One in five insurance entities operating in Bermuda has yet to complete the classification of its data, a basic regulatory requirement under the Bermuda Monetary Authority’s cyber-risk framework, according to a new report from the regulator.

In its Bermuda Insurance Sector Operational Cyber Risk Management — 2025 Report, the authority said “the data shows that 21 per cent of entities reported that they have not completed the classification of their data”.

While the figure represents an improvement from the previous year, the BMA made clear that progress remains insufficient. “Although this is an improvement over the 25 per cent reported in the 2023 returns, this figure remains lower than regulatory expectations,” the report said.

The report is based on 2024 year-end filing return data from commercial insurers, insurance managers and insurance agents and brokers, including enhanced cyber-risk disclosures tied to the Bermuda Solvency Capital Requirement.

Under the authority’s code of conduct for cyber-risk management, data classification is a basic control meant to make sure that sensitive and critical information is protected. The report states: “The code requires all entities to classify their data. Data should be classified and protected in a manner commensurate with its sensitivity, value and criticality.”

Beyond data classification, the authority identified several other areas where compliance is still uneven across the sector. Third-party cyber-risk management slipped slightly in 2024, with 86 per cent of entities reporting that they reviewed the cyber-risks associated with outsourced information technology providers in the past 12 months, down from 87 per cent a year earlier. Among commercial insurers, that figure declined more sharply, to 85 per cent from 90 per cent.

The report also found that not all entities are meeting annual testing requirements for business continuity and disaster recovery plans. While 89 per cent of insurers completed such tests in 2024, the code requires annual testing by all registrants. Among insurance agents and brokers, 18 per cent reported that they had not tested their plans during the year.

Despite these gaps, the authority said the overall trend across the insurance sector remains positive. Ninety-seven per cent of entities reported having a board-approved cyber-risk policy in place, while 99 per cent said they regularly communicate cyber-risk updates to senior management and boards.

The BMA said its regulatory focus on cyber-risk will continue through 2026, including further analysis of filing returns, supervisory reviews and assessments of compliance with the code.