7. Use other secure means to exchange CI with their intended recipients; 
  8. Ensure that CI stored on Information Technology (IT) systems, servers and databases are encrypted and protected via strong access controls and least privilege access (where users are given only the permissions required to perform their job functions);
  9. Assess various methods in which data can be securely removed from storage media and implement measures to prevent the loss of CI through the disposal of IT systems;
  10. Ensure that SPD/CI stored and accessed on mobile devices are encrypted to ensure its confidentiality and integrity;
  11. Ensure that processing of SPD/CI and customer information occurs in a secure environment; and
  12. Take steps to educate customers on security measures to protect their mobile devices from viruses and other malicious software.

Next week, we discuss:
Requirements of Section 13: IT Outsourcing Arrangements

Did you find this useful?