What is the CIMA risk management framework?

The Cayman Islands Monetary Authority (CIMA) is the primary financial services regulator of the Cayman Islands, and is responsible for safeguarding the assets of all Cayman Islands banks, including their cybersecurity and risk management strategies. It does this through the Rule and Statement of Guidance (SOG), which consists of regulatory rules and guidelines intended to keep these entities cyber safe.

What is the Rule and Statement of Guidance?

The Rule came into effect on November 27, 2020. CIMA's cybersecurity framework outlines the minimum cybersecurity standards and best practices that regulated entities in the Cayman Islands must follow, so that these institutions have strong cybersecurity measures in place to protect themselves and their customers from cyberattacks.

The SOG is a set of regulatory requirements that have been established to assist these regulated entities with compliance and implementation measures.

What are the types of entities that are regulated by the Rule?

The Rule applies to all financial institutions regulated by CIMA, such as banks, insurance companies, and investment firms. A regulated entity includes any entity that is governed by the following laws:

  • Banks and Trust Companies Law
  • Insurance Law
  • Mutual Funds Law
  • Securities Investment Business Law
  • Building Societies Law
  • Cooperative Societies Law
  • Development Bank Law
  • Money Services Law
  • Companies Management Law
  • Directors Registration and Licensing Law
  • Private Trust Companies Regulations

How can regulated entities comply with the Rule?

Achieving full compliance with the Rule requires regulated entities to take a number of steps, such as taking reputable international cybersecurity standards into account, conducting regular self-assessments of their cybersecurity framework, and operating in a way that does not compromise the confidentiality and integrity of their clients' data.

Cybersecurity risk management

Regulated entities must put in place a strong cybersecurity risk management framework to ensure the security of their data and systems. The following are key components that entities should consider as part of their cybersecurity risk management efforts.

  • Risk identification
  • Risk assessment and protection
  • Risk monitoring and reporting
  • Incident response
  • Containment and recovery

Risk identification

  1. Identification and criticality classification of information systems. Identify and maintain an up-to-date physical inventory of all assets, including computers, servers, routers, and switches, as applicable.
  2. Identification and assessment of current and emerging threats, risks, and vulnerabilities as well as the impact and likely impact on its IT environment, which comprises internal and external networks, hardware, software, applications, data, processes, systems interfaces, operations, and human elements.
  3. Maintenance of an inventory of cybersecurity risks and applicable controls.

Risk assessment and protection

  1. Establishment of appropriate policies and processes to conduct regular and comprehensive cybersecurity risk assessments that consider people (i.e., employees, customers, and other external parties), processes, data, and technology across all its business lines and geographies, as applicable.
  2. Analysis and evaluation of the probability of and potential impact and consequences of the identified cybersecurity risk exposure on regulated entities’ overall business and operations should an adverse event occur.
  3. The approach and key assumptions made when measuring cybersecurity risks should be clearly documented.
  4. Establishment of cybersecurity risk mitigation and control strategies that align with regulated entities’ business strategy, value of their information assets, risk tolerance, and client interests.
  5. Assessment of cyber threats to the continuity of operations of regulated entities resulting from internally managed functions, outsourced arrangements, and critical IT service providers.
  6. Consideration for securing insurance against various cybersecurity risks, including recovery costs and compensation.
  7. A clear policy should be in place to detail the level of protection required based on the risk and criticality rating of the information system. The policy should consider appropriate safeguards to ensure critical products and services are available, as well as the regulated entity's ability to prevent, mitigate, or contain the impact of a potential cybersecurity event. Evidence of protection should be supported by risk or business impact assessments.

Risk monitoring and reporting

  1. Implementation of documented monitoring/surveillance and detection policies, techniques, and systems that allow real-time monitoring and detection of threats (examples include, but are not limited to, firewalls, web application firewalls (WAFs), network behavior analysis, anti-virus, and third-party monitoring tools).
  2. The monitoring/surveillance system should alert the regulated entity to any abnormal IT system activities, transmission errors, cyber attacks, or unusual online transactions.
  3. Continuous monitoring of emerging cybersecurity threats such as denial of service attacks, internal sabotage, and malware infestations, to facilitate prompt detection of intrusion attempts and of unauthorized or malicious activities by internal and external parties.
  4. Monitoring and development of cybersecurity metrics—considering such things as risk events, regulatory requirements, and audit findings—to highlight systems, processes, or infrastructure that have the highest risk exposure.
  5. Ongoing reporting to the governing body of significant risks, associated status of containment and recovery actions, and plans including recommendations on how to mitigate similar events in the future.
  6. Completing periodic reviews and updates of regulated entities’ cybersecurity risk management processes, re-evaluating past risk-control methods with improved testing, as well as assessing the adequacy and effectiveness of their cybersecurity risk management processes.

Incident response

  1. Documented policies and procedures for responding to cybersecurity incidents. In developing these policies and procedures, regulated entities should consider the four major phases of the incident response process: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
  2. Incident response management should be designed to allow for rapid response to all levels of cybersecurity incidents, highlighting material cyber incidents, and it should include escalation criteria that align with its cybersecurity criticality classification. Appropriate response plans should be established for various cyber and data loss events, ranging from minor cyber incidents to major incidents that result in breached data, data loss, compromised data, or destroyed data.
  3. Appropriate response plans for incidents such as denial of service attacks that prevent end users from accessing an IT system.
  4. Incident management processes should ensure that the following tasks are fully completed before an incident is formally considered closed: (1) recovery from the disruption of services caused by the cybersecurity incident; (2) assurance of the IT system's integrity following the cybersecurity incident; and (3) recovery of data lost or corrupted due to the cybersecurity incident.
  5. Clear roles and responsibilities for staff involved in the incident management process, which includes recording, analyzing, remediating, and monitoring incidents.
  6. An appropriate log should be maintained (or an audit trail system implemented) that would allow for effective and efficient investigations relating to cybersecurity events.
  7. Establish a post-incident response review process for material cybersecurity incidents, which should include:
    • Conducting appropriate cyber forensic investigations.
    • Chronicling the events leading up to, during, and following the cybersecurity incident.
    • Identifying the root cause and control deficiencies.
    • Assessing any breakdown in the incident management process.
    • Establishing a plan of action to address the identified deficiencies.
  8. Document, implement, and communicate to relevant staff an escalation process for reporting on IT and cybersecurity issues within established timeframes. These timeframes should be driven by the severity and urgency of the identified issue.

Containment and recovery

  1. Establish appropriate containment and recovery policies and procedures to deal with cybersecurity events that may prevent access to data, disrupt the availability of the IT system, or result in data loss.
  2. Ensure that the containment and recovery plan allows regulated entities to resume operations responsibly while continuing their remediation efforts, including the:
    • Elimination of harmful remnants of the incident or event;
    • Restoration of systems and data to a normal state, and confirmation that the normal state has been reached;
    • Identification and mitigation of all vulnerabilities that were exploited;
    • Remediation of vulnerabilities to prevent similar incidents;
    • Appropriate internal and external communication.

Complying with CIMA's Cybersecurity Risk Management framework

With ManageEngine's comprehensive suite of IT management solutions, you can ensure that compliance requirements concerning risk assessment, monitoring, and recovery are met with the utmost care and attention to detail.

  • Risk identification
  • Risk assessment and protection
  • Risk monitoring and reporting
  • Incident response
  • Containment and recovery

Risk identification

How IT can help

Implement advanced monitoring tools that detect vulnerabilities and threats in real time. Proactively identify potential risks through automated systems and data analytics.

How ManageEngine can help

Endpoint Central

  • Regularly scan devices for known vulnerabilities and exploits.
  • Automatically identify and deploy necessary security patches based on the severity of the vulnerability.
  • Detect and flag potentially dangerous applications.

Vulnerability Manager Plus

Scan and discover exposed areas of all your local and remote office endpoints as well as roaming devices.

ADManager Plus

  • Monitor changes to user privileges.
  • Identify abandoned or unused user accounts.
  • Detect inappropriate access or permission to sensitive user data.
  • Assess password policies for weaknesses.

Log360

  • Collect and analyze logs from multiple sources for suspicious activity.
  • Generate real-time alerts based on threat patterns or anomalies.
  • Monitor user activities and detect abnormal behavior.

DataSecurity Plus

Monitor file access, modification, and sharing activities in real time, identifying abnormal actions such as sensitive information being copied or downloaded.

PAM360

  • Enforce least-privilege access to ensure that users have only the minimal access required for their tasks.
  • Continuously monitor and record privileged sessions in real time.
  • Analyze privileged user behavior to detect abnormal or unauthorized access patterns.

AD360

Monitor user activity for deviations and suspicious activity with real-time auditing of any changes in the Active Directory, including user logins, password changes, and permission modifications.

Risk assessment and protection

How IT can help

Deploy tools that continuously monitor, detect, and analyze vulnerabilities and threats across systems through security controls—such as firewalls, encryption, and access management—to mitigate identified risks and safeguard data.

How ManageEngine can help

AD360

Identify security risks through real-time auditing of Active Directory changes, user behavior analytics, and permission reviews, while enforcing policies such as the principle of least privilege and role-based access control to minimize vulnerabilities, protect sensitive data, and prevent unauthorized access or privilege escalation.

Vulnerability Manager Plus

  • Use risk-based scoring and context-based analysis to prioritize vulnerabilities based on their severity, exploitability, and potential impact on the organization.
  • Meet regulatory compliance standards (e.g., GDPR, HIPAA, PCI DSS) by identifying compliance gaps and ensuring that systems are up to date with security patches and configurations.
  • Generate detailed reports and real-time alerts on vulnerabilities, patch status, and security risks.

DataSecurity Plus

  • Scan and classify sensitive data across file systems.
  • Monitor and audit access to sensitive data, identifying users with excessive permissions or inappropriate access levels.

Endpoint DLP Plus

  • Scan endpoints and classify sensitive data as PII, financial data, intellectual property, etc.
  • Enforce data access policies based on user roles, device types, and data sensitivity levels.
  • Stay compliant with data protection regulations (e.g., CIMA, JDPA, PIPA) by helping ensure that sensitive data is protected across endpoints.

Log360

Perform centralized log management, real-time monitoring, and advanced threat detection capabilities across your organization’s IT infrastructure and enhance security by aggregating logs from diverse sources (e.g., servers, network devices, firewalls, applications) and using analytics to identify potential risks and respond to security threats.

Risk monitoring and reporting

How IT can help

Deploy tools like security information and event management (SIEM) systems to continuously track threats and vulnerabilities across networks, endpoints, and applications.

How ManageEngine can help

OpManager Plus

  • Continuously monitor network devices, servers, and applications to detect performance issues or anomalies.
  • Get automated, customizable reports on network health, security events, and system performance.
  • Track device health and availability and detect potential risks like hardware failures and network outages.

NetFlow Analyzer

Get deep visibility into network traffic patterns, allowing IT teams to detect anomalies, potential threats, and security risks in real time.

Network Configuration Manager

Manage and secure network device configurations, monitor for unauthorized changes, and ensure compliance with security best practices.

Firewall Analyzer

Get comprehensive firewall management, security auditing, and traffic analysis capabilities to identify vulnerabilities, track security policy changes, and ensure compliance.

OpUtils

Get comprehensive network monitoring, device management, and real-time alerting capabilities, allowing IT teams to quickly identify, assess, and respond to potential security threats and vulnerabilities.

Endpoint Central

  • Employ continuous background scanning, which ensures early detection of malware and provides detailed reports on the malware type and the affected endpoints.
  • Deploy heuristic and behavioral analysis to detect new, unknown malware based on its behavior.
  • Generate detailed reports on identified threats that provide insights into the behavior of new malware, helping teams assess the severity and nature of attacks.

Analytics Plus

  • Consolidate data from multiple security tools and aggregate the centralized data to generate detailed reports on vulnerabilities and areas of concern.
  • Utilize dashboards, which enable continuous monitoring of critical security metrics, such as firewall events and threat intelligence feeds.
  • Get detailed vulnerability reports, including risk scores and remediation status.
  • Help teams focus on areas of highest risk through predictive monitoring and reporting.

Incident response

How IT can help

Detect, contain, and mitigate security threats through real-time monitoring, automated alerts, and system isolation.

How ManageEngine can help

ServiceDesk Plus

  • Categorize security incidents through tickets, track progress, and prioritize incidents based on severity.
  • Reduce response time by ensuring the right people are alerted and assigned to the right task, through automation.
  • Communicate and collaborate effectively across departments to speed up the resolution.

Log360

  • Provide quicker response through real-time alerts on potential incidents.
  • Enhance incident response by accessing centralized log data for analysis.
  • Automate incident response workflows through integration with other security tools.

EventLog Analyzer

Get real-time threat detection, centralized log aggregation, automated alerts, and advanced forensic analysis capabilities to quickly identify, investigate, and respond to security incidents.

DataSecurity Plus

Detect, contain, and mitigate threats involving sensitive data, whether from external attacks or insider threats, through powerful tools for incident detection, forensic analysis, automated responses, and compliance reporting.

Containment and recovery

How IT can help

Isolate affected systems, block malicious activities, and prevent further damage through automated responses.

How ManageEngine can help

PAM360

  • Restrict and monitor privileged accounts to prevent attackers from obtaining elevated access.
  • Securely store and manage passwords and access credentials.
  • Quickly reset and restore compromised privileged accounts to their original state.
  • Automate the rotation of critical passwords and provide emergency access for system restoration.

Log360

  • Integrate with other security tools to trigger automated containment actions such as IP address blocking and disabling accounts.
  • Get detailed logs and forensic tools to help security teams investigate incidents, determine how the attack occurred, and identify affected systems or data, after the threat has been contained.
  • Verify the integrity of restored systems with centralized log management and file integrity monitoring.

RecoveryManager Plus

Get snapshot-based backups, granular object-level recovery, and rapid rollback capabilities to quickly contain the impact of cyber attacks and recover essential components of the Active Directory environment.

ADManager Plus

  • Quickly contain threats by monitoring user account modifications, group membership changes, and organizational unit alterations.
  • Enforce least-privilege policies through RBAC, limiting the ability of attackers to escalate their privileges.
  • Automate account lockdowns for compromised or at-risk accounts.
  • Quickly recover deleted or modified Active Directory objects, such as user accounts, groups, and organizational units.
  • After a breach, simplify password resetting for compromised accounts and enforce password change across the organization.

Network Configuration Manager

Automate backup and restoration processes for network devices, ensuring that affected systems can be quickly restored to a safe state.

Device Control Plus

Prevent unauthorized external device access, block malware-laden devices, and enforce access policies, so that compromised systems cannot exfiltrate data and sensitive files are protected from further tampering, while providing forensic insights to aid incident investigation.

Get guidance on CIMA cybersecurity risk management compliance

Talk to our experts to get more information on how your organization can meet the CIMA compliance mandate.


Disclaimer:

Fully complying with CIMA's cybersecurity risk management framework requires a variety of solutions, processes, people, and technologies. The solutions mentioned above are some IT management tools that can help with some of the act's requirements. Coupled with other appropriate solutions, processes, and people, ManageEngine's solutions can help you achieve and sustain compliance with the act. This material is provided for informational purposes only and should not be considered as legal advice for compliance. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.