Article

Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #14 | Section 15: Cybersecurity Framework Review by the Authority and Section 16: Notification Requirements

Regulated entities are required to implement measures to ensure Confidentiality, Integrity and, Availability (CIA) of their data and systems.

Cybersecurity Framework Review by the Authority

CIMA incorporates cybersecurity and IT system reviews in its examination / inspection procedures.

Notification Requirements

  1. Regulated entities should communicate to the affected individual(s), CIMA and the Office of the Ombudsman (as applicable) in the event of the loss of financial assets, personal data, or sensitive personal data as soon as possible or within appropriate time standards as established within the applicable laws. The Cayman Islands Data Protection Law requires that personal data breaches are reported to the Office of the Ombudsman within five (5) working days and to the affected individual(s) where the breach is likely to prejudice their rights and freedoms;
  2. Regulated entities should provide regular updates to CIMA as new information becomes available, and until all material details about the incident have been provided;
  3. Regulated entities should provide situation updates to CIMA, including any short term and long-term remediation actions and plans until the incident is contained or resolved;
  4. Regulated entities may be required to report to CIMA using a specific method and at a specific frequency, depending on the severity, impact and velocity of the incident;
  5. Regulated entities should complete a post incident review documenting lessons learnt and the action plan to address identified deficiencies and IT controls once they have contained and recovered from the incident. This documented review should be made available to CIMA upon request; and
  6. Notification of internal business systems, may, at the discretion of the regulated entities, be withheld providing such lack of notification has no financial or personal impact on the regulated entities’ customers.

Read last week's Insight on IT Outsourcing Arrangements

Did you find this useful?