BMA raises bar on resilience
The Bermuda Monetary Authority has unveiled new rules that raise the bar on how financial companies prepare for shocks, from hurricanes to cyberattacks. Boards of directors will now be held directly responsible for making sure vital services keep running when things go wrong.
The Operational Resilience and Outsourcing Guidance Notes, released this month, apply across the sector to banks, insurers, fund administrators, trust firms, corporate service providers and digital asset companies.
The BMA said the aim is to move beyond traditional back-up plans and ensure firms can actually deliver for clients in a crisis.
“Clients expect, and have come to depend upon, real-time availability of financial services and transaction processing,” the BMA wrote. “When disruptions occur, they can quickly result in harm to clients … as well as contagion to the wider financial sector.”
Company boards must now approve resilience plans every year and set strict limits on how long essential services can be down. They also need to identify the people, systems and facilities that keep their business running, and file an annual self-assessment showing progress.
The BMA emphasised that directors must have enough knowledge to challenge management and make resilience a top priority.
The guidance also tightens the rules on outsourcing. Firms will have to vet outside providers more carefully, write stricter contracts and have back-up plans if vendors fail.
The BMA warned that putting too many important services in the hands of one provider can create a dangerous “unique point of failure”.
Companies must now run scenario tests for disasters such as data loss, vendor collapse, power outages, pandemics and even war. Key vendors must take part, and firms will also be required to test how they communicate with clients, regulators and the media during a disruption.
The authority said the aim is to embed “resilience by design” across the sector. “[Operational resilience] is about maintaining the delivery of key services through adversity and disruptions. It also encourages organisations to have a ‘resilience-by-design’ mindset, where resilience becomes ingrained throughout all levels of operations rather than an afterthought.”
The move puts Bermuda in line with other leading financial centres, such as Britain and the European Union, that have introduced tougher standards after the pandemic, cyber incidents and geopolitical turmoil.