Governance of Information Security: the Cayman Context
You are probably familiar with the concept of GRC (Governance, Risk, and Compliance). There are as many interpretations of this as there are people, but in our financial services corner of the world, people generally view governance as board control of finance; risk management as management of financial risks such as credit risk or loss expectations; and compliance as AML/CFT (anti-money laundering / counter financing of terrorism), or in essence, doing what the law requires. Generalizations aside, there is a noticeable lack of awareness that information security is inherently part of an effective GRC effort.
GRC, at the board level, tends to be limited to governance of finance through an audit of financial systems and controls. There may be some attention to business continuity, and the related IT discipline of disaster recovery, as risk mitigation. Information security is generally not addressed the way any other risk would be: identified, measured, treated, and monitored. Instead, organizations throw money, sweat, and hope at it without a clear understanding of what the results will be. However, there is an increasing trend for cyber security to become a compliance issue, as it forms part of a number of international regulations such as the EU GDPR and the New York State DFS 23 NYCRR 500. Many organizations are finding that serious clients ask for assurance around their information security practices before the regulators do. The trend towards mandatory disclosure of a breach is unmistakable. What exactly constitutes a breach is a topic for another day.
This global direction indicates you can expect our local regulators and lawmakers to pay additional attention in the future. Here and now, CIMA asks specific governance questions on its “Information Security Questionnaire”. These questions show that increasing attention is being paid to senior-level information security responsibilities, cyber risk, and how much of that is covered by the internal audit program. Other questions delve deeper into the specific technical controls, technologies, practices, and systems in use.
In its March 2019 information circular, CIMA supplied some statistics on specific failures of governance found during its on-site inspections, which covered a cross section of the regulated Cayman entities. Even though the inspections focused on AML/CFT, almost half of the required remediations related to corporate governance, internal operations, and audit. In summary, the findings point to no formal documentation, testing, or assurance around cyber risk, and a lack of clarity as to who at a senior level within the firm is responsible for oversight.
Reviewing the CIMA guidance notes reveals over 60 narratives speaking to governance items related to information security and risk controls. The narratives are clear about your statutory duties in relation to managing the risk that goes with the use of third parties, such as outsourcing your IT support or technology systems and services. You can outsource operations, but you cannot outsource responsibility. This starts at the board level and follows on through to senior management.
One effective way to address this without onerous effort is to ensure your compliance committee also includes consideration of information security concerns in its remit. This prepares the committee to address any future regulation in Cayman and elsewhere. Further, it can supply effective governance for existing and forthcoming privacy obligations under the Cayman Data Protection Law. This centralized GRC function and oversight of IT cleanly matches what should be self-evident: every business is a technology business, and you need clear management of the associated technology risk.
August 23rd, 2019 – Author: Kent Green (B.Sc. CISSP, CCSP, CRISC)
Kent Green is an InfoSec wonk currently walking his dogs in the Cayman Islands. firstname.lastname@example.org, www.smartsecurity.com