Cyber and privacy risk management: Bermuda

Organizations have implemented many risk and control structures post-crisis at the regulators’ reques leading to patchwork piecemeal and often siloed solutions.

Integrated: Organizations address cyber and privacy risk governance holistically, not in a compartmentalized manner; they work to certify each of the parts works well together.

The collective mindset remains focused on regulatory compliance.

Strategic: Focus on capturing key benefits of effective cyber and privacy risk governance by aligning strategic decisions with the vision of the organization and realizing compliance forms part of the journey of continuous improvement.

Not enough organizations fully consider future regulatory requirements – they focus too heavily on domestic requirements with insufficient regard to global cyber and privacy trends.

Forward-looking: New approaches are built with a view to the future – heading in the direction of global cyber and privacy trends, not where the agenda currently stands.

Cyber risk and control approaches have often been decentralized, overlapping and/or duplicative.

Effective and efficient: Second-line risk and control approaches are centralized, roles and responsibilities are clearly defined, and integrated systems and infrastructure are sustainable and cost-efficient.

In several areas, organizations embarked on complex or impractical approaches.

Practical: There is a strong focus on driving practical and substantive change in cyber and privacy risk governance.

Governance and cyber risk management

• Define and document Cyber Risk Policy and approve it with the board of directors at least annually
• Appoint a Chief Information Security Officer (CISO) role to an appropriately qualified member of staff or outsourced resource
• Develop a cyber risk plan and approve it with the board
• Perform regular cyber risk assessments and retain the reports to be ready to be provided to the Authority upon request

Cybersecurity

• Develop a cyber incident management procedure, including incident identification, containment and reporting to the Authority
• Perform staff cyber risk awareness trainings at least annually and adopt a security-by-design approach
• Implement appropriate security controls to protect desktop, mobile and network devices
• Perform regular cybersecurity testing, including penetration testing and vulnerability assessments

Third-party risk management​

• Identify and evaluate the risks associated with third parties
• Define contractual terms and conditions that would enable you to manage appropriate risks
• Request for outsourced service providers to implement security policies, procedures and controls that are at least as stringent as the ones established within your own organization

Data security

• Classify the information you hold in terms of its sensitivity, value and criticality
• Develop and implement a data protection policy including the requirements for data loss prevention, data retention, data sanitation and data backup in accordance with the data classification levels

IT operations

• Document and implement the following processes to ensure the ongoing security and stability of IT operations: change management, incident management, access management, patch management, security events logging and monitoring

Cloud security

• Assess the risks of the use of cloud environments and implement appropriate controls to address identified risks depending on cloud architecture

Business continuity

• Develop and implement business continuity planning (BCP) and disaster recovery (DR) planning policies and procedures
• Perform regular tests of BCP and DR plans to ensure the recovery and availability of the systems

Data protection policy and data classification

• Classify personally identifiable information (PII)
• Develop mechanisms to enforce policies and standards

Privacy risk and controls

• Integrate privacy controls in existing control framework and risk assessments
• Conduct risk assessments on processes and data flows

Data life cycle management

• Maintain data flows and privacy register
  
• Document conditions for processing (i.e., legal ground, data minimization, information provision, purpose limitation)

Data subject rights

• Set up procedures to support rights of data subjects, i.e., to access, modify and erase their PII; transfer PII to another organization (data portability); and object to the processing

Privacy by design and architecture

• Update security architecture to support privacy by design
• Conduct privacy impact assessment for new projects and systems

Data security

• Identify technical security measures to protect PII in line
• Consider data encryption (rest, use motion)
• Ensure identity access management with appropriate use in line with PIPA

Data retention and disposal

• Document data retention and disposal policy
• Identify retention periods for each category of PII

Monitoring

• Ensure that PII is used in line with policies, standards and PIPA
• Set up mechanisms to detect deviations, i.e., unauthorized disclosures

Incident response and breach notification

• Integrate personal data breaches within incident response
• Identify stakeholders to be notified after a data breach

Vendor management

• Gain visibility on vendors that process PII
• Set up mechanism to ensure vendors only process PII in line with policies, standards and PIPA (e.g., monitoring vendors and performing audits)