As the trading of digital assets becomes more prevalent across all sectors of economic activity, the cyber threat to businesses and customers will continue to proliferate. The Bermuda Monetary Authority (“BMA”) recognizes the need for effective cybersecurity programs in all areas of financial services it regulates, including the digital asset sector. Digital asset companies operating in or from Bermuda should implement and maintain effective cybersecurity rules in line with the 2018 Rules on Digital Asset Business (Cybersecurity). In response to the growing implications of cybersecurity failures for customers and for the reputation of the jurisdiction, the BMA has established a specific team to oversee the cybersecurity programs of licensed digital asset companies.
Each authorized company must appoint a senior executive to oversee and implement its cybersecurity program and enforce its cybersecurity policies (the “CISO”). The CISO will be required to report regularly to the Board of Directors and to provide an annual report. When appointing the CISO, care should be taken to ensure that the proposed individual is a ‘fit and appropriate’ person and will fulfill the role with the appropriate level of competence, in accordance with the minimum licensing criteria of the Digital Asset Business Act 2018.
A license application to the BMA should include relevant information about the cybersecurity risk management policies proposed by the applicant and how they interact with each other, including a description of how the applicant implements the “three lines of defense” model, comprising (i) risk management, (ii) internal audit and (iii) compliance functions. The BMA considers the NIST and ISO frameworks to be “best practice” standards; entities should therefore refer to these standards when creating the Cyber Compliance Framework for the Bermuda-authorized entity.
The following diagram provides an overview of the required elements of the cybersecurity audit program, testing and reporting cycle that authorized companies must maintain. The four components of the audit program are shown in blue, the quarterly penetration tests are represented by the red arrows, and the monitoring and reporting to the board required of the CISO, together with the requirement for an independent audit, are shown in gray.