Please ensure Javascript is enabled for purposes of website accessibility

People

Big things are happening at Ogier. Change is embedded in everything we do. It is redefining our talent, our ways of working, our platforms of delivery, our culture.

Expertise

Services

We have the expertise to handle the most demanding transactions. Our commercial understanding and experience of working with leading financial institutions, professional advisers and regulatory bodies means we add real value to clients’ businesses.

View all Services

Employment law

Intellectual Property

Listing services

Restructuring and Insolvency

Business Services Team

Executive Team

German Desk

Accounting and Financial Reporting Services

Cayman Islands AML/CFT training

Corporate Services

Debt Capital Markets

Governance Services

Investor Services

Ogier Connect

Private Wealth Services

Real Estate Services

Regulatory and Compliance Services

Ogier Global

Consulting

View all Consulting

Sustainable Investment Consulting

LexTech - Technology Consultants

Business Services Team

View all Business Services Team

Sectors

Our sector approach relies on smart collaboration between teams who have a deep understanding of related businesses and industry dynamics. The specific combination of our highly informed experts helps our clients to see around corners.

View all Sectors

Aviation and Marine

BVI Law in Europe and Asia

Energy and Natural Resources

Family Office

Foreign direct investment (FDI)

Funds Hub

Private Equity

Real Estate

Restructuring and Insolvency

Sustainable Investing and ESG

Technology and Web3

Trusts Advisory Group

Locations

Ogier provides practical advice on BVI, Cayman Islands, Guernsey, Irish, Jersey and Luxembourg law through our global network of offices across the Asian, Caribbean and European timezones. Ogier is the only firm to advise on this unique combination of laws.

News and insights

Keep up to date with industry insights, analysis and reviews. Find out about the work of our expert teams and subscribe to receive our newsletters straight to your inbox.

Fresh thinking, sharper opinion.

About us

We get straight to the point, managing complexity to get to the essentials. Our global network of offices covers every time zone. 

No Content Set
Exception:
Website.Models.ViewModels.Components.General.Banners.BannerComponentVm

CIMA Thematic Cybersecurity Review – key points for regulated entities

Insight

12 July 2023

Cayman Islands

2 min read

ON THIS PAGE

Good practices and areas of concern were identified within the key elements of the Cayman Islands Monetary Authority's Thematic Cybersecurity Review, issued at the end of June 2023. We recommend that all regulated entities (excluding funds) read the report and table it for consideration by their respective boards or governing bodies.

Background

The Cayman Islands Monetary Authority (CIMA), commenced cyber risk regulation in May 2020 when it issued a binding Rule and related Statement of Guidance on Cybersecurity for Regulated Entities in May 2020 for adoption by regulated entities across all sectors.

The Rule and Statement of Guidance set out the regulatory requirements and minimum expectations for managing cyber risks, to ensure that robust cybersecurity measures are in place to appropriately identify, protect, detect, respond to, and recover from cyber-related threats, incidents and breaches. The Rule was necessary to address cyber risk which had been identified as the key emerging threat for business and society.

Of course the Covid-19 pandemic necessitated and increased remote working environments using technology, thereby increasing cybersecurity exposures and risks. CIMA responded commendably to issue the Rule almost immediately after the pandemic resulted in global lock downs, including a complete and strict lock down in the Cayman Islands.

CIMA subsequently commenced supervision conducting a cybersecurity thematic review and the resultant report was issued at the end of June 2023. The thematic review involved 12 regulated entities from the banking, insurance and securities sectors.

The findings

Good practices and areas of concerns identified include cybersecurity framework, risk management and IT systems controls and use of internet.

Some areas are useful to highlight and provide comment on and proposed solutions:

  • Employee Selection, Training and Awareness: One can see positive compliance rates among regulated firms regarding IT/cyber (assuming that the 12 firms sampled are representative of all). Cayman has aligned itself with more advanced jurisdictions and is showing maturity by proactively self-assessing progress of a very delicate and complex area of compliance.

  • While we understand the insurance market to be hard in relation to cyber risk insurance, there are confident statements in the ‘Summary of Overall Best Practices’ which include “Adequate cyber risk insurance coverage”. Of late we have seen insurers being extremely scrutinising over cyber controls to the point that being able to obtain insurance coverage may be taken as a positive assessment of those controls.

  • The report suggested that we have advanced beyond the adoption stages of Cybersecurity best practices, with the 2020 guidance that was provided earlier having been for the most part adopted. Most of these are investment related, infrastructure building to NIST/ISO standards and implementing new training and IT solutions. While there are areas for improvement, with risk assessment and management a common theme, the indications are that the groundwork has mostly been done and that long-term processes now need to worked on.

  • The most challenging and complex aspect to address is the relationship between the entities and outsourced providers. Most Cayman-based firms use some form of outsourcing whether it's at the cyber level, email or hosting. Since Microsoft 365 and AZURE products touch most of the regulated firms in Cayman and it is possible that many companies do not have any relationship documentation or, if they do, it does not align to the internal standards with the outsourced firms. Firms need to execute appropriate outsourcing agreements. The problem with all specialist support, including compliance, is that firms seek to rely on the specialist by outsourcing functions to it, yet it is the entities' responsibility to ensure standards within the company ICT environment and ensure outsourced environments are similar or rationalised if different.

How can Ogier help?

Ogier Regulatory Consulting can assist, be it by audits, GAP analysis, solutions advice and road mapping or continual review of:

  • governance oversight of cybersecurity, including its management framework and reporting structures

  • cybersecurity strategies to promote and enhance cyber resilience

  • adequacy of the cybersecurity risk management policies and procedure

  • effectiveness of internal controls

  • internal and external audits and assessments, including vulnerability assessments and/or penetration tests and other audits performed on cybersecurity

  • adequacy of incidence management and response plans and processes

  • employee selection and resourcing of key IT and cyber related personnel

  • adequacy of cybersecurity training and awareness programs

  • compliance with relevant Data Protection Act and regulatory requirements

  • outsourced cybersecurity and IT related functions

  • the overall effectiveness of the cybersecurity framework

For further information, please feel free to contact the authors of this article.

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice

No Content Set
Exception:
Website.Models.ViewModels.Blocks.SiteBlocks.CookiePolicySiteBlockVm