Safeguarding Bermuda: An Overview of the Cybersecurity Act 2024

Introduction

The Cybersecurity Act 2024 (“the Act”) was introduced in Bermuda to safeguard the nation's critical infrastructure. The legislation is not dissimilar to codes of conduct we have seen in other jurisdictions, and it is especially important in the wake of the widely publicised cyber attacks on the Government of Bermuda in 2023. This blog post explores key aspects of the Act and its implications for organisations in Bermuda.

What is the Cybersecurity Act 2024?

The Cybersecurity Act 2024 is designed to protect the services considered to be critical infrastructure in Bermuda. It seeks to protect against loss or damage resulting from a cyber attack on that infrastructure, and it defines critical infrastructure as telecoms, hospitals, government departments and the energy sector. Several bodies (the Government of Bermuda, the Regulatory Authority and the Bermuda Health Council) are given oversight roles: helping operators identify areas for improvement and responding to cyber incidents. By explicitly designating certain service providers as part of the Critical National Information Infrastructure (CNII), the Act aims to enhance the cyber security and resilience of these essential services.

Reactions to the Act

The Act, in its current form, has been met with mixed reviews. It mandates a risk-based approach to cybersecurity, requiring organisations to have a programme in place. This aligns with our ongoing recommendation that organisations follow a risk-based information security standard, for example an ISO 27001 Information Security Management System (ISMS). However, one ambiguous aspect we have identified, which is common to other cybersecurity and data protection acts we have come across, is the requirement to appoint an "appropriately qualified individual" to lead the development and administration of this risk-based programme, without a clear definition of “appropriately qualified”. Defining this term will be crucial to avoiding misunderstandings and ensuring effective implementation.

Integration with the Personal Information Protection Act (PIPA)

The Cybersecurity Act complements the Personal Information Protection Act (PIPA). While PIPA focuses on maintaining the privacy of individuals' data, a cybersecurity programme enforces the principles of confidentiality, integrity and availability. Together, the two Acts help create a robust data protection programme by ensuring that personal information remains confidential and is accessible only to those who are legally entitled to it.

A risk-based cybersecurity programme involves understanding the risks to confidentiality, integrity and availability and implementing suitable controls to mitigate them. The two go hand in hand: any organisation that complies adequately with both Acts will have a very robust data protection programme.

Where Should Organisations Start?

Organisations in Bermuda must now demonstrate that they have built the necessary cybersecurity resilience. The first step is to obtain executive buy-in, which ensures that company executives understand and appreciate the necessity of these measures. This starts with sensitisation and awareness training. Next, organisations should perform a gap assessment and adopt a recognised standard such as ISO 27001 or the NIST Cybersecurity Framework, ensuring that whatever they choose is risk-based. Proper adoption of the ISO 27001 standard requires the identification of someone responsible for risk. This aligns well with the Cybersecurity Act's requirement to "appoint an appropriately qualified individual to lead the development and administration of the cybersecurity programme". Finally, it is one thing to say a programme has been put in place, but for it to mean something, it has to be tested.

Potential Mistakes

One common mistake is not using qualified people, whether internal or external, to design and implement the programme, and consequently not properly adopting the requirements. We see this all the time. Another mistake is failing to secure leadership support and buy-in, which can result in the implementation being seen as a cost rather than a value. This leads to incomplete or poorly executed programmes, which are often just as ineffective as never having started at all. Importantly, consistency and ongoing maintenance of the programme are also crucial for long-term effectiveness.

What Does Symptai Bring to the Table?

Symptai addresses the risk of using an inexperienced entity by offering over 26 years of experience in implementing and maintaining suitable programmes. Our suite of services, covering cybersecurity, audit and assurance, data privacy and compliance, and digital transformation, allows us to offer comprehensive assessments, implementations and validations of risk-based programmes. Our experience extends to multiple implementations of the COBIT framework, ISO 27001, the NIST Cybersecurity Framework and PCI DSS, among others.

Recommendations

When implementing the Cybersecurity Act 2024, it is essential to break the process into manageable segments and to involve different teams in the implementation. Building a robust programme can take years and often requires a phased approach with multiple layers of protection. You do not want a single layer of control that, once bypassed, leaves everything to crumble. A defence-in-depth strategy is recommended, leveraging additional frameworks to ensure that everything important and critical to your organisation is considered. Finally, ensure you identify all of your assets: the essential systems and data, and even the people you need to protect.

Implementing the Cybersecurity Act 2024 is a significant step towards safeguarding critical infrastructure and ensuring robust data protection. Organisations must adopt a comprehensive, risk-based approach supported by experienced professionals and well-defined standards. By doing so, they can enhance their cybersecurity resilience and maintain the privacy and security of sensitive information.

For more insights and practical advice on cybersecurity and data protection, be sure to check out our latest blog post, "Data Privacy Best Practices in Public Spaces", and contact us today to schedule a free consultation.
