EIOPA guidelines on outsourcing to cloud service providers (Timelex)
Author: Niels Vandezande (Timelex)
Publication date: 03/09/2020
Earlier this year, the European Insurance and Occupational Pensions Authority (EIOPA) published the final version of its guidelines on outsourcing to cloud service providers. These guidelines were finalized after a public consultation procedure.
While the guidelines of course apply specifically to insurance and reinsurance undertakings, EIOPA has taken note of the existing guidelines of the European Banking Authority on outsourcing and on cloud services. This alignment serves to limit regulatory fragmentation in the financial market. In this blog post, we briefly examine what these guidelines mean for insurance undertakings.
The guidelines define cloud services as “services provided using cloud computing, that is, a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”. These services can be provided through public clouds, private clouds, community clouds or hybrid clouds.
Outsourcing should be understood as under the Solvency II Directive, meaning any recurrent and ongoing outsourcing of operational functions or activities that would normally or could be performed by the undertaking itself. Sub-outsourcing also falls within the scope of the guidelines. Any outsourcing of critical or important functions to cloud services should be subject to a prior risk assessment. That risk assessment should also take into account any changes to the undertaking’s risk profile resulting from the outsourcing.
Written policy, documentation and notification
The undertaking must have a written outsourcing policy. That policy should indicate the roles and responsibilities of the undertaking’s departments involved with the outsourcing, as well as the process for approving and implementing outsourcing. Documentation and oversight are also key aspects of the outsourcing policy. When the outsourcing concerns critical or important functions, specific contractual requirements apply, and a clear ‘exit strategy’ should be in place.
The competent supervisory authority should be notified in writing of any outsourcing of critical or important functions. This notification should provide details on the contract and on the service provider.
The undertaking must maintain a dedicated register of its outsourcing activities. This register must document the information provided to the competent supervisory authority, internal or group outsourcing policies, the internal decision-making bodies, the risk assessment, an assessment of the service provider’s substitutability, cost estimations, and the exit strategy.
Before entering into a cloud outsourcing agreement, the undertaking must conduct a few prior analyses. This should also include an assessment of any conflict of interests that the outsourcing may cause.
First, the undertaking must assess whether the cloud outsourcing would constitute an outsourcing of critical or important functions, or whether it could become critical or important in the future. Apart from the overall risk assessment, this analysis should consider the potential impact of any material disruption of the outsourced service. That impact could relate to the undertaking’s compliance with its regulatory obligations, its short- and long-term financial solvency or business continuity, as well as operational and reputational risks.
Furthermore, the analysis should take into account the impact of the outsourcing on the undertaking’s overall risk management, aggregated exposure in group structures, the size and complexity of the business, substitutability, and data protection risks.
Second, the approach taken by the undertaking should be proportionate to the risks posed by the cloud outsourcing. This should reflect operational and reputational risks and costs, weighed against the expected benefits. Other elements to be reflected upon include the type of cloud, the sensitivity of the data placed in the cloud, the political stability and legal framework of the country where the cloud service provider is established, the presence of sub-outsourcing, and the concentration risk arising from reliance on the same cloud provider.
Third, due diligence should be conducted on the cloud service provider. This should ensure that the selection of the cloud service provider is in line with the written outsourcing policy. When outsourcing critical or important functions, due diligence should also evaluate the suitability of the cloud service provider.
A written agreement must be concluded between the undertaking and the cloud service provider.
When outsourcing critical or important functions, this agreement should clearly set out the description of the services, the duration of the agreement, parties’ financial obligations, competent court and applicable law, whether sub-outsourcing is permitted and how, the location of data centres, and return of the data in case of insolvency, resolution or discontinuation of the cloud service provider’s business operations. Accessibility, availability, integrity, confidentiality, privacy, and safety must be ensured.
The undertaking should also be able to monitor the service provider’s performance against the agreed service levels. The cloud service provider must report to the undertaking, in support of the undertaking’s own reporting duties towards supervisory authorities. The cloud service provider may be required to take out insurance against specific risks.
The undertaking should have effective access and audit rights. The undertaking should effectively use these rights by determining the frequency of access and audits according to a risk-based approach. In case of critical or important outsourcing, full access rights and unrestricted audit rights are needed.
In principle, the undertaking may rely on third-party certifications or audit reports, as well as on pooled audits. However, in the case of critical or important outsourcing, the undertaking should thoroughly examine the scope and adequacy of such certifications or reports, and should ensure that key systems and controls are covered in future audits. When there is any doubt about the completeness or veracity of an audit report, the undertaking may request an expansion of the scope of the audit or conduct its own audit.
Cloud service providers should comply with EU and national laws, as well as with appropriate ICT security standards. In the case of critical or important outsourcing, the undertaking should define specific security requirements. These should include the allocation of security roles between the undertaking and the cloud service provider, the appropriate level of protection of the data, the encryption technologies and key management to be used, secure integration through APIs and sound access management, continuity and availability requirements, and a risk-based approach to the service provider’s location.
When allowing sub-outsourcing in critical or important outsourcing, the agreement should define the parameters of such sub-outsourcing. This includes ensuring that the cloud service provider maintains full accountability and oversight.
Monitoring and termination
The performance of the cloud service provider, the security measures and the adherence to the agreed service levels should be regularly monitored. The undertaking should have clear monitoring and oversight mechanisms in place for this.
Particularly when outsourcing critical or important functions, the undertaking should have a clear exit strategy in place to terminate the agreement. Such termination should be without detriment to the continuity or quality of its services. The exit plan should therefore determine alternative solutions and transition measures that can be triggered when needed.
Supervisory authorities must review the impact of undertakings’ cloud outsourcing. They may take appropriate action when they find that an undertaking no longer has robust governance arrangements in place or no longer complies with regulatory requirements. This may include limiting or terminating the outsourcing.
Supervisory authorities must now confirm whether or not they intend to comply with these guidelines. In Belgium, the National Bank of Belgium has already issued a circular confirming its adherence to the guidelines. Insurance and reinsurance undertakings in Belgium will therefore have to comply with this framework starting from 1 January 2021. Existing arrangements must be reviewed by 31 December 2022. The circular also details the reporting requirements.
Furthermore, it should be recalled that the originals of insurance or reinsurance contracts, letters to policyholders and prudential reporting must be archived at the premises of the undertaking or at a location approved by the National Bank of Belgium. These rules also apply when cloud service providers are used for storing those documents.