Every 'licensed undertaking' in Bermuda shall file annually a written report, prepared by its Chief Information Security Officer, assessing the availability, functionality and integrity of its electronic systems. The report shall identify the associated risks arising from a digital asset business and the cybersecurity policy in place that addresses identified inadequacies, including a detailed response plan.
An audit is required annually and includes, at least quarterly, penetration testing and vulnerability assessment. An audit trail system must be in place:
- maintaining and protecting the integrity of an audit trail so that complete and accurate reconstruction of all financial transactions and accounting can occur;
- protecting the integrity of data stored (ensuring hardware and software are free from alteration and tampering), maintaining system logging (including access and events records)