The current economic circumstances have brought into sharper focus the efficiencies and cost-cutting opportunities presented by “Cloud computing”. This is a form of outsourcing by which vendors can supply computer services to multiple customers over the Internet.
At its core, Cloud computing envisages that hardware and software will be provided remotely to customers as a service and only as required. At the same time, Cloud services can be delivered to customers regardless of their location, via a PC, laptop or other handheld device.
High-profile Cloud services for consumers include Gmail, Hotmail, YouTube and Facebook. Business services are only now gaining a similar profile, but a January 2011 report by the Centre for Economics and Business Research in the UK concluded that the widespread adoption of Cloud computing could provide the top five EU economies with a US$1 trillion (£645 billion) boost over the next five years.
The potential benefits of Cloud computing for businesses, including insurance companies, cover:
- Cheaper computing power: end-users have the flexibility of paying only for the bandwidth and server capacity they actually use, and a single I.T. provider can host services for multiple companies.
- Financial savings: there is no need to purchase (or maintain) servers or company data storage facilities and the costs of power, security, lighting and other services are shared between customers.
- Energy efficiency (and environmental credibility): since overall carbon dioxide emissions should be reduced.
- Long-term flexibility: in terms of the end-user being able to adapt storage and processing power as the business grows.
- Better-coordinated security systems: to minimise the risk of any company data being lost or stolen.
- Time savings: it does not require data back-up on individual computers (since it will automatically be stored on the Cloud application).
For the service providers, the servers can be located anywhere in the world, but often in countries with a favourable tax regime, lower costs or both.
Yet while its commercial benefits have been recognised for some time, the legal, regulatory and other risks that Cloud computing presents are only now beginning to be adequately explored and understood.
The potential purchase of Cloud computing services also brings into play, however, a host of contractual, intellectual property and data protection issues.
At the contractual level, providers of these services inevitably seek to limit their exposure.
The major providers in particular seek to keep their performance assurances and warranties to a minimum and retain their right to suspend their services at any time in case of “unanticipated” downtime or unavailability.
The “public” Cloud providers (i.e., those selling services to anyone on the Internet) seek indemnities against claims occurring as a result of information passed on their Cloud service which may have infringed a third party’s intellectual property rights.
Other common indemnities covering public, private and “hybrid” Clouds include: protecting suppliers against losses as a result of a customer’s breach of a services agreement, failure to secure their passwords or permitting a third party unauthorised access to the Cloud service.
Finally, many providers try to exclude liability for the security of any data and require that the customer retains full responsibility for data safety.
Customers must also address issues such as what will happen to company data located in the supplier’s data centres if the relationship is brought to an end and whether the service provider has any right to see and access customer data.
The centralisation of services can of course offer more scope for damage to customers if a Cloud data store should be compromised (as opposed to, for instance, a stand-alone server).
Customers should also be aware of the legal consequences of such data storage problems. There may be jurisdictional challenges arising out of security and privacy concerns; for instance, if one customer suffers from a data breach, who would investigate the potential crime (or civil offence)? Further, it would need to be addressed whether other companies’ data was also compromised and how that would impact on any investigations and wider jurisdictional issues.
Finally, the extent to which a customer has audit rights needs to be clarified. Equally, there needs to be careful management of third party access to data by means of, for instance, disclosure/discovery exercises in legal proceedings.
These are fundamental issues that the relevant regulators are already examining.
The UK’s Information Commissioner, who has the power to impose fines of up to £500,000 for breaches of the Data Protection Act 1998, has issued guidance on the storage of personal information on a third party’s equipment and has advised that an entity must not relinquish control of the personal data it has collected or expose it to security risks that would not have arisen had the data remained in its possession in the UK.
The Commissioner has also noted that it is good practice to encrypt the data before it is transferred to the Cloud service provider, so as to render the data useless to hackers without the relevant “key”, irrespective of the jurisdiction it is in or who is processing it. The transfer of any “personal data” to, for example, the U.S. will (as it is outside the EEA) have to be subject to a data transfer agreement with the Cloud computing company and should comply with the Commissioner’s “good practice” recommendations.
At a wider level, the European Commission’s consultation on its approach to modernising EU data protection law closed on the 15th January 2011. The Commission specifically emphasised the new challenges for data protection posed by Cloud computing and new EU wide legislation is expected during 2011.
It is therefore clear that gaining access to the advantages of Cloud computing is not simply a question of calculating the financial benefits and entering into an appropriate agreement. For certain sections of the economy there are considerable hurdles to be overcome and satisfied if the perils of regulatory intervention, loss of reputation and substantial fines are to be avoided.
UK Regulatory Implications for the Financial Services Sector
Whilst the Commission’s approach to the challenges posed by “Cloud computing” continues to evolve, the financial services sector is presently subject to a mature, well-established regulatory environment which dictates its approach to participation in Cloud computing from planning through to the execution and delivery of services to private individuals and companies alike.
I.T. systems are at the core of the regulated financial services sector: banking, investment and insurance. With regard specifically to the insurance industry, there are a number of key constraints on Cloud computing that are imposed upon (re)insurance companies and insurance intermediaries authorised by the UK’s Financial Services Authority (“FSA”).
The FSA’s rules have their origin in related EU Directives and, as a result, the principles addressed below can be expected to apply to a greater or lesser degree to regulated financial services firms in all 27 EEA states. They also provide a best practice template that can be adopted on a voluntary basis by entities not subject to financial services regulation.
In essence, while a regulated firm may engage a Cloud service provider to undertake certain functions, the firm remains liable to ensure that those functions are carried out in accordance with the FSA’s rules, even when undertaken by a Cloud service provider in another country.
The UK regulatory implications of Cloud computing include, but are not limited to, obligations regarding:
- Outsourcing: rules relating to outsourcing generally, and the outsourcing of I.T. systems in particular, directly affect corporate governance and the terms of the contract with the Cloud services provider.
- Systems and Controls: all regulated firms are under an overarching obligation to maintain such effective “systems and controls” as are appropriate to their business. Failure to do so can lead to direct regulatory intervention.
- Record Keeping: regulated firms are subject to specific rules regarding the maintenance of appropriate records and access to them, including access by the FSA.
- Disaster Recovery — Business Interruption: there are further obligations regarding disaster recovery and access to records where there has been a critical systems failure. These should be built into the service level agreement with the Cloud service provider.
A firm cannot contract out of its regulatory obligations by delegating them to the Cloud service provider and firms are required to take reasonable care to supervise the discharge of outsourced functions, including undertaking due diligence on the Cloud service provider before entering into a contract. The firm must also be able to demonstrate proper contractual arrangements for smooth transition to new or changed outsourcing arrangements.
Further, a regulated firm must notify the FSA before it enters into a “material outsourcing” arrangement.
Substantive outsourced I.T. services can be expected to constitute “material outsourcing” where the services are of such importance that any structural weakness or failure would cast serious doubt on the firm’s ability to satisfy its licensing requirements or the FSA’s Principles for Business, such as the failure to maintain adequate “systems and controls”.
Cloud service providers operating under “material outsourcing” arrangements must permit access by the FSA to inspect their business premises and this must be clearly included in the terms of the contract with the regulated firm.
There are, in addition, specific rules dealing with the outsourcing of individual activities, such as claims handling, and obligations to maintain proper supervision of the Cloud service provider.
Systems and Controls
Insurers and other FSA regulated entities must obtain sufficient information from the Cloud service provider to enable the insurer to assess the impact of outsourcing on its current “systems and controls” and to maintain appropriate arrangements to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. By the same token, the insurer is obliged to review and consider the adequacy of the staffing arrangements and policies of the service provider and to notify the FSA of any significant failure in the Cloud service provider’s systems and controls.
The insurer will also need to be able to satisfy itself that the Cloud service provider is capable of managing I.T. system risks, including confidentiality, firewall entry restrictions and verification of identity.
Maintaining operating processes and systems at separate geographic locations and using alternative sites for the continuity of operations may alter a firm’s operational risk profile. FSA regulated firms need to understand the effect of any differences in processes and systems at each of their locations, particularly if they are in different countries. In doing so, they should also understand the business operating environment of each country, for example, the likelihood and impact of political disruptions or cultural differences on the provision of services, as well as the relevant local regulatory and other requirements regarding data protection and transfer.
Firms also need in particular to develop and maintain an understanding of:
- The extent to which local regulatory and other requirements may restrict their ability to meet their regulatory obligations in the UK (for example, access to information by the FSA and local restrictions on internal or external audit due to restrictions on access) and the timeliness of information flows to and from headquarters, and
- Whether the level of delegated authority and the risk management structures of the overseas operation are compatible with the firm’s head office arrangements.
The FSA requires both a firm and its Cloud service provider to protect the processing and security of its information, and each should have regard to established security standards such as ISO 17799 (Information Security Management). The Cloud service provider will be required to show at all times that it complies with this or an equivalent standard.
Disaster Recovery / Business Interruption
An FSA regulated firm is similarly required to consider the impact of a disruption to the continuity of its operations from unexpected events, including the loss or corruption of its information. To address this, appropriate protections must be put in place in order to provide adequate risk management systems and insurance. Failure by the Cloud service provider to demonstrate that it can discharge these obligations will mean that the insurer will be unable to use its services without facing sanction by the FSA.
There is a clear body of rules and standards to which regulated financial services firms are subject and which are relevant to Cloud service providers by proxy. In common with regulators elsewhere, the FSA in the UK has formally adopted a more intensive and intrusive approach to supervision. One company was recently fined £2,275,000 for failing to maintain adequate systems and controls to prevent the loss of customers’ confidential information.
The Solvency II Directive, which is due to enter into force in January 2013, also contains several provisions dealing with outsourced functions and activities. Firms will be required to have written policies relating to outsourcing, setting out the goals, reporting procedures and processes to be applied. It is recommended that firms maintain sufficient in-house expertise to determine whether the service provider is delivering according to contract.
As Cloud computing becomes increasingly common in the business environment, additional regulatory attention can be expected. Regulated entities should be conscious, at all times, of their legal and regulatory obligations, whilst Cloud service providers should be able to demonstrate both their willingness and ability to provide a service that is consistent with such customers’ obligations.