The Government admitted in a report it published four years ago that the island was without a "formal framework for monitoring cyberthreats and for preventing, detecting, and mitigating against cyberattacks“.

The Bermuda Cybersecurity Strategy 2018-2022 revealed a raft of shortcomings and set out a list of “strategic goals, specific objectives and actions” urgently needed to protect the country’s cyberspace.

It is not clear, amid the cyberattack which derailed government IT systems last week and is still affecting public services, how many of those objectives have been met.

The 42-page document, released in September 2019, included a pledge to “develop, enact and maintain appropriate legislation, regulation, policies and procedures to enhance cybersecurity and reduce cybercrime”.

However, in June this year, Michael Weeks, the Minister of National Security, told Parliament a dedicated cybersecurity incident response team was not yet operational and legislation to tighten cybersecurity was still being drafted.

“The cyberthreats we face continue to increase in frequency and sophistication, with potentially devastating effects,” he told MPs, adding that his ministry was “working diligently to help ensure that Bermuda has adequate capabilities to defend” itself.

The minister did not detail the cost of the work in his statement and the most recent Government Budget Book does not provide a clear picture of how much has been allocated for cybersecurity in 2023-24 or how much has been spent on it in recent years.

Mr Weeks told the House of Assembly his ministry’s “cybersecurity team and disaster risk reduction and mitigation team” worked with experts from the UK Home Office to conduct a national cyber-risk assessment earlier this year, looking at “nine critical infrastructure sectors”.

He said most of the findings and recommendations in the Home Office’s ensuing report, delivered in March, were already addressed in the Bermuda Cybersecurity Strategy and the Government’s Cybersecurity Programme.

“The areas not already addressed will be considered when we update the Cybersecurity Programme and Strategy during the current fiscal year,” added Mr Weeks.

The Budget Book shows a line item and business unit for “disaster risk reduction and mitigation” within the national security ministry, but the estimated budget for it is given as zero, compared to $20,000 last year and $200,000 in 2021-22.

The unit achieved only 60 per cent of its work on progressing “contingency plans”, according to a section on performance measures.

Mr Weeks also spoke of an internal government Information Systems Risk Management Committee, which would “also work to continue the development and implementation of the Government Cybersecurity Programme to ensure government IT systems are designed, implemented, operated, and maintained with adequate security”.

The Ministry of National Security’s overall $2.7 million budget for this financial year includes $1.6 million on administration.

The information systems risk management programme is listed as being within the administration business unit.

Meanwhile, the Information and Digital Technologies department within the Cabinet Office was allotted $223,000 for security this financial year.

The same amount was initially estimated for 2022-23 but a revised estimate for that fiscal year, based on spending by the time the new budget was drawn up, is given as zero.

The IDT department’s security unit achieved “0 per cent” of the “disaster recovery exercises planned and executed” for 2021-22 and was expected to achieve “0 per cent” in 2022-23.

Ministerial responsibility for keeping Bermuda’s cyberspace safe lies with Mr Weeks, as chairman of the Cabinet Cybersecurity Committee, along with committee members Walter Roban, the Deputy Premier, and Vance Campbell, the Minister of Tourism and the Cabinet Office.

There was no response from the Department of Communications yesterday to a question about whether the objectives in the cybersecurity strategy had been met.