EIOPA guidelines on outsourcing to cloud service providers
On 6 February 2020, the European Insurance and Occupational Pensions Authority (“EIOPA”) published its final guidelines (the “EIOPA Guidelines”) on outsourcing to cloud service providers (“CSPs”)[1].
On 24 June 2020, the Luxembourg supervisory authority of the insurance sector, the Commissariat aux Assurances (“CAA”), issued Circular Letter 20/13, in which the CAA confirms that it has informed EIOPA that it will apply the EIOPA Guidelines and invites the insurance and reinsurance undertakings subject to its supervision to comply with them.
The CAA further specified in Circular Letter 20/13 that the provisions of the EIOPA Guidelines apply without prejudice to the rules laid down in Article 300 of the amended law of 7 December 2015 on the insurance sector, which sets out the duty of professional secrecy.
I. Purpose and Scope of the EIOPA Guidelines
The EIOPA Guidelines clarify how the outsourcing provisions set forth in Directive 2009/138/EC (the “Solvency II Directive”) and in Delegated Regulation (EU) 2015/35 (the “Delegated Regulation”) are to be applied in the case of outsourcing by insurance and reinsurance undertakings to CSPs.
Where outsourcing arrangements are set up with service providers that are not CSPs, the EIOPA Guidelines nevertheless apply if the relevant service providers rely significantly on cloud infrastructures to deliver their services.
In terms of timing, two dates should be borne in mind:
- the EIOPA Guidelines apply to all cloud outsourcing arrangements entered into or amended on or after 1 January 2021.
Undertakings should also update their internal processes and procedures by that same date;
- in addition, existing cloud outsourcing arrangements related to critical or important operational functions or activities should be reviewed and amended in order to ensure compliance with the EIOPA Guidelines by 31 December 2022.
II. Overview of the main general requirements of the EIOPA Guidelines applicable to all cloud outsourcing arrangements
1. Assessing whether an arrangement qualifies as an “outsourcing” arrangement
Undertakings are required to determine whether an arrangement with a cloud service provider falls within the scope of the definition of “outsourcing” pursuant to Article 13(28) of the Solvency II Directive.
In doing so, undertakings should assess:
- whether the outsourced operational function or activity is performed on a recurrent or an ongoing basis; and
- whether the outsourced operational function or activity would normally fall within the scope of the operational functions or activities that would or could be performed by the undertaking in the course of its regular business activities.
2. Pre-outsourcing analysis
Prior to entering into any outsourcing arrangement with CSPs, undertakings should:
- assess whether the contemplated outsourcing arrangement relates to a critical or important operational function or activity (including whether the arrangement has the potential to become critical or important in the future), on the basis of the specific factors set out in paragraph 28 et seq. of the EIOPA Guidelines;
- assess the potential impact of the relevant cloud outsourcing arrangement on the undertaking’s operational and reputational risks. In the case of cloud outsourcing of critical or important functions or activities, this risk assessment should cover the specific factors set out in paragraph 31 et seq. of the EIOPA Guidelines;
- undertake appropriate due diligence on the prospective CSPs;
- identify and assess conflicts of interests that may arise from the considered arrangement.
3. Governance requirements
The undertakings’ written outsourcing policy (as well as any other relevant internal policies and processes) should be updated in order to take into account cloud outsourcing specificities and risks in each of the areas specified in paragraph 20 of the EIOPA Guidelines.
Undertakings are further required to keep a record of all of their outsourcing arrangements, which should be kept up to date over time and should also retain terminated cloud outsourcing arrangements for an appropriate retention period.
4. Contractual requirements
The respective rights and obligations of the undertakings and their CSPs should be clearly allocated and set out in a written agreement.
5. Access and audit rights
Undertakings are required to ensure that they have effective access and audit rights as well as control options on the outsourced cloud services in order to fulfil their regulatory obligations.
6. Security of data and systems
Undertakings should ensure that CSPs comply with European and national regulations as well as appropriate ICT security standards.
7. Monitoring and oversight of cloud outsourcing arrangements
Undertakings should set up mechanisms to monitor, on a regular basis and following a risk-based approach, the performance of the outsourced activities as well as the security measures implemented by their CSPs and the CSPs’ level of adherence to them.
III. Key specific requirements of the EIOPA Guidelines applicable to the outsourcing of critical or important operational functions or activities
The EIOPA Guidelines include a series of specific requirements that are only applicable to the outsourcing of critical or important operational functions and many of the general requirements applicable to all outsourcing arrangements are more onerous in case of outsourcing of such critical or important functions:
- Risk assessment: Undertakings should conduct a thorough risk assessment, taking into account, among other things, business continuity, legal and compliance risks, operational risks and the risks associated with data migration and/or the implementation phase. Any change to the undertakings’ risk profile resulting from the cloud outsourcing arrangements is to be reflected in their own risk and solvency assessment.
- Written notification: Details of the outsourcing arrangement should be notified to the supervisory authority. The same notification duty applies in case an outsourced function previously classified as non-critical or non-important becomes critical or important.
- Documentation specificities: The record kept by the undertaking should include the minimum information specified in paragraph 24 of the EIOPA Guidelines.
- Contractual requirements: The agreement between the undertaking and the relevant CSP should include a series of mandatory provisions set out in paragraph 37 et seq. of the EIOPA Guidelines, including, among other things, the parties’ financial obligations, provisions protecting the relevant data, reporting obligations of the CSP to the undertaking and business contingency plans.
- Access and audit rights: The scope and frequency of the undertakings’ exercise of access or audit rights should be determined in consideration of whether the cloud outsourcing is related to a critical or important function or activity. Undertakings may only use third-party certifications and/or pooled audits if the specific conditions laid down in paragraph 43 of the EIOPA Guidelines are met.
- Security of data and systems: Undertakings should include additional specific information security requirements defined in paragraph 49 of the EIOPA Guidelines in the contractual agreement concluded with their CSP and monitor compliance with these requirements by the CSP.
- Sub-outsourcing of critical or important functions or activities: If sub-outsourcing is permitted, the agreement between the undertaking and the CSP should include a number of additional provisions detailed in paragraph 50 of the EIOPA Guidelines.
- Termination rights and exit strategies: The agreement between the undertaking and the CSP should include a clearly defined exit strategy clause ensuring that the undertaking may terminate the arrangement when necessary. To ensure that such termination is possible without detriment to the continuity and quality of the outsourced services, undertakings must comply with a series of specific requirements detailed in paragraph 51 of the EIOPA Guidelines.
IV. Other connected European texts
The EIOPA Guidelines are closely aligned with the Guidelines on outsourcing arrangements published by the European Banking Authority (“EBA”) on 25 February 2019[2], which have incorporated the Recommendations on outsourcing to cloud service providers published by the EBA on 20 December 2017[3].
On 3 June 2020, the European Securities and Markets Authority (“ESMA”) published a Consultation Paper on Draft Guidelines on Outsourcing to Cloud Service Providers[4] (the “ESMA Guidelines”), which contain requirements similar to those laid down in the EIOPA Guidelines.