Cybersecurity: How reasonable is “reasonable”?

Those of you with a passing familiarity with the Cayman Islands CIMA Cybersecurity Rule may have asked the same question. Whether regulated or not, every business should have a degree of confidence in the robustness of its cybersecurity defenses and should be investing in the protection of its digital workspace. Data breaches regularly cause irreparable damage to businesses and are irrefutably on the rise. The Verizon 2024 Data Breach Investigations Report provides some grim statistics on the cost, frequency and shape of cybersecurity attacks over the past year.

So where do we start?

Section 6.3 of the CIMA Statement of Guidance states:

“The cybersecurity framework of a regulated entity should be commensurate with the size, complexity, structure, nature of business and risk profile of its operations and the nature of their cyber risk exposures.”

This gloriously vague statement leaves a lot open to interpretation. On the sliding scale from no figs given to complete lockdown, where should your company's stance on cybersecurity sit, and how do you even measure it?

Cayman is not alone in wrestling with this conundrum. Numerous US states have enacted comprehensive data privacy statutes that require organizations controlling private information to protect it using reasonable security, but provide no criteria for achieving it.

In Cayman, as in the United States, there is no cross-sector minimum standard for information security and no clear definition of what should be considered reasonable security in matters involving data breaches. In the US, negligence claims under the common law of the various states have become a frequent basis for data-breach litigation. These claims generally require proving that the person or organization that caused the damage both had a legal obligation (i.e. owed a duty of care to the claimant) and failed to meet it (i.e. did not exercise the standard of care a reasonable person would).

Cybersecurity has quickly moved from the shadows into the mainstream of risk-based decision making for every enterprise. CIMA is the first of what will be many regulatory bodies requiring that cybersecurity controls be in place and meet a reasonable standard. By considering regulatory requirements alongside industry cybersecurity standards, we will attempt to provide a working definition of “reasonable cybersecurity” and fill in the blanks left by the regulators.

Guidelines for implementing reasonable Cybersecurity

“We expect that reasonable security measures will include measures that are commonly the subject of best practices”

Federal Communications Commission

“In the absence of clear guidance from the courts, organizations must rely on a variety of sources to determine the reasonable standard of care in cybersecurity, including industry best practices, government regulations and expert opinions”

James Lewis, Senior VP and Director, Center for Strategic and International Studies

In the US, states are beginning to point to solutions by identifying and accepting industry best practices and by referencing published frameworks as constituting reasonable security. As an example, in its 2016 data breach report the California Attorney General concluded that failure to implement all of the applicable CIS Critical Security Controls “constitutes a lack of reasonable security”[1]. CIMA in its Cybersecurity Rule stipulates the adoption of a cybersecurity framework, but falls short of naming any framework or mandating an industry-recognized one. Essentially you could write a “framework” on the back of a napkin and it would satisfy this criterion.

It is useful here to look at states that have passed safe harbor laws, which provide a similar route to identifying reasonable cybersecurity. Taking the Ohio law[2] (the first of the safe harbor laws) as an example, its statute is very similar to the CIMA Cybersecurity Rule, and it holds that the scale and scope of a company's cybersecurity program is “appropriate if it is based on all of the following factors”:

  • The size and complexity of the company
  • The nature and scope of the activities of the company
  • The sensitivity of the information to be protected
  • The cost and availability of tools to improve information security and reduce vulnerabilities
  • The resources available to the company

Having identified these five factors to determine the scale and scope of an appropriate cyber defense, the Ohio safe harbor statute goes further and expressly accepts as reasonable those programs that reasonably conform to, among other recognized frameworks:

  • The Framework for Improving Critical Infrastructure Cybersecurity developed by NIST
  • The CIS Critical Security Controls

By listing the factors that determine an appropriate scale and scope, and then expressly pointing to specific, effective, existing industry best practices, the statute creates a clear roadmap for organizations as they determine how best to mitigate risk and assess the “reasonableness” of their cybersecurity measures.

NIST v CIS

The frameworks mentioned above offer a range of prescriptive and flexible defensive actions an organization could take. The NIST (National Institute of Standards & Technology) Cybersecurity Framework is outcome-based: it describes what a security program should achieve, organized by function (Identify, Protect, Detect, Respond, Recover), and leaves the choice of specific controls to the organization. The CIS (Center for Internet Security) Controls are operational: a prioritized list of concrete safeguards to implement and measure against, which version 8 additionally groups into Implementation Groups (IG1 to IG3) scaled to an organization's size and risk, a useful answer in itself to the “commensurate with” question CIMA poses. We at Iris 365 follow the CIS framework to implement operational security against a defined set of controls, and this forms the basis of our guidance on what to consider reasonable cybersecurity. Organizations still require policies and procedures that provide the basis for the security controls, and there are any number of examples of these based on either NIST or CIS (Iris 365 can help with the development and lifecycle of these policies and procedures as well!).

When assessing the cybersecurity health of an organization, leadership should consider a basic set of questions:

  • What is the scope of our mission, obligations and stakeholders?
  • Do we know what is connected to our systems and networks?
  • Do we know what is trying to run on our systems and networks?
  • Have we assessed the impact of 3rd party outages on our systems?
  • Do we understand the data that is running on our systems and the relative sensitivity?
  • Are we limiting and managing the number of people who have privileged access to our systems and networks?
  • Have we established processes for training employees, securing user access and recovering from possible breaches?
  • What are our gaps and what risk do they pose?

By addressing these questions, an organization can show that it has established and maintains a cybersecurity program that includes protections commensurate with its risk. As mentioned, one of the most effective ways to demonstrate this is by aligning with a known cybersecurity framework and objectively measuring conformity and progress against that framework's security criteria. Organizations should also periodically audit and assess themselves against the framework, and review the framework itself for updated guidance, since both NIST and CIS revise their publications.

Pillars of Cybersecurity

Here we look to the CIS Critical Security Controls for guidance on what reasonable cybersecurity measures look like. These controls are intentionally very detailed; in broad terms, however, they can be grouped into the following common-sense pillars:

  1. Know your environment
  2. Account and configuration management
  3. Security tools
  4. Data Recovery
  5. Security Awareness
  6. Business processes and outsourcing

Know your environment

An organization must know what assets (hardware and software) are on its network or accessing its data, and catalog them. It must also identify the data within the enterprise it is obligated to protect. Once this is understood, it can apply the relevant security controls to the assets where high-value data resides. An inventory is only useful if it is kept current: a device that appears on the network but not in the inventory, and an inventory entry that has not been seen for months, are both findings to act on.
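As an added example (not code from this article or from Iris 365), here is a small Python check of the kind CIS Control 1 asks for: it reconciles an authorized asset inventory against the devices a DHCP server has actually handed leases to, flagging devices on the network that nobody has cataloged and inventory entries that have not been seen in a month. The inventory columns, the lease line layout and all of the sample data are constructed for the example and are not any vendor's export format.

```python
"""Reconcile an authorized asset inventory against devices seen on the network.

Added example for this article, not Iris 365 code. All data below is
constructed: the inventory CSV columns and the "timestamp mac ip hostname"
lease layout are assumptions, not any vendor's export format. Swap in exports
from your own CMDB and DHCP server.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed inventory export (assumed column layout).
INVENTORY_CSV = """asset_tag,mac,owner,last_seen
LT-0001,AA:BB:CC:00:00:01,finance,2024-05-01
LT-0002,aa-bb-cc-00-00-02,ops,2024-01-10
SRV-0010,AA:BB:CC:00:00:10,it,2024-05-02
"""

# Constructed DHCP lease lines (assumed layout: timestamp mac ip hostname).
DHCP_LEASES = """2024-05-03T08:01:00 aa:bb:cc:00:00:01 10.0.1.21 lt-0001
2024-05-03T08:05:00 aa:bb:cc:00:00:10 10.0.1.5 srv-0010
2024-05-03T09:12:00 de:ad:be:ef:00:01 10.0.1.77 raspberrypi
"""


def normalise_mac(mac):
    """Canonical lowercase, colon-separated MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text):
    """Map normalised MAC -> inventory row."""
    return {normalise_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def load_leases(text):
    """Map normalised MAC -> most recent lease seen for that device."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, host = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "ip": ip, "host": host}
        key = normalise_mac(mac)
        if key not in seen or rec["ts"] > seen[key]["ts"]:
            seen[key] = rec
    return seen


def reconcile(inventory, leases, now, stale_after=timedelta(days=30)):
    """Return (unknown_devices, stale_asset_tags).

    unknown_devices: MACs active on the network with no inventory entry
    (CIS safeguard 1.2, address unauthorized assets).
    stale_asset_tags: inventory entries not seen within stale_after, which may
    be lost, stolen or retired without the inventory having been updated.
    """
    unknown = {mac: rec for mac, rec in leases.items() if mac not in inventory}
    stale = []
    for mac, row in inventory.items():
        last = leases[mac]["ts"] if mac in leases else datetime.fromisoformat(row["last_seen"])
        if now - last > stale_after:
            stale.append(row["asset_tag"])
    return unknown, sorted(stale)


def run_example(now="2024-05-03T12:00:00"):
    """Run the reconciliation over the constructed sample data."""
    inventory = load_inventory(INVENTORY_CSV)
    leases = load_leases(DHCP_LEASES)
    return reconcile(inventory, leases, datetime.fromisoformat(now))


if __name__ == "__main__":
    unknown, stale = run_example()
    for mac, rec in unknown.items():
        print(f"UNKNOWN DEVICE {mac} {rec['ip']} ({rec['host']}) last seen {rec['ts']:%Y-%m-%d %H:%M}")
    for tag in stale:
        print(f"STALE INVENTORY ENTRY {tag}: not seen on the network in the last 30 days")
```

Run against the sample data it reports the uncataloged raspberrypi as an unknown device and LT-0002 as stale. Keying on MAC address is a pragmatic choice for a small environment; MACs can be spoofed and randomized, so for anything larger the same reconciliation should also draw on an authenticated source such as EDR agent check-ins or 802.1X logs.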

Account and configuration management

Once the above is understood, the next step is to manage accounts and standardize hardware and software configuration. This includes defining processes for creating and revoking accounts and for determining which accounts have access to which data and systems. Such account governance is essential because compromising accounts and abusing their access is one of the most common attack vectors.

Another highly effective way to mitigate and detect malicious activity is to apply and maintain secure configurations across hardware and software assets. Enabling automated patching, keeping software up to date, scanning for software vulnerabilities and removing legacy or obsolete software are primary ways for organizations to defend against attacks. Log collection, aggregation and review will help with detecting and understanding an attack, provided logs are retained long enough to cover the gap between compromise and discovery and someone is actually reviewing them.

Security Tools

Commercial cybersecurity tools can protect against common attacks such as malware, which can enter an organization via end-user devices, email attachments, websites and other means. Email and browser protections are therefore extremely important for network defense, and there is a plethora of products providing layered defense in these areas. Monitoring through Endpoint Detection and Response (EDR) is also important, as are intrusion detection and prevention systems (IDS/IPS). Some level of protection in each of these areas is vital to provide an adequate, and thus reasonable, level of protection.

Data Recovery

Given the modern threat landscape, it is critical for every organization to put in place a data recovery plan as preparation for a breach, which should include automated backups at a minimum. Those backups should be tested by actually restoring from them, and at least one copy should be kept offline or otherwise isolated so that ransomware cannot encrypt it along with the live data. It is equally important to implement and maintain an incident response plan, identifying roles and contact information for the key personnel responsible for responding to an incident.

Security Awareness

An effective cybersecurity program implements controls through technology, processes and people. Often called the last line of defense, the human element also introduces the most risk to the business. A cybersecurity awareness program, preferably a measurable one, is the most effective defense against social engineering attacks. Social engineering is commonly used to trick a user into divulging confidential information such as credentials, clicking on malicious links, or opening an attachment that delivers ransomware.

Business Processes and Outsourcing

Many organizations outsource business processes. These firms must develop a process to identify, evaluate and manage the service providers responsible for their sensitive data and functions, and assess those providers on an ongoing basis rather than only at onboarding.

By addressing the general categories listed above, and investing in the resources to keep monitoring and assessing your environment, your organization can establish and maintain a cybersecurity program that balances the scope of its security against the risk and consequences of a data breach. For all businesses this would seem a common-sense approach. For CIMA-regulated entities it is non-negotiable.

Iris 365 can help you on your journey to a healthy cybersecurity outlook and, for regulated entities, to CIMA compliance. We have a deep understanding of the CIS framework and how to apply it to IT environments. Get in touch to discuss how we can put our knowledge to work for you.

Many thanks to John Watson, Head of the RCIPS Cyber Crime and Digital Forensics Unit, for reviewing this article prior to release.


[1] California Department of Justice, Office of the Attorney General (2016). California Data Breach Report. https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
[2] Ohio Revised Code, Sections 1354.01-1354.05 (2018). https://codes.ohio.gov/ohio-revised-code/section-1354.01
