EY - Professional tennis players handshakes after the match

Why data protection is giving Cayman businesses a competitive edge

As organizations in the Cayman Islands deal with high volumes of personal data, securing and handling that data has become a significant challenge.

In brief

  • Industry leaders discuss the impact of the new data protection and cybersecurity regulations in the Cayman Islands.
  • Undetectable cyber attacks can be the biggest threat to an organization’s cybersecurity program.

Two recently enacted Cayman regulations aim to provide consistent standards around data protection and cybersecurity that are in line with broader global regulations.

On Data Privacy Day, participants at an EY-hosted roundtable discussed the two directives — the Cayman Islands Data Protection Law (DPL) and the Rule and Statement Guidance – Cybersecurity (Rule) of the Cayman Islands Monetary Authority (CIMA) — and their impact on organizations doing business in Cayman. Attendees included chief information officers, chief information security officers, data protection officers, and heads of risk, compliance and internal audit across the financial services and government sectors.

“These Cayman-focused regulations align with and enhance various global data protection regimes, including General Data Protection Regulation (GDPR),” said David McGibbon, EY Principal, Technology Consulting. “They are robust and will boost confidence among Cayman organizations and clients that their data is being managed properly and safely, benefitting the Cayman community at large.”

Understanding the DPL

For a close look at key concepts of the DPL, the participants heard from Jan Liebaers, Cayman Islands Deputy Ombudsman. Eight data protection principles form the “backbone of the legislation that went into force on 30 September 2019,” according to Liebaers.

Each of the principles supports the protection of personal data and the extent to which it can be used. “Organizations can collect only the data they need and keep it only as long as necessary,” Liebaers said. “Holding onto data ‘just in case’ is not okay.”

Liebaers also emphasized an important distinction in the DPL between a “data controller” and a “data processor” and how companies should understand these roles. The data processor acts on behalf of the data controller, which sets the conditions for how data can be used. The data controller can be based inside or outside Cayman, but both controller and processor must abide by the DPL when any data passes through Cayman, and the controller remains liable.

Nearly all roundtable participants reported they were familiar with the DPL, and a majority said they are comfortable applying it. Most process a high volume of personal and/or sensitive data. Liebaers said that it’s unlikely any organization doing business in Cayman could ignore the DPL. “In the digital era, every company handles some type of personal data.”

Building a cybersecurity framework


CIMA’s new cybersecurity rule arrives amid an increasing wave of breaches, particularly ransomware exploits. The Rule, which came into effect 27 November 2020, will help companies position for the growing threats by mandating annual cybersecurity risk assessments, the designation of a senior cybersecurity officer, and other policies and provisions.


“The Rule encourages a cross-functional approach to cybersecurity that goes beyond IT,” said Anil Persad, EY Caribbean Cybersecurity Leader. Companies are already assessing the Rule’s organizational impacts and making adjustments as needed, but the agility around this needs to increase. Even the largest companies in the world have been unable to avoid cybersecurity incidents, exposing hundreds of millions of highly confidential records (including user accounts and credentials), with severe reputational and financial backlash. Among the Caribbean Islands, financial institutions, government entities and more have been recently compromised and some subjected to ransomware attacks.


“Employees and former employees can be the biggest threats,” said Persad. He told the roundtable that, on average, three months pass between a cyberattack and its detection, a duration that has persisted for years. “Given that kind of time, an undetected insider can do a lot of damage.”

Undetected cyber attacks
86 days
Nearly three months passes between a cyberattack and its discovery

Building (and owning) a holistic response

Effective cybersecurity springs from a coordinated, layered strategy that prioritizes the biggest threats. That approach will also help Cayman organizations get the most from the two new regulations. “Ultimately, data protection and cybersecurity risks are best managed when businesses and regulators collaborate, sharing insights and leading practices, which brings about a more holistic response” said Liebaers.

Cayman companies should also understand that, even if they outsource IT security functions to a global and established technology service provider, the DPL and the CIMA Rule still apply. “It’s not good enough to say that ‘my parent company or outsourced vendor does this,’” notes Persad.

Fortunately, complying with the regulations boosts confidence among business partners. “It demonstrates that a company cares about personal data,” said McGibbon. “It’s a reputational differentiator that shows a client you are worthy of their trust and that a considerate risk-based approach has been taken.”

Return to the EY Region of the Bahamas, Bermuda, BVI and Cayman Islands main page



Recognizing that potential for a competitive edge around cybersecurity, participants reported enthusiasm for working even more closely with Cayman regulators. Ongoing collaboration between the public sector and private sector organizations will continue as Cayman businesses and regulators move forward with evolving cybersecurity and data protection priorities.

About this article

Related articles

What makes digital an urgency for the insurance industry

Digital transformation can help insurance companies meet new customer expectations in the new world of social distancing. Read more.