
Cybersecurity for Regulated Entities

ID 22894

CIMA has issued a Statement of Guidance – Cybersecurity for Regulated Entities that gives regulated entities direction on establishing and maintaining a sound and robust cybersecurity framework. Alongside it, CIMA has issued a Rule – Cybersecurity for Regulated Entities, which requires regulated entities to have resilient cybersecurity measures in place to identify, protect against, detect, respond to, and recover from cybersecurity-related threats, incidents, and breaches.
The guidance covers, among other areas, employee selection, training and awareness; accountability; IT outsourcing arrangements; notification requirements; and review of the cybersecurity framework by the Authority.
Regulated entities are expected to take steps to educate customers on measures that protect their own mobile devices from viruses and other malicious software that could cause damage or other harmful consequences. The Authority incorporates cybersecurity and IT system reviews into its examination and inspection procedures.
Where financial assets, personally identifiable data, or any other information covered by an applicable data protection Act are lost, regulated entities should notify affected individuals, the Authority, and the Ombudsman, where applicable, as quickly as possible or within the time standards set by the regulated entity itself or by the applicable data protection Acts.
Regulated entities that rely on a group cybersecurity framework should obtain written confirmation of specified details of that framework, including a declaration that an appropriate cybersecurity framework has been implemented which considers and mitigates the risks to the regulated entity. The governing body and senior management should ensure that a sound and robust cybersecurity framework is established and maintained, and should take accountability for and ownership of the framework and of the financial resources allocated to it.

The aforementioned "Rule – Cybersecurity for Regulated Entities" applies to entities regulated by the Authority, including controlled subsidiaries. The Rule aims to ensure that regulated entities have robust cybersecurity measures in place to identify, protect against, detect, respond to, and recover from cybersecurity-related threats, incidents, and breaches. It requires regulated entities to establish, implement, and maintain a documented cybersecurity framework that addresses all material cybersecurity risks to which they are likely to be exposed, given their business activities and use of technology.
Regulated entities must define incident criticality in their incident management framework and must notify the Authority in writing as soon as an incident is deemed to have a material impact, or to have the potential to become a material incident, and in any case no later than 72 hours after the incident is discovered. An incident must be reported to the Authority if it falls into one or more of the following categories:
  • material impact on the regulated entity's internal operations;
  • unauthorised dissemination of any personal data;
  • significant operational impact on internal users that is material to customers or business operations;
  • extended disruption of critical business systems or internal operations;
  • a significant or growing number of external customers impacted;
  • potential reputational impact;
  • loss of any card payment information, beneficial owner details, or any personally identifiable information;
  • loss or exposure of any data in violation of an applicable data protection Act or other regulatory requirement, whether foreign or domestic.
Regulated entities' governing bodies are ultimately responsible for cybersecurity and must approve a written cybersecurity risk management strategy aligned with the overall business strategy and risk tolerance, together with a comprehensive cybersecurity framework. The framework must be implemented on a consolidated basis and must cover the requirements set out in the Rule. Regulated entities that are managed by entities licensed by the Authority must make appropriate enquiries, through their governing body, to satisfy themselves as to the level of cybersecurity applied by that service provider.

Other Features
beneficial owner
CDD/ KYC
cyber security
data protection
financial resources
financial stability
governance
notifications
operational
outsourcing
payment services
regulatory
risk
risk management
securities
standard
Date Published: 2023-04-21
Regulatory Framework: Monetary Authority Act (MAA), Banks and Trust Companies Act
Regulatory Type: procedure
