Cyber and privacy risk management: Cayman Islands

Organizations have implemented many risk and control structures post-crisis at the regulators’ reques leading to patchwork piecemeal and often siloed solutions.

Integrated: Organizations address cyber and privacy risk governance holistically, not in a compartmentalized manner; they work to certify each of the parts works well together.

The collective mindset remains focused on regulatory compliance.

Strategic: Focus on capturing key benefits of effective cyber and privacy risk governance by aligning strategic decisions with the vision of the organization and realizing compliance forms part of the journey of continuous improvement.

Not enough organizations fully consider future regulatory requirements – they focus too heavily on domestic requirements with insufficient regard to global cyber and privacy trends.

Forward-looking: New approaches are built with a view to the future – heading in the direction of global cyber and privacy trends, not where the agenda currently stands.

Cyber risk and control approaches have often been decentralized, overlapping and/or duplicative.

Effective and efficient: Second-line risk and control approaches are centralized, roles and responsibilities are clearly defined, and integrated systems and infrastructure are sustainable and cost-efficient.

In several areas, organizations embarked on complex or impractical approaches.

Practical: There is a strong focus on driving practical and substantive change in cyber and privacy risk governance.

Framework and cyber risk management​

• Ensure appropriate governance mechanisms are in place to address cyber security risk across the enterprise, including: 
• Establish, implement, maintain and document cybersecurity framework
• Approve cybersecurity risk management strategy
• Maintain adequate IT security policies and procedures
• Identify managerial responsibilities 
• Review the emerging cybersecurity threats

Role of the governing body

• Approve written cybersecurity risk management strategy​
• Approve cybersecurity risk assessment​
• Approve comprehensive cybersecurity framework

Cybersecurity awareness, training and resources​

• Establish a comprehensive training and awareness program which needs to be reviewed and updated. Adopt a security-by-design approach
• Appoint sufficient and suitable personnel to maintain their cybersecurity framework

Third-party risk management

• Ensure oversight and clear accountability for all outsourced functions
• Identify and evaluate the risks associated with third parties​
• Define contractual terms and conditions that would enable you to manage appropriate risks​
• Request third parties to implement security policies, procedures and controls that are at least as stringent as the ones established within your own organization​

Data protection

• Demonstrate that data protection is part of their strategy and cybersecurity framework, taking into consideration the provisions of the Data Protection Law and the guidance issued by the ombudsman on data protection

Notification requirements

• Immediately notify the Authority in writing of an incident when it is deemed to have a material impact or has the potential to become a material incident, and no later than 72 hours following the discovery of said incident

Enforcement

• Whenever there has been a breach of these rules, the Authority’s policies and procedures as contained in its Enforcement Manual will apply, in addition to any other powers provided in the regulatory laws and the Monetary Authority Law (MAL)

Data protection policy and data classification

• Classify personally identifiable information (PII)
• Develop mechanisms to enforce policies and standards

Privacy risk and controls

• Integrate privacy controls in existing control framework and risk assessments
• Conduct risk assessments on processes and data flows

Data life cycle management

• Maintain data flows and privacy register
  
• Document conditions for processing (i.e., legal ground, data minimization, information provision, purpose limitation)

Data subject rights

• Set up procedures to support rights of data subjects, i.e., to access, modify and erase their PII; transfer PII to another organization (data portability); and object to the processing

Privacy by design and architecture

• Update security architecture to support privacy by design
• Conduct privacy impact assessment for new projects and systems

Data security

• Identify technical security measures to protect PII in line
• Consider data encryption (rest, use motion)
• Ensure identity access management with appropriate use in line with DPL

Data retention and disposal

• Document data retention and disposal policy
• Identify retention periods for each category of PII

Monitoring

• Ensure that PII is used in line with policies, standards and DPL
• Set up mechanisms to detect deviations, i.e., unauthorized disclosures

Incident response and breach notification

• Integrate personal data breaches within incident response
• Identify stakeholders to be notified after a data breach

Vendor management

• Gain visibility on vendors that process PII
• Set up mechanism to ensure vendors only process PII in line with policies, standards and DPL (e.g., monitoring vendors and performing audits)