Bermuda has introduced the Operational Cyber Risk Management Code of Conduct (Code) which applies to all Bermuda registered insurers, insurance managers, and insurance intermediaries in the jurisdiction. The Code became effective on 1 January 2021 and full compliance is required by 31 December 2021.
The introduction of the Code is welcomed. It comes at a time when high profile cyber incidents are becoming more prevalent, heightening risks of severe financial losses and reputational damage, and causing data integrity concerns for insurers and their clients. The new regulations represent a codification of best practices that have organically developed within Bermuda's insurance industry over the years. As such, many insurers that already have robust IT policies and systems in place may not find compliance with the Code to be excessively onerous.
As with most insurance regulations, Bermuda is not adopting a 'one-size-fits-all' approach. Cyber risk controls are expected to be proportional to the nature, scale and complexity of the specific insurance entity. The Code is deliberately not exhaustive, and it is not merely a shopping list of requirements. The goal is that all insurers must be able to evidence that there is adequate board visibility and governance over cyber risk, in a manner that is proportionate to the commercial activities of the insurer.
Key considerations for insurers
The Code comprises three principal sections. The first addresses identification of assets and risks; the second, detection and protection controls; and the third, response and recovery controls. Provisions are identified as mandatory, strongly recommended, or optional. Salient considerations include:
Use of third parties: The Code is very practical, and recognises the realities of the insurance market. For example, the use of third-party technology services providers on an outsourced basis is allowed; however, there must be oversight and clear accountability for all outsourced functions as if these functions were performed internally. The third-party provider's practices must be consistent with the insurer's stated standards of governance and internal control. This applies whether the functions are outsourced to affiliated or non-affiliated entities.
Board oversight: Compliance with the Code will be a factor against which an insurer's obligation to conduct its business in a sound and prudent manner is assessed. The board of directors and senior management are ultimately responsible for oversight of cyber risks, and must now review and approve the cyber risk policy annually as a minimum. The cyber risk policy document may be standalone or it may be expressly included as a section of a broader risk policy document.
Appointment of a chief information security officer: The Code requires a qualified executive to be appointed as the chief information security officer (CISO), senior enough to oversee and implement the cyber risk program and to enforce cyber risk policies enterprise-wide. The role can be fulfilled by an outsourced provider; however, where the CISO is outsourced, oversight responsibility remains with the board.
Cyber risk management programme: The objectives of the cyber risk policy are delivered by an operational cyber risk management programme (Programme). The Programme, embodied in policies, processes and procedures, should include: a risk assessment process to identify, evaluate, and manage cyber risk; data governance, classification controls, information security controls; and detection, protection, response and recovery controls. Risk assessments must be documented and retained for at least five years in a manner that allows the reports to be provided to the regulator upon request.
IT audit plan: An IT audit plan is also required to independently assess the effectiveness of IT risk controls. Audits may be carried out by a qualified internal or external third-party audit resource. Regular penetration testing of internet-facing services by an independent resource is also suggested.
Cyber insurance: As a risk financing measure, a cyber insurance policy may be purchased as a way of transferring some or all of the cyber risk to a third party. While this minimises potential financial loss from a cyber incident, it does not protect the insurer from an actual cyber event. The Code encourages insurers to review their cyber insurance coverage at least on an annual basis.
Incident management process: An IT incident occurs when there is an unexpected disruption to normal IT services, and an incident management process must be established with the objective of restoring normal service without significant impact to business operations. A formal IT security incident response process must be in place, and all employees, contractors and third-party users must be made aware of the procedure for reporting incidents. A post-incident review establishing the root cause of the incident and the effectiveness of remedial action is also required.
A cyber reporting event is identified in the Code as: "Any act that results in unauthorised access to, disruption or misuse of the electronic systems or information stored on such systems of a licensed undertaking, including any breach of security leading to the loss or unlawful destruction or unauthorised disclosure of or access to such systems or information." Notification is required in certain circumstances, such as where there is the likelihood of an adverse impact on policyholders, clients or the insurer's business, or where there has been an event which requires notice to be given to a regulatory body or government agency, for example a data breach.
The Bermuda Monetary Authority (BMA) must be notified within 72 hours of the determination or confirmation of an event (whichever is earlier). An incident report must be submitted within 14 days of the notification of the initial incident, and the BMA must be kept updated on progress until the incident is fully remediated. Logs of all cybersecurity incidents, together with details of remedial actions taken, must be maintained, and incident investigation and response logs must be available for inspection upon the BMA's request.
The Code extends Bermuda's best practice
Many of the requirements laid out in the Code are already routine for insurers. Examples are screening and vetting of staff to mitigate personnel risk, and ensuring that employees, third parties and customers using IT systems are authorised to do so through an approved process, with access and level of privilege appropriate to their role. Other requirements that are already commonplace include annual staff cyber risk awareness training and ensuring that staff responsible for cyber risk and cybersecurity have the relevant skills and training to carry out their role.
Due to the nature of information traditionally retained by insurance companies, there are usually systems in place to classify and protect such information in a manner commensurate with its sensitivity, value and criticality. This is now a requirement of the Code along with a documented assessment of data loss prevention controls, with reference to the level of data classification, potential unauthorised data egress points and appropriate mitigating controls.
The Code recognises the shift to remote working and mobile computing which has become more commonplace together with "Bring Your Own Device" services. A reasonable requirement is that such arrangements be subjected to a risk assessment and secured with appropriate controls.
Ocorian provide a full suite of administration and fiduciary services to the ILS and captive market in Bermuda and other key insurance jurisdictions, adding value throughout an entity's life cycle and providing confidence to clients in complex transactions. Get in touch at ocorian.com.
This article deals in broad terms only and is intended to merely provide a brief overview and give very general information. It is not intended as formal advice and should not be relied on as such.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.