The Bermuda Monetary Authority has posted for consultation its draft new Digital Asset Business Operational Cyber Risk Management Code of Practice along with revised Digital Asset Business Custody Code of Practice and Digital Asset (Cybersecurity) Rules.

It is part of the authority’s commitment to foster and encourage the prudent development of the growing DAB sector in Bermuda.

The authority said: “Cybersecurity is a key risk affecting all financial sectors regulated by the Bermuda Monetary Authority and continues to garner global attention as the number and severity of risk incidents increase.

“As such, it is also an important area of concern within the digital asset business sector.”

The BMA said: “The consultation documents intend to streamline the obligations of DABs with those of other sectors. It is, therefore, to the fullest extent possible, harmonised with the insurance and banking, trust, corporate services and Investments regulatory cyber frameworks.

“Nevertheless, in light of the heightened inherent cyber-risk pertaining to DABs, the consultation documents contain more stringent requirements in key areas, including: (i) audit trails (system logs) and audits both in the periodicity and number of controls in scope; (ii) systems/code testing, change management and incident reporting; and (iii) the addition of DAB-specific requirements (eg., smart contracts and blockchain security).

“The consultation documents are designed to promote the stable and secure management of information technology systems of regulated entities.

“They are deliberately not exhaustive and should remain flexible so as to accommodate a wide range of business models.

“DABs are required to implement their own technology risk assessment programmes, and determine their top risks and decide the appropriate risk response. DABs must be able to evidence that there is adequate board visibility and governance of their cyber-risk.

“Failure to comply with provisions set out in the consultation documents will be an important factor taken into account by the authority in determining whether a registrant is meeting its obligation to conduct its business in a sound and prudent manner.

“The DAB industry and other interested parties are invited to submit their views on the proposals set out in the consultation documents.

“These documents may be found at: https://www.bma.bm/document-centre/discussions-consultation-papers.

Comments should be sent to the authority digitally, via the below survey link or QR code, no later than 6 May 2022.

https://www.surveymonkey.com/r/WQTTT88