EIOPA: New Guidelines on cloud outsourcing for (re)insurers

Philipp Rosenauer Partner Legal, PwC Switzerland 05 Aug 2019

New challenge for the insurance industry – increased outsourcing requirements will likely kick in as of July 1st, 2020

On the 1st of July 2019, the European Insurance and Occupational Pensions Authority (EIOPA) issued the consultation paper on the proposal for Guidelines on outsourcing to cloud service providers. The draft Guidelines provide principle-based rules for insurance and re-insurance undertakings (undertakings) in relation to cloud outsourcing and invite stakeholders to comment on their provisions. The consultation is open until 30 September 2019. The timeline below indicates all relevant dates regarding the outsourcing regulation of which the insurance sector should be aware.

Acknowledging the increased adoption of cloud outsourcing in the financial industry, and the fact that the associated risks are similar across all sectors, EIOPA has considered the most recent guidance published by the European Banking Authority (EBA): the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and the EBA Recommendations on cloud outsourcing (EBA/REC/2017/03). In order to avoid inconsistencies in assessing outsourcing risks in the banking and the insurance sector, the EIOPA Guidelines follow a very similar structure to the EBA Guidelines.

The Guidelines on cloud outsourcing for (re)insurers shall become applicable as of July 1st, 2020 to all cloud outsourcing arrangements entered into or amended after this date. Undertakings should review and amend existing outsourcing arrangements in order to ensure compliance with the Guidelines before the 1st of July 2022.

Background

EIOPA identified the need to develop specific guidance on cloud outsourcing for undertakings as a response to the European Commission FinTech Action Plan (COM(2018) 109 final), and following the discussions and exchanges with stakeholders.

Compared to traditional forms, cloud outsourcing offers a more standardised approach that allows functions and services to be outsourced in larger numbers, in a much more automated manner, and on a larger scale. However, cloud services raise some significant challenges such as data protection, security issues and concentration risks. Therefore, cloud outsourcing should be regulated in more specific terms.

EIOPA Guidelines on cloud outsourcing

The Guidelines aim to specify a set of principle-based rules in order to provide clarification and transparency to market participants and to avoid regulatory arbitrage. In addition, they intend to harmonise the supervisory practices and create a minimum European standard.

The following key areas are covered by the Guidelines and are built on the EBA work in the field of outsourcing:

  • Criteria to assess whether cloud services should be considered as outsourcing;
  • General principles and requirements of the governance of cloud outsourcing, including a written outsourcing policy, written notification to the supervisory authorities and an outsourcing register including detailed information on all material and non-material functions outsourced to cloud service providers;
  • Pre-outsourcing analysis including materiality and risk assessment as well as due diligence on cloud service providers;
  • Contractual requirements;
  • Requirements on access and audit rights; security of data and systems; sub-outsourcing; monitoring and oversight of outsourcing arrangements; termination rights and exit strategies;
  • Provisions for the supervision of cloud outsourcing arrangements by supervisory authorities.

Sources:

Consultation paper on the proposal for Guidelines on outsourcing to cloud service providers
EBA Guidelines on outsourcing arrangements
EBA Recommendations on outsourcing to cloud service providers
 

How we can help

The PwC team offers extensive experience in legal, regulatory and compliance services with respect to financial services to help clients negotiate the risks and capitalise on the opportunities created by the new rules.
