Entities regulated under the Insurance Law will need to implement cybersecurity measures in proportion to their cyber risk profile by 27 November 2020 following the release of the Rule and Statement of Guidance on Cybersecurity for Regulated Entities (the “Guidance”) by the Cayman Islands Monetary Authority (the “Authority”) on 27 May 2020.
The Authority has acknowledged the benefits that technology offers but notes that a significant compromise in the use of technology could impact the ability of regulated entities to meet overall business objectives or result in significant liability and reputational damage. Accordingly, the Authority is of the view that it is important for regulated entities to ensure that robust cybersecurity measures are in place and that such licensees can appropriately identify, protect against, detect, respond to and recover from cybersecurity-related threats, incidents and breaches, which is why the new Rule and Statement of Guidance has been introduced.
Management must implement a business-aligned, proportionate cybersecurity program consisting of (i) a cybersecurity framework; (ii) information technology (“IT”) policies and procedures; (iii) clear, documented processes for responding to, containing and recovering from cyber breaches; and (iv) a risk-management strategy which addresses all potential cybersecurity risks to which the regulated entity might be exposed based on its particular business activities and use of technology. Managerial responsibilities and controls must be clearly identified to ensure policies and procedures are maintained and followed. A Senior Officer must also be appointed to oversee the cybersecurity framework. Comprehensive training must also be endorsed by senior management and regularly reviewed and maintained by suitable personnel to ensure it takes into account the evolving nature of technology and relevant emerging risks. A regulated entity may adopt its parent company’s cybersecurity framework; however, the regulated entity must assess and document that an appropriate framework meeting the Authority’s requirements is in place at both the group-wide and legal-entity level.
If a regulated entity outsources its IT functions, the entity remains ultimately responsible for those functions and their cybersecurity. It is incumbent upon the entity to ensure that its service provider is in compliance with the Authority’s Rule and Guidance and that the entity has oversight of, and clear accountability for, the outsourced functions as if it were performing the functions itself.