On 6 February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published “Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002)” (the “Guidelines”). The Guidelines provide guidance to insurance and reinsurance undertakings (Undertakings) on how the outsourcing provisions of the Solvency II Directive and the Commission Delegated Regulations are to be applied by Undertakings when outsourcing to cloud service providers (CSPs).
The Guidelines apply at Undertaking and group level. Undertakings are required to “make every effort to comply with” the Guidelines and incorporate them into their compliance with their regulatory framework.
Outsourcing of Critical or Important Operational Functions or Activities
The Guidelines apply to all cloud outsourcing arrangements by Undertakings, but there is a particular focus on the outsourcing of critical or important operational functions or activities (CIFAs) to CSPs.
Timeline for Undertakings’ compliance with the Guidelines:
- Undertakings should review and update (where needed) their policies and internal processes by 1 January 2021 to bring them into line with the Guidelines.
- All new cloud outsourcing arrangements entered into or amended by Undertakings on or after 1 January 2021 will be subject to the Guidelines.
- Undertakings should, by the end of 2022, bring their existing cloud outsourcing contracts related to CIFAs entered into before that date into line with the Guidelines (or explain to the Central Bank of Ireland (CBI) why they have not done so and set out their plan to deal with it).
As Undertakings approach the end of their annual board cycle, we suggest that they should review and update (where needed) their related internal policies and processes, in order to bring any updates to their board for approval before the 1 January 2021 deadline.
Key Considerations for Undertakings
The most significant Guidelines for Undertakings are dealt with below:
- Documentation requirements (Guideline 5)
Undertakings should maintain a dedicated register of their cloud outsourcing arrangements. The register should be regularly updated. The register should be made available to the supervisory authority on request.
Undertakings must ensure all internal policies and procedures relating to outsourcing are updated to reflect the new Guidelines.
- Risk Assessment of Cloud Outsourcing (Guideline 8)
Undertakings should adopt an approach proportionate to the nature, scale and complexity of the risks inherent in the services outsourced to CSPs. This includes assessing the potential impact of any cloud outsourcing on their operational and reputational risks.
- Due Diligence on CSP (Guideline 9)
Undertakings should ensure, in their selection and assessment process, that the CSP is suitable according to the criteria defined in their written outsourcing policy. The due diligence on the CSP should be performed prior to outsourcing any operational function or activity.
- Contractual requirements (Guideline 10)
Guideline 10 introduces certain clauses which should be included in any CIFA cloud-based outsourcing agreement between an Undertaking and a CSP.
- Sub-outsourcing of CIFAs (Guideline 13)
The Guidelines oblige CSPs to inform their clients of any planned significant changes to the services of the sub-outsourcer. Clients of the CSP have a right to consent or to object to any such changes.
- Termination rights and exit strategies (Guideline 15)
The Guidelines provide that clearly defined exit strategies are necessary to enable termination without detriment to the continuity and quality of the Undertaking’s provision of services to policyholders.
Undertakings should ensure that they, the CBI and any person appointed by either of them have access and audit rights in respect of their CSPs (including rights of entry to data centres).
If you would like to know more about the services which we are offering or have any queries in relation to the Guidelines, please contact our partners listed here or your usual contact at William Fry.
Contributed by Shannon O’Neill