EIOPA guidelines on outsourcing to cloud service providers adopted by the CAA

Luxembourg

On 24 June 2020, the Luxembourg insurance and reinsurance regulator, the Commissariat aux Assurances (the “CAA”), formally adopted, by way of circular letter 20/13, the guidelines on outsourcing to cloud service providers issued by the European Insurance and Occupational Pensions Authority (the “EIOPA”).

The EIOPA guidelines aim to provide guidance to insurers and reinsurers on how the outsourcing provisions set forth in the Solvency II Directive[1] should be applied in the case of outsourcing to cloud service providers.

The EIOPA guidelines in their final version bring the provisions into greater alignment with previous outsourcing guidance issued by the European Banking Authority. This supervisory convergence will help financial institutions, particularly those operating banking and insurance arms, to implement standardised risk management processes to address the challenges entailed in adopting cloud-based solutions in the heavily-regulated financial services sector.

Application of guidelines

The EIOPA guidelines refer to the definition of “outsourcing” provided under the Solvency II Directive. The scope of the EIOPA guidelines is, however, limited to outsourcing to cloud service providers.

While the EIOPA guidelines apply to all outsourcing arrangements with cloud providers, many of the requirements of the guidelines apply only to critical or important cloud outsourcings.

The EIOPA guidelines state that “prior to entering any cloud outsourcing arrangement, the Undertaking should assess whether the cloud outsourcing arrangement relates to an operational function or activity that is critical or important”.

The EIOPA guidelines further set out a number of factors that undertakings must consider when conducting this assessment, such as (i) whether the outsourced operational function or activity is performed on a recurring or an ongoing basis and (ii) whether the operational function or activity would normally fall within the scope of operational functions or activities that would or could be performed by the undertaking in the course of its regular business activities, even if the undertaking has not performed the operational function or activity in the past.

Key requirements under these guidelines

These guidelines outline several requirements for undertakings, including:

a) Internal governance requirements

  • obligation to conduct a pre-outsourcing analysis including (i) assessing whether the cloud outsourcing arrangement concerns a critical or important operational function or activity, (ii) conducting a risk assessment of cloud outsourcing, (iii) undertaking appropriate due diligence on a prospective cloud service provider and (iv) identifying any conflicts of interest;
  • updating the undertakings’ written outsourcing policy and other relevant internal policies;
  • maintaining oversight of active cloud outsourcing arrangements by keeping an up-to-date register recording all cloud outsourcing arrangements, including specific information for those related to critical or important functions or activities;
  • monitoring on an ongoing basis the service provider’s performance of activities, security measures and adherence to service levels.

b) Notification

Undertakings must give notice to supervisory authorities (the CAA for Luxembourg-supervised undertakings) of an outsourcing of critical or important operational functions and activities to cloud service providers. While this is not a new requirement, the scope of what must be notified has been significantly expanded, as set out in the non-exhaustive list of information referred to under Guideline 4 – Written notification to the supervisory authority.

c) Contractual requirements

Any critical or important cloud-based outsourcing agreement concluded by and between the undertaking and the cloud service provider must contain certain compulsory clauses, including: a clear description of the outsourced function, the start and end date of the agreement and the notice periods, a governing law and dispute resolution clause, the parties’ financial obligations, whether sub-outsourcing of a critical or important operational function or activity is permitted and under which conditions, the locations where the relevant data is stored and processed, provisions regarding the accessibility, availability, integrity, confidentiality, privacy and safety of data, monitoring rights over the cloud service provider’s performance, the agreed service levels, reporting obligations, exit strategy clauses, etc.

The EIOPA guidance also addresses topics such as rights of audit, data and systems security and business continuity planning.

Timeline for compliance with the guidelines

EIOPA took on board the industry’s concern over the proposed timeline to implement the guidelines and has changed the date of application to 1 January 2021 (it was previously 1 July 2020).

All new cloud outsourcing arrangements entered into or amended on or after 1 January 2021 will be subject to the guidelines, while insurance and reinsurance providers will have until the end of 2022 to bring cloud outsourcing contracts related to critical or important operational functions or activities entered into prior to that date into line with the new requirements.

EIOPA said it expects insurers to update their internal policies and processes to reflect the new guidelines by the beginning of 2021, and meet the documentation requirements for cloud outsourcing arrangements related to critical or important operational functions or activities by 31 December 2022.

We, at CMS, are happy to assist insurance and reinsurance providers with the required update of their written outsourcing policies and related oversight procedures as well as their outsourcing contracts.

For any questions regarding the above, please do not hesitate to contact our specialists.
[1] Directive 2009/138/EC on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) and the amended Delegated Regulation (EU) 2015/35.