What we are seeing in the market

The cyber threat landscape is increasing and expanding. As we move to an experience-led economy powered by data, there is also an increased focus on data privacy, underpinned by rising customer expectations and increased regulatory scrutiny. The pace and scale of regulatory change over the last five years have greatly impacted organizations’ approach to cyber and privacy risk management both locally and globally.

Approach to cyber and privacy risk management


of organizations would describe cybersecurity as enabling innovation; most choose terms such as “compliance-driven” and “risk-averse.”

Approach to cyber and privacy risk management


of organizations say that crisis prevention and compliance remain the top drivers of new or increased security spending.

2019 saw the highest-ever fines issued by privacy regulators; meanwhile, data breaches reported under the General Data Protection Regulation (GDPR) more than doubled over the prior year.

Approach to cyber and privacy risk management

6 in 10

businesses only consider cybersecurity after it’s already too late.

Approach to cyber and privacy risk management


faced a serious cyber incident in the past 12 months.

Cayman regulatory landscape: what’s changing?

  • CIMA’s Rule and Statement of Guidance - Cybersecurity

    • The code sets out risk management principles and leading-practice standards to make sure that regulated entities:
      • Establish a sound and robust cyber risk management program
      • Implement a minimum standard of technical and business process controls
      • Make every effort to improve their level of resilience to cyber attacks, as well as their ability to respond and recover from any actual cyber incidents
      • Put measures in place to ensure the confidentiality, integrity and availability of their data and systems
    • CIMA incorporates cybersecurity and IT system reviews in its examination/inspection procedures 


  • Cayman Islands Data Protection Law (DPL), 2017

    • On 30 September 2019, the long-awaited Data Protection Law, 2017 came into force in the Cayman Islands
    • The DPL outlines the requirements for organizations that process personal information, as well as the rights granted to individuals regarding the use of their personal information by such organizations
    • This legislation, which follows international best practice, applies to almost all organizations, businesses (including investment funds) and the government that process personal information in Cayman


What does this mean for you?

An effective approach to compliance

A new mindset is required to meet new and broader regulatory expectations and to enable the drive for change in a way that delivers real value to the business.

Yesterday's thinking

Today's thinking

Organizations have implemented many risk and control structures post-crisis at the regulators’ reques leading to patchwork piecemeal and often siloed solutions. Integrated: Organizations address cyber and privacy risk governance holistically, not in a compartmentalized manner; they work to certify each of the parts works well together.
The collective mindset remains focused on regulatory compliance. Strategic: Focus on capturing key benefits of effective cyber and privacy risk governance by aligning strategic decisions with the vision of the organization and realizing compliance forms part of the journey of continuous improvement.
Not enough organizations fully consider future regulatory requirements – they focus too heavily on domestic requirements with insufficient regard to global cyber and privacy trends. Forward-looking: New approaches are built with a view to the future – heading in the direction of global cyber and privacy trends, not where the agenda currently stands.
Cyber risk and control approaches have often been decentralized, overlapping and/or duplicative. Effective and efficient: Second-line risk and control approaches are centralized, roles and responsibilities are clearly defined, and integrated systems and infrastructure are sustainable and cost-efficient.
In several areas, organizations embarked on complex or impractical approaches. Practical: There is a strong focus on driving practical and substantive change in cyber and privacy risk governance.

Mapping out your compliance journey

EY’s insights on the key areas to comply with CIMA cyber regulation

Impacted area
Key considerations

Framework and cyber risk management​


  • Ensure appropriate governance mechanisms are in place to address cyber security risk across the enterprise, including: 
  • Establish, implement, maintain and document cybersecurity framework
  • Approve cybersecurity risk management strategy
  • Maintain adequate IT security policies and procedures
  • Identify managerial responsibilities 
  • Review the emerging cybersecurity threats

Role of the governing body


  • Approve written cybersecurity risk management strategy​
  • Approve cybersecurity risk assessment​
  • Approve comprehensive cybersecurity framework

Cybersecurity awareness, training and resources​


  • Establish a comprehensive training and awareness program which needs to be reviewed and updated. Adopt a security-by-design approach
  • Appoint sufficient and suitable personnel to maintain their cybersecurity framework

Third-party risk management


  • Ensure oversight and clear accountability for all outsourced functions
  • Identify and evaluate the risks associated with third parties​
  • Define contractual terms and conditions that would enable you to manage appropriate risks​
  • Request third parties to implement security policies, procedures and controls that are at least as stringent as the ones established within your own organization​

Data protection


  • Demonstrate that data protection is part of their strategy and cybersecurity framework, taking into consideration the provisions of the Data Protection Law and the guidance issued by the ombudsman on data protection

Notification requirements


  • Immediately notify the Authority in writing of an incident when it is deemed to have a material impact or has the potential to become a material incident, and no later than 72 hours following the discovery of said incident



  • Whenever there has been a breach of these rules, the Authority’s policies and procedures as contained in its Enforcement Manual will apply, in addition to any other powers provided in the regulatory laws and the Monetary Authority Law (MAL)

EY’s insights on the key areas to comply with the DPL regulation

Impacted areas
Key considerations

Data protection policy and data classification


  •  Classify personally identifiable information (PII)
  • Develop mechanisms to enforce policies and standards

Privacy risk and controls


  • Integrate privacy controls in existing control framework and risk assessments
  • Conduct risk assessments on processes and data flows

Data life cycle management


  • Maintain data flows and privacy register
  • Document conditions for processing (i.e., legal ground, data minimization, information provision, purpose limitation)

Data subject rights


  • Set up procedures to support rights of data subjects, i.e., to access, modify and erase their PII; transfer PII to another organization (data portability); and object to the processing

Privacy by design and architecture


  • Update security architecture to support privacy by design
  • Conduct privacy impact assessment for new projects and systems

Data security


  • Identify technical security measures to protect PII in line
  • Consider data encryption (rest, use motion)
  • Ensure identity access management with appropriate use in line with DPL

Data retention and disposal


  • Document data retention and disposal policy
  • Identify retention periods for each category of PII


  • Ensure that PII is used in line with policies, standards and DPL
  • Set up mechanisms to detect deviations, i.e., unauthorized disclosures

Incident response and breach notification

  • Integrate personal data breaches within incident response
  • Identify stakeholders to be notified after a data breach

Vendor management

  • Gain visibility on vendors that process PII
  • Set up mechanism to ensure vendors only process PII in line with policies, standards and DPL (e.g., monitoring vendors and performing audits)

How we can help

Our portfolio of high-demand services is designed to address your cyber and privacy regulatory compliance requirements in a holistic and impactful way.

Show resources

Contact us by location



Contact us by location

  • Bahamas

    Ernst & Young
    P.O. Box N-3231
    Nassau - Bahamas

    Phone: +1 242 502 6000
    Fax: +1 242 502 6095


  • Bermuda

    EY Bermuda Ltd.
    3 Bermudiana Road
    Hamilton, HM08

    Phone: +1 441 295 7000
    Fax: +1 441 295 5193


  • British Virgin Islands

    Ernst & Young Ltd.
    Ritter House
    Wickhams Cay 2
    Road Town
    Tortola VG1110, British Virgin Islands

    Phone: +1 284 852 5450
    Fax: +1 284 852 5451


  • Cayman Islands

    EY Cayman Ltd.
    62 Forum Lane
    Camana Bay
    P.O. Box 510
    Grand Cayman
    Cayman Islands

    Phone: +1 345 949 8444
    Fax: +345 949 8529



Return to the EY Region of the Bahamas, Bermuda, BVI and Cayman Islands main page

Click here