ARTICLE
28 January 2025

How To Respond To A Cyber Attack In Bermuda

Walkers

Contributor

Walkers is a leading international law firm which advises on the laws of Bermuda, the British Virgin Islands, the Cayman Islands, Guernsey, Ireland and Jersey. From our 10 offices, we provide legal, corporate and fiduciary services to global corporations, financial institutions, capital markets participants and investment fund managers.

Key takeaways

  • As the recent attack announced by Bermuda's Department of Education demonstrates, all organisations are at risk of a cyber-attack occurring at any time.
  • A pre-prepared and well executed response plan can make a significant difference in mitigating harm to impacted individuals, recovering compromised data and ensuring legal obligations are met.
  • The legality of a ransomware payment must always be carefully considered before payment is made, taking into account the application of AML/ATF and sanctions laws.


Introduction

Cyber-attacks continue to increase. Bermuda's Personal Information Protection Act 2016 ("PIPA") has been fully in force for less than one month, yet the Privacy Commissioner ("Commissioner") has already received the first data breach notification report under it.

The first reported incident relates to a cyber-attack in late December on PowerSchool, a software vendor to the Department of Education. PowerSchool has reported the theft of personal information relating to teachers, students and parents. No ransomware was deployed to encrypt systems (this was a data-theft extortion rather than an encryption attack), yet PowerSchool has reportedly paid the threat actor in exchange for a promise that the stolen data will not be sold.

In this advisory, we set out practical guidance on how to prepare for a cyber-attack, how to put in place a cyber-attack response plan and the key legal considerations regarding ransom payments.

How to respond to a cyber-attack

The first few hours and days after discovery of a cyber-attack are crucial. Entities need to know who to contact, what to do, and how to balance the loss of personal information against the risk of paying funds to a sanctioned entity or criminal organisation.

It is essential to have a plan in place that sets out protocols for the first 48 hours. The plan needs to cover the core points described below.

1. Response team. Having a pre-determined team that convenes in the event of a cyber-attack and manages all aspects of the response saves significant time and makes a well-executed response far more likely. As a minimum, this should include the Chief Information Security Officer, General Counsel, Chief Compliance Officer, Head of Human Resources (in case of internal involvement) and media relations (if available). Global organisations should consider time zone coverage when establishing such teams. A timely report should be made to the Board to allow for effective governance.

2. Disaster recovery plan. This should set out how to: isolate the compromised systems, nodes and servers from the network (preserving forensic evidence such as system memory and logs where possible, rather than simply powering everything down); identify any decryption tools that may be required; disconnect backup systems that are likely to be targeted; and start an investigation into whether any internal threat actor was involved, so that swift suspension or dismissal is possible.

3. External providers. You will need a team of legal, forensic and other specialist providers that can advise on legal requirements and the risks of payment, monitor dark web activity, assess who the threat actor appears to be and establish the extent of the breach.

4. Regulatory reporting requirements. In Bermuda, PIPA requires that in the case of a breach of security leading to the loss, unlawful destruction, unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual, the organisation responsible for that personal information must "without undue delay" notify the Commissioner of the breach. Further, PIPA requires the organisation to then notify any individual affected by the breach.

There is no specified time that amounts to undue delay. In an announcement made following the PowerSchool incident, released on 20 January 2025, the Commissioner provided the following guidance on the purpose and meaning of the phrase "undue delay":

"A breach of security can take time to investigate and resolve. Notification of a breach should occur as soon as possible, or in other words without undue delay. Once an organisation is aware of a breach, they are permitted to assess the situation and validate details before notification. An example of undue delay before notification would be if the time spent assessing the situation would increase the likelihood or severity of the harm to an individual."

Entities in regulated sectors also have obligations to report cyber incidents to the Bermuda Monetary Authority ("BMA"). For example, under the Digital Asset Business Act 2018, the Senior Representative of a regulated entity is required to disclose to the BMA any "cyber reporting event".

For any entity with a global footprint, it will be important to understand not only local reporting obligations to all relevant regulators, but also applicable laws and reporting obligations in each jurisdiction where the company has a presence. This should be contained in a cyber-attack response plan that details whether reporting is mandatory, the timeframe within which to report and what triggers the countdown timer for that timeframe.

This is where the pre-determined response team also helps: each function has a set role and responsibilities. While legal is determining reporting requirements (under law or contractual obligations) and ensuring legal privilege extends to response efforts to the extent possible, IT security can be containing the spread of the malware and consultants can be monitoring the dark web to see whether the breached information is already up for sale.

5. Insurance. It is important to know what insurance applies, the extent of that insurance and whether there is a requirement to notify insurers within specified notification periods.

6. Remediate. Remediation is as important as response. While the attack is being managed, a separate team should focus on understanding how it occurred and how to prevent it recurring. A general cybersecurity audit should be considered.

Legality of ransom payments

When cyber-attacks occur, the first question often posed to external counsel is: "Should we pay the ransom demanded?"

The key factors to consider are: (i) is the payment likely to stop the sale and further distribution of the compromised data, thus reducing harm to individuals; and (ii) is the payment lawful?

The first question should be answered with regard to the due diligence obtained from the specialist advisors. It will be influenced by matters such as whether the attacker is a known threat actor group and, if so, its reputation for keeping to agreements, and whether the information is already up for sale on the dark web or has already been sold.

The second question requires a careful analysis of all applicable anti-money laundering, anti-terrorist financing and sanctions laws. For example, under Bermuda's Anti-Terrorism (Financial and Other Measures) Act 2004, it is an offence for a person to provide money where the person suspects it may be used for the purposes of terrorism. Depending on the facts, known and suspected, gathered by the forensic investigators, there is a risk that an organised cyber-attack has been conducted by terrorists with the goal of raising funds for terrorism. It is therefore important to screen any known or suspected threat actors against terrorism-related sanctions lists (e.g., the United Nations ISIL (Da'esh) and Al-Qaida Sanctions List).

Similarly, sanctions imposed by jurisdictions such as the United Kingdom that target cyber criminals (extended to Bermuda through local legislation and regulations) generally impose an "asset freeze" on the designated person. An asset freeze imposes an obligation to ensure that funds or economic resources are not made available, directly or indirectly, to or for the benefit of the designated person (or entities they majority own). Alternatively, the threat actor might be located in a jurisdiction subject to comprehensive or wide-ranging sanctions regimes, such as North Korea or Russia.

Making payment to an individual or jurisdiction subject to applicable sanctions could amount to an offence, regardless of the motivation for the payment.
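The screening step described above can be automated as a first pass before the question goes to counsel. The following is an added example, not code from the original advisory or from Walkers: a Python routine that normalises names and aliases, checks a proposed counterparty against a designation list, and applies the majority-ownership test to an ownership graph so that entities majority owned by a designated person are caught as well. The designation list and ownership data are constructed for illustration and are not real sanctions entries; the 50% threshold, the cascading "deemed ownership" rule, the inclusion of payment identifiers such as cryptocurrency wallet addresses (which the article does not mention) and the helper names are assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# "Majority owned" is assumed to mean more than 50%, the usual asset-freeze test.
OWNERSHIP_THRESHOLD = 0.5


def normalise(name: str) -> str:
    """Case-fold, strip diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]+", " ", plain.lower()).strip()


@dataclass
class Designation:
    list_name: str
    names: list                                       # primary name plus known aliases
    identifiers: list = field(default_factory=list)   # e.g. wallet addresses (assumption)


# Constructed designation list for illustration only; not a real sanctions list.
DESIGNATIONS = [
    Designation("UK cyber sanctions regime (constructed entry)",
                ["Example Crew", "EXAMPLE-CREW", "Éxample Crew Group"],
                ["bc1qexampleaddressconstructed"]),
    Designation("UN ISIL (Da'esh) and Al-Qaida Sanctions List (constructed entry)",
                ["Sample Front"]),
]

# Constructed ownership graph: entity -> {owner: fraction held}.
OWNERSHIP = {
    "Shell Holdings Ltd": {"Example Crew": 0.60, "Unrelated Investor": 0.40},
    "Layered Co": {"Shell Holdings Ltd": 0.55, "Another Investor": 0.45},
    "Clean Vendor Inc": {"Unrelated Investor": 1.00},
}


def direct_matches(name: str) -> list:
    """Designations whose name or alias appears, after normalisation, in `name`."""
    target = f" {normalise(name)} "
    return [d for d in DESIGNATIONS
            if any(f" {normalise(alias)} " in target for alias in d.names)]


def identifier_matches(identifier: str) -> list:
    """Designations listing the given payment identifier (case-insensitive)."""
    ident = identifier.strip().lower()
    return [d for d in DESIGNATIONS if ident in (i.lower() for i in d.identifiers)]


def designated_owned(entity: str, _seen=frozenset()) -> bool:
    """True if `entity` is itself designated, or more than OWNERSHIP_THRESHOLD of it
    is held by designated persons. Deemed ownership cascades: an entity that is
    majority held by designated persons counts as designated one level up
    (assumed rule, mirroring the usual 50% test). `_seen` guards against cycles."""
    if direct_matches(entity):
        return True
    if entity in _seen:
        return False
    owners = OWNERSHIP.get(entity, {})
    held = sum(frac for owner, frac in owners.items()
               if designated_owned(owner, _seen | {entity}))
    return held > OWNERSHIP_THRESHOLD


def assess_payment(counterparty_names, identifiers=()) -> dict:
    """Hypothetical screening decision for a proposed ransom payment.
    Any hit means the payment must not proceed without legal advice."""
    reasons = []
    for name in counterparty_names:
        hits = direct_matches(name)
        for d in hits:
            reasons.append(f"'{name}' matches {d.list_name}")
        if not hits and designated_owned(name):
            reasons.append(f"'{name}' is majority owned by a designated person")
    for ident in identifiers:
        for d in identifier_matches(ident):
            reasons.append(f"identifier '{ident}' is listed under {d.list_name}")
    return {"blocked": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for case in (["Example-Crew Ltd"], ["Layered Co"], ["Clean Vendor Inc"]):
        print(case, assess_payment(case))
```

A hit here means the payment cannot proceed without counsel; a clean result is not clearance. The real lists change frequently, alias coverage is never complete, and attribution of a threat actor is often uncertain, so this only narrows the question the legal team must answer.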

It is important to understand the legal risks involved in making ransom payments before such payments are authorised.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
