How do the Bermuda Monetary Authority's Insurance Code of Conduct and the Operational Cyber Risk Management Code actually fit together?
It's more important than most firms realise - because getting it wrong is one of the most common compliance failures I see in practice.
They're not two separate boxes to tick
The instinct in many firms is to divide and conquer. Legal owns the Insurance Code. IT owns the Cyber Code. The two teams rarely speak.
The BMA sees that disconnect immediately.
The Insurance Code is the constitution: it sets the overarching standard for running a sound Bermuda business. The Cyber Code is the tactical playbook: it takes the vague obligations in the Insurance Code and defines exactly what they mean for CISOs, penetration testing, and incident response. One sets the standard. The other defines what meeting it looks like.
What both codes agree on
Board accountability cannot be delegated. Tasks can be outsourced to a Group function or SaaS vendor, but the Bermuda board retains ultimate accountability. The codes are designed to prevent any board from saying "that was an IT problem, not an insurance problem."
There's also a direct legal link. If an entity fails to notify the BMA within the 72-hour window, the BMA treats that as a breach of the Insurance Code's "sound and prudent" obligation. A cyber failure is a corporate governance failure.
Where the Cyber Code goes further
The Cyber Code introduces hard mandates that don't exist in the general Insurance Code: a named CISO with direct board access; technical security testing including penetration tests and tabletop exercises; a 72-hour notification clock; and a formal Data Classification Framework.
These aren't optional enhancements. They're mandatory, and they require the CISO and Compliance function to be working from the same page.
The firms that get this right integrate the two frameworks. Cyber risk metrics and notification pathways are woven into the ORSA. When the CISO reports to the board, they frame cyber metrics in the context of the Insurance Code's prudential standards, not just firewalls.
That's exactly the role a fractional or managed CISO plays: owning the governance narrative that ties cyber risk to corporate accountability across both codes.
Get in touch if you want to understand how the two codes interact for your business.