Cybersecurity regulation in Cayman Islands (2026)
[Map: Cayman Islands shaded by its cybersecurity status]
The Cayman Islands has no single comprehensive (NIS2-style) cybersecurity law; obligations are sectoral and instrument-specific. The financial sector is governed by CIMA's binding Rule and Statement of Guidance on Cybersecurity for Regulated Entities (in force, current version effective 14 April 2023), while personal-data breaches trigger notification duties to the Ombudsman under the Data Protection Act. Cybercrime is criminalised separately under the Computer Misuse Act, and government-wide cyber resilience is pursued through policy/awareness initiatives rather than a binding general law.
Key points
There is no economy-wide, horizontal cybersecurity statute imposing security and incident-reporting duties across all critical sectors; requirements arise from sectoral financial regulation and data-protection law instead.
CIMA's binding Rule on Cybersecurity for Regulated Entities, supplemented by a Statement of Guidance, sets minimum requirements: a cybersecurity programme, board-overseen policies, and a designated Senior Officer. The current version took effect 14 April 2023 and applies broadly to CIMA licensees and registrants.
A regulated entity that becomes aware of a cybersecurity incident with material impact (or potential to become material) must notify CIMA in writing immediately and no later than 72 hours after discovery, and must notify affected persons where non-public information is breached or services disrupted.
The 2023 update clarified that the cybersecurity measures apply to virtual asset service providers under the Virtual Asset (Service Providers) Act and registered persons under the Securities Investment Business Act; the mutual-fund exemption was extended to private funds.
On a personal-data breach, the data controller must notify the Ombudsman and affected data subjects without undue delay and within five days of when it should reasonably have become aware. Notice must describe the breach, consequences, and mitigation measures.
Failure to report a data breach is an offence carrying a fine of about US$121,951; the Ombudsman may also impose monetary penalties up to about US$304,878. Computer-related offences (unauthorised access, modification, interception) are criminalised under the Computer Misuse Act.
Timeline - major decisions & events
CIMA's thematic review of 11 virtual asset service providers (assessed Sept 2024–Feb 2025) found that 82% lacked cybersecurity insurance, 27% had not appointed a qualified CISO/CIO, and many had inadequate custody, wallet and private-key controls. It signals heightened cyber-supervisory scrutiny of the crypto sector. (Source: CIMA)
CIMA revoked AC Holding Limited's virtual asset registration for failures including non-provision of documents, deficient AML systems and breaches of CIMA's Corporate Governance and Internal Controls Rules. It illustrates the regulator's growing willingness to take enforcement action against governance and control failings. (Source: Loeb Smith)
CIMA reviewed 12 banking, insurance and securities entities and concluded the 2020 cybersecurity guidance had largely been adopted, while flagging weaknesses in risk assessment and oversight of outsourced providers (notably Microsoft 365/Azure dependencies). The report sets supervisory expectations for the sector. (Source: CIMA)
The updated binding Rule and SOG on Cybersecurity for Regulated Entities took effect, expressly extending obligations to virtual asset service providers and SIBA-registered persons while extending the cybersecurity/outsourcing exemption from mutual funds to private funds. It broadened the perimeter of regulated entities subject to mandatory cyber-risk management. (Source: Ogier)
CIMA introduced its first dedicated, binding cybersecurity framework requiring regulated entities to adopt a board-approved cyber risk strategy, security policies and controls, and to notify CIMA of material cyber incidents within 72 hours. This established the financial sector's core cybersecurity obligations. (Source: CIMA)
The DPA took effect, making the Office of the Ombudsman the data-protection supervisor and requiring controllers to notify the Ombudsman and affected individuals of a personal data breach without undue delay and within five days. It created the islands' core data-security and breach-notification obligations, backed by penalties up to CI$250,000. (Source: Cayman Islands Ombudsman)
The consolidated Computer Misuse Law, modelled on the UK Computer Misuse Act, criminalises unauthorised access, modification, interception, obstruction and disclosure of access codes, with extra-territorial reach. It is the foundational anti-hacking statute underpinning the islands' cybersecurity legal framework. (Source: OfReg (Cayman Islands))
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.