Privacy regulations brought into focus
New privacy-related regulations are set to affect Bermudian companies in the new year.
A virtual roundtable with 35 executives from Bermudian-based insurance companies was assembled by professional services firm EY to discuss risk and compliance regulations and their implications for financial services organisations.
The event was held at the beginning of International Cybersecurity Awareness Month. Alexander White, the Privacy Commissioner for Bermuda, and Michael Lingham, a cyber risk specialist at the Bermuda Monetary Authority, were among the main speakers.
The Personal Information Protection Act was passed in 2016, aimed at addressing the need for privacy controls around personal data in Bermuda, while the Operational Cyber Risk Management Code of Conduct was published by the BMA in October.
A spokeswoman for EY said the Code of Conduct establishes the minimum set of requirements for the robustness of cybersecurity risk management practices expected of the Bermuda-based insurance industry.
The internationally aligned regulations are anticipated to bolster Bermuda’s regulatory reputation and provide companies with confidence that Bermuda is a safe harbour in which to both establish and grow their businesses.
Kerr Kennedy, associate partner and technology risk leader for the EY region of the Bahamas, Bermuda, British Virgin Islands and Cayman Islands, was facilitator of the roundtable discussion. He said: “All organisations should view these regulations as an opportunity to improve.”
He added: “That means adopting a privacy and security-by-design mindset, especially when an organisation introduces a new product or service.
“Demonstrating compliance with these internationally aligned regulations may also provide organisations a competitive advantage by gaining trust with customers, stakeholders and employees.”
The regulators emphasised that neither PIPA nor the Code of Conduct is designed or intended as a strict, uniform compliance test.
Instead, it is hoped that the measures will open a dialogue between companies and regulators around privacy matters and offer a way forward that will ultimately improve business operations and strategy.
Mr White said: “First and foremost, privacy is a customer service matter. At a pragmatic level, customers want to know how their personal information is being used and protected.”
He also noted that privacy has larger, societal implications because it empowers creativity and risk-taking, which is the lifeblood of an entrepreneurial economy.
Mr Lingham said the BMA did not develop the regulations “as a strict tick the box compliance exercise,” but rather to encourage a culture of continuous risk assessment among insurers.
That applies particularly to third-party risk, which is often not examined closely enough, leading to unexpected breaches in a company’s cybersecurity ecosystem.
Mr Lingham added: “You cannot outsource your responsibility for cyber risk.”
The three speakers agreed that those who take a risk-based approach to compliance, ensure appropriate governance is established, take stock of their obligations and document the key steps taken to meet them will have a head start on meeting the regulatory requirements before they come into force, starting in 2021.
To learn more, see https://www.ey.com/bermuda.