
Cybersecurity as a Board Governance Issue — Moving beyond IT

  • Apr 20
  • 8 min read

It is still a common belief among many organizations that cybersecurity is solely an IT issue — and that everyone else, including the board, plays only a secondary role. Boards have long been content to receive a reassuring summary at year-end and move on. However, this mindset is not only outdated; it could also expose your firm to serious cyberattacks and regulatory consequences.


Over the years, the threat dynamics have changed materially. Attackers today are more sophisticated and better resourced than ever before, and they are increasingly targeting the financial sector. Regulatory expectations have also shifted in step, with CIMA, the SEC, and other bodies now treating cybersecurity preparedness as a governance matter, not just a technical one.


The consequences of a significant breach now land squarely at board level. 


That’s why it has become crucial for leadership, including the board, to treat cybersecurity as a core agenda item, not an afterthought. It should inform business decisions and receive sufficient budget allocation, on a par with any other critical function within the firm.


In this article, we will examine why cybersecurity has become a board governance issue, what regulators now expect, and what directors of Cayman-domiciled funds and corporate entities should have in place to demonstrate appropriate oversight.


The Threat Profile Has Changed

Ever since the advent of computers and the internet, the financial services sector has been an attractive target for malicious actors. What keeps changing over the years is the nature and scale of the threat.


Today's attackers are not lone individuals probing for weaknesses — they include organized crime syndicates and, in some cases, state-sponsored groups with significant technical capabilities.


Attackers of this kind have the capacity and resources to penetrate vulnerable firms, with a specific interest in the data that financial institutions hold — including investor information, fund strategies, transactional records, and operational systems.


Every day, new attack methods are developed and shared across criminal networks. Ransomware, phishing campaigns, and third-party supply chain attacks have all become more prevalent and more damaging than ever before.


A single successful attack can render critical systems inoperable, compromise confidential investor data, and trigger a wide range of regulatory and reputational consequences.


A financial firm's exposure is further compounded by its reliance on an ecosystem of service providers, including fund administrators, technology platforms, legal advisers, and custodians. Each of these relationships represents a potential entry point.


A firm may have robust internal controls and still suffer a breach through a compromised third party. This interconnected exposure makes cyber risk not just an internal operational matter, but a structural feature of how financial services firms operate.


In response to this evolving environment, regulators have stepped in — both to guide firms on how best to withstand these threats, and to hold accountable those who fall short of the standards expected. The SEC's enforcement action against Morgan Stanley, in which the firm was fined for failing to protect customer data, is one prominent example.


Regulators are sending a clear message: cyber risk must be treated as a structural and systemic challenge, not merely a technical one. Insufficient cyber governance is increasingly treated as a failure of institutional responsibility — and firms are being held to account accordingly.


Why This Is a Board Issue, Not Just an IT Issue

For many years, core business functions such as sales, marketing, and legal have been treated as board-level priorities — and rightly so, given their direct impact on a firm's operations and success. Cybersecurity deserves the same standing. Its impact on the firm is no less significant than these functions, and in many respects the consequences of getting it wrong are more severe.


Of course, the framing of cybersecurity as an IT concern is understandable — it has technical dimensions that most board members will not be experts in. But this framing has become a liability.


Cyber risk is, at its core, operational risk. And operational risk — the risk that people, processes, systems, or external events cause material harm to the business — falls squarely within the board's governance mandate.


When a firm suffers a data breach, it is not the IT team that faces regulatory scrutiny, investor pressure, or reputational fallout. It is the board. Directors of regulated funds and corporate entities in the Cayman Islands carry governance responsibilities that extend to how the firm identifies, manages, and responds to material risks. Cybersecurity now falls firmly within that category.


A director who cannot demonstrate that they have considered cyber risk at board level, tested the firm's resilience, and ensured appropriate structures are in place is increasingly exposed. This does not mean board members must become technical experts — but a working understanding of cybersecurity fundamentals is fast becoming a reasonable expectation of effective governance.


There is also a strategic dimension that boards cannot afford to overlook. Investors and counterparties are paying greater attention to cyber resilience as part of their due diligence. A firm that cannot clearly articulate how it manages cyber risk — at board level, not just at the IT level — is at a material disadvantage.


What Regulators Expect

Regulatory expectations around cybersecurity have evolved significantly, and the direction of travel is consistent across jurisdictions. Boards and senior leadership are expected to take ownership of cyber risk, not delegate it entirely to technical staff. Below is an overview of the key regulatory expectations for firms operating in the Cayman Islands.


CIMA

The Cayman Islands Monetary Authority has made clear to its licensees that data security risk management falls within its supervisory scope. CIMA has signalled that it will review how regulated entities manage cyber and data security risks as part of its broader oversight of operational governance.


For directors of CIMA-regulated funds, this means that cyber preparedness is part of what regulators will assess when examining whether a board is exercising appropriate oversight of the entity it governs.


SEC

The US Securities and Exchange Commission has incorporated cybersecurity into its regular examination programme and has already taken enforcement action against firms that failed to maintain adequate controls around customer data and information security — making clear that deficient cyber governance carries material regulatory risk.


For instance, in June 2024, R.R. Donnelley & Sons agreed to pay a civil penalty of over $2 million to settle charges relating to disclosure failures and inadequate internal controls in connection with cybersecurity incidents. For Cayman funds with US investors or US regulatory touchpoints, SEC expectations are directly relevant.


NFA

The National Futures Association has amended its Information Systems Security Programs requirements to mandate annual cybersecurity training for all employees, formal senior-level ownership of information security, and mandatory reporting of cybersecurity incidents that result in loss of customer funds or trigger legal notification obligations.


These requirements reflect a broader expectation that cybersecurity governance is formalised, documented, and actively maintained. Firms that operate without these structures in place — regardless of whether a breach has occurred — risk being found deficient during regulatory examination.


The broader direction

Across the EU, UK, and other major jurisdictions, regulators are converging on the same expectation: boards are accountable for cyber preparedness. Frameworks such as the EU's Digital Operational Resilience Act — DORA — which applies to financial entities and their critical third-party providers, are raising the bar for what structured, board-level cyber governance looks like in practice.


While DORA applies primarily to EU-regulated entities, its influence on international standards and investor expectations is already being felt across the wider financial services industry. Firms that do not operate within the EU should not assume these developments are irrelevant — as regulatory standards converge globally, the frameworks being established today are likely to inform expectations in other jurisdictions tomorrow.


Building Cyber Risk into the Governance Framework

Now that we have established that cyber risk is a board-level issue and examined what regulators expect, it is time to consider how this translates into a robust governance framework. The following are the key areas that boards of Cayman funds and corporate entities should have in place.


Assign clear ownership

Cybersecurity governance begins with accountability. The board should ensure that a named senior officer — whether a Chief Technology Officer, Chief Information Security Officer, or equivalent — holds formal responsibility for the firm's information security programme. 


That individual should have a clear and direct reporting line to the board, and the board should receive regular, substantive updates on the state of the firm's cyber posture. The primary role of this officer is to ensure that the technical dimensions of cyber risk are translated into business terms — communicated in a way that enables leaders and the board to understand the implications and take informed action.


Embed cyber risk in board reporting

Cyber risk should feature as a standing item in board governance, not an occasional update. Reporting should be framed in governance terms — exposure, incidents, remediation, third-party risk, and benchmarking against peers — rather than purely technical language. 


The board does not need to understand every technical detail; it needs to understand the firm's risk profile and whether it is being adequately managed.


Address third-party exposure

Given the systemic reliance on external service providers, boards should ensure that cyber risk is embedded in the due diligence and ongoing monitoring of all material third-party vendors. Contracts with these vendors should include appropriate security standards, and periodic assessments should confirm that those standards are being met.


Establish and test an incident response plan

Even firms with the strongest security controls can fall victim to a sophisticated attack. That is why every regulated entity should have a documented cyber incident response plan that sets out clearly how the firm will identify, contain, and recover from a breach — and who is responsible for each step.


Critically, the plan should address notification obligations: to CIMA, to investors, to counterparties, and where relevant to data protection authorities. Equally important, the plan must be tested under realistic conditions to ensure it functions as intended. A plan that has never been rehearsed is of limited value when it is needed most.


Embed training and awareness

Human error remains one of the most common vectors for a successful cyberattack. Verizon's 2025 Data Breach Investigations Report found that around 60% of breaches involve the human element. This figure makes it clear that training at all levels of the organisation is essential to building genuine resilience.


Annual cybersecurity training for all staff has become a regulatory baseline, not merely a best practice aspiration. Boards should satisfy themselves that training is taking place, that it is meaningful, and that awareness of reporting obligations is embedded across the organisation — from the leadership team to frontline staff.


Benchmark against peers

While every firm has its own specific risk profile, many aspects of cybersecurity governance are consistent across the industry. That is precisely why benchmarking against peers is a worthwhile exercise. 


Boards should periodically seek an independent assessment of the firm's cyber maturity relative to comparable organisations and applicable industry standards — not as a one-off exercise, but as a regular part of the governance cycle.


Conclusion

Cybersecurity is no longer simply a matter of having the right technology and technical teams in place. It requires the right strategies and governance frameworks, and the responsibility for creating those frameworks sits with leadership. Technical talent remains essential for implementing and executing these strategies, but it is capable, engaged leadership that must define them in the first place.


Regulators across the Cayman Islands, the US, and beyond have made it clear that cyber preparedness is a board responsibility, and firms that treat it otherwise do so at their own risk. The consequences of falling short, including financial penalties, regulatory sanction, and reputational damage, are all board-level consequences. They affect the entire firm, and the ownership of that risk must sit at the same level.


How Daymer Can Help

Daymer provides independent director and governance advisory services to funds and corporate entities across the Cayman Islands, the UK, and the UAE. Our directors bring governance expertise and a structured approach to risk oversight — including the frameworks needed to ensure that operational risks such as cybersecurity are appropriately embedded in board-level governance.


If your board would benefit from an independent perspective on its current cyber governance arrangements, or if you are looking to strengthen your governance framework more broadly, we would be pleased to discuss how we can help.

