Bermuda's insurers are operating in an environment where expectations of boards have never been higher. With a front-row view of how these pressures are reshaping governance standards across the market, Bermuda:Re+ILS asked Jenny Farrer, EVP and head of corporate governance and risk management services, and Brittany Pitcher, client risk management consultant at Artex Capital Solutions, to provide critical insight into what can help boards test the strength, agility and future-readiness of their governance frameworks.


As Bermuda's insurance sector continues to grow in sophistication and global significance, boards are finding the governance expectations placed on them are evolving just as quickly. Regulators are sharpening their focus, international bodies are setting higher standards, and the industry itself is transforming through technology, climate risk and shifting business models. Against this backdrop, directors are being asked to play a more hands-on role in ensuring their organisations are resilient, compliant and forward-looking.

This year, that context is even more important. Bermuda is preparing for the Caribbean Financial Action Task Force (CFATF) 5th Round Mutual Evaluation, a process that comes with a substantially higher bar than before. The jurisdiction has been a top performer in previous rounds, and there's strong motivation to maintain that position. At the same time, expectations in areas ranging from anti-money laundering (AML), anti-terrorist financing (ATF) and anti-proliferation financing (APF) to climate risk, cyber oversight, operational resilience and data protection have all increased. Boards need to be ready.

With that in mind, Artex's corporate governance and risk management services team has highlighted eight questions directors should be asking themselves and their management teams throughout 2026.

The 2025 National Risk Assessment (NRA), issued late last year, sets out Bermuda's jurisdiction-wide money laundering/terrorist financing risk picture. For insurers, its findings are particularly meaningful. The NRA classifies long-term (life) insurers, insurance intermediaries and managers as the "Regulated Insurance Sector", assigning this group a medium-high inherent money laundering risk rating. That rating reflects the nature of long-term products, globalised client bases and the potential for high-value policies to store or move value.

Boards should expect management to have taken a close look at these findings, not simply by reading the report, but formally assessing what parts of it apply to the insurer's operations. Policies, procedures and AML/ATF controls might need updating as a result. Even insurers sitting outside this regulated category — such as captives, reinsurers, special-purpose insurers (SPIs) and general commercial insurers — should keep an eye on developments and themes of 'best practice', as Bermuda's authorities have signalled future consideration of whether these sectors should come under the AML/ATF umbrella.

Good governance starts with the board itself. The Bermuda Monetary Authority (BMA) encourages insurers to carry out full board evaluations at least once every three years, and in practice many insurers revisit these questions more frequently, especially when business models shift. In a landscape where underwriting strategies evolve, reinsurance structures grow more complex and new technologies reshape operations, the board's skills must keep pace.

This evaluation means taking time to consider whether the board still has the right mix of expertise, actuarial knowledge, underwriting experience, cyber and technology understanding and a strong grasp of enterprise risk management (ERM). It also means revisiting director role descriptions, succession planning and conflicts-of-interest disclosures to ensure they still reflect reality.

Climate risk is no longer a disclosure box to tick; it's increasingly intertwined with solvency, strategy and risk appetite. The BMA expects commercial insurers to demonstrate how climate considerations shape underwriting, investment decisions, capital assessments and stress testing. The Commercial Insurer's Solvency Self-Assessment (CISSA) should reflect this integration clearly.

For directors, this integration means confirming not only that climate risk appears in the CISSA, but that it's actively informing decision-making. Boards should be discussing the quality of climate-related data, the assumptions behind scenario modelling and whether climate exposures align with business strategy. For property catastrophe reinsurers, this scrutiny becomes even more central due to uncertainty in catastrophe models and climate-driven volatility.

Outsourcing is deeply embedded in Bermuda's insurance sector, whether through insurance managers, managing general agents (MGAs), catastrophe modelling firms, IT providers, third-party administrators (TPAs) or other specialist partners. But as outsourcing arrangements become more sophisticated, the BMA's expectations for oversight continue to expand.

Boards should take a close look at how management oversees these relationships to understand whether due diligence on providers has been refreshed, whether contracts still protect the insurer's interests and whether data protection, cybersecurity and operational resilience are being properly addressed. Directors should also feel confident that the insurer has mapped out its critical service dependencies and has clear contingency plans if a major vendor experiences disruption.

The Personal Information Protection Act (PIPA) is another area where expectations are rising. PIPA applies whenever an insurer "uses" personal information in Bermuda, a definition broad enough to include collecting, accessing, storing, sharing or even deleting data. Even if information is stored overseas, accessing it from within Bermuda might trigger obligations.

Boards should ensure they understand whether their organisation falls within scope. Reinsurers that only handle fully anonymised or aggregated data might be exempt, but even one instance of identifiable policyholder data could bring them into scope of PIPA. Where the Act applies, insurers are required to appoint a privacy officer, establish robust privacy policies and ensure data protection is integrated across operations. Directors should confirm that PIPA compliance appears regularly on the board's agenda and receives the attention it requires.

AI is quickly becoming part of the insurance operational fabric, from underwriting and pricing tools to claims triage, capital modelling and even the preparation of board materials. With these opportunities come new responsibilities.

The BMA has already signalled that cyber governance will be a key supervisory priority in 2026, reinforcing the need for boards to understand how AI interacts with data handling, cyber controls, privacy and risk management. Insurers should be developing AI usage policies, monitoring for potential bias and ensuring sensitive commercial or personal data is used appropriately. Boards should ask the right questions and ensure that AI governance frameworks evolve as technology adoption accelerates.

A well-crafted business plan anchors strategy, risk appetite, staffing needs, reinsurance structures and capital management. But given recent market volatility, shifting interest rates and climate-related uncertainty, updating business plans and ensuring the regulator is kept updated as the business grows is paramount.

Given the current ongoing market volatility, hard/soft insurance cycles, climate trends, geopolitical risks and interest rate changes, the business plan should be reassessed at least annually. Such a review should be undertaken with a view to ensuring it continues to align with emerging risks, strategic growth areas, resource and staffing requirements, risk mitigation tools and the adoption of AI across the business.

The Insurance Code of Conduct remains one of the BMA's most important supervisory tools. Insurers are expected to maintain compliance across governance, internal controls, outsourcing oversight, risk and compliance functions and business continuity arrangements. A thorough gap analysis ensures nothing has fallen through the cracks.

This exercise becomes even more important for organisations undergoing growth, expanding into new jurisdictions or integrating new lines of business. Conducting a gap analysis not only prepares an organisation for BMA on-site inspections, it strengthens operational resilience and governance maturity across the board.

Authors

Jenny Farrer
EVP, Head of Corporate Governance & Risk Management Services, Artex Capital Solutions
Brittany Pitcher
Client Risk Management Consultant at Artex Capital Solutions