BMA wants insurers to boost cyberdefences

Growing threat: the BMA is consulting for the introduction of an Operational Cyber Risk Management Code of Conduct for insurance entities on the island (File photograph)

All Bermudian-based insurance companies could soon be required to report cyber events that affect their operations to the Bermuda Monetary Authority.

The potential vulnerability of insurance companies to such attacks has been investigated by the regulator.

The BMA identified areas of concern in its Bermuda Insurance Sector Operational Cyber Risk Management 2019 report. It said operational cyber-risk is a “critical risk” and that it expects directors of insurance companies to ensure “prudent policies, procedures and controls are in place” with regard to cyber-risk.

The regulator said a growing number of Bermudian-registered insurance companies have improved their resilience to cyber attacks. However, it has identified areas that need further improvement, including board-approved operational cyber-risk strategy and policy, and “tabletop testing” of security incident response plans.

The BMA said 77 per cent of commercial insurers have operational cyber-risk insurance in place. However, a “lower than expected” 68 per cent reported having the best-practice “three lines of defence” model in place, the three lines being the operational control owner, the risk function, and audit.

In addition, the BMA found that only 66 per cent of commercial insurers reported having data loss prevention controls in place. It said: “This is a lower percentage than expected; incidents resulting in data breach often lead to both financial loss and reputational damage.”

The regulator is currently consulting on the introduction of an Operational Cyber Risk Management Code of Conduct to be applied to all insurance entities. It will set out the BMA’s expectations for companies to demonstrate prudent cyber-risk management processes and technical controls.

The code is expected to come into effect in January 2021, with enforcement starting six months later.

The BMA said it is also looking to introduce a cyber-reporting event requirement for all insurance companies as part of its legislative agenda for this year.

Published Jan 9, 2020 at 7:00 pm (Updated Jan 8, 2020 at 11:50 pm)
