If your Digital Asset Business (DAB) is licensed under Bermuda’s Digital Asset Business Act 2018 (DABA), you already know that maintaining a local head office isn’t optional. What many DABs get wrong, though, is what ‘head office’ actually means.
For the Bermuda Monetary Authority (BMA), it’s not about a registered address. It’s about where governance, risk management, and operational decision-making happen.
What Section 21 of DABA Requires
Section 21 of DABA mandates that every licensed DAB be directed and managed from Bermuda. The BMA’s primary compliance factors include:
- Where strategy and risk decisions are made
- Whether key personnel are locally based
- Whether critical systems, data, and records are accessible from Bermuda
- Whether outsourced functions are locally overseen
Crucially, the BMA does not require that your technology physically resides in Bermuda – but it does require that operational control and cybersecurity governance demonstrably occur from here.
Why Cybersecurity Governance is Non-Negotiable
For digital asset businesses, IT operations and cybersecurity are core business functions, not back-office support. The BMA’s Operational Risk Management Code of Practice for DABs makes clear that the following must be locally governed:
- Cybersecurity oversight and incident response
- Access to core systems and audit logs
- Monitoring of outsourced and technology providers
- Data governance and compliance reporting
Without a Bermuda-based cybersecurity lead, evidencing Section 21 compliance becomes very difficult – particularly as regulatory scrutiny of DABs continues to intensify.
The Case for a Fractional CISO
Most DABs – especially those establishing a new presence in Bermuda – don't need a full-time, in-house Chief Information Security Officer. But they do need someone who takes on that oversight, not just for the regulator’s sake, but to ensure the proper running of the business.
A fractional CISO provides executive-level cybersecurity leadership on a flexible engagement model. For BMA compliance purposes, this means:
- Local ownership of IT governance and incident response
- Documented oversight of outsourced and offshore technology providers
- Board-ready reporting and BMA-ready evidence trails
- Operational resilience planning aligned to the BMA’s Operational Resilience Code
Gnosis operates as a Bermuda-based fractional CISO for regulated businesses across the island. Our services are structured directly around the BMA’s head office requirements, including:
- Fractional CISO / CTO / CIO – local ‘mind and management’ for technology governance
- IT infrastructure and systems oversight from Bermuda
- Vendor due diligence and outsourcing documentation
- Business continuity, disaster recovery, and resilience testing
- Technology governance frameworks and audit-ready compliance documentation
Whether you’re a DAB building your Bermuda presence from the ground up, or an established license holder looking to strengthen your regulatory position, we can help.
Get in touch today to find out how our fractional CISO and IT governance services can support your business through the BMA’s head office requirement.