Previously the domain of business continuity programmes and disaster recovery policies, the Resilience Code takes the governance and operational requirements of business continuity to an entirely new level of compliance.

The code applies, in part, to banks and deposit companies, insurance enterprises, investment businesses and digital-asset businesses, and it addresses all operational circumstances of disruption even though the title of the Resilience Code may misleadingly suggest that outsourcing transactions are the primary focus of attention.

The BMA will require registrants to proactively adopt measures to avoid, minimise, recover from and respond to operational disruptions from all causes to enhance their ability to operate in the face of such disruptions by March 31, 2028, although banks and deposit companies must be compliant by January 1, 2027.

Bermuda is not alone in this regulatory development.

Born from the recognition that financial services are essential and critical to national interests, in July the Bank of England announced very similar operational resiliency requirements further to the work it began on this topic in 2021 with its policy paper Bank of England Policy on Operational Resilience of FMIs.

The Bank of England then published a consultation paper on operational resilience and outsourcing in 2024, which led to the issuance this year of Britain’s Insurance Operational Resilience: Prudential Authority Handbook, among other related guidance.

The BMA’s counterpart in Canada, the Superintendent of Financial Institutions, issued its first guidance on this topic in 2016, which was revised in stages from 2021 through 2024, before the publication of E-21, Operational Risk and Resilience this year.

The Resilience Code includes, in part, the following requirements for operational resilience implementation and ongoing governance:

  • The adoption, implementation and adherence to OpRes governance measures and programmes that reflect the operational principles of “resilience by design”, “operational resilience” and “continuous improvement”
  • The board of directors must approve the OpRes programme, including the determination of disruption risk tolerances
  • The nature, scale and complexity of the OpRes programme, and each registrant’s compliance with the Resilience Code, will be assessed on a proportional-risk basis to ensure they conduct business in a sound and prudent manner
  • OpRes programmes must include and document (including resource mapping): the most relevant business services to avoid harm; all personnel; all OpRes processes, technology, facilities, information and other related resources
  • Internal and external communications plans, which may include communication plans with the BMA
  • Define and establish a remediation programme for implementation and testing, with a self-assessment and “lessons learnt” improvements
  • Manage all outsourcing arrangements prudently and as operationally specified in the Resilience Code, including the board, management and committee access to relevant performance data
  • The board of directors are ultimately responsible for, and must govern, the OpRes programme and all outsourcing arrangements
  • Part VIII of the Resilience Code addresses the requirements for outsourcing agreements, which are elaborated on in the BMA’s Resilience Code guidance notes

It will be interesting to see if the pending policy directions, codes of practice and performance standards for critical infrastructure that are awaited under the Cybersecurity Act 2024 will focus as robustly on resilience, including with regard to outsourced services.

Whereas many multinational affiliates have too often documented their intercompany outsourcing transactions as mere transfer pricing arrangements, the BMA’s existing outsourcing guidance and the Resilience Code arguably places tremendous regulatory pressure on registrants to elevate the nature, scope and quality of those outsourcing agreements to the standards of arms-length commercial outsourcing agreements.

Notwithstanding the BMA’s outsourcing prescriptions, robust contractual provisions to comprehensively address outsourcing resiliency and continuity (including service-level agreements and key performance indicators) have been a material part of outsourcing transaction best practices for more than two decades.

Regardless, there are some very onerous and complex governance requirements that the BMA sets out in the Resilience Code’s 20 pages, and it is likely that most subject registrants will require the full amount of time allotted to ensure their compliance readiness.

Given the pervasive imposition of operational resiliency by financial service regulators internationally, and taking into account the steeply increasing business disruption threats faced by financial enterprises, the BMA’s prescriptions to enhance business continuity simply constitute one more reason why governance leaders must be more threat and operationally savvy than ever.

First Published in The Royal Gazette, Legally Speaking column, October 2025

Locations

Bermuda

Services

Corporate, Regulatory Advice

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Bermuda2
30 Oct 2025

Changes to beneficial ownership regime

One of the most notable innovations in the Beneficial Ownership Act 2025, which was passed last mont...

Jarion Richardson
Brad Adderley
John Wasty
Jarion Richardson, Brad Adderley, John Wasty
Appleby-Website-Employment-and-Immigration
29 Oct 2025

Changes to Department of Immigration’s Work Permit Policy Are Here

It has been over ten years since Bermuda’s Department of Immigration released a policy with respec...

Anna Markiewicz
Anna Markiewicz
Appleby-Website-Corporate-Practice
28 Oct 2025

Updates on Hong Kong’s Uncertificated Securities Market Regime from an offshore perspective

Hong Kong’s uncertificated securities market ("USM”) initiative is scheduled to take effect in 2...

Judy Lee
Kelly Tang
Judy Lee, Kelly Tang
Website-Code-Bermuda-1
16 Oct 2025

Privacy issues in new beneficial ownership regime

Bermuda has passed the Beneficial Ownership Act 2025, a landmark reform that consolidates and simpli...

Jarion Richardson
Brad Adderley
John Wasty
Jarion Richardson, Brad Adderley, John Wasty
Appleby-Website-Insurance-and-Reinsurance
1 Oct 2025

Private Cat Bonds and Casualty Sidecars Gaining Momentum in ILS Space

Following a particularly busy quarter for privately placed catastrophe bond transactions, this appea...

Brad Adderley
Brad Adderley
Technology and Innovation
25 Sep 2025

IT Enables Global Business Alignment

In Bermuda, many — if not most — of our international businesses are part of a multinational ent...

Duncan Card
Duncan Card
Appleby_preview_Bermuda_1
23 Sep 2025

Continuous Compliance: Building Confidence, Reducing Risk

Over the past decade, Bermuda businesses have faced a steady rise in regulatory and legal obligation...

Jarion Richardson
Jarion Richardson
Bermuda-1024x576-1
11 Sep 2025

A guide to selling your Bermuda home

Bermuda homeowners should protect their interests by enlisting expert advice when they decide to sel...

Neil Molyneux
Neil Molyneux
Bermuda-1024x576-1
10 Sep 2025

Discipline Now Key as Pressures on Reinsurers Mount

The reinsurance market is in a strong position after two years of profits and covering its cost of c...

Brad Adderley
Brad Adderley
Appleby-Website-Insurance-and-Reinsurance
10 Sep 2025

Education and Acceptance Fuel Wave of New Sponsors in Cat Bond Market

With the catastrophe bond market seeing eleven new sponsors enter the space so far this year, the tr...

Brad Adderley
Brad Adderley