Bermuda is a leading (re)insurance jurisdiction and continues to be a global leader in innovative risk transfer solutions, including ILS, climate risk finance and insurtech. In keeping with other jurisdictions, Bermuda’s (re)insurance legal and regulatory environment continues to develop responsibly, to protect consumers while also supporting the industry and facilitating the continued development of new, inventive (re)insurance products.
As Bermuda continues to develop its legal framework to keep pace with innovation and new technologies, the regulatory landscape must also evolve. In-house legal and compliance leaders therefore have to balance these regulatory compliance requirements against the increasing pace of business that emerging technologies make possible. Within the Bermuda regulatory landscape, in-house counsel will need to pay particular attention to three areas of legal and regulatory change: data privacy and protection, cyber risk management and the enhanced supervisory regime set out under the Bermuda Insurance Code of Conduct.
1. Data privacy and protection
The Personal Information Protection Act 2016 (as amended) (‘PIPA’ or the ‘Act’) received royal assent on 27 July 2016, though only limited provisions relating to the appointment of the Privacy Commissioner (the ‘Commissioner’) and the establishment of his office have been operative to date. The Bermuda Government has indicated that PIPA may come into full force this year, which would place obligations on organisations that use personal information in Bermuda. The Commissioner was appointed in 2020 and has since participated in numerous industry meetings and panels, produced guidance and provided resources for educating organisations on their obligations under the Act.
PIPA regulates the use of personal information with the aim of protecting the rights of individuals, with a particular focus on how organisations use personal information. The legislation applies to all organisations, which includes individuals and public authorities that use personal information in Bermuda. Personal information collected and under an organisation’s control before the substantive provisions of PIPA become operative is deemed to have been collected with the consent of the relevant individual, and the organisation may continue to use that personal information for the purpose for which it was collected at the time of collection.
‘Personal information’ is defined as any information about an identified or identifiable individual. ‘Use’ in relation to personal information means carrying out any operation on personal information and includes collecting, storing, disclosing, transferring and destroying information.
Given the likelihood of the remaining provisions of PIPA becoming effective this year, in-house counsel responsible for the operations of Bermuda (re)insurers should be aware of the following obligations imposed by PIPA, which will require Bermuda (re)insurers to:
- Adopt suitable measures and policies to give effect to the obligations and to the rights of individuals set out in PIPA;
- Designate a privacy officer for the purposes of compliance with PIPA, who will have the primary responsibility for communicating with the Commissioner;
- Provide individuals with a clear and easily accessible privacy statement about its practices and policies with respect to personal information;
- Ensure there is a lawful basis for the use of personal information, which under PIPA, can include the consent of the individual where the Bermuda (re)insurer can reasonably demonstrate that the individual has knowingly consented;
- Implement appropriate safeguards to protect against the misuse, loss, unauthorised access, destruction, modification or disclosure of the personal information that the Bermuda (re)insurer uses for its business;
- Implement systems and controls to assess the level of protection provided by overseas third parties or affiliates that use personal information on the Bermuda (re)insurer’s behalf;
- Have clear mechanisms in place to respond to subject access requests within the required 30 days; and
- Ensure that the Bermuda (re)insurer uses personal information in a lawful and fair manner, for specific purposes that are relevant and not excessive and that the personal information on the customer is accurate and kept up to date.
In-house counsel can be reassured that the lawful bases for processing personal information, and the principles underpinning the data privacy and protection framework under PIPA, align with international data privacy and protection regimes. As Bermuda is an international business hub, (re)insurers established there will commonly have affiliates in other jurisdictions. In-house counsel will therefore need to manage multi-jurisdictional privacy programmes and consider the geographies of their customers, so that data privacy regimes with extra-territorial effect are met by Bermuda-registered entities, even before PIPA is operative.
2. Operational Cyber Risk Management Code of Conduct
Although often referred to as the ‘gem of the Atlantic’, Bermuda and its (re)insurers are not immune from cyberattacks or from increasing cyber security regulation. The Bermuda Monetary Authority (‘BMA’) published the Insurance Sector Operational Cyber Risk Management Code of Conduct (‘Cyber Risk Code’) on 6 October 2020.
Bermuda (re)insurers must implement a cyber-security risk management framework that is proportionate to the nature, scale and complexity of their business, and the effectiveness of a (re)insurer’s governance and risk management will be assessed on the same basis. The BMA will consider a registered (re)insurer to be conducting its business in a prudent manner, in accordance with the minimum criteria for registration, where it conducts business in accordance with the Cyber Risk Code. In applying the Cyber Risk Code, the BMA will consider its prudential objectives and the appropriateness of each requirement on a proportionate basis.
Registered insurers must implement a cyber risk framework built on the ‘three lines of defence’ model, namely operational management, risk management and audit. Roles and areas of responsibility should be segregated as far as possible to minimise opportunities for misuse, abuse of privileges and unauthorised or unintentional modification. Access to systems and data should be granted only to individuals confirmed as needing it, and an audit log of all logical access changes should be maintained. Specific processes and audit trails should exist to manage the access and transactions performed by super users and system administrators.
The Cyber Risk Code also requires Bermuda (re)insurers to establish documented policies, standards, procedures and controls for addressing and enforcing security related to mobile device usage, including ‘bring your own device’ programmes. Specifically, mobile computing services must be subject to a risk assessment and then secured with appropriate controls.
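To make the access-control and audit-trail expectations above concrete, the following is an added example, not code from the Cyber Risk Code, the BMA or this article: a small Python reviewer that runs over constructed audit-log entries and flags privileged actions that carry no change reference, role grants where the requester, approver and recipient are not three distinct people, and super-user grants that are never revoked within the log. The JSON-lines log format and its field names (event, actor, target, approver, role, ticket) are assumptions.

```python
"""Audit-trail review for privileged access changes.

Added example, not part of the BMA Cyber Risk Code or this article.
The JSON-lines log format and its field names are assumptions.
"""
import json
from dataclasses import dataclass

# Constructed sample audit log (JSON lines); every entry is made up.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:00:00Z", "event": "role.grant", "actor": "alice", "target": "bob", "role": "claims_admin", "approver": "carol", "ticket": "CHG-101"}
{"ts": "2024-03-01T09:05:00Z", "event": "role.grant", "actor": "dave", "target": "dave", "role": "db_superuser", "approver": "dave", "ticket": "CHG-102"}
{"ts": "2024-03-01T10:00:00Z", "event": "admin.query", "actor": "dave", "target": "policy_db", "detail": "DELETE FROM claims WHERE id = 42", "ticket": ""}
{"ts": "2024-03-01T10:30:00Z", "event": "role.revoke", "actor": "alice", "target": "bob", "role": "claims_admin", "approver": "carol", "ticket": "CHG-103"}
{"ts": "2024-03-01T11:00:00Z", "event": "admin.query", "actor": "erin", "target": "policy_db", "detail": "SELECT count(*) FROM claims", "ticket": "CHG-104"}
{"ts": "2024-03-01T11:30:00Z", "event": "user.login", "actor": "bob", "target": "claims_portal", "ticket": ""}
"""

PRIVILEGED_EVENTS = {"role.grant", "role.revoke", "admin.query"}
SUPERUSER_ROLES = {"db_superuser"}  # assumed name of the super-user role


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    rule: str
    detail: str


def parse_log(text):
    """Parse JSON-lines audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_entry(entry):
    """Stateless checks on a single audit entry."""
    findings = []
    if entry["event"] not in PRIVILEGED_EVENTS:
        return findings  # ordinary user activity is out of scope here

    # Rule 1: every privileged action must reference an approved change.
    if not entry.get("ticket"):
        findings.append(Finding(entry["ts"], entry["actor"], "missing-ticket",
                                f"{entry['event']} on {entry['target']} has no change reference"))

    # Rule 2: segregation of duties on access changes. The person making the
    # change, the approver and the recipient must be three different people.
    if entry["event"].startswith("role."):
        parties = {entry["actor"], entry.get("approver"), entry["target"]}
        if len(parties) < 3:
            findings.append(Finding(entry["ts"], entry["actor"], "segregation-of-duties",
                                    f"{entry['role']} for {entry['target']}: requester, approver and recipient not distinct"))
    return findings


def check_standing_privilege(entries):
    """Stateful check: super-user grants with no later revoke in the log."""
    open_grants = {}
    for e in entries:
        key = (e.get("target"), e.get("role"))
        if e["event"] == "role.grant" and e["role"] in SUPERUSER_ROLES:
            open_grants[key] = e
        elif e["event"] == "role.revoke":
            open_grants.pop(key, None)
    return [Finding(g["ts"], g["actor"], "standing-privilege",
                    f"{g['role']} granted to {g['target']} and never revoked")
            for g in open_grants.values()]


def review(text):
    """Run all checks over a JSON-lines audit log and return the findings."""
    entries = parse_log(text)
    findings = []
    for e in entries:
        findings.extend(check_entry(e))
    findings.extend(check_standing_privilege(entries))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.ts} {f.rule:<22} actor={f.actor}: {f.detail}")
```

On the constructed log this reports three findings, all against the same administrator: a self-approved super-user grant, an unticketed destructive query and a super-user role that is never revoked. The point of the stateful check is that a log of access changes is only useful if someone other than the administrator reads it and reconciles grants against revokes; the code separates that review from the administrators whose actions it covers.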
Given the increased oversight of the board and the requirement to appoint a risk owner, in-house legal counsel are having a growing influence on their organisations’ cybersecurity practices and risk management framework.
The Cyber Risk Code requires the board of directors and senior management of Bermuda (re)insurers to have oversight of cyber risks and, on an annual basis, to approve a cyber-security policy, which may be set out in a standalone policy or form part of a wider risk management framework. Registered entities must appoint a Chief Information Security Officer (the ‘CISO’) (or equivalent) who is appropriately qualified and responsible for delivering the operational cyber risk management programme. The CISO must be of sufficient seniority to facilitate the delivery of the cyber risk management framework.
The BMA’s 2022 report on the Cyber Risk Code (the ‘report’) identified, amongst other things, that email remains a commonly and successfully targeted attack vector, that poor security testing practices leave vulnerabilities undetected for attackers to exploit, that security incidents are affecting third-party service providers and that ransomware continues to be a real threat. Each of these risk areas can be linked back to the role and oversight of in-house counsel, and to the reliance placed on in-house counsel to develop and document a robust cyber-security risk management framework.
In-house counsel will play a key role in reducing entities’ exposure to the common risks identified by the BMA in the report. Often, in-house counsel will be responsible for ensuring staff receive adequate training, not only on market cyber risks but also on the registered (re)insurer’s policies and procedures and the requirements of the Cyber Risk Code. In-house counsel will be expected to conduct rigorous due diligence on third-party service providers before they are engaged and to ensure that, where a third-party service provider is engaged, it understands and agrees to adhere to the obligations placed on the (re)insurer by the Cyber Risk Code. Service contracts must not restrict the registered entity’s or the BMA’s access to information. In-house counsel will also support the CISO in communicating to the board of directors the importance of a mature cyber-risk management programme, with the goal of ensuring sufficient resources are allocated to it.
The Cyber Risk Code is on the BMA Website at https://www.bma.bm/viewPDF/documents/2020-10-06-09-27-29-InsuranceSector-Cyber-Risk-Management-Code-ofConduct.pdf
3. BMA Insurance Code of Conduct
The introduction of a revised Insurance Code of Conduct (the ‘Insurance Code’) comes with the BMA’s proposal to enhance customer protection measures for regulated financial services businesses. The amendments to the Insurance Code intend to protect customers and encourage best practices in the industry. The BMA also sought to ensure alignment with international prudential standards in areas including corporate governance, outsourcing, business continuity and disaster recovery, a substantive focus on risk management, market conduct and sustainability risk.
Some of the most material changes to the Insurance Code of which registered (re)insurers’ in-house counsel should be aware include, amongst others, the following:
- To ensure that (re)insurers have a comprehensive and integrated, forward-looking view of all material reasonably foreseeable risks that arise from the (re)insurer’s business model and interaction with the wider environment, a self-assessment must be performed at least annually and reported to the BMA, and the self-assessment framework should be developed on the basis of the proportionality principle. Material deficiencies should be reported and suitable remediation actions should be taken;
- The board must review the board membership and its committees and the composition of the (re)insurer’s chief and senior executives at least every three years and whenever there has been a material change to the business activities or risk profile of the (re)insurer. This will ensure that the board members, chief and senior executives continue to be fit and proper and possess the requisite knowledge, skills, expertise, diversity, tenure and resources on a proportionate basis;
- Each (re)insurer must ensure that the board is comprised of the necessary mix of directors to discharge its duties and must include an appropriate number of independent directors without executive responsibility for the management of the business, subject to the power of the BMA to review and require the addition of independent directors as it may deem appropriate;
- Annually, the board must establish and maintain policies and procedures that adequately address actual or potential conflicts of interest, taking into account that in certain circumstances a potential conflict of interest may preclude the involvement of individual members on particular issues or decisions;
- The Insurance Code now prescribes the material risks that must be addressed by the risk management framework of the (re)insurer, which include: insurance underwriting risk; investment, liquidity and concentration risk; market risk; credit risk; systems, cyber and operational risk; group risk; strategic risk; reputational and emerging risks; systemic risk; legal and litigation risk; and sustainability risk;
- The (re)insurer must have a documented business continuity and disaster recovery plan that addresses all of its key business processes and critical business functions. The effectiveness of the business continuity and disaster recovery plan must be tested regularly and the results recorded, and the related documents should be available to the BMA for inspection as part of the supervisory process;
- (Re)insurers must have a process to adequately capture sustainability or environmental, social and governance risk in their business plans and strategies and when establishing risk appetites;
- (Re)insurers are now required to prepare an internal audit plan to ensure assessment of governance and controls of key risk areas at an appropriate interval, taking into consideration the (re)insurer’s nature, scale and complexity. The internal audit plan must be reviewed at least annually and approved by the board of the (re)insurer;
- Prior to entering into an outsourcing relationship with an affiliate or third-party service provider, the (re)insurer must complete a risk evaluation process visible to the BMA, clearly articulating the rationale as to why the outsourcing relationship is being pursued and the benefits of the outsourcing to the (re)insurer, as well as how any risks will be mitigated. The BMA will expect (re)insurers to conduct due diligence on all proposed outsourced service providers and be able to demonstrate that the (re)insurer is monitoring all its outsourcing relationships through the use of management information, calls, meetings and visits to the service provider; and
- The sustainability risk component of the (re)insurer’s risk management framework should include a consideration of the sustainability risk in the development of policies and risk management strategies for all material risks.
Registered (re)insurers have a period of six months to become compliant with the provisions of the Insurance Code that relate to the conduct of business and a period of 12 months to become compliant with provisions and amendments of all other sections of the revised Insurance Code.
The Code is available on the BMA Website at https://www.bma.bm/viewPDF/documents/2022-08-31-12-35-41-InsuranceCode-of-Conduct–Revised-August-2022.pdf
Please do not hesitate to contact Walkers should you have any questions regarding the material set out in this article. Walkers would be happy to assist with ensuring that your current policies comply with all aspects of Bermuda law, regulation and compliance requirements.