In May of 2020, CIMA released a statement of guidance discussing specific requirements for regulated entities within the cybersecurity space. In the guidance, CIMA issued recommendations based on other recent regulations, such as Cayman’s Data Protection Law and the now commonplace GDPR. In this statement of guidance, CIMA placed the responsibility of identifying, monitoring, and preventing cyber threats onto the shoulders of regulated entities. In addition to these requirements, CIMA also laid the groundwork for organisations to identify gaps within their risk profile, as well as take a deeper look into what vendors are being used.




A quick overview of the new requirements is listed below:

  • Cybersecurity threat monitoring and prevention
  • Risk assessment
  • Penetration testing
  • Policy creation and implementation, including:
    • Vendor Due Diligence
    • Business Continuity Planning
    • Incident Response
    • Breach Notifications


These threats are always present and attackers using these techniques are changing to evade security controls. While this may seem daunting to smaller organisations or those that have never had to think about these threats before, now is good time to begin. There are several solutions out there, including those provided by Kirk ISS, that can help with not only regulatory satisfaction but also peace of mind.

Cybersecurity Threat Monitoring and Prevention

Kirk ISS has introduced SOC as a Service (SOCaaS) to customers in Cayman and throughout the Caribbean. SOCaaS provides organisations a cost-effective option for supplementing their IT environment with cybersecurity professionals that provide 24×7 support. SOCaaS utilises a “bring your own licensing” scheme that builds on what your organisation already has in place and can help shine light into gaps in the security posture. SOCaaS also natively connects with Microsoft products, allowing Kirk ISS to proactively monitor and mitigate threats across your organisation including email, identity management, Azure, Office 365, endpoints, and more. Analytics rules are deployed that identify threats such as phishing, brute forcing attempts, malware, data leakage, and more. More information about the Kirk ISS SOCaaS can be found here.

Penetration Testing

Penetration testing is a proactive assessment where cybersecurity professionals identify security vulnerabilities within an organisation in an effort to mitigate threats prior to attackers exploiting them. Kirk ISS’ cybersecurity engineers have years of experience performing penetration tests against organisations’ internal and external infrastructure, web applications, along with boutique testing scenarios.
Our Network Security Assessment (NSA) combines both traditional penetration testing and a vulnerability assessment to identify threats and misconfigurations within your organization. This approach is designed to provide granularity into not only underlying vulnerabilities, but to provide details about how they affect your overall security posture. More information about the Kirk ISS Network Security assessment can be found here.

Policy Creation

Written policies are the backbone of a successful information security program. Each organisation is different in the way they operate, deploy IT systems, and require each user to interact with internal resources. Without this baseline to refer to, an organisation is fighting uphill to define proper procedures and methodologies.
With years of experience working in cyber risk and threat management, Kirk ISS works with key stakeholders to help develop internal IT policies and procedures unique to your organisation. With CIMA’s Statement of Guidance as a baseline, we can develop mature IT policies to help make regulatory compliance much easier and help mold your organisation’s IT posture.



To learn more about where your organisation’s IT maturity lies compared to CIMA’s Statement of Guidance, contact Kirk ISS at 345-623-4730 or