Introduction
By the end of the last decade, the incidence rate of cybercrime, ransomware attacks and online security threats had escalated to levels where legislators and regulators around the world were stepping up the nature and quality of laws and regulation that were being specifically designed to address those governance and risk management challenges. As the decade closed, regulators such as the SEC began introducing draft cybersecurity risk management, governance and reporting rules (enacted July 2023), and both the Financial Conduct Authority and the Prudential Regulation Authority in the UK had made it clear that cyber risk had become a material business risk that registrants must prudently, diligently and effectively address in the management, governance and supervision of all their related operations. At the same time, similar regulatory developments were initiated by Canada’s Office of the Superintendent of Financial Institutions (Canada’s regulator of banks, federal insurance businesses, and trust and loans companies), which resulted in several regulatory edicts beginning with the 31 July 2022 Guidelines titled “Technology and Cyber Risk Management” (No. B-13).
In Bermuda today, there are three established streams of cyber risk management law and regulation: the various Guidelines for the management of operational cyber risk that have been issued for various financial service sectors in Bermuda by the Bermuda Monetary Authority (BMA); the security provisions of Bermuda’s Personal Information Protection Act 2016, which comes into full force on 1 January 2025; and, the Cybersecurity Act 2024, which is directed at the operational cyber security standards and practices across several sectors of Bermuda’s critical infrastructure and essential services.
Cyber and Information Technology Regulation of Financial Services
The Authority was established by the Bermuda Monetary Authority Act in 1969. The BMA’s role has evolved over the years since then to meet changing needs in the financial services sector, including that sector’s profound reliance on information technology and web-enabled solutions. Today the BMA supervises, regulates and inspects Bermuda’s financial service enterprises across the following sectors: digital assets (cryptocurrency and insurers); banks and deposit companies; credit unions; insurance and reinsurance; investment businesses and funds; corporate service providers; trusts; money service providers; and fund administrators. The BMA also issues Bermuda’s national currency, manages exchange control transactions, assists other authorities with the detection and prevention of financial crime, and advises Government on banking and other financial and monetary matters. The Authority develops and prescribes proportional risk-based regulations that apply to the business and operational supervision of each of those financial service sectors. The BMA also regulates both the Bermuda Stock Exchange and the Bermuda Credit Union.
The BMA has approached its oversight of the financial service registrants it oversees by sectorial groupings, and its regulation of operational technology risk is no different. The following are the most recent versions of the operational cyber and information technology risk management guidelines that the BMA has issued:
- “Insurance Sector Operational Cyber Risk Management Code of Conduct”, October 2020.
- “Operational Cyber Risk Management Code of Conduct” for corporate service providers, trust companies, money service providers, investment businesses and fund administration providers, banks and deposit companies, September 2022 (Revised).
- “Digital Asset Business Operational Cyber Risk Management Code of Practice”, January 2024 (effective as of 30 June 2024).
Each of the foregoing BMA cyber risk management codes is generally the same as the others, with mostly only minor drafting differences and nuances. Among other things, they all have the following characteristics in common:
- All impose a proportional risk-based requirement for registrants to be governed, managed and operated prudently and diligently by taking into account the profound importance of information technology systems, solutions and infrastructure in their business operations;
- Despite their titular focus on cyber risk, all actually address the operational risks associated with information technology more broadly, including cyber risk. For example, when read together with the other applicable codes of conduct or guidance prescriptions, all take into account the risks of business and IT outsourcing, IT audit plans, cloud computing, new IT projects and IT systems, third party service cyber risk, and the need for data protection;
- All prescribe the appointment of a Chief Information Security Officer (CISO);
- All make it very clear that the governance oversight of IT and cyber security and risk management resides with the Board of Directors and senior management;
- All require registrants to conduct personnel cyber risk awareness and management training;
- All recommend that registrants undertake cyber and IT threat intelligence, threat assessment and related vulnerability assessments;
- All require registrants to design and formulate formal IT security incident response processes and protocols;
- All require registrants to implement and prioritize software security patch management programs with reasonable installation and testing timeframes;
- All recommend the consideration of cyber incident insurance coverage, as well as the possible use of cryptographic solutions;
- All require network security standards and practices to be formally documented, which should include network intrusion detection tools and systems;
- All require registrants to implement a suitable cyber and IT testing program, with BMA recommended minimum baseline considerations that include external vulnerability scanning;
- All require the formulation and implementation of business continuity and disaster recovery plans;
- All make it very clear that registrants must formulate and implement structured programs, systemic controls, audits, operational policies, staff vetting processes, and organizational approaches to the risk management of their cyber and IT infrastructure;
- All address the additional considerations that outsourcing to third parties plays in the ongoing management and governance (primarily through the quality of the related service agreements) of operational cyber and IT risks;
- All stipulate requirements to notify the BMA of any cyber security incident that constitutes a “reporting event”, which tends to be restricted to cyber events that result in a “significant adverse impact” on the registrant’s operations or its clients; and,
- All require registrants to assess their compliance with existing and applicable data protection requirements, and to process (use) all personal information in accordance with data protection/privacy laws that are relevant to each jurisdiction of operations.
As well, the BMA has expressly tied those cyber risk management codes of conduct to other relevant guidance prescriptions that it has issued. In particular, the BMA’s “Insurance Code of Conduct” (August 2022, revised) includes various requirements related to outsourcing transactional risk management and governance. As well, for banks, deposit companies, the Bermuda Stock Exchange, corporate service providers, trust companies, money service businesses, investment businesses, fund administrators and the Credit Union, the BMA issued its Guidance Notes on “Outsourcing”, which include prescriptions related to the use of innovative technologies and the quality of the relevant outsourcing service agreement. Given the high incidence rate of outsourcing by Bermuda’s insurance industry, those prescriptions are directly relevant to all aspects of business process, IT and data processing, whether those services are provided by commercial third parties or by related affiliates. More generally, the BMA also published an additional outsourcing guidance document in the form of a Letter to Stakeholders on Outsourcing Guidance (28 June 2019) concerning the BMA’s previously mentioned Outsourcing Guidance Notes.
The failure of a registrant to comply with any of the BMA’s regulatory requirements concerning cyber and IT security may be reviewed and considered by the BMA as a fundamental matter of business license compliance. Therefore, a failure to comply with any such prescriptions may be a factor that the BMA takes into account in determining whether or not a registrant is meeting its obligation to conduct its business in a sound and prudent manner.
Personal Information Protection Act 2016 (PIPA)
PIPA was formulated and drafted through 2014 and 2015, and it became law upon Royal Assent in July 2016. PIPA applies to all organizations that use personal information in Bermuda. PIPA has ties to privacy and data protection laws on both sides of the Atlantic; however, in its structure, nomenclature and simplification of law it is primarily based on various Canadian statutes, perhaps primarily the approach to privacy protection taken in Alberta, Canada, which also calls its privacy rights legislation the “Personal Information Protection Act”.
PIPA is structured as both omnibus legislation and primacy legislation. PIPA governs all sectors of Bermuda, both private and public. Except for the Human Rights Act in Bermuda, if any enactment in Bermuda is inconsistent with or conflicts with the provisions of PIPA, PIPA shall prevail. Arguably, PIPA’s legislative primacy renders the need for the Government to repeal the privacy law provisions of the ETA somewhat less pressing.
Although PIPA’s administrative provisions came into force in December 2016 to enable the establishment of a Privacy Commission (including the appointment of a Privacy Commissioner), the substantive provisions concerning the privacy right of individuals and the protection of personal information under PIPA will come into full force on 1 January 2025.
As we have discussed in our 2025 PIPA Guidance, PIPA enacts a set of jurisdictional “data protection principles” that are found across numerous jurisdictions, all with the express intention of securing EU and international “adequacy” and “safe harbour” status so that personal information can move freely between Bermuda and the rest of the world. One of the most important aspects of PIPA that is common across all privacy rights jurisdictions is the obligation of organizations to protect and keep personal information secure, including with respect to all digital manifestations and electronic records of personal information.
Section 13 of PIPA provides that organizations shall protect the personal information that they hold with appropriate safeguards against risk, including: loss; unauthorized access, destruction, use, modification or disclosure; or any other misuse. All such safeguards must be proportional to: the likelihood and severity of the harm threatened by the loss, access or misuse of the personal information; the sensitivity of the personal information (including in particular whether it is sensitive personal information); and, the context in which it is held. The safeguards shall also be subject to periodic review and reassessment.
It is widely accepted that “appropriate safeguards” include all forms of safeguards and related security measures, including physical security, personnel security training, normative policies of workplace security (such as clean desk policies), personnel security clearances, data access prioritization, encryption, data segregation, and all professionally accepted technology and cyber security practices (which would likely include all of the BMA’s above noted cyber and IT security prescriptions). Like the BMA’s proportional risk-based approach to regulation, PIPA also takes a proportional risk-based approach, hence the impact variables that PIPA expressly identifies, as noted above.
PIPA also prescribes security breach reporting and notification requirements. In case of a breach of security leading to the loss or unlawful destruction or unauthorized disclosure of, or access to, personal information which is likely to adversely affect an individual, the organization responsible for that personal information shall, without undue delay: notify the Privacy Commissioner of the breach; and, then notify any individual affected by the breach. The notification to the Privacy Commissioner must describe: the nature of the breach; its likely consequences for that individual; and, the measures taken and to be taken by the organization to address the breach, so that the Commissioner can determine whether to order the organization to take further steps and for the Privacy Commissioner to maintain a record of the breach and the measures taken.
It is expected that any breach of security that is reportable under PIPA and that is investigated by the Privacy Commissioner, either independently or upon the complaint of an affected individual, will involve the disclosure and assessment of the “suitable measures and policies” that all organizations must formulate, adopt and implement to “give effect to its obligations and to the rights of individuals set out in” PIPA. Certainly, the measures and policies that an organization develops, adopts and implements to protect the security of personal information are among the most important prescriptions in PIPA for organizations to comply with and adhere to.
The implications of not complying with PIPA’s requirement to protect, with appropriate safeguards, the personal information that an organization is using can be very serious, depending on all the facts of any given situation of non-compliance. For example, it is an offence under PIPA to willfully or negligently use, or authorize the use of, personal information in a manner that is not consistent with the personal information safeguarding requirements of PIPA where that conduct is likely to cause harm to an individual or individuals. A person who is found to have committed such an offence is liable: on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment not exceeding two years or to both; and, on conviction on indictment, in the case of a person other than an individual, to a fine not exceeding $250,000.
Furthermore, where such an offence has been committed by the organization, and is proved to have been committed with the consent or connivance of, or to be attributable to, any neglect on the part of: any director, manager, secretary or similar officer of the body corporate; or, any person who was purporting to act in any such capacity, he, as well as the organization, may be found to have committed that offence and would be (in that circumstance) liable to be proceeded against and punished accordingly.
Cybersecurity Act 2024
On 31 May 2024, the Cybersecurity Act 2024 (Cyber Act) was passed by the Bermuda Legislature (and received Royal Assent on 24 June 2024) to address the need for regulatory oversight for IT and cyber security across numerous essential services and critical infrastructure in Bermuda. Although the Cyber Act does not (as at the date of this publication) set out the regulatory details of what IT security standards and practices will apply to each of the critical infrastructure sectors addressed by the Cyber Act, a previous draft of that legislation expressly designated specific industries such as healthcare, telecommunications and power generation and distribution as essential services that would be targeted by the Act. The expected regulations to the Cyber Act, which may not be issued in consultation draft until early in 2025, will provide much needed clarity on those intentions.
In passing the Cyber Act, the Government created a new regulatory regime for various sectors under the oversight of a single Minister rather than simply directing the existing regulators of those sectors, such as the Bermuda Health Council and the Regulatory Authority, to implement their own models of proportional risk-based IT and cybersecurity regulation. As discussed above, the BMA has been very successful in its formulation, implementation and management of such regulations for several years.
Under the Cyber Act, sector specific cyber and IT security prescriptions will first be overseen by the Minister of National Security in consultation with a Cybersecurity Advisory Board (Board). The principal function of the Board shall be to advise the Minister of National Security on the safeguarding of information resources connected to essential operations in Bermuda. Without limiting the generality of that broad mandate, the Board’s functions are:
- to provide advice on the management of cybersecurity to protect Bermuda’s economic wellbeing and to prevent cybercrime;
- to provide advice to the Cabinet on the management of Bermuda’s national cybersecurity strategy and the internal Government cybersecurity program;
- to provide advice to the Public Service Executive on the management of the Government’s cybersecurity program;
- to provide advice to relevant Public Officers to enable them to meet their responsibilities relating to the Government’s cybersecurity program;
- to provide advice to each of the sectorial enforcement authorities;
- to coordinate and encourage collaboration among the Government and other sectorial enforcement authorities and the entities they regulate; and,
- to perform such other functions related to the foregoing as the Minister of National Security may determine.
The Cyber Act also provides for a secondary and direct level of industry-focused regulatory oversight (i.e., enforcement authorities) referred to as a “Critical National Information Infrastructure (CNII) enforcement authority”. Section 9 permits the Minister of National Security, after consultation with the Board, to designate an entity in Bermuda to stand as a CNII enforcement authority that will be charged with the duties and functions provided by the Cyber Act. As at the date of publication, it is expected that such enforcement authorities may include: for telecommunications and both power generation and distribution, the Regulatory Authority; for healthcare organizations, the Bermuda Health Council; and, for the operations of Bermuda’s national airport, the Bermuda Airport Authority. Also, it is currently not clear whether oversight of the Government’s own compliance with the Cyber Act will be conducted independently of the Minister of National Security’s remit.
The Cyber Act creates three additional resource organizations that will be directly engaged in cyber and IT security preparedness, management and incident response and control functions: the National Cybersecurity Unit; the National Cybersecurity Incident Response Team; and, the Cybersecurity Operations Centre.
The National Cybersecurity Unit will operate within the Ministry of National Security and is mandated to conduct such functions in relation to cybersecurity as the Minister may determine after consulting the Board, and will include a mandate to:
- Operate and maintain the Cybersecurity Operation Centre;
- Operate and maintain the National Cybersecurity Incident Response Team in accordance with the designation of the Team under section 8;
- Provide specialised security services, capabilities, and expertise to support the Government and other CNII enforcement authorities and entities to enable the detection, identification, response, recovery and protection against cybersecurity threats and incidents;
- Perform secure centralised security logging and monitoring of the Government’s information and technology systems and environment to support the detection, analysis, response and investigation of cybersecurity threats and incidents;
- Perform security and risk assessments of Government information technology systems and environment (independent of the Government information technology staff members, vendors, contractors, and service providers responsible for implementing, operating and maintaining the Government computer systems) including: security testing; threat and vulnerability identification; risk analysis; evaluation of protection measures; and other related matters;
- Conduct an annual national cyber risk assessment of critical national infrastructure sectors in Bermuda and provide a report and recommendations to the Minister of National Security and the Board;
- Provide specialized expertise and services to support computer system security planning, secure computer system design and enterprise security architecture for Government Ministries and Departments; and,
- Operate as the single point of contact for cybersecurity matters at national and international levels.
The National Cybersecurity Incident Response Team is mandated by the Cyber Act to conduct the following functions:
- Monitor cybersecurity events in Bermuda;
- Provide early warnings, alerts, announcements and dissemination of information to relevant stakeholders about risks and cybersecurity events;
- Respond to any cybersecurity event notified to it as the Minister may direct;
- Establish relationships to facilitate cooperation and coordination to address threats of cybersecurity events with CNII enforcement authorities and entities in Bermuda, other Cybersecurity Incident Response Teams established within Bermuda and cybersecurity regulators of other jurisdictions, with the written consent of the Minister of National Security and the Attorney General; and,
- Promote the adoption and use of common or standardized practices for managing cybersecurity events and risk-handling procedures, and for cybersecurity event, risk and information classification schemes, and co-operate with CNII enforcement authorities to enable the authorities to fulfil their obligations under the Act.
The Cybersecurity Operation Centre will be established as the governmental resource to provide the technology and other resources necessary to support the National Cybersecurity Unit and the National Cybersecurity Incident Response Team.
Across all critical infrastructure and essential service sectors, and under the supervision of each designated regulatory authority (CNII enforcement authority), it is expected that the Minister of National Security will follow the lead of the BMA and also issue industry specific codes of practice and specific standards of cybersecurity that all organizations must comply with under the supervision of their designated CNII enforcement authority. In that regard, the Minister of National Security has the authority under the Cyber Act to issue codes of practice or minimum standards of performance, and to amend or revoke any code of practice or standard of performance that has been previously issued.
For further information, please contact:
Duncan Card, Partner, Appleby
dcard@applebyglobal.com