QU OF NT AT A FE RU

BERMUDA

INSURANCE (GROUP SUPERVISION) RULES 2011

BR 76 / 2011

PART 1GROUP RESPONSIBILITIES AND GOVERNANCE

2. Interpretation

(1) In these Rules—

“Act” means the Insurance Act 1978;

“Chief Information Security Officer” or “CISO” means the senior executive, by whatever title they are called, appointed by the registrant to oversee and implement its cyber risk programme and enforce its cyber risk policies;

“compliance risk,” “investment risk,” “market risk,” “liquidity risk,”

“concentration risk,” “credit risk,” “operational risk” and “insurance underwriting risk” have the meanings given in rule 2 of the Insurance (Prudential Standards) (Insurance Group Solvency Requirements) Rules 2011;

“contract service margin” means unearned or future profits released into earnings as insurance contract obligations are fulfilled;

“cyber reporting event” means any act that results in unauthorised access to, disruption of or misuse of the electronic systems or information stored on such systems of an insurance group, including any breach of security leading to the loss, unlawful destruction or unauthorised disclosure of or access to such systems or information, where—

(a) the event has the likelihood of adversely impacting policyholders or clients of members of the insurance group;

(b) a member of the insurance group has reached a view that there is a likelihood that loss of its system availability will have an adverse impact on its policyholders or clients;

(c) a member of the insurance group has reached a view that there is a likelihood that the integrity of its information or data has been compromised or that important information has been exfiltrated (stolen), which may have an adverse impact on its policyholders or clients;

(d) a member of the insurance group has become aware that there is a likelihood that there has been unauthorised access to its information systems whereby such would have an adverse impact on its policyholders or clients; or

(e) an event has occurred for which notice is required to be provided to a regulatory body or government agency by a member of the insurance group;

“cyber risk programme” means the policies and procedures of the insurance group that establish and document the manner in which cyber risk is managed;

INSURANCE (GROUP SUPERVISION) RULES 2011

“ECR” means enhanced capital requirement and has the same meaning as in section 1(1) of the Act;

“filing date” has the meaning given in rule 25(2) of these Rules;

“financial condition report” means any financial condition report prepared in accordance with rule 30 of these Rules;

“fit and proper” has the meaning given in paragraph 1(2) of the Schedule to the Act;

“GAAP” means Generally Accepted Accounting Principles;

“IFRS” means International Financial Reporting Standards;

“information asset” means any data, device or other component of the environment that supports information-related activities;

“information security” means the preservation of an information asset’s confidentiality, integrity and availability;

“insurance reserves” means the aggregate comprising the amounts shown on line 17(d) and line 27(d) of Form 1 of Schedule 1 and the lines 17, 17A, 27 and

27A of Form 1A of Schedule 4;

“insurance technical provisions” means the aggregate of amounts shown on Lines

19 and 27C of the Group Statutory Economic Balance Sheet set out in

Schedule — XIV of the Insurance (Prudential Standards) (Insurance Group

Solvency Requirement) Rules 2011;

“significant event” means an event which in the opinion of the parent board occurred—

(a) after year-end but before the filing date of the financial condition report; and

(b) after the filing date and publication of the financial condition report, and has or will have a material impact on the information contained in the financial condition report regarding the insurance group’s operations; including but not limited to, acquisitions, divestitures, or new lines of business entered into.

(2) References in these Rules to the “parent” are references to the parent company of the group (such as the ultimate parent) that is not a subsidiary company of any other member of the group; [Rule 2 (formerly paragraph 2) amended and definition "insurance reserves" inserted by BR 92 / 2012 para. 3 effective 1 January 2013; sub-rule (1) definitions "Act", "filing date", "financial condition report",

"insurance technical provisions" and "significant event" inserted by BR 54 / 2015 rule 2 effective 1 January 2016; Rule 2 definitions "Chief Information Security Officer", "cyber reporting event", "cyber risk programme", "information asset" and "information security" inserted by BR 41 / 2022 rule 2 effective 1 January 2023; Rule 2 paragraph (1) definition "insurance reserves" amended, and definition

"contract service margin" inserted by BR 28 / 2024 para. 2 effective 25 March 2024]

INSURANCE (GROUP SUPERVISION) RULES 2011

3. General principles

(1) These Rules apply to insurance groups of which the Authority is the group supervisor.

(2) An insurance group shall establish and maintain organizational, governance and communications structures at the group level that facilitate the fulfilment of the duties of the designated insurer.

(3) A designated insurer shall facilitate and maintain compliance by the group with the Act and these Rules.

(4) Where obligations are imposed on the group, or in the event of breaches of the Act or these Rules, or otherwise to safeguard the interests of policyholders or potential policyholders of the group, the Authority may issue a direction to the designated insurer to require the group to perform the obligations or to remediate the breach.

(5) The Authority may acknowledge the existence of a variety of group structures, taking into consideration that some group structures are more or less centralized and some are managed on a business line, as opposed to being managed on the basis of a legal entity.

(6) To the extent that reference is made to responsibilities performed by the parent board under these Rules, such responsibilities may be delegated to and performed by an appropriately constituted committee of the parent board or the board of a subsidiary or affiliate of the parent company, provided that the parent board exercises oversight over and ratifies key decisions that impact materially on group operations.

(7) Responsibilities assigned to senior executives of the parent company may be delegated to and performed by appropriate senior executives of a subsidiary or affiliate of the parent company, subject to the parent company oversight and the ratification by parent company executives of key decisions that materially impact group operations.

[Rule 3 (formerly paragraph 3) amended by BR 92 / 2012 para. 4 effective 1 January 2013]

4. Corporate governance: general

(1) An insurance group must establish a group risk tolerance and appetite and group operational objectives and strategies that reflect an understanding of the structure of the group, the material risks that the structure may pose to the group and the key drivers of those risks.

(2) An insurance group must have adequate capital resources and sources of funding liquidity in light of its risk profile and operational strategy and planned changes to that strategy.

(3) An insurance group must establish and maintain a reliable and transparent group-wide financial reporting process for regulatory reporting and public disclosure and for selecting (or proposing to shareholders) an independent and objective external auditor.

INSURANCE (GROUP SUPERVISION) RULES 2011

(4) An insurance group must establish and maintain a group internal audit function that is independent of other group functions, the lines of business for which it has audit responsibilities and underwriting and financial operations.

(4A) The compensation of persons responsible for the group internal audit function must not compromise their independence, and at a minimum, the parent board or an appropriate committee thereof must establish and periodically review the compensation of the head of internal audit and establish guidelines for the compensation of other internal audit staff .

(5) An insurance group must establish and maintain group internal audit, risk management, compliance and actuarial functions that are fit for the purpose, given the nature, scale and complexity of the group.

(6) In each insurance group—

(a) senior executives, persons responsible for the internal audit, cyber risk programme, risk management, compliance and actuarial functions and the approved group statutory function holders (such as an approved actuary, loss reserve specialist) shall have the ability to communicate directly with the parent board without the need for management review or approval; and

(b) the parent board shall have direct access to senior executives, the cyber information security officer, persons responsible for the internal audit, risk management, compliance and actuarial functions and the approved group statutory function holders.

(7) The insurance group must establish and maintain an adequate business continuity plan aimed at ensuring, in the case of a business interruption event, the preservation or timely recovery of group functions, data and business activities. [Rule 4 (formerly paragraph 4) amended by BR 92 / 2012 para. 5 effective 1 January 2013; Rule 4 paragraph (6) amended by BR 41 / 2022 rule 3 effective 1 January 2023]

5. Corporate governance: responsibilities of the parent board

(1) A parent board must establish and maintain appropriate governance procedures and practices to facilitate its work in a manner that supports objective and independent judgment and decision-making.

(2) A parent board must include such number of independent directors without executive responsibility for the management of the business of the group as the board considers appropriate, subject to the power of the Authority to review and require the addition of independent directors as it may deem appropriate.

(3) The independence of a director shall be determined by reference to the rules of an appointed stock exchange as defined in the Companies Act 1981.

(4) A parent board must establish and maintain, annually, policies and procedures that address adequately actual or potential conflicts of interest.

INSURANCE (GROUP SUPERVISION) RULES 2011

(5) A parent board must establish and maintain sufficient committees to allow for the effective discharge of the parent board’s responsibilities.

(6) The members of a parent board must review the membership of the board and its committees and the composition of the chief and senior executives of the group no less frequently than every three years and upon a material change in the business activities or risk profile of the group to ensure that—

(a) the members of the board and the executives continue to be fit and proper;

(b) the members of the board and each of its committees and the members of the executive individually and collectively have the requisite knowledge, skills, expertise and resources given the nature, scale and complexity of the group’s operations; and

(c) the members of the board and its committees and the members of the executive individually and collectively remain effective in discharging the respective roles and responsibilities assigned to them.

(7) A parent board is responsible for—

(a) overseeing the implementation by the senior executives of group operational objectives and strategies in light of the group’s stated risk tolerance and appetite, group structure and material risks;

(b) overseeing the effective management of the group’s business in a sound and prudent manner with integrity and the professional skills appropriate to the nature and scale of its activities;

(ba) reviewing annually the group’s solvency self-assessment and any changes;

(c) confirming that the organizational, governance and communications structures of the group facilitate the effective execution of the group’s operational objectives and strategies, the effective exercise of the role of the designated insurer and compliance with the Act and these Rules;

(d) confirming that the communications structure of the group facilitates the effective communication of the statutory obligations of the group and its members under Bermuda law;

(e) selecting a competent chief executive who is fit and proper and has the requisite knowledge, skills, expertise and resources given the nature, scale and complexity of the group’s operations, and, with respect to that person, establishing roles and responsibilities, giving due regard to the potential for conflicts of interest, reviewing and approving cash, non-cash and incentive compensation, evaluating at least annually performance and addressing in a timely manner any deficiencies in performance; and

(f) the group’s cyber risk posture and must ensure it provides overall strategic direction, adequate oversight and challenge to the group’s

INSURANCE (GROUP SUPERVISION) RULES 2011

information security, commensurate with the size and extent of cyber threats to its information assets. [Rule 5 (formerly paragraph 5) amended by BR 92 / 2012 para. 6 effective 1 January 2013; Rule 5 paragraph (7)(f) inserted by BR 41 / 2022 rule 4 effective 1 January 2023]

6. Corporate governance: responsibilities of the chief and senior executives of the parent company

(1) The chief executive of a parent company is responsible for selecting competent senior executives, who are fit and proper and have the requisite knowledge and skills, given the nature, scale and complexity of the group’s operations, establishing their roles and responsibilities, giving due regard to the potential for conflicts of interest, reviewing and approving their cash, non-cash and incentive compensation, evaluating at least annually their performance and addressing in a timely manner any deficiencies.

(2) Senior executives of a parent company (senior executives) are responsible for staffing the internal audit, risk management, compliance and actuarial functions in a manner that provides for appropriate segregation of duties, clear reporting lines and the avoidance or management of conflicts of interest by fit and proper persons who are competent and properly trained to perform the assigned functions, and able and willing to perform those functions in an effective manner.

(3) Senior executives of a parent company are responsible for establishing systems and controls that produce complete, reliable, clear, consistent, timely and relevant reporting and management information concerning the business activities and risks to which the group is exposed.

(4) Senior executives of a parent company are responsible for—

(a) providing the parent board with timely, accurate and comprehensive reports that highlight current and prospective changes in business activities, profitability, capital and funding liquidity positions, risk profile or risk drivers;

(b) reporting promptly to the parent board any material deficiencies in the effectiveness of group functions or any decisions taken that deviate materially from the group risk tolerance, risk appetite or operational strategy;

(c) reviewing and approving all material outsourcing arrangements and for the effective performance and oversight of outsourced functions or tasks; and

(d) filing all required returns and financial statements in an accurate, complete and timely manner.

[Rule 6 (formerly paragraph 6) amended by BR 92 / 2012 para. 7 effective 1 January 2013]

7. Internal audit function

(1) The group internal audit function is responsible for—

INSURANCE (GROUP SUPERVISION) RULES 2011

(a) providing an independent and objective evaluation of the robustness of the group’s corporate governance framework, and the reliability, integrity and completeness of the design and effectiveness of the risk management function and internal controls framework, and the compliance and actuarial functions;

(b) developing minimum standards for internal audit and a risk-based internal audit plan, which is reviewed, amended as appropriate and approved by the parent board or an appropriate committee thereof at least annually; and

(c) developing recommendations for the remediation of internal or external audit deficiencies or for improvement of corporate governance, the risk management, compliance and actuarial functions and business operations and monitoring the implementation of those recommendations.

(2) The internal audit function must be headed by an appropriately qualified and experienced senior executive with direct reporting lines to the parent board or an appropriate committee thereof.

(3) The internal audit function must be staffed by persons independent of any other function, the lines of business over which the function has audit responsibilities, and underwriting and financial operations.

(4) Staff of the internal audit function shall not report to the chief financial officer or the chief actuary or persons performing equivalent roles over which the internal audit function has audit responsibility, and must have unrestricted access to all group, legal entity and business line records, including those held at third party service providers, subject to legal requirements.

[Rule 7 (formerly paragraph 7) amended by BR 92 / 2012 para. 8 effective 1 January 2013]

8. Risk management function

(1) The risk management function is responsible for developing and maintaining appropriate enterprise-wide strategies and policies for identifying, measuring, monitoring, controlling and reporting in a timely manner the group’s reasonably foreseeable material risks, including those arising from off-balance sheet and contingent exposures and relating to, at a minimum: investment/market, liquidity, concentration, credit, operational and insurance risks, taking into consideration both regulated and unregulated entities and material intra-group transactions, and reflecting the structure and interdependencies within the group.

(2) The size, scope and sophistication of the risk management function shall reflect the nature, scale and complexity of the group’s operations and the risk tolerance, risk appetite and operational strategies established by the parent board.

(3) Persons responsible for the risk management function shall assess the adequacy of group capital and liquidity in light of the risk profile associated with the group’s activities and make recommendations to the parent board regarding appropriate levels of capital and liquidity.

INSURANCE (GROUP SUPERVISION) RULES 2011

(4) The risk management function must be supported by a risk management and internal controls framework that specifies and implements appropriate written procedures and processes to execute effectively the risk management framework and identifies the persons responsible for the implementation of the framework.

(5) The risk management function must be supported by management information and reporting systems that capture data that reflect the group’s risk exposures and provide timely, accurate and meaningful reports to the parent board, other appropriate boards and committees and appropriate executives.

9. Compliance function

(1) The compliance function is responsible for identifying, measuring, monitoring, and reporting compliance risk across the insurance group and developing and implementing strategies for mitigating material compliance risks.

(2) Persons responsible for the compliance function must—

(a) establish a compliance risk management framework that is documented in the form of policies, procedures and processes, including those related to legal and ethical conduct and compliance with applicable laws, rules and standards, including contract certainty standards;

(b) establish a system of compliance monitoring and testing that is risk- based and a program for remediating any deficiencies or non-compliance with policies or procedures revealed through the compliance monitoring and testing system;

(c) have direct access to and report to the parent board on matters including—

(i) the compliance risk management framework and the resources it has available to implement that program;

(ii) key compliance risks and the strategy for mitigating those risks;

(iii) the results of compliance monitoring and testing; and

(iv) compliance deficiencies or violations and actions taken or recommended to be taken to address those deficiencies or breaches; and

(d) hold regular training for staff on the compliance risk management framework and provide a mechanism for staff to report confidentially concerns regarding compliance deficiencies or breaches. [Rule 9(1) (formerly paragraph 9(1)) revoked and replaced by BR 92 / 2012 para. 9 effective 1 January 2013]

10. Actuarial function

(1) The actuarial function is responsible for—

INSURANCE (GROUP SUPERVISION) RULES 2011

(a) assessing the appropriateness and reasonableness of methodologies and assumptions relating to obligations to policyholders;

(b) providing independent support to the risk management function in the modeling and estimation of current and potential obligations to policyholders and appropriate levels of reserves against those obligations;

(c) providing independent support to the risk management function by providing input into pricing, reserves and risk mitigation techniques including ceding reinsurance and the purchase of protection;

(d) evaluating and providing independent advice on insurance technical provisions and a comparison of estimated policyholder obligations to actual policyholder payments; and

(e) providing a written report to the parent board and other appropriate boards and committees at least annually.

(2) In evaluating insurance technical provisions, the actuarial function shall apply methodologies and procedures to assess their sufficiency, taking into consideration uncertainties of estimation and data limitations. [Rule 10 (formerly paragraph 10) revoked and replaced by BR 92 / 2012 para. 10 effective 1 January 2013; sub-rules (1) and (2) amended by BR 54 / 2015 rule 3 effective 1 January 2016]

11. Risk management and internal controls framework

(1) The risk management and internal controls framework of an insurance group must be well integrated into the group’s overall system of governance and must contain policies, procedures and processes for implementing the strategies and policies developed by the risk management function to identify, measure, monitor and control in a timely manner the material risks of the insurance group.

(2) The risk management and internal controls framework must employ robust risk-based methodologies for identifying, measuring and monitoring material risks, taking into account the probability, potential impact and time duration of risks, as well as risks that are not readily quantifiable.

(3) The measurement of material risks shall include stress and scenario analysis using extreme but plausible internal scenarios, including those prescribed by the Authority.

(4) The risk management and internal controls framework must utilize comprehensive systems for identifying and reporting the potential impact of material risks to the parent board, and other appropriate boards and committees, and the chief and senior executives. [Rule 11(1) (formerly paragraph 11(1)) revoked and replaced by BR 92 / 2012 para. 11 effective 1 January 2013]

INSURANCE (GROUP SUPERVISION) RULES 2011

12. Risk management and internal controls framework: investment/market risk component

(1) The investment/market risk component of the group’s risk management and internal controls framework must, amongst other things—

(a) give effect to the ‘prudent person’ principle in relation to the investment of assets;

(b) reflect investment objectives, strategies, policies and practices that align with the risk tolerance, risk appetite and overall group strategies and provide—

(i) clear standards for the selection and composition of the investment portfolio, expected returns, desired holding periods, exit strategies and dispositions, diversification parameters and allocation limits;

(ii) clear standards for investments in more complex or less transparent assets, markets or instruments;

(iii) procedures for conducting due diligence and approving investments;

(iv) methodologies to assess the effectiveness of asset/liability management and the management of asset-liability mismatch risk and funding and cash flow gaps;

(v) a clear statement of objectives and strategy for their use and standards governing the employment and valuation of such instruments, where hedging and derivatives instruments are used;

(vi) methodologies for the valuation of the investment portfolio in accordance with generally accepted accounting standards and policies for the review of those methodologies for consistent application;

(vii) controls to prevent the inappropriate use of the investment portfolio to manage earnings or otherwise to conceal the true financial performance of the group;

(viii) techniques, including benchmarking and stress and scenario testing, to analyse performance results, confirm whether the investment strategy would continue to meet the group’s risk tolerance and operational strategy in a stressed market, and identify current and contingent exposures arising from the execution of a planned strategy or market developments;

(ix) standards for data management of the investment portfolio and the reporting of timely, accurate and meaningful information and results to the parent board and the chief and senior executives; and

(x) techniques for assessing and monitoring regularly the adequacy of capital to support current and planned objectives and strategies.

INSURANCE (GROUP SUPERVISION) RULES 2011

(c) establish lines of authority and responsibility of senior executives for making and monitoring investments and managing risk; and

(d) establish standards for the selection, compensation and oversight of service providers including those providing custodian and investment management services.

(2) For the purposes of sub-rule (1)(a), under the ‘prudent person’ principle, the group only assumes investment risks that it can properly identify, measure, monitor and control, taking into consideration its capital needs and resources, short-term and long- term sources and uses of funding liquidity, policyholder obligations and the protection of the interests of policyholders and beneficiaries.

Risk management and internal controls framework: Liquidity risk component

13 The liquidity risk component of the group’s risk management and internal controls framework must include—

(a) sound liquidity management policies, procedures and practices covering short, medium and long-term objectives that reflect the risk tolerance and operational strategy of the group, including investment, underwriting and claims strategies;

(b) policies and procedures to manage short-term liquidity requirements, including access to sufficient funds to meet its day-to-day obligations and any intra-group funding needs;

(c) policies and procedures to manage group-wide liquidity risk exposures on a consolidated basis, where necessary recognizing legal distinctions and possible obstacles, including legal and regulatory restrictions, to the movement of cash and other liquid assets among group members;

(d) policies, procedures and practices to manage the collateral positions of members of the group and any intra-group positions or exposures;

(e) benchmarking and stress and scenario testing to assist in the identification and determination of unexpected adverse developments in the medium and long-term; and

(f) timely, accurate and meaningful reporting of the group’s liquidity position and risk exposure to the parent board and the chief and senior executives.

14. Risk management and internal controls framework: Concentration risk component

(1) The concentration risk component of the group’s risk management and internal controls framework must include policies, procedures and methodologies to identify, measure, monitor and manage concentrations of risk within or among risk types (such as credit, investment/market, underwriting or liquidity risks) or arising from concentrations of exposures to a particular geography, market segment (catastrophe risk) or type of counterparty.

INSURANCE (GROUP SUPERVISION) RULES 2011

(2) Sound and robust reporting and accounting procedures must be in place to manage intra-group transactions and risk concentrations.

(3) Concentrations that pose material risks to group solvency or liquidity must be reported in a timely, accurate and meaningful manner to the parent board, other appropriate boards and committees and the senior executives.

Risk management and internal controls framework: Credit risk component

15 The credit risk component of the group’s risk management and internal controls framework must include—

(a) a credit risk policy that is aligned with the group’s risk tolerance, risk appetite and short-term and long-term strategies, reflects the group’s key business lines and activities, and takes into consideration plans for new business lines or activities or growth in existing business lines or activities;

(b) detailed exposure limits relating to—

(i) individual counterparty or concentrations of counterparties;

(ii) material intra-group transactions;

(iii) assets or sectors;

(iv) off-balance sheet exposures, including guarantees and letters of credit;

(v) exposures to issuer-specific countries or regions that may be exposed to country-specific or regional economic or market factors, including but not limited to sovereign exposures;

(c) qualitative and quantitative assessments of both on- and off-balance sheet exposures and potential future exposures;

(d) qualitative and quantitative standards for the use of credit risk mitigation tools and techniques, including collateral and other credit enhancements;

(e) measurement techniques to assess the risk exposures and effectiveness of the credit risk mitigation tools and techniques used, including stress and scenario testing; and

(f) timely, accurate and meaningful reporting of the group’s credit risk exposure to the parent board and the chief and senior executives.

16. Risk management and internal controls framework: Operational risk component

(1) The operational risk component of the group’s risk management and internal controls framework must include procedures and processes for identifying, measuring and assessing—

INSURANCE (GROUP SUPERVISION) RULES 2011

(a) the operational risk of the group and establishing appropriate tolerance limits within the group’s overall risk tolerance, taking into consideration: business process risk, business continuity risk, compliance risk, information systems risk, distribution channels risk, fraud risk, human resources risk and outsourcing risk;

(b) the operational risk of each material product, activity, process and system and for incorporating the consideration of potential sources of operational risk in new product or business line approval reviews;

(c) the extent to which operational risk may be transferred from one member of the group to others, including but not limited to risk transfer through guarantees or the purchase or sale of protection or derivatives instruments;

(d) systems and operations exposures and for capturing and tracking systems and operations near-miss data; and

(e) risks to its information assets including those managed by related parties and third parties.

(2) Operational risk must be managed and controlled through—

(a) a system of effective internal reporting and operating controls (including IT infrastructure);

(b) measurement techniques, including stress and scenario testing, to assess the vulnerability of the group to operational risk; and

(c) annual reviews to ensure that mitigation strategies, including business resiliency and contingency plans and an early warning system, have been deployed.

[Rule 16 paragraph (1)(e) inserted by BR 41 / 2022 rule 5 effective 1 January 2023]

17. Risk management and internal controls framework: Insurance underwriting risk component

(1) The insurance underwriting component of the risk management and internal controls framework must include—

(a) underwriting strategies that reflect the risk tolerance and overall group strategy and reflect appropriate risk mitigation techniques;

(b) appropriately detailed underwriting policies that reflect those underwriting strategies and facilitate the accurate pricing of underwriting contracts and manage the risk of loss from inadequate pricing or provisioning assumptions;

(c) monitoring and measurement of exposures to policyholders and risks arising from those exposures, and stress testing and scenario analysis of those exposures and risks, to ensure that they remain within established risk tolerance levels;

INSURANCE (GROUP SUPERVISION) RULES 2011

(d) procedures for managing and processing policyholder claims and resolving disputes;

(e) policies and procedures for establishing appropriate reserves against claims to reflect current and contingent obligations to policyholders; and

(f) systems to capture, maintain and analyze underwriting and claims data.

(2) The insurance underwriting component of the risk management function must encompass risk mitigation techniques that are embedded into the underwriting policies and processes and are reflective of the group’s risk tolerance and overall strategy.

18. Group Solvency Self-Assessment

(1) An insurance group must ensure that senior management establishes written group solvency self-assessment procedures that reflect all reasonably foreseeable material risks arising from both on and off balance sheet exposures of the group and material intra-group exposures.

(2) The procedures must—

(a) be an integral part of the group’s risk management framework, forward- looking, reflect the group’s risk tolerance and overall business strategy, and link the group’s risk tolerance to exposure limits and set forth the process through which breaches of exposure limits are addressed;

(b) be documented, readily available for supervisory review, and maintained by the parent company or the designated insurer in a form readily accessible to the Authority for a period of five years; and

(c) be conducted annually or after a significant change in the business activities or risk profile of the group self-assessments on the quantity and quality of capital required to adequately cover all reasonably foreseeable material risks to which the group is exposed and to support the group’s current and planned activities.

(3) The interlinkages among the procedures and the risk management framework, risk tolerance, business strategy, and new product approval or business line process must be documented and demonstrate consideration of the relationships among risk management, the quantity and quality of capital resources, the impact of risk mitigation techniques and correlations or interdependencies among material risks.

(4) The procedures must be subject to annual review, evaluation and updating by the parent board to reflect changes in the risk management framework, risk tolerance, business strategy and lines of business or activities of the group, as well as changes in market conditions.

(5) The procedures must include appropriate stress and scenario testing measures to determine the group’s ability to manage its business with appropriate levels of capital under conditions of severe but plausible stress and contingency plans to restore capital to adequate levels after an adverse event.

INSURANCE (GROUP SUPERVISION) RULES 2011

(6) The self-assessment procedures must contain a clear process and timeline for addressing any deficiencies in the quantity or quality of capital.

[Rule 18(4) (formerly paragraph 18(4)) amended by BR 92 / 2012 para. 12 effective 1 January 2013]

19. Minimum margin of solvency

(1) An insurance group must ensure that the value of the insurance group’s total statutory economic capital and surplus, calculated in accordance with Schedule XIV of the Insurance (Prudential Standards) (Insurance Group Solvency Requirement) Rules 2011, exceeds the aggregate of—

(a) the aggregate minimum margin of solvency (MSM) of each qualifying member of the group controlled by the parent company; and

(b) the parent company’s percentage shareholding in the member multiplied by the member’s MSM, where the parent company exercises significant influence over a member of the group but does not control the member.

(2) [Revoked by BR 92 / 2012 para. 13]

(3) A member is a qualifying member of a group if it is subject to solvency requirements in the jurisdiction in which it is registered.

(4) In determining whether the parent company controls or exercises significant influence over a member of the group, GAAP as applied in the United States of America, the United Kingdom or Canada or IFRS, as applicable, shall apply. [Rule 19 (formerly paragraph 19) amended by BR 92 / 2012 para. 13 effective 1 January 2013; sub- rule (1) amended by BR 54 / 2015 rule 4 effective 1 January 2016]

20. Group Enhanced Capital Requirement

(1) The insurance group must ensure that the group holds eligible capital equal to or exceeding the greater of the MSM calculated under rule 19 of these Rules and the group enhanced capital requirement (group ECR) calculated according to the requirements of this rule and the Insurance (Prudential Standards) (Insurance Group Solvency Requirement) Rules 2011 (or any subsequent amendments to or restatements of such Rules).

(2) In determining whether an insurance group is holding eligible capital in accordance with sub-rule (1), the insurance group shall apply the following requirements—

(a) non-admitted assets are deducted;

(b) the discounted expected value of contingent and off-balance sheet obligations are reflected as a liability;

(c) amounts that reflect the double or multiple gearing of capital or the intra-group creation of capital through reciprocal financing are deducted;

(d) holdings in regulated non-insurance financial entities are reflected by including in the group ECR the proportionate share of regulatory capital

INSURANCE (GROUP SUPERVISION) RULES 2011

calculated using the solvency rules applicable to those entities and without regard to any diversification benefit.

(3) The Authority may require additional capital to mitigate the risks arising from intra-group transactions and the lack of transferability of capital within the group.

(4) A group may apply to the Authority for approval to use an internal model to calculate the group ECR based on a robustly modeled assessment of the risks posed by such exposures or based on a modified aggregation approach under which the capital requirements for each company in an approved jurisdiction would be aggregated in determining the group ECR, and in accordance with the Insurance (Prudential Standards) (Insurance Group Solvency Requirement) Rules 2011.

[Rule 20(2) amended by BR 92 / 2012 rule 14 effective 1 January 2014]

PART 2ELIGIBLE CAPITAL

21. Interpretation

(1) In this part-–

“capital instruments” means a financial instrument that qualifies to be admitted for the purposes of determining a group’s total statutory capital and surplus calculated in accordance with Schedule 1 or is otherwise approved by the Authority as other fixed capital for the purpose of determining a group’s statutory capital and surplus in accordance with Schedule 1;

“encumbered assets” means assets held for security or as collateral against a liability or contingent liability of the group or other person or any other use restriction, excluding encumbered assets for policyholder obligations of the group;

“encumbered assets for policyholder obligations” means the total assets held for security or as collateral or otherwise restricted to meet the liabilities to the policyholders of the group in the event of a loss ;

“maturity” means the first contractual opportunity for the insurer to repay or redeem the capital instrument without the Authority’s approval, unless it is mandatory that the insurer repay or redeem the instrument with the issuance of an instrument of equal or higher quality;

“minimum margin of solvency” has the meaning given in rule 19;

“maturity” means the first contractual opportunity for the insurer to repay or redeem the capital instrument without the Authority’s approval, unless it is mandatory that the insurer repay or redeem the instrument with the issuance of an instrument of equal or higher quality;

“maturity” means the first contractual opportunity for the insurer to repay or redeem the capital instrument without the Authority’s approval, unless it is

INSURANCE (GROUP SUPERVISION) RULES 2011

mandatory that the insurer repay or redeem the instrument with the issuance of an instrument of equal or higher quality;

“maturity” means the first contractual opportunity for the insurer to repay or redeem the capital instrument without the Authority’s approval, unless it is mandatory that the insurer repay or redeem the instrument with the issuance of an instrument of equal or higher quality;

“Tier 1-ancillary capital”, in relation to an insurer’s available statutory capital and surplus, has the meaning given in sub-rule (2);

“Tier 1-basic capital”, in relation to a group’s available statutory capital and surplus, has the meaning given in sub-rule (3);

“Tier 2–ancillary capital”, in relation to a group’s available statutory capital and surplus, has the meaning given in sub-rule (4);

“Tier 2–basic capital”, in relation to a group’s available statutory capital and surplus, has the meaning given in sub-rule (5);

“Tier 1-capital” means the aggregate sum of “Tier 1–basic capital” and “Tier 1– ancillary capital”;

“Tier 2-capital” means the aggregate sum of “Tier 2–basic capital” and “Tier 2– ancillary capital”;

“Tier 3-capital” means the aggregate sum of “Tier 3–basic capital” and “Tier 3– ancillary capital”;

“Tier 3-ancillary capital” has the meaning given in sub-rule (6);

“Tier 3-basic capital” has the meaning given in sub-rule (7);

“Total statutory capital and surplus” means the total statutory capital and surplus of the group as calculated in accordance with Schedule 1.

(2) “Tier 1-ancillary capital” shall comprise the following—

(a) capital instruments approved by the Authority as other fixed capital pursuant to Line 1(c) of Form 8 of Schedule 1 and Line 1(c) of Form 8A of

Schedule 4, Group Statutory Statement of Capital and Surplus that satisfy the following—

(i) capable of absorbing losses in a going concern either by way of—

(A) write downs of the principal amount or until losses cease; or

(B) mandatory conversion to common stock when losses accumulate; and

(ii) highest level of subordination in a winding-up; and

(iii) paid-up; and

(iv) undated or actual maturity of not less than 10 years from the date of issuance; and

INSURANCE (GROUP SUPERVISION) RULES 2011

(v) non-redeemable or settled only with the issuance of an instrument of equal or higher quality; and

(vi) free of incentives to redeem; and

(vii) the coupon payment on the instrument, upon breach (or if it would cause a breach) in the ECR, is—

(A) cancellable; or

(B) deferrable indefinitely; and

(viii) unencumbered; and

(ix) do not contain terms or conditions designed to accelerate or induce a member of the group’s insolvency; and

(x) do not give rise to a right of set-off against a group’s claims and obligations to an investor or creditor; and

(b) excludes capital instruments that are included in Tier 1 – basic capital, Tier 2 – basic capital, Tier 2–ancillary capital, Tier 3–basic capital, and Tier 3–ancillary capital.

(3) “Tier 1-basic capital” shall comprise the following—

(a) statutory economic surplus as set out under Line 40 of the Group Economic Balance Sheet of Schedule XIV of the Insurance (Prudential Standards) (Insurance Group Solvency Requirement) Rules 2011, less Line 1(d) of Form 8 of Schedule 1 and Line 1(d) of Form 8A of Schedule 4, Group Statutory Statement of Capital and Surplus subject to the following—

(i) plus any adjustments to a group’s total statutory capital and surplus made by the Authority in accordance with the provisions of section

6D of the Act, or in accordance with Rules made under section 6A of the Act;

(ii) where the value of encumbered assets for policyholder obligations exceeds the sum of (A), (B) and (C), and to the extent to which there are encumbered assets for policyholder obligations which would not be available to meet the obligations of any policyholder in a going concern, less the aggregate difference between the value of the encumbered assets for policyholder obligations of each insurer that is a member of the group and the sum of—

(A) the value of the policyholder obligations of that insurer for which the assets have been held which will be either—

1 the value calculated in accordance with the sum total of Lines 16(a), 17(a) and 27(a), of the Group Statutory Economic Balance Sheet as set out in Schedule XIV of the Insurance (Prudential Standards) (Insurance Group Solvency Requirement) Rules 2011in relation to that insurer; or

INSURANCE (GROUP SUPERVISION) RULES 2011

2 where applicable, the value of the ceding insurer’s reserves if the ceding insurer is subject to statutory reserving requirements that are in excess of the Bermuda statutory reserve requirement and the group has been required to post collateral to meet the ceding insurer’s reserves and;

(B) the value of the capital requirement applicable to the encumbered assets for policyholder obligations of that insurer; and

(C) the value of the capital requirement applicable to the policyholder obligations referred to under clause (A) above; and

(iii) where the value of the encumbered assets exceeds the value reflected in Group Statutory Economic Balance Sheet set out under Schedule XIV of the Insurance (Prudential Standards) (Insurance Group Solvency Requirement) Rules 2011 arising from the relative liability or contingent liability for which the encumbered assets are held, the excess must be deducted; and

(iv) where assets are not transferable among members of the group, less the aggregate amount of such assets in excess of the capital requirement applicable to each member owning those assets provided such amount has not already been deducted in sub-paragraphs (ii) and (iii);

(v) where the group has pledged assets solely for risk management purposes such encumbered assets must not be deducted;

(b) capital stock and contributed surplus prepared in accordance with instructions set out for Lines 1(a)(i) and 1(b) of Form 8 of Schedule 1 and Lines 1(a)(i) and 1(b) of Form 8A of Schedule 4, Group Statutory Statement of Capital and Surplus excluding preference shares;

(c) capital instruments not requiring an approval from the Authority to be admitted for the purposes of determining a group’s total statutory capital and surplus calculated pursuant to Line 1(a)(ii) of Form 8 of Schedule 1 and Line 1(a)(ii) of Form 8A of Schedule 4, Group Statutory Statement of Capital and Surplus that satisfy the following—

(i) capable of absorbing losses in a going concern; and

(A) [revoked]

(B) [revoked]

(ii) highest level of subordination in a winding-up; and

(iii) paid-up; and

(iv) undated or actual maturity of not less than 10 years from the date of issuance; and

INSURANCE (GROUP SUPERVISION) RULES 2011

(v) non-redeemable or settled only with the issuance of an instrument of equal or higher quality; and

(vi) free of incentives to redeem; and

(vii) the coupon payment on the instrument, upon breach (or if it would cause a breach) in the ECR, is—

(A) cancellable; or

(B) deferrable indefinitely; and

(viii) unencumbered; and

(ix) do not contain terms or conditions designed to accelerate or induce a member of the group’s insolvency; and

(x) do not give rise to a right of set-off against a group’s claims and obligations to an investor or creditor; and

(d) excludes capital instruments and other amounts that are included in Tier 1–ancillary capital, Tier 2–basic capital, Tier 2–ancillary capital, Tier 3–basic capital, and Tier 3–ancillary capital.

(4) “Tier 2–ancillary capital” shall comprise the following—

(a) capital instruments approved by the Authority as other fixed capital pursuant to Line 1(c) of Form 8 of Schedule 1 and Line 1(c) of Form 8A of

Schedule 4, Group Statutory Statement of Capital and Surplus that would otherwise qualify for Tier 1-ancillary capital or Tier 1-basic capital instruments but are callable on demand and are unpaid;

(b) capital instruments approved by the Authority as other fixed capital pursuant to Schedule 1 that satisfy the following—

(i) [revoked]

(ii) subordinated to policyholder obligations in a winding-up; and

(iii) undated or actual maturity of not less than five years from the date of issuance; and

(iv) non-redeemable if ECR is breached or settled only with the issuance of an instrument of equal or higher quality; and

(v) free of incentives to redeem; and

(vi) the coupon payment is deferrable indefinitely when ECR is breached; and

(vii) unencumbered; and

(viii) do not contain terms or conditions designed to accelerate or induce a member of the group’s insolvency; and

INSURANCE (GROUP SUPERVISION) RULES 2011

(ix) do not give rise to a right of set-off against a group’s claims and obligations to an investor or creditor; and

(c) excludes capital instruments that are included in Tier 1-ancillary capital, Tier 1-basic capital, Tier 2–basic capital, Tier 3–basic capital, and Tier 3– ancillary capital.

(5) “Tier 2–basic capital” shall comprise the following—

(a) capital instruments not requiring an approval from the Authority to be admitted for the purposes of determining a group’s total statutory capital and surplus calculated pursuant to Line 1(a)(ii) of Form 8 of Schedule 1 and Line 1(a)(ii) of Form 8A of Schedule 4, Group Statutory Statement of Capital and Surplus that satisfy the following—

(i) capable of absorbing moderate level of losses on a going concern, including suspending coupon payments if the ECR is breached; and

(ii) subordinated to policyholder obligations in a winding-up; and

(iii) undated or actual maturity of not less than five years from the date of issuance; and

(iv) non-redeemable if the ECR is breached or settled only with the issuance of an instrument of equal or higher quality; and

(v) free of incentives to redeem; and

(vi) the coupon payment is deferrable indefinitely when ECR is breached; and

(vii) unencumbered; and

(viii) do not contain terms or conditions designed to accelerate or induce a member of the group’s insolvency; and

(ix) do not give rise to a right of set-off against a group’s claims and obligations to an investor or creditor;

(b) the value deducted pursuant to sub-rule (3)(a)(ii);

(c) excludes capital instruments and other amounts that are included as Tier 1- ancillary capital, Tier 1 - basic capital, Tier 2 – ancillary capital, Tier 3 – basic capital, and Tier 3 – ancillary capital.

(6) “Tier 3-ancillary capital” shall comprise the following—

(a) capital instruments approved by the Authority as other fixed capital pursuant to Line 1(c) of Form 8 of Schedule 1 and Line 1(c) of Form 8A of

Schedule 4, Group Statutory Statement of Capital and Surplus that satisfy the following—

(i) subordinated to policyholder obligations in a winding-up; and

(ii) unencumbered; and

INSURANCE (GROUP SUPERVISION) RULES 2011

(iii) undated or maturity of not less than 3 years from the date of issuance; and

(iv) do not contain terms or conditions designed to accelerate or induce a member of the group’s insolvency; and

(v) do not give rise to a right of set off against a group’s claims and obligations to the investor or creditor; and

(vi) non-redeemable if the ECR is breached or settled only with the issuance of an instrument of equal or higher quality; and

(vii) [revoked by BR 92 / 2012 para. 15]

(b) excludes capital instruments that are included in Tier 1- ancillary capital, Tier 1-basic capital, Tier 2–ancillary capital, Tier 2–basic capital, and Tier 3–basic capital.

(7) “Tier 3 - basic capital” shall comprise the following—

(a) capital instruments not requiring an approval to be admitted in determining a group’s total statutory capital and surplus calculated pursuant to Line 1(a)(ii) of Form 8 of Schedule 1 and Line 1(a)(ii) of Form

8A of Schedule 4, Group Statutory Statement of Capital and Surplus that satisfy the following—

(i) subordinated to policyholder obligations in a winding-up; and

(ii) unencumbered; and

(iii) undated or maturity of not less than 3 years from the date of issuance ; and

(iv) non-redeemable if the ECR is breached or settled only with the issuance of an instrument of equal or higher quality; and

(v) do not contain terms or conditions designed to accelerate or induce a member of the group’s insolvency; and

(vi) do not give rise to a right of set off against a group’s claims and obligations to the investor or creditor; and

(vii) [revoked by BR 92 / 2012 para. 15]

(b) excludes capital instruments and other amounts that are included in Tier 1-ancillary capital, Tier 1-basic capital, Tier 2–ancillary capital, Tier 2–basic capital, and Tier 3–ancillary capital.

(8) For the purposes of these Rules, “the capital requirement applicable to the encumbered assets for policyholder obligations and the capital requirement applicable to the policyholder obligations” means the following—

(a) when determining whether a group’s available statutory capital and surplus meets its minimum margin of solvency, such capital requirement is equal to the contribution of the pledged assets and the policyholder

INSURANCE (GROUP SUPERVISION) RULES 2011

obligations to the ECR multiplied by the quotient of the minimum margin of solvency divided by the ECR; and

(b) when determining whether a group’s available statutory capital and surplus meets its ECR, such capital requirement is the contribution of the pledged assets and the policyholder obligations to the ECR.

(9) For the purposes of these Rules, Tier 1-capital, Tier 2-capital and Tier 3- capital that meet the requirements of sub-rules (2) through (7), as applicable, but for the requirement that the instrument be non-redeemable or settled only with the issuance of an instrument of equal or higher quality upon breach (or if it would cause a breach) in the ECR, may continue to be included in Tier 1-capital, Tier 2-capital or Tier 3-capital, as applicable, until January 1, 2026.

(10) For the purposes of these Rules, Tier-1 capital and Tier-2 capital that meet the requirements of sub-rules (2) through (7), as applicable, but for the requirement that the coupon payment on the instrument would be cancellable or deferrable indefinitely upon breach (or if it would cause a breach) in the ECR, may continue to be included in Tier-1 capital or Tier-2 capital, as applicable, until January 1, 2026. [Rule 21 (formerly paragraph 21) amended by BR 92 / 2012 para. 15 effective 1 January 2013; sub- rules (3)(a), (3)(c)(i) and (8) amended by BR 115 / 2013 rule 2 effective 1 January 2014; amended by BR 54 / 2015 rule 5 effective 1 January 2016; amended by BR 74 / 2016 rule 2 effective 1 January 2017; sub-rule (4)(b)(i) amended by BR 119 / 2016 rule 2 effective 31 March 2017; Rule 21 amended by BR 28 / 2024 para. 3 effective 25 March 2024]

22. Available Statutory Economic Capital and Surplus

(1) Every insurance group shall, in accordance with sub-rule (2), maintain available statutory economic capital and surplus of an amount that is equal to or exceeds the value of its minimum margin of solvency.

(2) For the purposes of sub-rule (1), the available statutory economic capital and surplus is an amount equal to the sum of the following amounts—

(a) an amount of the group’s Tier 1-capital which must not be less than 80% of the value of the group’s minimum margin of solvency; and

(b) an amount of the group’s Tier 2-capital which must not be more than 25% of the amount of paragraph (a).

(3) Every group shall maintain available statutory economic capital and surplus of an amount that is equal to or exceeds the value of its ECR in accordance with sub-rule

(4).

(4) In the case of a group, the available statutory economic capital and surplus shall be equal to the sum of the following amounts—

(a) an amount of the group’s Tier 1-capital which shall be not less than 60% of the value of the group’s ECR;

(b) an amount of the group’s Tier 2–capital which shall not be more than

66.67% of the amount of paragraph (a); and

INSURANCE (GROUP SUPERVISION) RULES 2011

(c) an amount of the group’s Tier 3-capital which shall not be more than

17.65% of the aggregate sum of paragraphs (a) and (b) to the extent that the aggregate sum of paragraphs (b) and (c) do not exceed 66.67% of the amount of paragraph (a).

[Rule 22 amended by BR 54 / 2015 rule 6 effective 1 January 2016]

Assessment of the financial situation of the insurance group

23. Group financial statements

(1) Every insurance group must prepare in each financial year consolidated financial statements (including notes to the financial statements) of the parent company of the group in accordance with sub-rule (3) (“group financial statements”).

(2) Such financial statements must be prepared in accordance with any one of the following standards or principles—

(a) International Financial Reporting Standards (“IFRS”);

(b) Generally Accepted Accounting Principles (“GAAP”) that apply in Canada, the United Kingdom or the United States of America; or

(c) such other GAAP or international standards as the Authority may recognise.

(3) The group financial statements of an insurance group must be audited annually by the group’s approved auditor and an auditor’s report prepared by the group’s approved auditor in accordance with generally accepted auditing standards (“GAAS”) for Canada, the United Kingdom, the United States of America or such GAAS as the Authority may recognise.

(4) Group financial statements must be prepared in the English language.

(5) All amounts shown in a group financial statement must be shown in a single currency, and that currency must be the currency in which the books and records of the group are kept in the designated insurer’s principal office in Bermuda or, where different books and records are kept in different currencies in that office, then the currency in which the majority of those books and records are kept.

(6) Where the Authority, pursuant to the power provided by this rule, directs the production of group financial statements, and the amounts in those statements are shown in a foreign currency, then those amounts must be converted into their Bermuda equivalent before the statements are so produced.

(7) For the purposes of sub-rule (6), the Bermuda equivalent of an amount in a foreign currency is the Bermuda dollar equivalent of that amount as converted into Bermudian dollars at the rate of exchange used by any licensed bank in Bermuda in relation to purchases by that bank of that foreign currency on the last day of the group’s financial year, provided that the rate of exchange of one U.S. dollar will be deemed to be one Bermuda dollar.

INSURANCE (GROUP SUPERVISION) RULES 2011

(8) For all items shown in any account of any group there must be shown the corresponding amounts for the immediately preceding financial year.

(9) A designated insurer must within five months after the end of the financial year or such longer period, not exceeding eight months, as the Authority may allow after the end of each financial year, file with the Authority audited group financial statements in respect of the business of the group of which it is a member and the auditor's report.

(10) The Authority must publish in such manner as it considers appropriate a copy of every audited financial statement filed with it under sub-rule (9) together with the notes to those statements and the auditor’s report.

(11) Group financial statements shall be accompanied by an unaudited statement for public disclosure with respect to the group’s compliance with the MSM and ECR.

[Rule 23 (formerly paragraph 23) amended by BR 92 / 2012 para. 16 effective 1 January 2013]

Supervisory reporting and disclosures

24. Statutory financial statements

(1) Every insurance group must prepare in each year financial statements (including notes to the financial statements) of the parent company of the group in accordance with sub-rule (2) (“statutory financial statements’).

(2) The statutory financial statements must be prepared by—

(a) completing forms 1, 2 and 8 of Schedule 1 or forms 1A, 2A and 8A of

Schedule 4 for insurers that report using IFRS; and

(b) populating the line items therein with the corresponding Bermuda- equivalent values of the line items in the group financial statements for the corresponding financial year taking into account the applicable instructions in forms 1, 2, 8, 1A, 2A and 8A.

(3) For the purposes of sub-rule (2), the Bermuda equivalent of an amount in a foreign currency is the Bermuda dollar equivalent of that amount as converted into Bermudian dollars at the rate of exchange used by any licensed bank in Bermuda in relation to purchases by that bank of that foreign currency on the last day of the group’s financial year, provided that the rate of exchange of one U.S. dollar will be deemed to be one Bermuda dollar.

(4) A designated insurer must file with the Authority statutory financial statements prepared in accordance with sub-rule (2) in every financial year within five months after the end of the financial year or such longer period, not exceeding eight months as the Authority may allow.

[Rule 24 paragraph (2) revoked and substituted by BR 28 / 2024 para. 4 effective 25 March 2024]

25. Group Statutory financial return

(1) An insurance group must prepare an annual financial return in accordance with this rule (“statutory financial return”).

INSURANCE (GROUP SUPERVISION) RULES 2011

(2) A designated insurer must submit a group statutory financial return in respect of the insurance group of which it is a member for each financial year within five months after the end of the financial year or such longer period not exceeding eight months as the Authority may allow (“filing date”).

(3) The group statutory financial return must consist of the following documents—

(a) a cover sheet as prescribed in schedule 2;

(b) an insurance group business solvency certificate as prescribed in

schedule 2 — ;

(c) [deleted]

(d) particulars of ceded reinsurance comprising of the top ten unaffiliated reinsurers for which the group has the highest recoverable balances and any reinsurer with recoverable balances exceeding 15% of the insurance group’s statutory capital and surplus as prescribed in schedule 2;

(e) any adjustments applied to the group financial statements by the group to produce the statutory financial statements in the form of a reconciliation of amounts reported as total assets, total liabilities, net income and total statutory capital and surplus; and

(f) a list of non-insurance financial regulated entities owned by the group;

(g) particulars of qualifying members within the meaning of rule 19(3) as set out in sub-rule (4).

(4) The particulars of qualifying members within the meaning of rule 19(3) are—

(a) the name of the registered entity;

(b) the name of the jurisdiction in which the entity is registered;

(c) the minimum margin of solvency for each registered entity;

(d) the group’s participation interest (percentage) of each registered entity; and

(e) the member’s minimum margin of solvency that is taken into account in calculating the group’s minimum margin of solvency pursuant to rule 19.

(5) Schedule 2 which prescribes the form and content of the cover sheet, the insurance group business solvency certificate, the schedule of ceded reinsurance to unaffiliated reinsurers, has effect. [Rule 25(5) (formerly paragraph 25(5)) amended by BR 92 / 2012 para. 17 effective 1 January 2013; sub-rules (3)(c) and (5) amended by BR 54 / 2015 rule 7 effective 1 January 2016]

26. Requirements relating to preparation of returns generally

(1) Every statutory financial return and any document annexed to such a return must be prepared in the English language.

INSURANCE (GROUP SUPERVISION) RULES 2011

(2) All amounts which are shown in any such return or document must be shown in the currency in which, pursuant to rule 23(6), amounts in any account of a group are to be shown; but the Bermuda equivalent of every such amount must be stated next to that amount in every case where that amount is an amount expressed in a foreign currency (in this rule called a "foreign currency amount").

(3) For the purposes of sub-rule (2), the Bermuda equivalent of a foreign currency amount shall be the Bermuda dollar equivalent of that foreign currency amount as converted into Bermuda dollars at the rate of exchange used by any licensed bank in Bermuda in relation to purchases by that bank of that foreign currency on the last day of the relevant year, provided that the rate of exchange of one U.S. dollar will be deemed to be one Bermuda dollar; and the person preparing the return or document in question shall state that rate either in the return or document itself or in some other document made available to the Authority.

Opinion of group actuary

27 The capital and solvency return required in accordance with the Insurance (Prudential Standards) (Insurance Group Solvency Requirement) Rules 2011 shall include an annual opinion of the group actuary in accordance with the requirements of Schedule XV of those Rules. [Rule 27 (formerly paragraph 27) amended by BR 92 / 2012 para. 18 effective 1 January 2013; revoked and replaced by BR 54 / 2015 rule 8 effective 1 January 2016]

Requirement to keep records in Bermuda

28 Every designated insurer must keep a copy of the insurance group’s financial statements (together with the notes to those statements and the auditor’s report thereon), statutory financial statements and the statutory financial return at its principal office for a period of five years.

General provisions to ensure compliance

29. Designated insurer to report certain events

(1) A designated insurer must forthwith notify the Authority, in such manner as it may direct—

(a) on the designated insurer reaching a view that there is a likelihood of the insurance group or any member of the group of which it is a member becoming insolvent (i.e. breaching a regulatory capital requirement applicable to the insurance group or any member); or

(b) if it knows or has reason to believe, that an event to which this rule applies (as provided in sub-rule (3)) has occurred.

(2) Within 30 days of such notification, the designated insurer must furnish the Authority with a report in writing setting out all the particulars of the case that are available to it.

(3) This rule applies to the following events—

INSURANCE (GROUP SUPERVISION) RULES 2011

(a) failure by the insurance group or any member of the group to comply substantially with a requirement imposed upon it by or under these Rules or the Act or any rules or regulations made thereunder, including requirements relating to its solvency position, governance and risk management, or supervisory reporting and disclosures;

(b) failure by the designated insurer, to comply or to facilitate compliance by the group to enable the designated insurer to comply with a direction given to the designated insurer in respect of the group or any of its members under Sections 6C and 32A of the Act or under rule 3(4) of these Rules;

(c) conviction of a criminal offence by any member of the group whether in Bermuda or abroad;

(d) material breaches of any statutory requirements by any member of the group located outside of Bermuda that could lead to supervisory or enforcement action by a competent authority;

(e) a significant loss that is reasonably likely to cause the insurance group to be unable to comply with the enhanced capital requirement applicable to it.

(4) Within 45 days of notifying the Authority of an event referred to in sub-rule

(3)(e), the designated insurer must furnish the Authority with—

(a) a capital and solvency return that reflects an enhanced capital requirement that has been prepared using post-loss data;

(b) unaudited interim statutory financial statements in relation to such period as the Authority may require, together with a declaration of solvency in respect of those statements.

(5) A designated insurer must notify the Authority in writing within 14 days of becoming aware that a requirement of these Rules conflicts with the laws of another jurisdiction where a member of the insurance group operates.

[Rule 29 (formerly paragraph 29) amended by BR 92 / 2012 para. 19 effective 1 January 2013]

29A. Cyber risk programme

(1) Every insurance group shall implement a cyber risk programme to ensure the information security of its information assets.

(2) The cyber risk programme shall be evidenced by such policies and documentation as the insurance group deems appropriate, and shall reflect the nature, scale and complexity of the group’s business, systems and operations.

[Rule 29A inserted by BR 41 / 2022 rule 6 effective 1 January 2023]

29B. Cyber event reporting

(1) Every insurance group that comes into the knowledge of, or where it has reason to believe that, a cyber reporting event resulting in significant adverse impact to

INSURANCE (GROUP SUPERVISION) RULES 2011

the insurance group’s operations, policyholders or clients has occurred, shall within 72 hours from the time that there is either a determination or a confirmation of such event (whichever is sooner), notify the Authority in such manner as the Authority may direct.

(2) Within 14 days of such notification, the insurance group shall furnish the Authority with a report in writing, setting out all the known pertinent particulars of the case that are available to it, and if the root cause has not been confirmed, then the report must still be submitted detailing the information known to date.

(3) If the report in paragraph (2) does not include all the details due to event complexity and ongoing investigation, a full report containing root cause analysis should be submitted promptly once it is concluded.

(4) The report shall either be submitted by the designated insurer to the Authority or, where similar reporting requirements have been completed at local jurisdiction level for a member of the group, a copy of such report shall be furnished to the Authority.

(5) Where a notification is made to the Authority, but a copy of the local jurisdiction report referred to above is not furnished to the Authority, the Authority in its capacity as the group supervisor will seek to engage with and obtain the report or its particulars from the local jurisdiction regulator as part of the college of supervisors exchange of information.

[Rule 29B inserted by BR 41 / 2022 rule 6 effective 1 January 2023]

30. Financial Condition Report

(1) Schedule 3 has effect.

(2) An insurance group shall prepare a financial condition report in accordance with Schedule 3, in connection with public disclosure requirements under rule 4(3).

(3) A financial condition report shall be comprised of an electronic version and a printed version of the financial condition report and shall be filed by the designated insurer of the insurance group with the Authority on or before the filing date.

(4) An insurance group with a website shall publish on its website a copy of the financial condition report within 14 days of the date the report was filed with the Authority.

(5) An insurance group that does not have a website must furnish to the public a copy of a financial condition report within 10 days of receipt of a request made in writing.

(6) The designated insurer of an insurance group shall keep copies of the financial condition report at its head office for a period of five years beginning with the filing date.

(7) In considering an application under section 27F of the Act to modify, or exempt an insurance group from, any requirements of these Rules, the Authority may take into account whether—

INSURANCE (GROUP SUPERVISION) RULES 2011

(a) the Authority is satisfied that the disclosure of certain information will result in a competitive disadvantage for an insurance group;

(b) there are contractual obligations between the insurance group and any policyholder or counterparty to keep certain information confidential;

(c) such disclosures may be prohibited by a jurisdiction’s law or may breach a direction issued by the Authority or any other relevant overseas authority; and

(d) there are other statutory public disclosure requirements imposed on an insurance group under the Act and the Authority is satisfied that references may be made to the requirements under this rule, where such disclosures provide similar information to that required in the financial condition report.

(7A) When considering situations for an exemption under paragraph (7)(a) or (b), the Authority shall not grant an application of a designated insurer for an exemption from the requirement to provide particulars relating to paragraph (e) (capital management) of the financial condition report of an insurance group required in accordance with Schedule 3.

(8) Where approval has been granted by the Authority for a modification or exemption in accordance with the Act; the financial condition report may state that the Authority has provided such approval. [Rule 30 inserted by BR 54 / 2015 rule 9 effective 1 January 2016; paragraph (7A) inserted by BR

42 / 2016 rule 2 effective 13 May 2016]

31. Subsequent Event

(1) Where a significant event occurs on or before an insurance group’s filing date, the insurance group shall prepare a report on the event at the time of filing its financial condition report under rule 30 as part of the financial condition report under Schedule 3, heading “Subsequent Event”.

(2) Where a significant event occurs after an insurance group’s filing date, an insurance group shall prepare for the Authority a report on the event within 14 days of the occurrence of such event; which shall be filed with the Authority by the designated insurer of the insurance group.

(3) An insurance group with a website shall publish on such website, a report on a significant event occurring after the filing date within 30 days of the date of submission of the report to the Authority, or by such other date agreed by the Authority.

(4) An insurance group that does not have a website must furnish to the public a copy of any report prepared on a significant event occurring after the filing date within 30 days of receipt of a request made in writing.

INSURANCE (GROUP SUPERVISION) RULES 2011

(5) The designated insurer of the insurance group shall keep copies of reports on any significant event at its head office for a period of five years beginning with the filing date.

[Rule 31 inserted by BR 54 / 2015 rule 9 effective 1 January 2016]

Declaration on Financial Condition Report or Significant Event

32 Every financial condition report or report on a significant event filed by a designated insurer of an insurance group shall be signed by─

(a) the chief executive of the parent company; and

(b) any chief risk officer or chief financial officer of the parent company, declaring that to the best of their knowledge and belief, the financial condition report or the report on a significant event fairly represents the financial condition of the insurance group in all material respects.

[Rule 32 inserted by BR 54 / 2015 rule 9 effective 1 January 2016]

INSURANCE (GROUP SUPERVISION) RULES 2011

SCHEDULE

The Schedules to these Rules have been omitted. They are available for inspection at the offices of the Bermuda Monetary Authority or on the website: www.bma.bm

[Schedule 4 inserted by BR 28 / 2024 para. 5 effective 25 March 2024]

Made this 30th day of December 2011

Chairman The Bermuda Monetary Authority

[Amended by: BR 92 / 2012 BR 115 / 2013 BR 54 / 2015 BR 42 / 2016 BR 74 / 2016 BR 119 / 2016 BR 41 / 2022 BR 28 / 2024]