On March 27, 2019, the European Insurance and Occupational Pensions Authority (EIOPA) published a report looking at outsourcing to the cloud by (re)insurers. In addition to outlining EIOPA's plans to provide guidance for (re)insurers that outsource to cloud service providers, the EIOPA report provides an overview of cloud computing and market practices in the European Union (EU), drawing on feedback from National Supervisory Authorities (NSAs).
Amongst the key takeaways outlined in the EIOPA report are:
- Cloud services are not yet extensively used by (re)insurance undertakings in the EU, but the level of use by (re)insurance companies differs among EU jurisdictions, and the cloud services used are aligned to those used by the banking sector
- Cloud computing is used mainly by newcomers, by a niche of the market and by larger undertakings mainly for non-critical functions, but many large European (re)insurers are expanding their use of the cloud as part of their wider digital transformation strategies
- The impact of cloud computing on the (re)insurance market is assessed differently among jurisdictions, due to its complexity and level of technicality
Under both banking and (re)insurance regulation, outsourcing to a cloud service provider is covered by the same provisions that would apply to any other outsourcing for regulatory purposes.
For (re)insurers in the EU, this means compliance with the measures on outsourcing within the Solvency II framework (see Articles 38 and 49 of the Directive and Article 274 of the Delegated Regulations; EIOPA guidelines 60-64 on System of Governance provide level 3 principle-based guidance). However, the report notes that the current level of national guidance on cloud outsourcing for the (re)insurance sector is not standardized across EU countries and is not being applied consistently.
For example, while certain regulators have already issued or are planning to issue national guidance on cloud outsourcing (e.g., the UK, France, Germany and Poland), other regulators rely on broader national standards to support the management of specific critical areas of cloud outsourcing (e.g., in Spain, Italy and the Netherlands) and others have no specific plans (e.g., Portugal and Ireland). The report also notes that NSAs take different views as to whether cloud computing is always outsourcing, and some NSAs have adopted a specific definition for cloud computing.
In determining whether separate guidance was needed for the (re)insurance sector, EIOPA carried out a gap analysis between the existing Solvency II regulations and the European Banking Authority (EBA) Recommendations, and its findings are set out in the EIOPA report. EIOPA has concluded:
- The current Solvency II recommendations are sound to discipline outsourcing to cloud service providers and already cover most of the contents of the EBA Recommendations, which just appear to be more specific about certain areas
- Despite this, EIOPA should issue guidance on cloud outsourcing in order to provide legal transparency to regulated undertakings and service providers in the market and "to avoid potential regulatory arbitrage"; this guidance would be aligned with the EBA Recommendations and, where applicable, the EBA's new guidelines on outsourcing arrangements (as these incorporate and will repeal the EBA Recommendations when the guidelines come into effect on September 30, 2019)