EIOPA is currently consulting on new guidelines on the use of cloud service providers by (re)insurance undertakings and has called for responses by 30 September 2019.

While acknowledging the benefits of cloud services, EIOPA raised concerns regarding their unique challenges in terms of data protection and location, security issues and concentration risk. In particular, there is a risk at industry level “as large suppliers of cloud services can become a single point of failure when many undertakings rely on them”.

EIOPA’s proposed guidelines (which take into account the recent guidance on cloud outsourcing published by the European Banking Authority) aim to:

  1. “provide clarification and transparency to market participants avoiding potential regulatory arbitrages”; and
  2. “foster supervisory convergence regarding the expectations and processes applicable in relation to cloud outsourcing.”

The key issues covered in the proposed guidelines are:

  1. Outsourcing definition: in the context of cloud services, what amounts to “outsourcing” (as defined in Solvency II – see guideline 1) and what constitutes “material” outsourcing (see guidelines 1 and 7).
  2. Risk assessments: these should be carried out prior to cloud outsourcing and should be reflected, where appropriate, in an undertaking’s ORSA (see guidelines 2 and 8).
  3. Notification: undertakings should notify their supervisory authority of any material cloud outsourcing (see guideline 4).
  4. Use of cloud service providers: undertakings should (a) carry out due diligence on cloud service providers, (b) ensure that agreements include the EIOPA recommended contractual requirements (including in relation to sub-outsourcing), (c) have access and audit rights over cloud service providers, (d) ensure that cloud service providers comply with appropriate IT security and data protection standards, (e) monitor the performance of the cloud service providers and their compliance with agreements on an on-going basis, and (f) have an exit strategy (see guidelines 9 to 15).
  5. Supervisory oversight: supervisory authorities should assess the impacts arising from cloud outsourcing arrangements (see guideline 16).

The draft guidelines can be found here.