On April 17th, 2023, CIMA sent an updated version of the Cybersecurity Statement of Guidance (“SOG”) and Rule to Virtual Asset Service Providers (“VASPs”), informing them of new guidance. This updated guidance, however, contained several changes that affect all CIMA regulated entities, not just VASPs. The majority of the changes were formatting or brevity changes; however, several key updates apply the SOG and specific requirements to regulated entities and their IT Managed Service Providers (“MSPs”), Managed Security Service Providers (“MSSPs”), and other outsourced IT vendors.
We’ve reviewed the updated SOG and Rule and have outlined all material changes below. For a simple “too long, didn’t read” (or TL;DR), we’ve also created a simple chart to showcase the major changes and what the potential impact could be to your organization.
Changes
2023 Statement of Guidance: Cybersecurity Major Changes
Statement of Guidance, April 2023 | Change Impact
---|---
2.2: This Guidance should be read in conjunction with other regulatory instruments issued by the Authority from time to time, where applicable. | Includes any applicable regulatory guidance from CIMA, based on the entity type.
3.1: This Guidance applies to all entities regulated by the Authority including controlled subsidiaries as defined in the Banks and Trust Companies Act (as amended). For the purpose of this Guidance, a regulated entity is an entity that is regulated by (or “regulatory Acts”), as defined in the Monetary Authority Act (as amended). | Now requires all CIMA regulated entities to adhere to the Statement of Guidance, including VASPs. The only exceptions are: (i) Regulated Mutual Funds (defined in the Mutual Funds Act (as amended)); (ii) Private Funds as defined in the Private Funds Act (as amended).
3.2: References to any act or regulation shall be construed as references to those provisions as amended, modified, re-enacted or replaced from time to time. | Requires entities to ensure compliance with all applicable Acts and subsequent updates and/or changes. A standard request, but it requires entities to be aware of regulations and of updates to applicable SOGs and Rules.
6.3: The cybersecurity framework of a regulated entity should be commensurate with the size, complexity, structure, nature of business and risk profile of its operations and the nature of their cyber risk exposures. | Forces entities to apply a Cybersecurity Framework (“CSF”) based on the organization’s structure, nature of business, and overarching risk profile. A CSF could now be deemed “unfit” because of the nature of the organization, which could result in findings during a CIMA inspection.
6.3(a): Regulated entities should establish suitable policies and controls to: (i) guard against potential cyber attacks or minimise the impact of such attacks and cybersecurity incidents on their internet systems where they provide financial services online and clients transact online; and (ii) ensure that transactions performed over the internet as well as online login credentials, passwords, personal identification numbers and other sensitive personal or account information are adequately protected and authenticated and secured against exploits including but not limited to, account takeovers, automated teller machine skimming, card cloning, hacking, phishing, 2FA hijacking, ransomware and malware. | Requires updated policies to specifically address controls to protect against 2FA hijacking and ransomware. While this should be included in any policy created within the last 3 years, policies should be updated to reflect these controls.
6.3(e): Regulated entities should monitor and review the security policies, procedures and controls of the service provider on a regular basis to ensure they have robust controls in place to maintain security and compliance in the cloud as per set international standards, including commissioning or obtaining periodic independent audits on cybersecurity adequacy and compliance in respect of the operations and services provided. | Requires service providers to have robust controls in place, including cloud standards. In addition, service providers are required to have independent audits (pertaining to cybersecurity) based on the services provided. Cloud standards referenced include international certifications such as ISO 9001:2015, Cloud Security Alliance, CyberGRX, CyberVadis, Security Standards Council, etc.
Key Takeaways
While the table above should serve as a high-level overview of the major updates to the SOG, we want to highlight the most significant ones: 3.1, 6.3, and 6.3(e).
2023 Statement of Guidance, 3.1 & 3.2
SOG 3.1 now outlines that all entities regulated by CIMA must adhere to the SOG and associated Rule for cybersecurity. Where the previous version listed entities under specific regulations, this change in verbiage means that any new entity type regulated by CIMA is now automatically subject to the regulations. This change was most likely driven by the addition of VASPs to the entities governed by the SOG, but it now has cascading effects for all entities regulated by the Authority.
In addition, 3.2 forces entities to comply with updates to any Acts or regulations that may affect them. Although this is a standard requirement in the grand scheme, it’s important for entities to ensure they’re reviewing the most recent and applicable regulations (hence this blog post to update our clients that are regulated by CIMA). This update is a perfect example of the impact of section 3.2: if regulated entities weren’t made aware of these changes, or thought they only affected VASPs, they would still be bound by the subsequent changes listed hereafter.
2023 Statement of Guidance, 6.3
SOG 6.3 addresses the requirement for regulated entities to choose a Cybersecurity Framework that fits their organization based on the “size, complexity, structure, nature of business and risk profile of its operations and the nature of their cyber risk exposures.” What this means for regulated entities is that a CSF that is not fit for purpose could result in a finding from CIMA. A perfect example is the use of the Center for Internet Security (“CIS”) Risk Assessment Method (“RAM”); bear with me, because this is a lot of fancy regulatory and control work that can be a little boring.
The CIS RAM has different tiers, called Implementation Groups (“IG”), that apply different controls to organizations based on size, nature, complexity, and, most importantly, cybersecurity maturity level. The most lightweight IG is IG1, which is meant for organizations that are just starting their cybersecurity control “journey”. Because of this, fewer controls are applied to this group than to the highest tier, IG3, which is meant for the most mature cybersecurity profiles. Where this has impact is in the details: IG1 does not address penetration tests, risk assessments, or holistic policies and procedures.
You may be thinking, “But RJ, that’s ok! It’s a Cybersecurity Framework and that’s all we need!” And you would be correct, except that the SOG specifically requires penetration testing, risk assessments, and a set of working policies and procedures, which directly conflicts with IG1 being an effective CSF.
2023 Statement of Guidance, 6.3(e)
This one is a bit more straightforward. This control places the effectiveness of any IT service provider for a regulated entity under scrutiny, requiring the provider itself to have effective security controls. Not only do providers need to have effective controls, but those controls also need to be tested independently, based on the types of services provided.
What does this mean? If a vendor is providing outsourced cybersecurity services, it should have effective controls of its own to adequately protect its own organization from cybersecurity events. The same goes for MSPs.
This also addresses specific requirements for applying controls to cloud instances, like Azure, Google Cloud, AWS, or any other provider of cloud-based infrastructure. This entire control puts the power in the hands of the regulated entity, ensuring they’re comfortable with the controls the service provider is using on its own infrastructure, not just those in place for the regulated entity.
Closing thoughts
At Ember Lake, we know there isn’t a “secret sauce” for applying security controls and procedures; it’s more of a matter of “you don’t know what you don’t know”. At our core, we believe this information should be easily digestible to effectively apply controls at your organization and adhere to regulations.
If you’re curious about how any of these changes could impact your organization, we’re more than happy to assist. You can contact us directly at info@emberlake.ky.