EIOPA has published the final text of its Guidelines on outsourcing to cloud service providers (the “Guidelines”), following last year’s consultation.
The Guidelines provide guidance to insurers on how the outsourcing provisions in the Solvency II Directive and Delegated Regulation should be applied in the case of outsourcing to cloud service providers.
The Guidelines largely follow the EBA Guidelines on outsourcing arrangements (effective since 30 September 2019), but are more streamlined and primarily focus on outsourcing critical or important operational functions.
Key guidelines include:
- outsourcing policies should be updated to specifically address outsourcing to cloud service providers;
- written notifications of critical or important outsourcings should be made to supervisory authorities – happily the consultation proposal to provide draft agreements to supervisors has been dropped;
- a record of cloud outsourcing arrangements should be kept;
- risks inherent in services outsourced to cloud service providers should be assessed;
- due diligence should be carried out on cloud service providers;
- rights and obligations of the parties should be clearly allocated and set out in a written agreement;
- access and audit rights should be maintained and exercised;
- agreements should set out information security requirements and compliance with these should be monitored on a regular basis;
- any sub-contractors used by the cloud service provider should be subject to the same requirements; and
- agreements should have clearly defined exit strategy clauses.
Departure from EBA equivalent guidelines
In a significant point of departure from the EBA Guidelines, EIOPA will not require insurers and reinsurers to maintain a detailed register of all cloud outsourcing arrangements; the record keeping requirement proposed by EIOPA is high level and more flexible because it does not specify the format of the record. In its recent consultation paper on Outsourcing (CP30/19), the PRA proposed a requirement for all firms (i.e. including insurers) to maintain a register of outsourcing arrangements. As the PRA’s rules are not yet final, it will be interesting to see whether the PRA implements this requirement for insurers, or whether it will follow EIOPA’s lead. Although, we query the practical difference for insurers in keeping a detailed and prescriptive register versus a ‘record’.
Insurers will be pleased to see that EIOPA proposes a risk-based review which means only contracts related to critical or important operational functions need to be amended by 31 December 2022. EIOPA took on board the industry’s concern over the proposed timeline to implement the Guidelines and has changed the date of application to 1 January 2021 (it was previously 1 July 2020). This means that by 1 January 2021 insurers will need to have updated their policies and internal processes to reflect the Guidelines and any cloud outsourcing arrangements entered into or amended on or after 1 January 2021 will need to comply with the Guidelines.
Competent authorities have until the end of March 2020 to confirm whether they comply, or intend to comply, with the Guidelines. Whilst the UK left the EU on 31 January 2020, as of 1 February 2020 it entered into an “implementation” or “transition” period set to last until 31 December 2020, unless it is extended. During this implementation period, the UK will continue to be treated by the EU as a Member State for many purposes and must continue to adhere to its obligations under EU law. The main question now is to what extent the PRA will reflect the Guidelines in its final policy on outsourcing and third-party risk management.
In the meantime, insurers and reinsurers will want to familiarise themselves with the content of the Guidelines and the PRA’s consultation paper, Outsourcing and third party risk management (CP30/19), and respond (if necessary) to the CP30/19 by the deadline of 3 April 2020. They should also start the process of reviewing their outsourcing arrangements involving critical or important functions and identifying where remediation may be required.