The final guidelines create new obligations for insurers that will impact cloud outsourcing arrangements.
By Fiona M. Maclean, Andrew C. Moyle, and Victoria Sander
On 6 February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published its final guidelines on outsourcing to cloud service providers (CSPs) (the Guidelines). The Guidelines were finalised following a public consultation on the draft guidelines launched on 1 July 2019, and closely follow the European Banking Authority’s (EBA’s) final guidelines on outsourcing arrangements, published in February 2019 (the EBA Guidelines). (See What EBA’s Outsourcing Guidelines Mean for Financial Institutions.)
What Do the Guidelines Mean for Insurers?
The Guidelines will apply to all cloud outsourcing arrangements entered into or amended on or after 1 January 2021. Insurance and reinsurance undertakings (together, Undertakings) are required to “make every effort to comply with” the Guidelines, and competent authorities are expected to incorporate them into their regulatory or supervisory frameworks as appropriate. Undertakings are also expected to review and, where necessary, amend existing cloud outsourcing arrangements by 31 December 2022. The Guidelines apply both to individual Undertakings and to groups, and they also tell competent authorities how the Guidelines should be applied to Undertakings.
In line with the EBA Guidelines and the Solvency II Directive, the Guidelines distinguish between general outsourcing and the outsourcing of “critical or important operational functions or activities” (Critical Outsourcing) and place more onerous requirements on the latter. Undertakings unable to complete their review of Critical Outsourcing arrangements by the 31 December 2022 deadline must notify the supervisory authority and provide details of the measures planned to complete the reviews within a reasonable period of time.
Key Changes From the Draft Guidelines
Following public consultation, EIOPA made various amendments to the draft guidelines, including:
- Proportionality and less stringent requirements. A number of the requirements in the Guidelines now apply only to Critical Outsourcing. Further, many of the requirements that apply to all outsourcing arrangements have been amended to be less onerous; for example, the notification and documentation requirements have been reduced.
- Harmonisation with the EBA Guidelines. Many amendments ensure alignment with the requirements set by the EBA Guidelines.
- Date of application. EIOPA delayed the date of application from 1 July 2020 to 1 January 2021 and prolonged the period for reviewing existing arrangements from 1 July 2022 to 31 December 2022.
Key Considerations for Undertakings
Are all cloud services “outsourcing”?
The Guidelines remove the unpopular statement in the draft guidelines that all arrangements with CSPs should “as a rule” be assumed to be outsourcing. To determine whether an arrangement is outsourcing, Undertakings should consider the Solvency II Directive definition of outsourcing and assess whether the operational function is performed on an ongoing basis and would normally fall within the scope of operational functions that would or could be performed internally. Outsourcing to non-CSPs that rely significantly on cloud infrastructures to deliver their services (for example, through sub-outsourcing) will still be caught by the Guidelines.
Governance requirements (including documentation and notification)
For all cloud outsourcing arrangements, Undertakings should:
- Ensure that internal policies and processes, especially the written outsourcing policy, are updated to take into account the specific characteristics and risks of cloud outsourcing and to record the roles and responsibilities within the Undertaking.
- Keep a record of their cloud outsourcing arrangements, maintained over time.
The Guidelines set out the minimum documentation requirements for Critical Outsourcing only, specifying that for non-Critical Outsourcing, the Undertaking should define the information recorded based on the nature, scale, and complexity of the risks. This information, along with a copy of the outsourcing contract, must be made available to supervisory authorities on request.
For Critical Outsourcing only, Undertakings must:
- Conduct a thorough risk assessment, considering a breadth of factors, including, but not limited to, business continuity, legal and compliance, operational risks, and risks associated with data migration and/or the implementation phase. Any changes to the Undertaking’s risk profile due to its cloud outsourcing arrangements should be reflected in its risk and solvency assessment.
- Provide a written notification to the supervisory authority with details of the arrangement. The Guidelines set out the minimum information to be provided, which includes, but is not limited to, the start and renewal date, a description of the outsourced function, governing law, details of the CSP, cloud services and deployment models, and details of where data will be stored.
Prior to entering into an arrangement with a CSP, Undertakings should:
- Determine whether the outsourcing is Critical Outsourcing in accordance with Guideline 7.
- Identify and assess all relevant risks in the arrangement in accordance with Guideline 8.
- Undertake appropriate due diligence in accordance with Guideline 9.
- Identify and assess conflicts of interest that the outsourcing may cause.
Undertakings should also reassess whether outsourcing is Critical Outsourcing if the nature, scale, and complexity of the risks inherent to the agreement materially change.
Undertakings should ensure that the respective rights and obligations of the Undertaking and the CSP are clearly allocated and set out in a written agreement. For Critical Outsourcing, the Guidelines set out specific contractual clauses that must be included, such as the parties’ financial obligations, the requirements for sub-outsourcing, the locations where data will be stored, the agreed service levels, the CSP’s reporting obligations, and the grant of full access and audit rights.
EIOPA acknowledges that Undertakings will often have limited negotiating power with CSPs and will consider holding workshops and/or roundtables with CSPs on the Guidelines in 2020.
Access and audit rights
Undertakings should retain access and audit rights, including access to data centres, and should retain control options over the cloud services in order to fulfil their regulatory obligations. For Critical Outsourcing, Undertakings should rely on third-party certifications and/or pooled audits only if certain conditions are met, including that the scope of the certification or audit is adequate for the outsourced service. If audits are conducted by the Undertaking’s internal staff, those staff should have the knowledge and skills needed to perform the audit or assessment.
Other important points
Undertakings should always ensure the CSP complies with European and national regulations in relation to the security of data and systems, but for Critical Outsourcing, the Guidelines define specific information security requirements that must be included in the contract. These include specifying the appropriate level of protection, ensuring measures for data in transit, at rest and in memory, and ensuring that sound and well-documented incident management processes are in place.
Undertakings should set up monitoring and oversight mechanisms to monitor the performance of the cloud outsourcing arrangements, with particular focus on Critical Outsourcing, to ensure the clauses in the agreement are met, including adherence to the agreed service level and appropriate security measures. In order to do so, Undertakings should employ enough resources with adequate knowledge to monitor the outsourced services.
For Critical Outsourcing, the agreement must contain a clearly defined exit strategy clause ensuring the Undertaking can terminate the agreement, where necessary, without detriment to the continuity and quality of its provision of services to policyholders.
Undertakings should ensure they are familiar with the requirements set out in the Guidelines and update their internal processes and procedures by 1 January 2021. They should ensure that new cloud outsourcing arrangements meet the Guidelines’ requirements, and review existing arrangements before the applicable deadline and amend them where necessary. Undertakings should also support the implementation of updated internal policies through relevant internal training where appropriate.
If you have any questions about the Guidelines, please contact one of the authors of this post or the Latham lawyer with whom you normally consult.
This post was prepared with the assistance of Victoria Wan in the London office of Latham & Watkins.