The Bermuda Monetary Authority (BMA) will amend the rules governing the insurance sector to bring them into line with the requirements of its new cyber code of conduct.
The BMA said it will clarify certain rules and make various other changes to make the rules more effective. It does not intend to oversee the cyber risk of insurance groups in cases where the BMA is not the group supervisor.
The amendments, which are part of the BMA’s ongoing development of Bermuda’s regulatory framework, will add new definitions, clarify corporate governance requirements, elaborate on the risk management framework and add a new cyber reporting obligation.
The BMA will require insurance entities to appoint a senior executive with responsibility for information security, and clarify that parent company boards remain accountable for the group’s cyber risk, ensuring all management measures are appropriate. Insurance groups that experience a cyber event that results in a “significant adverse impact” must notify the BMA within 72 hours.