CIMA to review firms’ cybersecurity plans

The Cayman Islands Monetary Authority plans to begin reviewing the cybersecurity plans for banks, financial services companies and its other licensees, according to a notice issued recently by the regulator.

Micho Schumann
Micho Schumann

With financial institutions increasingly reliant on moving digital data around the world, more mobile devices and storing information remotely, the regulator writes, “The Authority sees cyberattacks as one of the key risks that the financial sector faces in today’s digital environment.”

The notice from CIMA continues, “Cyberattacks are much more frequent, they have become extremely sophisticated and as institutions around the globe are finding, they are very costly.”

“CIMA has put all their registrants on notice,” said KPMG principal Micho Schumann, who specializes in cybersecurity.

The regulator cites its work with the Information and Communications Technology Authority and the police Financial Crime Unit, saying, “We are well aware of the escalating attacks targeted directly at the Cayman Islands in general and our financial industry in particular.”

CIMA notes in the statement that while many of its licensees have proper systems in place for cybersecurity, others “may have systems that are improper or inadequate.”

The circular notes that a report from PwC earlier this year found that in 2015, cybersecurity incidents increased by 38 percent from the year before. PwC’s 2016 Global State of Information Security Survey also found that average cybersecurity budgets across industries increased by 25 percent.

CIMA says it plans to review its licensees’ data security and risk management, first announced in a circular in February. The security reviews, depending on the business and risks, will look at technical controls, staff training and incident response.

“As part of our reviews, the Authority will also consider licensees’ ability to protect the confidentiality, integrity and availability of sensitive customer and other information,” the notice states.

KPMG’s Mr. Schumann said the regulator will want to know that banks and financial services companies are protecting their computer systems and have proper data backups “if somebody knocks you offline” or if a company gets hit by a ransomware attack.

He said he has been hearing about a lot more ransomware attacks in Cayman and globally, where a hacker is able to take control of a company’s data and threatens to delete it unless the company pays a ransom.

The PwC report found that the biggest challenges for companies include security at third-party vendors, the rapid evolution of complex technologies, moving data across borders, increasing customer use of mobile devices, and hacker threats from overseas.

Mr. Schumann said employee training has become more popular recently, teaching people to watch out for potentially malicious email attachments and how to keep front-line employees from unwittingly giving hackers access to a network. This includes physical security too, preventing hackers from getting in-person access to a computer sitting in the building.

In Cayman, Mr. Schumann said, “Physical security is underrated.”

CIMA says it is developing internal policies to adopt the National Institute of Standards and Technology Cybersecurity Framework.

“The standard identifies five core functions of effective cybersecurity which are: Identify, Protect, Detect, Respond and Recover,” the authority notes.

“Creation of detailed procedures and policies to cover each of these areas will provide the Authority with the enhanced tools necessary to operate in today’s digital environment while being prepared to respond to a cyber event,” CIMA writes in the circular.



  1. Required reading for all involved should be “Ghost in the Wires” by Kevin Mitnick.

    It is the autobiography of the world’s best known hacker and how he penetrated supposedly secure systems.

    This included for example downloading the closely guarded source code of Nokia cell phones.

    Absolutely terrifying.


Comments are closed.