Cybersecurity - Cayman Islands
The Cayman Islands has no single comprehensive (NIS2-style) cybersecurity law; obligations are sectoral and instrument-specific. The financial sector is governed by CIMA's binding Rule and Statement of Guidance on Cybersecurity for Regulated Entities (in force, current version effective 14 April 2023), while personal-data breaches trigger notification duties to the Ombudsman under the Data Protection Act. Cybercrime is criminalised separately under the Computer Misuse Act, and government-wide cyber resilience is pursued through policy and awareness initiatives rather than a binding general law.
There is no economy-wide, horizontal cybersecurity statute imposing security and incident-reporting duties across all critical sectors; requirements arise from sectoral financial regulation and data-protection law instead.
CIMA's binding Rule on Cybersecurity for Regulated Entities, supplemented by a Statement of Guidance, sets minimum requirements: a cybersecurity programme, board-overseen policies, and a designated Senior Officer. The current version took effect 14 April 2023 and applies broadly to CIMA licensees and registrants.
A regulated entity that becomes aware of a cybersecurity incident with material impact (or potential to become material) must notify CIMA in writing immediately and no later than 72 hours after discovery, and must notify affected persons where non-public information is breached or services disrupted.
The 2023 update clarified that the cybersecurity measures apply to virtual asset service providers under the Virtual Asset (Service Providers) Act and registered persons under the Securities Investment Business Act; the mutual-fund exemption was extended to private funds.
On a personal-data breach, the data controller must notify the Ombudsman and affected data subjects without undue delay and within five days of when it should reasonably have become aware. Notice must describe the breach, consequences, and mitigation measures.
Failure to report a data breach is an offence carrying a fine of about US$121,951; the Ombudsman may also impose monetary penalties up to about US$304,878. Computer-related offences (unauthorised access, modification, interception) are criminalised under the Computer Misuse Act.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.