After the September 2023 hack, the Government needed to pay 3,500 people manually, but had no cheques in the office, according to the retired National Disaster Coordinator.

“Then the signatures at the bank were not current,” Stephen Cosham revealed.

The former Bermuda Police Inspector was speaking at an audit conference at the Royal Bermuda Yacht Club on Thursday, on the topic of lessons learnt from the cyberattack, and other calamities such as Covid-19.

Dealing with the press was also an issue during the event, Mr Cosham said.

“Some of the comments the Government made on the hack came across very well, and some of them you may think did not come across very well,” he stated.

He advised organisations to have pre-scripted communication plans in place before disaster hit.

“You need examples of press releases in it, and you need to have written down what people can say, but what you don’t want people say,” he said. “That will come across a lot better whether you are dealing with the public or with customers.”

He told the room the first step to coping with disaster was to have a plan in place before the unexpected happens.

“Often you need a plan for compliance purposes, and it needs to be evidence based to the auditors,” he said.

It is also important to store important contact details for people such as vendors, somewhere in addition to the computer system, he said.

“After a hack, a lot of businesses then find themselves paging through the phone book in a desperate effort to contact their vendors,” he said. “And how do you pay them when you do not have access to your finance system?”

Mr Cosham said when boards meet there should be reporting on cybersecurity and any hacks that the company has experienced.

“If they are not reporting on it, then it is not a priority,” he said.

He held the disaster management post with the Bermuda Police Service for ten years before retiring last year.

The conference, “Unlocking the Power of Tomorrow Emerging Trends & Innovative Approaches in Assurance and Technology”, was hosted jointly by the Information Systems Audit and Control Association and Institute of Internal Audit Bermuda Chapter.