What Web3 Founders Need to Know: A practical guide for CISOs navigating Bermuda’s digital asset regulation
Cyber incidents in the Web3 space are not a matter of "if," but "when." With the confidentiality, integrity, and availability of information being critical to daily operations, the Bermuda Monetary Authority (BMA) has moved beyond general guidance to enforce strict operational standards.
The BMA's Digital Asset Business (DAB) Operational Cyber Risk Management Code of Practice establishes the baseline duties for any digital asset business operating in or from Bermuda.
Whether you are running a centralized exchange (CEX), a DeFi protocol, or a custody solution, navigating these rules is critical for your license. Here is what you need to know.
What Is the BMA DAB Code of Practice?
The Code is issued pursuant to Section 6 of the Digital Asset Business Act 2018. It mandates that every regulated entity must implement a technology risk programme that is "proportionate" to its specific risk profile.
Unlike voluntary frameworks, this Code uses specific language to denote obligation:
- "Must": Mandatory standards that require strict adherence or a comparable higher standard.
- "Should": Strong recommendations that require a documented valid reason for departure.
Effective Date: The Code came into force on January 1, 2024. All DABs were required to be fully compliant by June 30, 2024.
Who Is Affected?
The Code applies to all Digital Asset Businesses (DABs) licensed under the Act. This broadly includes:
- Exchanges & Trading Platforms: Entities facilitating the exchange of digital assets.
- Custodians: Businesses maintaining custody of client assets/private keys.
- Payment Providers: Services handling digital asset transfers.
- DeFi Operators: Entities with administrative control over decentralized protocols.
Purpose of the Regulation
The regulation is designed to ensure:
- Board Visibility: Evidence that the board has oversight and governance of cyber risk.
- Stable Management: Promoting secure management of IT systems in regulated entities.
- Risk-Based Approach: Allowing DABs to determine top risks and responses based on their "Nature, Scale, and Complexity" (The Proportionality Principle).
Implementation Checklist for CISOs
Based on the official BMA Code of Practice text, here is a detailed implementation checklist to audit your current security posture.
Category | Requirement | Actionable Implementation Checklist |
|---|
1. Governance & Oversight | Board Responsibility | ☐ Annual Approval: Board must approve the cyber risk policy at least once a year . ☐ Visibility: Provide regular updates on cyber risk status to the board and senior management . ☐ Oversight: Ensure the board retains ultimate responsibility even if the CISO role is outsourced. |
| CISO Role | ☐ Appointment: Appoint a qualified CISO (internal or outsourced) . ☐ Seniority: Ensure the CISO has sufficient seniority to deliver the risk programme. |
| Audit (3 Lines of Defense) | ☐ Structure: Implement the "Three Lines of Defense" model (Operational Management, Risk Mgmt, Audit) . ☐ Audit Plan: Develop an annual IT audit plan approved by the audit committee. |
2. Risk Management | Asset Identification | ☐ Inventory: Create a detailed inventory of all information assets . ☐ Ownership: Assign a specific business owner to every asset . ☐ Classification: Classify data by value, legal requirements, sensitivity, and criticality. |
| Risk Assessment | ☐ Process: Document a process for Identification, Measurement, Response, and Monitoring . ☐ Register: Maintain a risk register to monitor identified risks . ☐ Retention: Keep risk assessment reports for at least five years. |
| Third-Party Risk | ☐ Contracts: Ensure agreements include compliance terms and guarantee BMA access to data . ☐ Pre-Assessment: Conduct risk assessments before using any third-party blockchain apps or smart contracts . ☐ Cloud: Assess cloud risks based on architecture (public/private/hybrid) and data governance. |
3. Digital Asset Specifics | Smart Contracts | ☐ Benchmarking: Test code against vulnerability standards (e.g., Smart Contract Weakness Classification Registry) . ☐ Design Review: Review for intrinsic errors (e.g., front-running) and design risks (e.g., privacy) . ☐ Change Mgmt: Re-assess security testing requirements for any smart contract changes. |
| Secure Development (SDLC) | ☐ Lifecycle: Formalize Design, Build, Test, Deploy, and Monitor phases . ☐ Environment: Separate development, testing, and production environments . ☐ Code Review: Perform source code reviews and exception testing. |
| Blockchain/DLT Security | ☐ Keys: Use strong cryptographic key and certificate management . ☐ Access: Enforce identity/access controls for blockchain data . ☐ APIs: Apply API security best practices for transactions. |
4. Cyber Defense Controls | Access Control | ☐ MFA: Enforce Multi-Factor Authentication for all web-based services . ☐ Least Privilege: Grant access only on a "need-to-have" basis . ☐ Review: Maintain audit logs of all access changes. |
| Cryptography & Data | ☐ Encryption: Encrypt nonpublic data (and PII) at rest and in transit . ☐ Testing: Test cryptographic modules before production use . ☐ DLP: Implement Data Loss Prevention controls for primary applications. |
| Vulnerability Mgmt | ☐ Ext. Scan: Perform external vulnerability scanning monthly. ☐ Int. Scan: Perform internal vulnerability scanning every six months . ☐ Pen Test: Conduct independent penetration testing annually . ☐ Patching: Define procedures to identify, categorize, and install patches. |
5. Incident Response | Notification | ☐ 24-Hour Rule: Notify the BMA within 24 hours of determining/confirming an event . ☐ 14-Day Report: Submit a full incident report (root cause, impact) within 14 days. |
| Readiness | ☐ Plan: Establish a formal IT security incident response process . ☐ Drills: Conduct "tabletop" exercises to test response procedures . ☐ Logs: Maintain incident investigation logs for five years. |
6. Resilience | Business Continuity | ☐ Testing: Test BCP and Disaster Recovery (DR) plans at least annually . ☐ Analysis: Conduct regular Business Impact Analysis (BIA) exercises . ☐ Documentation: Document all test results and track remediation of issues. |
Summary
The BMA DAB Operational Cyber Risk Management Code of Practice defines a mandatory cybersecurity baseline for Digital Asset Businesses operating in Bermuda.
To comply, DABs must establish clear governance and accountability, implement proportionate security and risk management controls, and maintain evidence that these measures are effective and regularly reviewed. This includes documented policies, risk assessments, asset inventories, third-party oversight, and tested incident response and resilience plans.
Cyber incidents must be handled under strict timelines: notification to the BMA within 24 hours once confirmed, followed by a detailed report within 14 days.
Meeting the Code is not about adopting specific tools, but about demonstrating ownership, consistency, and defensible decision-making across governance, risk, and technical controls.
