Why is it important for any jurisdiction to have robust IT and Cyber Security Laws and Regulations?
Decisions concerning the location of international business operations, trade and investment are being increasingly influenced by the standards and quality of each competing jurisdiction’s data, IT and related cyber security infrastructure. In 2024, many corporate governance surveys about what keeps a CEO awake at night consistently placed IT and cybersecurity threats among the top five issues of material concern. Jurisdictions with a sophisticated IT and cyber infrastructure, and the laws and regulations that impose robust quality standards and diligent governance oversight on that infrastructure, will have a tremendous competitive advantage when it comes to attracting foreign investment and business operations over jurisdictions that have failed to address those business risks.
What law reforms has Bermuda implemented to address those significant business risks?
There are many. The Bermuda Monetary Authority (BMA) has had robust IT and cyber security regulations for all financial sectors for several years now. The Computer Misuse Act 2024 was introduced by the Bermuda Government to provide enhanced legal weapons to fight cybercrime. On 31 May, Bermuda’s Cybersecurity Act 2024 was passed by the Bermuda Government to create comprehensive IT and cyber regulations across numerous essential services and critical infrastructure. Bermuda’s Personal Information Protection Act 2016 (PIPA), effective at the end of this year, also includes laws that require appropriate IT and cybersecurity safeguards, as well as imposing related data protection duties and responsibilities.
What are the most important features of PIPA that will support international business operations in Bermuda?
First, PIPA is needed for Bermuda to stand internationally as a “safe harbour” so that global businesses can freely transfer business data to and through Bermuda. PIPA is primarily based on Canadian privacy legislation, and the EU’s recent renewal of Canada’s “adequacy status” under the GDPR regime bodes well for PIPA’s international acceptance. Second, when compared to the GDPR, PIPA presents a relatively simple and easy privacy rights program to comply with. Third, the incident breach reporting requirements of PIPA dovetail very well with the corresponding notice requirements across Bermuda’s other IT and cybersecurity regulations.
Is it necessary for a registered Mutual or Private Fund to adopt policies and procedures to implement the Rules?
It is not necessary to adopt formal policies and procedures. The Rules are flexible in their application: whilst they do require written policies, these may be set out in the fund’s constitutional or offering documents, board resolutions, service provider agreements, instructions to service providers or as formal policies and procedures.
Is a registered Mutual Fund or Private Fund still required to comply with CIMA’s statement of guidance on Corporate Governance for Mutual and Private Funds and how does this guidance interact with the Rules?
Yes. Both of these regulatory measures have a proportionality element and both allow for flexibility in their implementation. The Rules are intended to apply to a wide range of regulated entities and necessarily require more adaptation for registered funds, whereas the Statement of Guidance has been written exclusively for registered funds and will have more direct relevance and consequently more restrictive application.
How should the governing body of a registered Mutual or Private Fund undertake self-assessments of their performance?
We commonly see self-assessments made by way of a questionnaire completed by each director of the fund, general partner or trustee and with such questionnaires being provided to the registered fund and each other director. Once completed, any issues arising from the questionnaire should be discussed at the next following board meeting and steps put in place to address them as thought appropriate.
Is there a prescribed minimum annual time commitment expected of non-executive directors of a registered Mutual or Private Fund, its general partner or trustee?
No, confirmations of time commitments are not prescribed and can be made annually in general terms.
Is it necessary for directors of a registered Mutual or Private Fund, its general partner or trustee to declare their conflicts of interest annually?
It is not necessary to repeat previously declared conflicts of interest annually, only to confirm annually that all conflicts of interest have been declared. If there is any doubt whether all conflicts have been declared, an annual declaration listing all conflicts should be made.
How should CIMA’s rule on internal controls be implemented by a registered Mutual Fund or Private Fund which has no senior management and no staff?
The rule on internal control includes requirements to evaluate any internal control systems adopted by the fund’s service providers. A fund should ensure that each of its service providers includes in their regular reporting to the fund details of their internal control systems, any failures of those systems and any actions being taken to rectify or improve those systems.
How can a Jersey company prepare in advance for a migration?
- Creditors – The Jersey Company can prepare a list of its known creditors, and how to contact them. In addition, the creditors’ notice can be sent to the Jersey Gazette, giving all creditors the prescribed 21 days to object to the migration; it is free of charge, can be done online and will appear on a public website.
- Jersey departments – The Jersey Company can also contact the Department of Health and Social Security, Revenue Jersey, the Judicial Greffe (if the company has immovable property in the island) and liaise with staff if the company proposes to make staff redundant in Jersey as a result of the discontinuance.
- Details – The Jersey Company will need to confirm the proposed registered office, new directors and advisors in the new country or territory.
- Financials – The Jersey Company will need to submit a copy of its financial statements (for a period ending within twelve months of the date of the application – together with a copy of the accounts of the parent company made up to a date not more than fifteen months before the date of the application).
- Other jurisdiction – In addition, the requirements of the jurisdiction into which the Jersey company proposes to re-domicile will also need to be met and therefore a co-ordinated approach will be needed with the other advisers.
Does migration affect the tax residency/economic substance of a Jersey company?
A Jersey company can alter its tax residency by becoming resident in another jurisdiction. In relation to migrations out of Jersey, industry is aware of the Jersey tax authority, Revenue Jersey, scrutinising these points in an increasingly compliant environment, together with a recent focus on permanent establishment reviews, and relocations based purely on tax residence.