Outsourcing considerations for Bermuda insurers
As Bermuda insurers engage with third-party service providers to support their business functions, the Bermuda Monetary Authority has clarified its regulatory expectations surrounding outsourcing arrangements and operational resilience.
This column provides a high-level overview of the regulatory, governance and practical considerations for Bermuda insurers as they assess, implement and oversee outsourcing arrangements.
Key takeaways from this column:
• Accountability and oversight remain with the board
• Insurers must have a clear framework in place to identify, assess and manage risk
• Due diligence must be undertaken when considering material outsourcing arrangements
The Insurance Act 1978, as amended, the Insurance Code of Conduct 2022, the Operational Resilience and Outsourcing Code 2025 and the accompanying Guidance Notes form the regulatory framework for governance and outsourcing arrangements for insurers.
The Insurance Code of Conduct applies on a proportional basis to all insurers, and the Outsourcing Code applies on a proportional basis to commercial insurers and innovative insurers (as well as other relevant entities as set out therein).
Insurers are required to have procedures and processes for identifying, measuring and assessing (among other things) outsourcing risk and third-party oversight. Although functions may be outsourced externally or internally to other affiliated entities, boards must ensure oversight and clear accountability as if the outsourced functions were performed internally and subject to the insurer’s own governance standards and internal controls.
Insurers with higher risk profiles, based on their businesses' nature, scale and complexity, will require a more comprehensive governance and risk management framework to conduct business in a sound and prudent manner.
Certain outsourcing arrangements may trigger notification obligations to the BMA where they amount to a material change pursuant to the Insurance Act.
Where an outsourcing arrangement could materially impact the risk profile, policyholder interests, financial conditions or compliance with statutory duties, notification to the BMA may be required as part of the insurer’s ongoing supervisory engagement.
While the Insurance Code of Conduct does not expressly define outsourcing or material outsourcing, the Outsourcing Code provides the following definitions as guidance:
Outsourcing: an arrangement in which the relevant entity uses a third party (ie, the outsourcing service provider), to perform activities on an ongoing basis that are integral to the provision of services by the relevant entity that could otherwise be undertaken by that relevant entity.
Material outsourcing: an outsourcing arrangement where an important activity, as determined by senior management of the relevant entity, has been outsourced to a third party.
An activity will generally be regarded as material if such activity would materially impact:
• Business operations, reputation or financial performance
• Ability to manage risk
• Compliance with applicable Bermuda laws
• Clients and policyholders
The board retains responsibility and accountability for operational resilience and outsourcing oversight. The responsibility is on the board to regularly review (at least annually) and approve all material outsourcing arrangements.
Boards must conduct due diligence and assess the impact or potential impact of material outsourcing arrangements prior to engagement. The board must also ensure that there are clear policies and procedures in place, based on the proportionality principle, to adhere to the obligations set out in the regulatory framework in order to effectively manage risk, as applicable.
Such due diligence should include — but is not limited to — evaluating whether the service provider has the following in place:
• The quantity and quality of staff with the requisite skills and experience to effectively deliver the outsourced activities
• The relevant technology, cybersecurity arrangements, operational infrastructure and financial capacity to undertake the outsourcing arrangement effectively and efficiently
• Appropriate information and data security to protect any and all confidential information
• An appropriate risk management framework and controls to ensure that risks associated with the outsourcing are effectively managed
• The ability to maintain appropriate internal controls and meet regulatory requirements
• An appropriate business continuity plan and disaster recovery plan
• The ability to provide access to all documents and data relating to the outsourced activity, its auditors and its competent authority
Insurers should always ensure that outsourcing does not impede obligations imposed by the BMA or obligations to policyholders.
• Aleisha Hollis is a senior associate in Appleby’s Corporate practice in Bermuda. A copy of this column can be obtained on the firm’s website at www.applebyglobal.com. This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult with a lawyer.
