MPs clash over cyber-risk assessment plan
An Opposition MP has questioned how the island’s first national cybersecurity risk assessment can be conducted when a long-awaited report into a cyberattack that crippled government services remains incomplete.
Robert King, the shadow national security minister, said it was not possible to identify the threats and areas of vulnerability faced by Bermuda when it was still not publicly known what happened in the September 2023 attacks.
His comments came after the Government announced it was launching a national cybersecurity risk assessment.
Michael Weeks, the national security minister, said the work would contribute to the island’s updated National Cybersecurity Strategy, which is due to be completed by the end of the year.
He dismissed the need for the release of a joint select committee report on cyberattacks before the assessment takes place, saying that they were two separate things.
During questions on the announcement in the House of Assembly, Mr Weeks also said that information on an internal post-incident review on the attack was in the “public domain” but would not say where, adding anyone could do their own research.
The clash came after Mr Weeks announced the evaluation, which he said was a “formal survey instrument designed to gather structured cybersecurity risk intelligence from across Bermuda’s public and private sectors”.
“The assessment will capture information on threats, vulnerabilities, current controls and risk exposure across our organisations, including those operating within our critical national information infrastructure,” he added.
“This means that for the first time, our national strategy will be built on current, locally sourced risk intelligence — not assumptions.
“That is a significant advance in the maturity of our cybersecurity governance.”
Organisations and professionals from the public and private sectors were encouraged to take part in a process which would be entirely digital and secure, the minister said.
Mr Weeks told the House: “The strength of this assessment depends on the breadth and quality of participation.
“I therefore urge all relevant organisations across the Bermuda cyber community to engage seriously and respond fully,” he said, adding that participants will have three months to complete a survey.
The assessment will be renewed annually, he added.
Organisations that would like to participate or that require more information about the assessment process should e-mail the National Cybersecurity Unit at cybersecurity@gov.bm.
Mr Weeks said that the national cybersecurity risk assessment (NCRA) would be used in the development of an updated National Cybersecurity Strategy.
Mr King questioned how the assessment could be credible when “the joint select committee whose mandate it was to investigate the cause and make recommendations has yet to complete the recommendations”.
He added: “How can we have a risk assessment when we don’t have the critical information necessary to determine how and in what form it can take place?”
Mr Weeks responded that the JSC report was “a matter for the House and not for myself”.
Mr King said he did not see how the two issues could be separated.
The Opposition MP asked: “How can we determine what risk assessments are required if we do not know the nature of the breach, the extent of the breach and what information was compromised?
“How can we have a risk assessment if we don’t have that critical information?”
He went on to ask if the Government had conducted an internal post-incident review of the 2023 attack which was informing the introduction of the risk assessment, to which Mr Weeks replied: “The information is in the public domain.”
When asked by Mr King where he could find the information in the public domain, Mr Weeks replied: “I don’t know where it is in the public domain. We all have the ability to find it and do our own research.”
Lawrence Scott, the chairman of the JSC, said in February that the committee hoped to submit its report to the Speaker before the House breaks for summer in July.
He told The Royal Gazette that the committee had probed whether a ransom was paid to the hackers but said it was premature to disclose any details.
“We know what happened, when it happened and how it happened, and we are just in the midst of getting the last submissions before putting the report together,” Mr Scott added.
An external report into the attacks has remained under wraps since it was completed in late 2023.
The Cabinet Office was ordered by the Information Commissioner to respond to a records request from the Gazette for that report last February.
Major Marc Telemaque, the Cabinet Secretary, wrote to the newspaper the following month stating that the report was exempt from release for national security and law enforcement reasons, as well as on the grounds of parliamentary privilege and because it was a Cabinet document.
That decision is under review by the Information Commissioner.
