All Bermudian-based insurance companies could soon be required to report cyber events that affect their operations to the Bermuda Monetary Authority.The potential vulnerability of insurance companies to such attacks has been investigated by the regulator.The BMA has identified areas of concern in its Bermuda Insurance Sector Operational Cyber Risk Management 2019 report, and said operational cyber-risk is a “critical risk” and that it expects directors of insurance companies to ensure “prudent policies, procedures and controls are in place” with regards to cyber-risk.The regulator said a growing number of Bermudian-registered insurance companies have improved their resilience to cyber attacks. However, it has identified areas that need further improvement, including board-approved operational cyber-risk strategy and policy, and “tabletop testing” of security incident response plans.The BMA said 77 per cent of commercial insurers have operational cyber-risk insurance in place, however, a “lower than expected” 68 per cent reported having the best practice “three lines of defence” model in place — the lines of defence being operational control owner, risk function, and audit.In addition, the BMA found that only 66 per cent of commercial insurers reported having data loss prevention controls in place. It said: “This is a lower percentage than expected; incidents resulting in data breach often lead to both financial loss and reputational damage.”The regulator is currently consulting for the introduction of an Operational Cyber Risk Management Code of Conduct to be applied to all insurance entities. It will set out the BMA’s expectations for companies to demonstrate prudent cyber-risk management process and technical controls.The code is expected to come into effect in January 2021, with enforcement starting six months later.The BMA said it is also looking to introduce a cyber-reporting event requirement for all insurance companies as part of its legislative agenda for this year.