7 October 2020 | News

BMA publishes cyber code of conduct for insurance

The Bermuda Monetary Authority (BMA) has published the Insurance Sector Operational Cyber Risk Management Code of Conduct to establish duties, requirements, standards, procedures, and principles for insurers and intermediaries operating in the cyber market.

The document provides detailed guidance in many areas of an insurer's operation, and stipulates that the board of directors and senior management team have ultimate oversight of cyber risks.

It requires the board of directors to approve a cyber risk policy document at least on an annual basis. The cyber risk may be covered in a standalone cyber risk policy document or expressly set forth as a section in a broader risk policy document. Regular updates detailing the overall cyber risk status must be made available to the board and senior management team.

The code sets out the role of the chief information security officer (CISO), which must be allocated to an appropriately qualified member of staff or outsourced. In the latter case the responsibility remains with the board. The code also states there should be clear oversight and accountability for any outsourced function.

The CISO should deliver the operational cyber risk management programme and be of sufficient seniority to facilitate its delivery. The programme must include a risk assessment process to identify, evaluate, and manage cyber risks.

IT service management processes should also be in place to assist in the management of stable and secure IT systems, services and operations across the organisation.

The BMA also requires that cyber risk governance should follow a Three Lines of Defense (3LOD) model, incorporating operational management, risk management and audit. The programme should include a risk assessment process that allows for identification, measurement and response to cyber risk. A risk register should be maintained to monitor risks, with risk assessments documented and retained for at least five years in a format that can be shared with the BMA upon request.

The BMA stressed it is not adopting a one-size-fits-all approach, and expects cyber risk controls to be proportional to the nature, scale and complexity of the organisation.