Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct
The Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct (2020) establishes cybersecurity expectations for BMA-regulated entities, including insurers, reinsurers, banks, and trust companies. Bermuda is a major international insurance and reinsurance hub. The Code covers cyber risk governance, risk management, incident response, third-party management, and reporting. It takes a proportionate approach based on entity size, complexity, and cyber risk profile, and compliance is monitored through BMA supervisory reviews and examinations.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (4)
BMA Code Section V: Identification of Assets and Risks
| Code | Title |
|---|---|
| BMA-3 | Operational Cyber Risk Management Programme |
| BMA-4 | Chief Information Security Officer |
| BMA-5 | Three Lines of Defence |
| BMA-6 | Risk Assessment Process |
| BMA-7 | Information Technology Audit Plan |
| BMA-8 | Third-Party, Outsourcing and Cloud Risk |
| BMA-12 | Board and Senior Management Oversight |
| BMA-13 | Asset Inventory |
| BMA-27 | Cyber Insurance |
BMA Code Section VI: Detect and Protect Controls
| Code | Title |
|---|---|
| BMA-9 | Information Technology Services Management |
| BMA-10 | Threat Intelligence and Vulnerability Alerting |
| BMA-11 | Information Technology Incident Management |
| BMA-14 | IT Security Incident Management and Response Team |
| BMA-15 | Notification of Cyber Reporting Events to the Authority |
| BMA-16 | Access Management and Segregation of Duties |
| BMA-17 | Staff Cyber Risk Awareness Training |
| BMA-18 | Data Classification and Security |
| BMA-19 | Data Protection, Governance and Loss Prevention |
| BMA-20 | Malicious Code Controls |
| BMA-21 | Security Testing Programme |
| BMA-22 | Patch Management |
| BMA-23 | Data Deletion, Sanitisation and Disposal |
| BMA-24 | Network Security Management |
| BMA-25 | Use of Cryptography |
BMA Code Section VII: Response and Recovery Controls
| Code | Title |
|---|---|
| BMA-26 | Business Continuity and Disaster Recovery Planning |
BMA Code Sections III-IV: Interpretation and Proportionality
| Code | Title |
|---|---|
| BMA-1 | Interpretation |
| BMA-2 | Proportionality Principle |
Your Compliance Coverage
If you comply with the Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct, you already cover:
- NIST Cybersecurity Framework 2.0: 81% (22 controls mapped)
- NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements: 15% (4 controls mapped)
- API 1164: 15% (4 controls mapped)
- 91 more frameworks, including UK Defence Standard 05-138 - Cyber Security for Defence Suppliers (15%) and ISO/IEC 27011:2024 (11%)
The Code maps to 94 other frameworks in total.
Frequently Asked Questions
What is Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct?
The Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct is a compliance framework from Bermuda (BMA) with 4 domains and 27 controls. Published in 2020, it establishes cybersecurity expectations for BMA-regulated entities, including insurers, reinsurers, banks, and trust companies; Bermuda is a major international insurance and reinsurance hub. The Code covers cyber risk governance, risk management, incident response, third-party management, and reporting. It takes a proportionate approach based on entity size, complexity, and cyber risk profile, and compliance is monitored through BMA supervisory reviews and examinations. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct have?
Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct has 27 controls organised across 4 domains. The largest domains are BMA Code Section VI: Detect and Protect Controls (15 controls), BMA Code Section V: Identification of Assets and Risks (9 controls), BMA Code Sections III-IV: Interpretation and Proportionality (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct map to?
Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct maps to 94 other compliance frameworks. The top mapping partners are NIST Cybersecurity Framework 2.0 (81% coverage), NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements (15% coverage), API 1164 (15% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct compliance?
Start your Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 27 controls and track your progress.