What we are seeing in the market

The cyber threat landscape is increasing and expanding. As we move to an experience-led economy powered by data, there is also an increased focus on data privacy, underpinned by rising customer expectations and increased regulatory scrutiny. The pace and scale of regulatory change over the last five years have greatly impacted organizations’ approach to cyber and privacy risk management both locally and globally.

Approach to cyber and privacy risk management


of organizations would describe cybersecurity as enabling innovation; most choose terms such as “compliance-driven” and “risk-averse.”



of organizations say that crisis prevention and compliance remain the top drivers of new or increased security spending.

2019 saw the highest-ever fines issued by privacy regulators; meanwhile, data breaches reported under the General Data Protection Regulation (GDPR) more than doubled over the prior year.


6 in 10 businesses only consider cybersecurity after it’s already too late.



faced a serious cyber incident in the past 12 months.

Bermuda regulatory landscape: what’s changing?

  • BMA Insurance Cyber Risk Management Code of Practice 2019

    • The code sets out risk management principles and leading-practice standards to make sure that regulated insurers:
      • Establish a sound and robust cyber risk management program
      • Implement a minimum set of requirements for technical and business process controls
    • Failure to comply with the provisions will be a factor taken into account when determining whether a licensed insurer is meeting its obligation to conduct business in a sound and prudent manner.
    • Insurers must regularly assess cyber risks arising from their business model and implement higher standards than those outlined in the code, where leading practice warrants it.
    • The BMA will assess compliance in a proportionate manner relative to the insurer’s nature, scale and complexity.
  • Personal Information Protection Act (PIPA), 2016

    • The PIPA outlines the requirements for organizations that process personal information, as well as the rights granted to individuals regarding the use of their personal information by such organizations.
    • This legislation, which follows international best practice, applies to all organizations, businesses and the government that process personal information in Bermuda.


What does this mean for you?

An effective approach to compliance

A new mindset is required to meet new and broader regulatory expectations and to enable the drive for change in a way that delivers real value to the business.

Yesterday's thinking versus today's thinking

  • Yesterday's thinking: Organizations have implemented many risk and control structures post-crisis at the regulators’ request, leading to patchwork, piecemeal and often siloed solutions.
    Today's thinking (integrated): Organizations address cyber and privacy risk governance holistically, not in a compartmentalized manner; they work to certify each of the parts works well together.
  • Yesterday's thinking: The collective mindset remains focused on regulatory compliance.
    Today's thinking (strategic): Focus on capturing key benefits of effective cyber and privacy risk governance by aligning strategic decisions with the vision of the organization and realizing compliance forms part of the journey of continuous improvement.
  • Yesterday's thinking: Not enough organizations fully consider future regulatory requirements – they focus too heavily on domestic requirements with insufficient regard to global cyber and privacy trends.
    Today's thinking (forward-looking): New approaches are built with a view to the future – heading in the direction of global cyber and privacy trends, not where the agenda currently stands.
  • Yesterday's thinking: Cyber risk and control approaches have often been decentralized, overlapping and/or duplicative.
    Today's thinking (effective and efficient): Second-line risk and control approaches are centralized, roles and responsibilities are clearly defined, and integrated systems and infrastructure are sustainable and cost-efficient.
  • Yesterday's thinking: In several areas, organizations embarked on complex or impractical approaches.
    Today's thinking (practical): There is a strong focus on driving practical and substantive change in cyber and privacy risk governance.

Mapping out your compliance journey

EY’s insights on the key areas to comply with BMA cyber regulation

Impacted area
Key considerations

Governance and cyber risk management


  • Define and document a Cyber Risk Policy and have it approved by the board of directors at least annually
  • Appoint an appropriately qualified member of staff or outsourced resource to the Chief Information Security Officer (CISO) role
  • Develop a cyber risk plan and have it approved by the board
  • Perform regular cyber risk assessments and retain the reports so that they can be provided to the Authority upon request



  • Develop a cyber incident management procedure, including incident identification, containment and reporting to the Authority
  • Perform staff cyber risk awareness training at least annually and adopt a security-by-design approach
  • Implement appropriate security controls to protect desktop, mobile and network devices
  • Perform regular cybersecurity testing, including penetration testing and vulnerability assessments

Third-party risk management


  • Identify and evaluate the risks associated with third parties
  • Define contractual terms and conditions that would enable you to manage appropriate risks
  • Request that outsourced service providers implement security policies, procedures and controls that are at least as stringent as the ones established within your own organization

Data security


  • Classify the information you hold in terms of its sensitivity, value and criticality
  • Develop and implement a data protection policy including the requirements for data loss prevention, data retention, data sanitation and data backup in accordance with the data classification levels

IT operations


  • Document and implement the following processes to ensure the ongoing security and stability of IT operations: change management, incident management, access management, patch management, security events logging and monitoring

Cloud security


  • Assess the risks of the use of cloud environments and implement appropriate controls to address identified risks depending on cloud architecture

Business continuity


  • Develop and implement business continuity planning (BCP) and disaster recovery (DR) planning policies and procedures
  • Perform regular tests of BCP and DR plans to ensure the recovery and availability of the systems

EY’s insights on the key areas to comply with the PIPA regulation

Impacted areas
Key considerations

Data protection policy and data classification


  • Classify personally identifiable information (PII)
  • Develop mechanisms to enforce policies and standards

Privacy risk and controls


  • Integrate privacy controls in existing control framework and risk assessments
  • Conduct risk assessments on processes and data flows

Data life cycle management


  • Maintain data flows and privacy register
  • Document conditions for processing (i.e., legal ground, data minimization, information provision, purpose limitation)

Data subject rights


  • Set up procedures to support rights of data subjects, i.e., to access, modify and erase their PII; transfer PII to another organization (data portability); and object to the processing

Privacy by design and architecture


  • Update security architecture to support privacy by design
  • Conduct privacy impact assessment for new projects and systems

Data security


  • Identify technical security measures to protect PII in line
  • Consider data encryption (at rest, in use, in motion)
  • Ensure identity access management with appropriate use in line with PIPA

Data retention and disposal


  • Document data retention and disposal policy
  • Identify retention periods for each category of PII


  • Ensure that PII is used in line with policies, standards and PIPA
  • Set up mechanisms to detect deviations, i.e., unauthorized disclosures

Incident response and breach notification

  • Integrate personal data breaches within incident response
  • Identify stakeholders to be notified after a data breach

Vendor management

  • Gain visibility on vendors that process PII
  • Set up mechanism to ensure vendors only process PII in line with policies, standards and PIPA (e.g., monitoring vendors and performing audits)

How we can help

Our portfolio of high-demand services is designed to address your cyber and privacy regulatory compliance requirements in a holistic and impactful way.


Contact us by location




  • Bahamas

    Ernst & Young
    P.O. Box N-3231
    Nassau - Bahamas

    Phone: +1 242 502 6000
    Fax: +1 242 502 6095


  • Bermuda

    EY Bermuda Ltd.
    3 Bermudiana Road
    Hamilton, HM08

    Phone: +1 441 295 7000
    Fax: +1 441 295 5193


  • British Virgin Islands

    Ernst & Young Ltd.
    Ritter House
    Wickhams Cay 2
    Road Town
    Tortola VG1110, British Virgin Islands

    Phone: +1 284 852 5450
    Fax: +1 284 852 5451


  • Cayman Islands

    EY Cayman Ltd.
    62 Forum Lane
    Camana Bay
    P.O. Box 510
    Grand Cayman
    Cayman Islands

    Phone: +1 345 949 8444
    Fax: +345 949 8529


