Skip to content
Home » Blog » CIMA Statement of Guidance: Cyber Checklist

CIMA Statement of Guidance: Cyber Checklist

  • by

Three years after the Statement of Guidance for Cybersecurity (SOG:C) was released, CIMA has started to schedule examinations for regulated entities. We’ve heard that CIMA has been thorough in ensuring Cybersecurity Frameworks and their implementations are being taken seriously. While this is a massive step forward for data protections and bringing organizations on island up to date for cyber controls, there is still room for improvement.

Many organizations are still scrambling to implement the items listed within SOG:C as they slowly get back to working order similar to their pre-pandemic environment. While I personally have written and spoken about the regulation more times that I care to admit, it’s still a topic that warrants further discussion.

At Ember Lake, we’ve worked with many regulated entities in advance of their inspections and found ourselves answering many of the same questions. Whether this is due to the nature of the SOG:C, or how was written, is up for interpretation, but we believe that the information should be freely available and easily digestible for every regulated entity.

Over the past several weeks, we’ve worked towards summarizing the regulation and have pulled together a simple checklist for entities and their requirements, based on our practical experiences.

This one page PDF was created with Managing Directors or executives of regulated entities in mind, stripping away buzzwords and identifying the core requirements of the regulation. In it, we highlight the core requirements of the SOG:C and SOG:R, what is required to be compliant, and what are some best practices for to elevate cybersecurity maturity levels. We hope the document can serve as a reference and help shed some light on what CIMA is specifically looking for and how to assist with compliance.

I was lucky enough to have the opportunity to speak about the SOG:C at last year’s BSides 2022 Cayman Islands Conference. The main purpose of the presentation was to create a bullet list or “SparkNotes” for the SOG:C, similarly to the checklist above. Taking out all the extra fluff and revealing what the regulation specifically states, the presentation highlights areas of interest and what CIMA is expecting for regulated entities. If you’re interested in a copy of the slide deck or how Ember Lake can help with navigating CIMA’s regulations, reach out to us at

While we know CIMA inspections can be a bit harrowing, we’re here to help. If you’ve got questions about specific requirements, what to do next, or how to get started, don’t hesitate to use us as a resource! Feel free to reference this post as much as possible and if you have any questions, reach out for a more purpose-driven discussion by emailing us at