A regulator’s perspective: cloud outsourcing in the insurance sector (Loyens & Loeff)
Publication date: 28/10/2020
The National Bank of Belgium (NBB) has issued fifteen recommendations for cloud service providers in the insurance sector, which will apply as from 1 January 2021.
The recommendations cover the entire outsourcing process and build in higher standards where critical or important functions and activities are outsourced. They reflect the opportunities that outsourcing can offer, but equally recognise the risks inherent in it, especially with respect to cloud outsourcing. Successful (cloud) outsourcing strategies in the insurance sector will therefore require an integrated and pro-active approach.
In summary, the NBB recommends insurers to:
- Ask themselves whether or not the contemplated arrangement constitutes outsourcing;
- Ensure that any decision to outsource critical or important functions/activities is based on a thorough risk assessment;
- Update the written outsourcing policy;
- Carry out a pre-outsourcing analysis;
- Assess whether it concerns a critical or important function/activity;
- Identify and assess the potential impact of cloud outsourcing in order to adopt a proportionate risk approach;
- Perform a due diligence on the cloud service provider;
- Clearly allocate the rights and obligations of the company and of the cloud service provider, respectively;
- Preserve access and audit rights in order to comply with their regulatory obligations;
- Ensure regulatory compliance (incl. ICT security standards) by cloud service providers;
- Consider and insert arrangements on sub-outsourcing (if permitted);
- Monitor the cloud outsourcing arrangements and set up the necessary mechanisms to do so;
- Have a clearly defined exit strategy clause to terminate the agreement (if necessary);
- In case the cloud service provider’s data are located outside the EEA, ensure (and enforce) access and audit rights;
- Retain original copies of certain documents at the registered office.
On 5 May 2020, the National Bank of Belgium (the ‘NBB’) issued fifteen recommendations to cloud service providers in the insurance sector. This is a welcome tool for insurance market participants, which have been seeking additional legal certainty on this topic. In order to put you on track with this important information, we outline the recommendations and provide you with the necessary background information.
The Solvency II Directive (Directive 2009/138/EC) defines outsourcing as “an arrangement of any form between an insurance or reinsurance undertaking and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be performed by the insurance or reinsurance undertaking itself.” In other words: instead of the (re-)insurance undertaking, a third party will perform a number of operational tasks that are directly related or interrelated to the insurance business.
As the above definition reveals, however, the service provider will perform the tasks outsourced to it on the basis of an arrangement concluded with the insurance undertaking. Pursuant to Delegated Regulation 2015/35, such an arrangement, which is to be entered into in writing, must set out the respective tasks and responsibilities of the parties, establishing inter alia the service provider’s commitment to act in accordance with all applicable regulations and with the insurance company’s policies, as well as its obligation to report developments that may impede the actual performance of the outsourced activities or functions. It follows that outsourcing implies a transfer of tasks, not of responsibility: the insurance undertaking remains fully responsible for complying with all requirements imposed on it under European and national insurance regulations.
In addition, the insurance company must draw up an outsourcing policy, which must deal with a number of concerns entailed by outsourcing, such as the identification of critical and important functions and the sound management thereof, the continuity of the business, and the processing of data.
Both the written arrangement and the outsourcing policy must be approved by the board of directors. Before the outsourcing effectively enters into force, the national supervisory authority – being, for Belgium, the NBB – must (i) be notified of the insurance company’s contemplated outsourcings of critical or important functions, and (ii) receive a list of those critical and important outsourcings.
It is clear that outsourcing requires a well-reasoned and detailed construction, the need for which is dictated by regulatory and supervisory concerns. Insurance companies must therefore carefully consider which activities and/or functions they wish to outsource and to whom they will do so. Often included in such consideration is the issue of cloud outsourcing.
Outsourcing to cloud service providers is considered a type of ‘information system service outsourcing’. The cloud may manage services such as data processing or IT security, or may host services such as offering the necessary software. Essential to cloud services is flexibility and responsiveness to market, technological and digital developments. It is therefore not surprising that insurers show a considerable interest in the use of clouds, as this enables them to meet customers’ needs and reduces costs.
In 2018, the European Commission put forth the ‘FinTech Action Plan’, through which it intends to deal with and follow up on the opportunities and challenges presented by technology-enabled innovation in financial services, “fintech”. Part of the plan is devoted to removing the obstacles to cloud services, an agenda point which appears to be industry-driven as stakeholders flagged that the use of cloud services was hampered by uncertainty regarding supervisory expectations. More generally, around the same time, identified obstacles for companies to use cloud services were also tackled by EU Regulation 2018/1807 on the free flow of non-personal data (applicable since 28 May 2019).
The European Commission therefore urged the EIOPA and the other European supervisory authorities to issue formal guidelines.
On 6 February 2020, EIOPA published such guidelines, through which it addresses the EU national competent authorities, giving directions on how the insurance sector must apply the outsourcing requirements when outsourcing to cloud service providers. In recognition of the cross-sectoral risks, EIOPA’s guidance mirrors that of its sister authority, the European Banking Authority.
By way of implementation, the NBB issued fifteen recommendations on the subject, which will apply as from 1 January 2021. Each of these recommendations will now be discussed.
The NBB’s recommendations
Having decided to outsource tasks to a cloud service provider, an insurance company must first determine, on the basis of the requirements of the Belgian Law of 4 April 2014 on insurance (the ‘Insurance Act’), whether or not this decision entails a case of outsourcing (Recommendation 1).
The NBB puts forth different criteria that could be taken into account during such assessment, one being the regularity of calling upon the service provider (recurrent or on an ongoing basis?), the other being the possibility for the insurance undertaking to perform the task in the ordinary course of business.
In addition, the decision to outsource critical or important operational functions or activities must be founded on a comprehensive and overall risk assessment of the relevant risks arising from the arrangement, such as operational and concentration risks (Recommendation 2). Any changes in the risk profile that stem from the cloud outsourcing arrangement should be reflected in the undertaking’s own risk and solvency assessment (“ORSA”). Through such an ORSA, an insurance undertaking appraises the risks to which it expects to be exposed with a view to determining whether its regulatory capital is adequate.
Outsourcing to cloud service providers should come with an update of the written outsourcing policy and other relevant internal policies (Recommendation 3). In doing so, consideration must be given to outsourcing specificities in certain areas, such as the processes and reporting procedures required for the approval, implementation, monitoring, management and renewal of critical or important cloud outsourcing arrangements, and the oversight of cloud services proportionate to the nature, scale and complexity of risks inherent to the services provided. The policies’ content must also give thought to the documentation requirements and the written notification to the relevant national competent authority (NCA) supervising the insurance undertaking.
Before effectively concluding the cloud outsourcing agreement, the insurance undertaking should make various assessments (Recommendation 4). The NBB guidance provides concrete details on the conduct of these assessments, with the exception of the assessment of conflicts of interests outsourcing could cause.
The conclusion of the outsourcing arrangement must be preceded by an assessment of whether or not the cloud outsourcing arrangement concerns a critical or important operational function or activity (Recommendation 5). Not only must the insurance undertaking assess whether the arrangement could potentially become critical or important in the future, it must also reassess the criticality or importance of previously outsourced services if there is a material change in the risks inherent in the agreement. Amongst the factors that must be taken into account, attention should be paid to the consequences of any material disruption to the outsourced functions or activities, or failure in the performance thereof, in terms of compliance, resilience, viability and risk materialisation. Further consideration must be given to the ability of the insurance undertaking to deal with the relevant risks, comply with regulatory requirements, and conduct appropriate audits regarding the outsourced function or activity.
A second assessment that is to be carried out prior to the conclusion of the outsourcing arrangement is devoted to the risks inherent in the outsourced services and must be proportionate to the nature, scale and complexity of these risks. Where critical or important functions or activities are outsourced, certain specificities apply. Next to a cost-benefit analysis, various risks must be assessed, as well as the oversight limitations stemming from, inter alia, (i) the selected cloud service and deployment models, (ii) sub-outsourcing, and (iii) the overall concentration risk to the same cloud service provider (Recommendation 6). If, once the arrangement is concluded, significant changes or deficiencies occur, the risk assessment must be reviewed or re-performed. In case of renewal of the arrangement, re-performance is in any case required.
Another pre-outsourcing task imposed on the insurance undertaking concerns the implementation of due diligence measures in order to ensure the suitability of the cloud service provider in accordance with the criteria laid down in the undertaking’s outsourcing policy (Recommendation 7). In case of renewal, it must be verified whether a second due diligence is required. Re-performance (or review) of the due diligence is in any case required in case of significant changes or deficiencies to the outsourced services or cloud service provider. In addition, a special suitability test must be performed in case critical or important functions or activities are outsourced.
Equally important is to clearly set out in writing the rights and obligations of both the undertaking and the cloud service provider (Recommendation 8). If critical or important functions or activities are involved, the contract must include information regarding the outsourced function, the relevant data, the governing law, the financial obligations, sub-outsourcing (if applicable), the storage location of the relevant data and the consultation thereof, monitoring, the agreed service level, reporting, insurance coverage for the risks, the possibility to access the business premises and infrastructure of the cloud service provider and to carry out inspection and auditing, and the provisions to ensure the recovery of data in case of interrupted business operations.
In respect of control, the outsourcing agreement should not restrict the effective performance of the entity’s access and audit rights or its ability to monitor the cloud services in order to comply with its regulatory obligations (Recommendation 9). The criticality or importance of the outsourced function or activity will influence the frequency and the scope of the access and audit rights and attaches certain conditions to the possibility to make use of third-party certifications and third-party or internal audit reports.
As the cloud service provider stores and processes data, European and national regulations must be complied with and appropriate ICT security standards must be applied (Recommendation 10). For critical or important functions or activities, additional requisites are prescribed.
The NBB also addresses sub-outsourcing arrangements. Sub-outsourcing is an increasing concern of NCAs, certainly where a chain of sub-outsourcing of critical or important functions or activities exists. The NBB therefore sets out the obligations of the cloud service provider in this respect, such as the obligation to inform the insurance undertaking of any planned significant changes to the sub-outsourced services, and a right for clients to object to such changes or to terminate and exit the contract if there would be an adverse effect on the risk assessment of the agreed services (Recommendation 11).
In terms of monitoring and oversight, undertakings should monitor on a regular basis the performance and security measures of their cloud service providers (Recommendation 12). Sufficient resources, skills and knowledge should be allocated to the monitoring of services outsourced to the cloud. Furthermore, the management committee should be regularly updated on the risks identified in the cloud outsourcing of critical or important operational functions or activities.
It is of course also important to provide for the termination and exit of the cloud outsourcing arrangement without discontinuing the service or reducing its quality. For their critical or important outsourcings, insurance undertakings should implement a clearly defined exit strategy to ensure that they have the possibility to terminate the arrangement (Recommendation 13). It must be noted that this should not impact the quality and continuity of the services they provide to policyholders. The exit strategy must be supported by comprehensive, service-based and ‘sufficiently tested’ exit plans and an identification of alternative solutions and transition plans to ensure a feasible switch to another provider or to bring the services back in-house to the insurance company itself.
The above guidance applies where functions or activities are outsourced to an EEA cloud service provider. However, the NBB does not lose sight of outsourcing to non-EEA entities (Recommendation 14). This is allowed in so far as the insurance undertaking can explicitly guarantee that it, its auditor and the NBB at all times have access to the data located outside the EEA. In addition to this general rule, particular rules apply in case of critical or important outsourcing: not only must there be a cooperation agreement in place between the Bank and the third-country supervisor, this agreement must also warrant that the Bank has access to certain data, documents and locations and can request the information necessary to carry out its tasks. This condition need not, however, be fulfilled if the information is accessible and can be verified in an EEA subsidiary or branch.
Lastly, the NBB provides for specific rules with regard to the record keeping of insurance documents where it concerns original copies of (re-)insurance agreements (policies and appendices), letters sent to policyholders, and prudential reports required on the basis of the Belgian Insurance Law (Recommendation 15). Pursuant to the Law of 13 March 2016 on the legal status and supervision of insurance or reinsurance companies, these documents must be kept at the undertaking’s registered office or at another location that has been approved by the NBB in consultation with the Financial Services and Markets Authority (FSMA).
The notification to the NBB
The NBB must be notified of the critical and important functions or activities outsourced by the insurance company. In addition to the information that has to be provided outside the context of cloud services, the Bank must be notified of:
- the fact it concerns cloud outsourcing;
- the date of the last risk assessment and a brief summary of the outcome thereof;
- the date of the most recent and prospective audits;
- the outcome of the assessment of the substitutability of the cloud services provider (easy, difficult or impossible); and
- whether an exit strategy is in place in case of termination or disruption of the services provision.
The NBB should also be notified in case of significant changes and disruptions in respect of the outsourcing.
A cumulative application of the EU General Data Protection Regulation
As data controllers responsible for the collection and processing of personal data (being any type of information related to identified or identifiable individuals) of their customers, insurance companies must comply with the provisions of the EU General Data Protection Regulation 2016/679 (the ‘GDPR’).
When outsourcing certain tasks to cloud services providers, in addition to the written arrangements, policies and records described above, GDPR-specific documentation will therefore also need to be established for GDPR compliance reasons. Relevant GDPR obligations include internal record-keeping, carrying out data security audits and data protection risk/impact assessments, and entering into a written data processing agreement with any data processors that are engaged to host personal data on their behalf.
Among other things, insurance companies will need to make sure that they only use data processors providing sufficient guarantees in terms of data security and ensuring the protection of the rights of the individuals concerned. A degree of due diligence is expected to be conducted in this respect. The data processing agreement itself will have to contain information on the subject-matter and duration of the outsourcing, the nature and purpose of the outsourcing, the type of personal data and categories of individuals involved, and the obligations and rights of the insurance company. Specific details on data security, audit rights of the insurance company, obligations to cooperate, etc. must also be included.
The NBB guidance covers all steps of the outsourcing process. The detailed requirements relate to the governance, the outsourcing policy, the analysis prior to outsourcing, the contractual arrangement between the insurance undertaking and the cloud services provider and the monitoring.
It can be observed that the supervisor is very much concerned with the outsourcing of critical or important functions and activities, given the higher standards applied in this respect.
A second observation is the clear overlap between the NBB’s outsourcing requirements and the formalities data controllers have to take into account pursuant to the GDPR when engaging data processors (such as hosting services providers): due diligence and audit requirements, risk assessments, record-keeping, mandatory written arrangements, etc.
Any comprehensive and successful outsourcing strategy in the insurance sector will therefore need to follow an integrated approach, involving regulatory specialists from both fields of expertise. Only through such an integrated approach will insurance companies be able to adequately tackle possible loopholes and inconsistencies when outsourcing certain tasks to third parties, in particular to cloud services providers.