Cybersecurity Statement of Guidance for Regulated Entities

Weekly insights from CIMA’s Cybersecurity Guidance

Insight #8 | Section 10: Accountability

The duties and responsibilities of the governing body and senior management regarding cybersecurity should include, but not be limited to:

  1. Ensuring that a sound and robust cybersecurity framework is established and maintained; 
  2. Approving appropriate programmes, policies and procedures for cybersecurity, cyber resilience and IT management;
  3. Ensuring that effective internal controls and cybersecurity risk management practices are implemented;
  4. Properly assessing cost–benefit issues regarding investment in controls and security measures for computer systems, networks, data centres, operations and backup facilities;
  5. Ensuring that management supports the senior officer accountable for cyber resilience; and
  6. Ensuring that a formal, independent cybersecurity and cyber resilience review/audit of the regulated entity is carried out periodically.

Governing body

The governing body refers to the board of directors for companies, general partners for partnerships and management committee or body (beyond local management) for branches or entities incorporated or established outside of the Cayman Islands. 

The governing body is responsible for:

  1. Establishing a well-documented comprehensive cybersecurity training programme;
  2. Overseeing cybersecurity and cyber resilience;
  3. Having a good command of cyber risks and the cybersecurity environment; 
  4. Ensuring that one senior officer is appointed who is accountable for reporting on the regulated entity’s implementation of the cybersecurity framework and cyber resilience programme;
  5. Ensuring that management integrates cyber resilience and cyber risk assessments into the overall business strategy and risk management;
  6. Annually defining and quantifying the business risk tolerance relative to cybersecurity and cyber resilience; and 
  7. Carrying out periodic reviews of its own performance in the implementation of the cybersecurity framework and cyber resilience.

Senior management

Senior management is responsible for:

  1. Developing, implementing and monitoring the cybersecurity framework; and 
  2. Ensuring that the appointed senior officer (e.g., Chief Information Officer (CIO) or Chief Information Security Officer (CISO)) has access to the governing body.

Note: CIMA does not need to approve the appointment of the senior officer.

Next week, we review:
What regulated entities can expect when they are a part of a group structure.
