
Cybersecurity · Bermuda


Sectoral rules: Bermuda Monetary Authority (BMA) sector codes (e.g. Insurance Sector Operational Cyber Risk Management Code of Conduct) plus PIPA breach-notification duties; a comprehensive Cybersecurity Act 2024 has been passed but is not yet in force.

Bermuda currently regulates cybersecurity through sector-specific rules rather than a single in-force comprehensive law. The BMA imposes operational cyber-risk management obligations on regulated financial entities (notably the Insurance Sector Code of Conduct, effective 2021), and the Personal Information Protection Act 2016 (fully operative 1 January 2025) requires data-breach notification. A comprehensive Cybersecurity Act 2024 received Royal Assent on 24 June 2024 but has no announced commencement date, so its critical-infrastructure regime is not yet binding.

Comprehensive law passed but not in force

The Cybersecurity Act 2024 was passed by the Legislature on 31 May 2024 and received Royal Assent on 24 June 2024, creating a framework to protect critical national information infrastructure across essential services (energy, telecoms, healthcare, government). No commencement date has been announced, so it is not yet operative.

Ministerial oversight model

Under the Cybersecurity Act 2024, sector-specific cyber and IT security prescriptions will be overseen by the Minister of National Security in consultation with a Cybersecurity Advisory Board that advises on safeguarding information resources connected to essential operations.

BMA insurance sector cyber code (in force)

The BMA's Insurance Sector Operational Cyber Risk Management Code of Conduct took effect 1 January 2021, with full compliance required by 31 December 2021. It sets proportionate duties to maintain a robust cybersecurity programme; 97% of insurers reported a board-approved cyber-risk policy in 2024 filings.

Data-breach notification under PIPA

The Personal Information Protection Act 2016 became fully operative on 1 January 2025. Organisations must notify the Office of the Privacy Commissioner (PrivCom) and affected individuals without undue delay of a breach likely to adversely affect an individual; failure to notify is a separate criminal offence.

Breach-notification penalties

Under PIPA, failing to report a qualifying breach can lead to fines up to $25,000 and/or up to 2 years imprisonment on summary conviction for individuals, and fines up to $250,000 on indictment for organisations.

Updated cybercrime statute

Bermuda enacted the Computer Misuse Act 2024, replacing the 1996 statute of the same name, to align with international best practice and substantially increase penalties for computer-related offences.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.