Three Red Flags That Tell Me a Firm Isn’t Ready for the BMA Code

"What are the top three red flags you see when you walk into a Bermuda entity that thinks it's ready for the Code but isn't?"

That’s a question I was asked last week as a panelist at the ABIR Operational Resilience Working Group – and it’s a good one.

So many Bermuda companies are borrowing their compliance. Their policies, their incident playbooks, and their board reports are lifted from their parent company or built from generic templates, and it’s setting them up to fail.

This isn’t just about BMA readiness; it’s basic compliance best practice. And it’s easy to spot – but easy to start fixing too.

Here are the three ‘red flags’ that tell me a firm has work to do:

The Copy-Paste Policy

Professionally presented, technically sound... but built for a fundamentally different jurisdiction, threat model, and environment because it’s copied from the parent with no mention of Bermuda or BMA requirements.

The BMA isn’t assessing the group; it’s assessing the Bermuda entity. A Bermuda-specific governance addendum, anchored to the Code and owned locally, is the only way to demonstrate that.

An Incident Response Plan with No Bermuda in It

No local key persons named. No BMA notification timelines. No Bermuda in the communication trees. And no contractual protection against the clock.

The Code imposes a hard 72-hour determination window – but standard SaaS contracts notify clients within 5 to 7 days. If ransomware takes out your underwriting vendor, you could be three days into an operational blackout without enough data to file an accurate BMA report.

You need a local owner – whether internal or through a dedicated managed CISO partner – with the authority and portal credentials to notify the BMA as soon as possible.

Risk Management Built for the Group, Not the Entity

IB registers and impact tolerances designed at group level reflect global materiality, not local reality. What barely registers as a disruption globally can be operationally devastating locally.

The Code is clear: these must be signed off locally. Group methodology can inform that process, but it cannot replace it.

None of this requires starting from scratch, just genuine localisation. In many cases a dedicated local resource who can bridge the gap between group capability and Bermuda regulatory reality is needed. A fractional or managed CISO helps bridge this gap, translating group-level frameworks into BMA-ready evidence and ensuring the right person is ready to act when it matters most.

Borrowing someone else's framework and putting a Bermuda address on it isn't operational resilience. If you want to understand where your firm genuinely stands against the Code, get in touch.

Are you PIPA compliant?

Organizations across Bermuda are rushing to comply with the new Personal Information Protection Act, which took effect on January 1, 2025.

We can help – simply enter your email address to download our Guidance on Maintaining PIPA Compliance and ensure your business is prepared today.
