We're halfway through 2026, and if you work in Bermuda's insurance and reinsurance market, the first six months have been a lot.
The conversations I've been having - across boardrooms, working groups, and industry panels - have shifted in a way I haven't seen before.
We've moved past the "what does the regulation require?" phase and into something harder: "why aren't we ready yet?"
Here's what H1 told me, and what it means for the rest of the year.
Operational resilience isn't a project anymore. It's an assessment.
For the past two years, the dominant narrative around the BMA's Operational Resilience and Outsourcing Code of Conduct has been preparation. Map your services. Document your dependencies. Build your framework.
That phase is over.
Firms are now being assessed against the Code - not in principle, but in practice. The BMA is asking specific questions and expecting specific evidence. And the gap between firms that treated this as a genuine operational priority and those that treated it as a compliance exercise is becoming very clear, very quickly.
If your framework is still a work in progress, I'd stop calling it preparation and start calling it what it is: a finding waiting to happen.
The group-entity disconnect is the defining compliance risk of the moment.
Of all the issues I've encountered in H1, this one is the most consistent - and the most avoidable.
Bermuda entities operating as subsidiaries of international groups are running compliance frameworks built for the parent. Policies that don't mention Bermuda. Incident response plans that route decisions through overseas committees. Risk registers calibrated to global materiality thresholds that have no relevance to what's actually material to the local legal entity.
The BMA isn't assessing the group. It never was. It's assessing the Bermuda entity - its governance, its controls, its board accountability. And a board that can't demonstrate it has genuinely interrogated its own risk position, rather than simply deferring to a quarterly heat map from Group, is a board that's exposed.
The fix isn't complicated. It requires localisation - taking what the group has built and making it work for Bermuda specifically, with a local accountable owner behind every critical decision point.
The Insurance Code and the Cyber Code are converging. Treat them as one.
There's a structural problem I see in almost every firm I walk into: Legal owns the Insurance Code, IT owns the Cyber Code, and the two teams operate in parallel without much overlap.
The BMA doesn't see it that way.
A breach of the Cyber Code's 72-hour notification window isn't just a technical failure - it's a breach of the Insurance Code's "sound and prudent" standard. A cyber problem is a governance problem. And a governance framework that doesn't integrate both codes isn't a governance framework at all.
The firms getting this right are treating the two codes as a single accountability structure, not two separate workstreams. Cyber risk metrics sit in the ORSA. The CISO reports to the board in the context of prudential standards, not just firewall stats. The compliance function and the IT function are genuinely aligned.
If those two functions aren't talking to each other in your organisation, that's the first thing to fix.
AI governance is no longer optional - and the window to get ahead is closing.
The BMA published its Discussion Paper on the Responsible Use of AI in Bermuda's Financial Services Sector in July 2025. Formal guidance is expected through 2026.
What struck me most at this year's Bermuda Risk Summit was not that people are worried about AI - it's that most organisations are still in the awareness phase. They're asking the right questions. They're not yet acting on the answers.
The risk with AI governance is the same as it was with operational resilience two years ago: waiting for the regulation to land before building the framework. That approach leaves you scrambling to cover the basics when you should be building on top of them.
The organisations that act now - building board-level accountability, risk-based controls, and clear policy on how AI touches regulated activity - will be the ones best positioned when formal guidance drops. The ones that wait will be doing catch-up.
Done well, AI governance isn't just a compliance obligation. It's a competitive differentiator.
The fractional CISO has stopped being a nice-to-have.
A few years ago, suggesting a fractional or managed CISO to a Bermuda firm was sometimes a hard sell. The concept wasn't always well understood, and the regulatory pressure wasn't yet acute enough to make it feel urgent.
That's changed.
Between the Operational Resilience Code, the Cyber Code, documentation retention requirements, vendor oversight obligations, and a hard 72-hour notification window, the regulatory load on Bermuda entities is now substantial. For most firms - particularly those without a large internal IT or compliance function - managing it without dedicated local resource is increasingly unrealistic.
The question I'm being asked isn't "do we need this?" anymore. It's "how quickly can we get it in place?"
A fractional CISO isn't a vendor relationship. It's a local accountable owner - someone who can stand behind your compliance, bridge the gap between group capability and BMA reality, and ensure the right person is ready to act when things go wrong.
H1 2026 made one thing clear above all else: the gap between awareness and action in Bermuda's regulated businesses is still wider than it should be. The good news is that it's closable - and the firms that close it in H2 will be in a fundamentally stronger position going into 2027.
If any of this reflects challenges you're navigating in your own organisation, get in touch. We're here to help. https://www.gnosis.bm/contact