We mentioned in our blog on 12 April 2019 that the European Insurance and Occupational Pension Authority (EIOPA) intended to publish guidance on cloud outsourcing in the (re)insurance sector.
Following the lead of the European Banking Authority (EBA), whose Recommendations on outsourcing to cloud service providers for the banking industry have been in force since 1 July 2018, EIOPA launched a consultation on 1 July 2019 on its own set of draft Guidelines on outsourcing to cloud service providers (Guidelines). The Guidelines are based on, and very closely follow, the EBA’s guidance on cloud (both the Recommendations and the EBA’s new Guidelines on outsourcing arrangements, which incorporate and will repeal the Recommendations from 30 September 2019).
Application and timetable
The Guidelines, which are addressed to (re)insurance undertakings and national supervisory authorities, have been issued as part of EIOPA’s remit to establish consistent supervisory practices and to ensure uniform and consistent application of EU law. Insurance undertakings, reinsurance undertakings and competent authorities “must make every effort to comply” with EIOPA guidelines and recommendations.
As currently drafted, the Guidelines will enter into force on 1 July 2020 and apply to all cloud outsourcing arrangements entered into, or amended, on or after that date. (Re)insurance undertakings will have until 1 July 2022 to bring all existing cloud outsourcing arrangements into line with the Guidelines.
Are new guidelines needed?
In its March 2019 report on cloud, EIOPA concluded that the existing Solvency II outsourcing requirements are sufficient to govern outsourcing to cloud service providers (CSPs). However, it noted that cloud services differ in several ways from traditional IT outsourcing and that current outsourcing guidelines do not provide an adequate regulatory framework for (re)insurers and regulators in their handling of cloud outsourcing activities. EIOPA also found that national guidance is not standardised across the EU. Given the often cross-border nature of cloud, EIOPA was concerned that the inconsistent treatment of risks (or potential risks) related to cloud services could lead to an uneven playing field across jurisdictions and undertakings in the EU.
Between publishing its report and issuing the draft Guidelines, EIOPA organised a public roundtable – the Fourth InsurTech Roundtable – to discuss the use of cloud computing by (re)insurance undertakings. 70 participants from 48 organisations across Europe attended the Roundtable, and one of the reported takeaways from the discussions was that cloud computing is expected to become the “new normal” for business and IT development in coming years, due to its operational advantages.
Based on its findings and the outcome of the Roundtable, EIOPA has issued its Guidelines to:
- provide guidance to (re)insurance undertakings on how the current outsourcing requirements in the Solvency II framework (the Solvency II Directive and the Solvency II Delegated Regulation) should be applied when outsourcing to CSPs, building on the existing EIOPA Guidelines on system of governance;
- provide clarification and transparency to market participants avoiding potential regulatory arbitrages; and
- foster supervisory convergence regarding the expectations and processes applicable in relation to cloud outsourcing.
In setting out its policy reasons for issuing guidance, EIOPA points out that the Guidelines should support (re)insurers “in their prudent transition to the cloud, providing clarity on the application of regulatory requirements, and, therefore, unlocking the opportunities that this technology provides”.
What do the draft Guidelines say?
The proposed Guidelines cover the following key areas:
- Whether cloud services should be considered within the scope of outsourcing, and criteria for determining ‘materiality’.
  - Is it an outsourcing? The Guidelines are clear that each (re)insurer needs to determine whether its arrangement with a CSP is an outsourcing (as already defined under Solvency II – the Guidelines do not seek to define ‘outsourcing’). The Guidelines do not deem all cloud services to be an outsourcing, but they do state that “as a rule, outsourcing should be assumed”.
  - Is the outsourcing considered to be ‘material’? The Guidelines set out minimum factors that a (re)insurer should take into account when determining the materiality of a cloud outsourcing. These include: the potential impact of the arrangement on the (re)insurer’s ability to comply with its legal or regulatory requirements (notably its ability to conduct appropriate audits of the function being outsourced); the impact of service failure on reputation, business continuity and operational resilience; the substitutability of the CSP or ability to bring the services back in-house; and the potential ‘business interconnections’ between the (re)insurer and the CSP (e.g. if the insurer is providing insurance coverage to the CSP). Under the Guidelines, a (re)insurer “should always consider as material all the outsourcing of critical or important operational functions to cloud service providers”, and the identification of functions that are critical or important should be done in accordance with EIOPA’s existing Guidelines on system of governance.
- Principles and elements of governance of cloud outsourcing, including documentation requirements and a list of minimum information that should form part of the notification of a material cloud outsourcing to the supervisory authority.
  - The robust governance of cloud outsourcing arrangements is a key theme of both these Guidelines and the EBA Recommendations. The Guidelines are explicit that if the supervisory authority comes to the conclusion that a (re)insurer no longer has robust governance arrangements in place or does not comply with regulatory requirements, then the authority “should take appropriate actions”. The Guidelines set out examples of what such action might be, including limiting or restricting the scope of the outsourced functions or requiring exit from one or more outsourcing arrangements. In addition, the Guidelines note that “the cancellation of contracts could be required if the supervision and enforcement of regulatory requirements cannot be ensured by other means”. While this is something that a regulator may only consider in extreme circumstances, given the likelihood of interruption to business continuity, a (re)insurer should bear this possibility in mind when negotiating the termination provisions, and consequences of termination, in its outsourcing agreement.
  - In respect of documentation, one point to call out is the requirement for a (re)insurer to maintain an updated register of all of its material and non-material functions outsourced to CSPs – the Guidelines set out the minimum information that must be included. In addition to current outsourcings, a (re)insurer must maintain documentation of past outsourcing arrangements within the register ‘for an appropriate retention period’, although (re)insurers can apply the principle of proportionality. The register should be provided to the supervisory authority on request. If the register is maintained centrally within a group, each undertaking in the group should be able to obtain its section of the register ‘without undue delay’. The requirement to maintain a register is in the EBA Recommendations and the latest EBA Guidelines, and financial undertakings had raised concerns that this could be quite an onerous obligation given the amount of information to be captured and maintained across both material and non-material outsourcings.
- Pre-outsourcing analysis, including materiality assessment, risk assessment and due diligence on the service providers.
  - A thorough risk assessment must be undertaken before entering into a material cloud outsourcing and on a periodic basis afterwards. While this is not new to (re)insurers, the Guidelines set out a list of minimum factors for assessing cloud arrangements. These include the design of the cloud service used, the risks arising from the particular cloud deployment model (e.g. a public, private or hybrid cloud model), where the cloud service provider is located, where data is stored or processed, and the risks of ‘significant sub-outsourcing’ (defined as a sub-outsourcing where ‘the main agreement would not work without an effective and safe delivery of sub-outsourced services’). A (re)insurer will also need to consider any concentration risk of using a particular CSP – this is not just the fact that many organisations in the sector may use the same few CSPs, but also how reliant an insurance company or group might be on one particular CSP and therefore the wider impact if that CSP’s services fail.
- Contractual requirements.
  - In addition to the requirements for outsourcing agreements that are already defined in Article 274 of the Solvency II Delegated Regulation, the Guidelines specify contractual provisions that must be included for a cloud outsourcing arrangement that is classified as ‘material’. These include provisions to ensure that data owned by the (re)insurer can be promptly recovered if the CSP becomes insolvent or ceases its business operations, and whether significant sub-outsourcing is permitted. In line with the EBA Recommendations, the contract should set out agreed service levels that include quantitative and qualitative performance targets. However, EIOPA has gone a bit further in its Guidelines by requiring that these “are directly measurable by the undertaking in order to independently monitor the services received”.
  - For non-material outsourcing agreements, the Guidelines say that clauses “should be written taking into account the type of data stored, managed or processed by the cloud service provider (or, where applicable, its significant sub-outsourcers)”, i.e. (re)insurers should include provisions that are proportionate to the risks presented by the cloud outsourcing arrangement.
- Specific areas of concern with cloud services, namely access and audit rights, security of data and systems, sub-outsourcing, termination rights and exit strategies.
  - When a regulated entity is outsourcing to a CSP, often one of the key challenges is securing sufficiently broad audit and access rights – both for it and the regulator – to ensure its compliance with legal and regulatory requirements. While the Guidelines do not change the audit requirements of a (re)insurer, they do allow for (i) the use of audits organised jointly with other clients of the CSP, and (ii) the ability to rely on third party certifications and third party or internal audit reports made available by the CSP (subject to certain conditions being fulfilled). This approach in the EBA Recommendations was welcomed by CSPs, and the Fourth InsurTech Roundtable noted that the cloud industry is dedicating resources to increasing the transparency of its services, most notably by providing tools and approaches for ‘auditing’ cloud services.
  - In respect of security, the Guidelines require (re)insurers to procure that CSPs comply with appropriate IT security and data protection standards, and there is a list of considerations (e.g. specific measures to secure data in transit and at rest, such as encryption). This is not new. However, (re)insurers need to be mindful that the CSP is not always fully responsible for security, and that under the shared responsibility model the (re)insurer will have security responsibilities – for example, the CSP may be responsible for providing a secure cloud, including security of its data centres and the host operating system, but the (re)insurer is responsible for configuring and managing the security controls within that cloud. The risk assessment of the outsourcing arrangement needs to take into account the level of cloud knowledge and expertise within the (re)insurer and whether there is a clear understanding of what the CSP is providing and the parties’ respective responsibilities.
- Monitoring and oversight of cloud outsourcing arrangements.
- Principles-based instructions for the national supervisory authorities on the supervision of cloud outsourcing arrangements.
  - In line with the EBA Recommendations, the Guidelines say that parties should take into account the principle of proportionality when complying with, or supervising compliance with, the guidance. However, as noted above, there are some prescriptive requirements that will need to be applied.
Why copy the EBA’s recommendations?
EIOPA’s policy reasons for following the work already done by the EBA point to EIOPA taking a pragmatic approach to support the (re)insurance sector in adopting cloud solutions. EIOPA’s research into the use of cloud in the (re)insurance sector found that cloud services used by (re)insurance companies are aligned to those used by the banking sector, and that the main risks associated with cloud outsourcings are similar across sectors. Further, EIOPA found that most National Supervisory Authorities (both banking and (re)insurance supervisors alike) were already considering the EBA Recommendations as a reference for the management of cloud outsourcing in their jurisdictions.
Amongst others, EIOPA makes reference in its consultation document to the following benefits of leveraging the EBA’s guidance:
- Having a framework for cloud outsourcing that aligns across the financial services industry (i) enables the scalability of the investments already made by CSPs to achieve compliance with the EBA’s guidance, and (ii) should enable CSPs to provide additional services (e.g. cloud service provider compliance programs) to the industry at a fraction of the cost.
- It will maximise the investments made by authorities, in terms of supervisory skills and knowledge, where the insurance competent authorities are the same as those for the banking or payments markets.
- Recognising that there will be a cost for (re)insurers in having to comply with the Guidelines, the cost of compliance should be lower in jurisdictions where practices overlap or show similarities.
What happens now?
The deadline for submission of feedback on the consultation is Monday 30 September 2019 at 23.59 hrs CET. The submission page can be accessed here.
As mentioned above, if the Guidelines are adopted as drafted, (re)insurers will have to comply with them from 1 July 2020 for all new cloud outsourcing arrangements.