HAMILTON, Bermuda – Bermuda's government has launched the National Cybersecurity Risk Assessment (NCRA), describing it as a landmark initiative in keeping with the government’s Digital Transformation Initiative (DTI) .
National Security Minister, Michael Weeks“For the first time, Bermuda will conduct a structured, jurisdiction-wide assessment of our collective cybersecurity risks, delivered entirely in digital form,” National Security Minister Michael Weekes has said.
“Cyber threats do not stand still…and neither can we. As the threat landscape evolves, so too must our understanding of the risks facing our digital infrastructure, our critical services, and our citizens.”
Weeks said that the initiative builds on the foundations laid by the Bermuda Cybersecurity Strategy 2018-2022 and strengthened by the Cybersecurity Act 2024.
He said the NCRA is a formal survey instrument designed to gather structured cybersecurity risk intelligence from across Bermuda’s public and private sectors.
“The assessment will capture information on threats, vulnerabilities, current controls, and risk exposure across our organizations, including those operating within our Critical National Information Infrastructure (CNII).”
Weeks said that the results of the NCRA will directly inform the development of Bermuda’s updated National Cybersecurity Strategy, which the government is targeting for release in the fourth quarter of this year.
“This means that for the first time, our national strategy will be built on current, locally-sourced risk intelligence, not assumptions,” he said, adding “that is a significant advance in the maturity of our cybersecurity governance”.
The National Security Minister said the NCRA represents a first for Bermuda in another important respect, noting that previous exercises of this nature have relied on manual or paper-based processes.
“This assessment will be distributed and completed entirely online, enabling broader participation, faster data collection, and more reliable analysis.
“The digital platform has been designed to ensure the secure delivery of responses. Respondents can complete the assessment with confidence that their submissions are handled in accordance with the Government of Bermuda’s security standards and the obligations set out under the Personal Information Protection Act 2016.”
Weeks said that the NCRA is intended to reach as much of the Bermuda cyber community as possible, urging organizations and professionals across all sectors to participate, including government ministries, departments, and agencies; financial services, insurance, and reinsurance organizations as well as telecommunications and technology providers; healthcare, energy, and essential services operators and small and medium-sized enterprises with a digital footprint.
“The strength of this assessment depends on the breadth and quality of participation. I therefore, urge all relevant organizations across the Bermuda cyber community to engage seriously and respond fully.”
Weeks said that the NCRA will be distributed by the National Cybersecurity Unit (NCU) and that respondents will have a period of three months to complete the assessment from the date of distribution.
He said this window has been set to allow sufficient time for thorough and considered responses, while maintaining the timeline necessary to support the development of the updated National Cybersecurity Strategy.
”The NCRA will be administered on an annual basis going forward. This will enable the government to track the evolution of Bermuda’s cybersecurity risk profile over time and ensure that our national strategy remains current and responsive to emerging threats.”
But Weeks acknowledged that the National Cybersecurity Risk Assessment is not an end in itself, saying “it is a critical input into a larger process, the development of an updated National Cybersecurity Strategy that is grounded in evidence, shaped by the real-world risk environment that Bermuda currently faces.
“This government is committed to building a secure digital Bermuda, one where citizens, businesses, and institutions can operate with confidence in the safety and resilience of our digital environment.
“The Cybersecurity Act 2024 has given us the legislative framework. Our partnership with the International Telecommunications Union is strengthening our operational capabilities through the National Cybersecurity Incident Response Team. The NCRA now gives us the intelligence to make strategic decisions that are truly informed.
“I call upon all stakeholders across Bermuda’s cyber community to seize this opportunity to shape our national cybersecurity direction. Your participation matters and your insights are essential. Together, we will build a stronger, more robust digital Bermuda,” Weeks said.
