BMA Operational Cyber Risk Management Code of Conduct 2022

The Bermuda Monetary Authority (‘BMA’) published its Operational Cyber Risk Management Code of Conduct (‘Code’) for CSPs, Trust Companies, Money Service Businesses, Investment Businesses, and Fund Administration Providers (Relevant Licensed Entities or ‘RLE’) on 15 March 2022 and RLE are required to comply by 15 February 2023.

The goals of the Code are to ensure that RLE establishes a robust cybersecurity program and comply with related requirements. The Code prescribes specific requirements to ensure appropriate cybersecurity programs are in place. RLE should implement the Code in proportion to their cyber risk profile (nature, scale, and complexity of their business), following an appropriate assessment of their cyber risks. Each entity is required to assess its particular risk profile and design a program that robustly addresses such risks.

The Code emphasizes the importance for RLE to ensure that robust cybersecurity measures are in place:

  • Cyber risk governance;
  • Identification of assets and risks;
  • Detect and protect controls; and
  • Response and recovery controls.

cybersecurity measures

What You Need To Know

RLE are required to identify and manage cyber risks to organizational systems, assets, data, and capabilities. They also need to ensure senior management and Board involvement and sponsorship of a business-aligned cybersecurity program. A cybersecurity program that is designed with security, vigilance, and resilience in mind, guided by a clear strategy, and supported by strong governance measures will be well placed to meet the regulatory requirements.

business-aligned cybersecurity program

Below are the key responsibilities and minimum standard requirements:

  • Board of Directors & management must have oversight of risks.
  • Create an asset inventory listing.
  • Appoint a CISO (Chief Information Security Officer) or outsource the role.
  • Consider a cyber insurance policy and review coverage at least annually.
  • Identify and understand the cyber risk posture.
  • Measure the potential impact and consequences of risk.
  • Monitor & report – maintain a risk register.
  • Compliance and audit: The control environment should be continuously monitored and evaluated.
  • IT Service Management, IT Incident Management & Security Incident Management.
  • Business Continuity Planning (BCP) & Disaster Recovery (DR).

What’s Next?

Assessing Your Compliance

The Code is not a “one size fits all” approach for all RLE. The BMA developed the Code as a flexible reference point and encourages RLE to align their cyber risk profile to the nature, scale, and complexity of the business.

We recommend that RLE undertake evaluative processes to assess their individual cyber security risks and compliance with BMA requirements, considering other new regulatory requirements.

How Can We Help?

Our team of cyber security experts will work with your company to:

  • Identify and assess cyber security risks and current compliance with the Code.
  • Develop a cyber security document tailored to your organization, in line with BMA requirements.
  • Develop document response and recovery processes.
  • Oversee design, implementation and monitoring (audit) of controls.
  • Provide ongoing support to maintain and grow a cyber security program.

OneStopNetworks in collaboration with Nangia Andersen LLP

  • Service delivery will be managed and executed in Bermuda by OneStopNetworks. Rene Ambrusch of OneStopNetworks will be your main point of contact in Bermuda.
  • Nangia Andersen LLP’s cyber security expert team will provide technical support remotely.
  • Nangia Andersen’s Cyber Security team comprises professionals having unique skills in technology and business from a diverse range of backgrounds, industry & sector experience.
  • Nangia Andersen’s Cyber Security practice has executed and delivered numerous engagements in multiple geographies across the globe, viz. Africa, the Middle East, Asia Pacific, etc.
  • We collaborate with OneStopNetworks on various client projects in Bermuda.

About OneStopNetworks

OneStopNetworks is a Bermuda based Information Technology Company. We have expanded our services to offer Support, Cloud Backup, Virtual PBX, Remote and onsite Support as well as as a list of customized Solution for small and medium sized Business. To say it short, we are a One Stop Solution for all of your companies IT needs.

About Andersen Global

Nangia Andersen is a full member firm of Andersen Global. Andersen Global is an international association  of legally separate, independent member firms with more than 1000+ global partners.

Nangia Andersen LLP
a member firm of

As part of Andersen Global we have reached more than 220 offices globally, having presence in more than  120 countries.

Our core values are:

Core Values


To find out more about what the new Cyber Risk  Management Code of Conduct means for your business, and for help assessing and managing your cybersecurity program(s), contact OneStopNetworks.

PDF file


Download the Operational Cyber Risk Management Brochure


Additional information



September 2022 (Revised) – View Document