Fund GovernanceCybersecurityCIMADigital AssetsVASP Regime

Cybersecurity and Governance for Digital Asset Funds: Lessons from CIMA's VASP Thematic Review

In November 2025 the Cayman Islands Monetary Authority published the findings of a thematic desk-based review of registered virtual asset service providers, and they made uncomfortable reading. According to the published review, 82% of the VASPs examined carried no cybersecurity insurance, more than a quarter had not appointed a qualified chief information security officer, and over 80% of custody service providers had not completed an independent audit of their custody systems. Digital asset funds are not VASPs, and the review was not addressed to them. But it is the clearest public statement to date of what CIMA considers inadequate in a digital asset business, and allocators are reading it the same way. A fund whose technology governance could not survive the questions CIMA put to its VASP licensees has a problem, whether or not any rule formally compels an answer.

"The VASP review is best read as a preview of the questions every digital asset manager will eventually face, from the regulator, from auditors and from allocators. The funds that treat cyber governance as a board agenda item rather than an IT ticket are the ones that pass operational due diligence without friction."Jeffrey Shaul, Director at CV5 Capital

Why This Matters for Funds and Managers

CIMA's review covered eleven regulated VASPs, a mixture of exchanges and custody providers, examined between September 2024 and February 2025. Its significance for fund managers lies less in the licensing perimeter than in the supervisory mindset it reveals. CIMA looked past policies on paper to whether governance actually functioned: whether boards had the composition and information to oversee technology risk, whether accountability for security was assigned to a qualified individual, whether outsourced arrangements were monitored rather than merely contracted, and whether business continuity and internal audit existed in practice. Those are precisely the dimensions on which digital asset funds are now assessed, both in CIMA's broader supervisory engagement and in institutional operational due diligence, where cyber posture has become a standing module rather than an optional annex. We covered how that examination process works in our guide to preparing for a CIMA regulatory examination.

There is also a hard commercial logic. In digital asset strategies, the losses that end funds are disproportionately operational rather than market-driven: compromised keys, phished credentials, failed vendors and ungoverned transfers. The historical pattern is consistent with what we described in our review of the largest hedge fund governance failures, where the common thread was not bad trades but absent oversight. A manager who can demonstrate disciplined technology governance is therefore not merely satisfying a regulator; they are removing one of the few risks that allocators regard as disqualifying rather than merely priced.

The Common Misunderstanding

The first misunderstanding is scope. Because the thematic review examined VASP licensees, some managers conclude it has nothing to say to a fund that holds digital assets through third-party custodians. That is technically right and practically wrong. CIMA has for several years maintained a rule and statement of guidance on cybersecurity for regulated entities, which generally extends to CIMA-registered funds, and the thematic review shows how the Authority tests such expectations in practice. It would be imprudent to assume that the standards articulated for VASPs will not inform how CIMA, and the independent directors who sit on fund boards, frame technology-risk oversight for funds. Managers should confirm the precise application of CIMA's cybersecurity measures to their vehicle with Cayman counsel, but the direction of travel is not ambiguous.

The second misunderstanding is that outsourcing transfers the risk. A fund that uses a licensed custodian, an exchange and a third-party administrator has outsourced functions, not accountability. CIMA's findings on inadequate oversight of outsourced arrangements make the point directly: the deficiency was not that firms outsourced, but that they could not evidence how they selected, monitored and would replace their providers. For a fund, the same logic applies to every wallet provider, exchange and staking intermediary in the operational chain, which is why a documented wallet governance policy and structured exchange onboarding process have become baseline expectations.

Translating the Findings into Fund-Level Practice

The most useful way to read the thematic review is as a gap analysis someone else paid for. Each published deficiency maps onto a concrete control that a digital asset fund, and the manager behind it, can implement and document.

CIMA finding (VASP review, Nov 2025)Fund-level translation
Deficient cybersecurity governance and oversightTechnology risk becomes a standing board agenda item, with a documented framework, defined risk appetite and management reporting the directors can actually interrogate.
27% had no qualified CISO or CIOA named, suitably qualified individual owns information security, in-house or fractional, with a reporting line to the board rather than to the function being overseen.
Inadequate oversight of outsourced arrangementsA vendor risk programme covering custodians, exchanges, wallet infrastructure and administrators: due diligence at onboarding, annual review, and a documented exit or substitution path.
Over 80% of custody providers lacked an independent custody systems auditFunds request SOC reports or equivalent independent attestations from custody providers, and treat their absence as a risk factor to be escalated, mitigated or disclosed.
82% carried no cybersecurity insuranceThe board considers whether cyber cover is available and proportionate for the fund and manager, and records the decision either way.
Gaps in business continuity and internal auditA written, tested incident response plan covering key compromise, exchange failure and data breach, plus periodic independent testing of the control environment.

CV5 Insight: Allocators increasingly benchmark a fund's technology governance against published regulator findings; a documented cyber and vendor-risk framework costs a fraction of a single failed operational due diligence process.

Key Considerations for Managers

None of this requires a bank-grade security function. It requires proportionate controls, honestly documented. The areas below are where CIMA's findings, allocator due diligence questionnaires and practical loss experience converge.

A cyber governance baseline for a digital asset fund

  • Access management: Multi-party approval for asset movements, least-privilege access to systems and wallets, hardware-backed authentication, and immediate revocation on staff departure.
  • Vendor risk: Documented due diligence and annual review of custodians, exchanges and technology providers, including their attestations, insurance and financial standing.
  • Incident response: A written plan naming decision-makers, notification obligations and recovery steps, tested at least annually against realistic scenarios such as key compromise or counterparty failure.
  • Board oversight: Quarterly technology-risk reporting to the fund board, with directors minuting challenge and follow-up, consistent with CIMA's corporate governance rules.
  • Protocol and smart contract exposure: Where strategies touch DeFi, a documented assessment of smart contract risk and the controls around it.
  • Documentation pack: Policies, test results and board minutes maintained so that regulator requests and allocator DDQs can be answered from the file, not reconstructed.

How the CV5 Platform Model Helps

Governance Infrastructure Without the Standalone Build

CV5 Capital is a Cayman Islands-based, CIMA-registered fund platform. For digital asset managers, the platform provides the governance chassis that the thematic review implies every serious operator needs:

  • Regulated structure: A CIMA-registered segregated portfolio with experienced directors for whom technology-risk oversight is an established agenda item, not a novelty.
  • Vendor coordination: Established relationships with institutional custodians, administrators and auditors, with service-provider diligence embedded in the platform's operating model.
  • Policy framework: Wallet governance, access management and incident response expectations built into launch, so controls exist before capital does.
  • Examination readiness: Documentation maintained in the form CIMA requests it and allocators expect to see it.

CV5 does not make investment decisions for third-party strategies and is not a law firm, administrator, auditor or investment adviser. Managers retain their strategy, branding and investment discretion; the platform provides the regulated infrastructure and coordination layer described at the digital asset fund platform, part of what it takes to run a credible digital asset fund.

Risks and Caveats

The thematic review examined VASP licensees, not funds, and its findings are supervisory observations rather than new rules; nothing in this article should be read as a statement that CIMA formally requires any specific control of a registered fund. Equally, the inference should not be over-corrected: CIMA's cybersecurity rule and guidance generally apply across regulated entities, and supervisory expectations typically harden over time. Documented frameworks are necessary but not sufficient; a policy that is not operated is arguably worse than none, because it evidences awareness without action. Finally, cyber insurance capacity for digital asset businesses remains limited and exclusion-heavy, so cover should be assessed on its actual terms rather than assumed to respond. Managers should take Cayman legal advice on how CIMA's measures apply to their specific structure.


Key Takeaways

  • CIMA's November 2025 VASP thematic review found widespread gaps: 82% of reviewed VASPs had no cyber insurance, 27% lacked a qualified CISO or CIO, and most custody providers had no independent custody systems audit.
  • The review was addressed to VASPs, but it signals the standard against which CIMA and allocators will assess any digital asset business, including funds.
  • Outsourcing custody and execution transfers functions, not accountability; vendor oversight was one of CIMA's central criticisms.
  • A proportionate fund-level baseline covers access management, vendor risk, tested incident response, board-level technology reporting and a maintained documentation pack.
  • Findings are supervisory observations rather than formal fund requirements; managers should confirm application to their structure with Cayman counsel.

Build Governance That Survives Scrutiny

CV5 Capital provides digital asset managers with a CIMA-registered platform where technology-risk governance, vendor coordination and documentation discipline are part of the launch, not an afterthought.

Speak with CV5 Capital about governance and compliance infrastructure for a new or existing digital asset fund.

Schedule a Consultation

Frequently Asked Questions

Does CIMA's VASP thematic review apply to digital asset funds?

Not directly. The review examined registered virtual asset service providers, and its findings are not rules imposed on funds. However, CIMA maintains cybersecurity expectations for regulated entities generally, and the review is the best public evidence of how the Authority evaluates technology governance in practice. Prudent managers treat it as a benchmark.

What cybersecurity documentation do allocators expect from a fund?

Typically a technology and cyber risk policy, a wallet governance and access management framework, vendor due diligence records for custodians and exchanges, a written incident response plan with evidence of testing, and board minutes showing technology risk is actually overseen. Most institutional DDQs now probe each of these areas.

Who should own technology risk at fund level?

Ultimate oversight sits with the fund's board of directors, which should receive regular reporting and minute its challenge. Day-to-day accountability generally sits with a named, qualified individual at the manager, which can be a fractional or outsourced CISO for emerging managers, provided the reporting line is independent of the functions being overseen.

Does using a licensed custodian remove the fund's cyber risk?

No. A licensed custodian reduces certain risks but introduces counterparty and integration risks that the fund must oversee. CIMA's findings on outsourced arrangements, and the fact that most reviewed custody providers had no independent custody systems audit, underline why funds should obtain and review attestations rather than rely on licensing status alone.

This article is produced by CV5 Capital for general information only and does not constitute legal, regulatory, tax or investment advice. Regulatory findings and supervisory expectations described here reflect publicly available CIMA materials as at July 2026 and may evolve. Fund managers should obtain advice based on their specific structure, investors, strategy and regulatory obligations. CV5 Capital is registered with the Cayman Islands Monetary Authority (CIMA Registration No. 1885380, LEI: 984500C44B2KFE900490).
Ready to Launch Your Fund?
Whether you are launching your first hedge fund or expanding an established investment strategy, CV5 Capital provides the infrastructure, regulatory framework, and operational support required to bring your fund to market quickly and efficiently.