On 6 February 2020, EIOPA published its Guidelines on outsourcing to cloud service providers (the Guidelines). The Guidelines will apply from 1 January 2021 to all cloud outsourcing arrangements entered into or amended on or after that date.
The Guidelines address a number of issues, including the following:
- what should be considered within the ‘scope’ of outsourcing to cloud service providers;
- governance of cloud outsourcing arrangements, including the requirement that thorough risk assessments be carried out when outsourcing any critical or important functions or activities (CIFA) to a cloud service provider;
- changes to the risk profile of the undertaking as a result of the outsourcing to a cloud service provider should be reflected in its Own Risk Solvency Statement (ORSA);
- papering of cloud outsourcing arrangements, including documenting the arrangement in a written agreement, updating the undertaking’s outsourcing policy and making notifications to the undertaking’s supervisory authority;
- due diligence of cloud outsourcing arrangements, including a set of criteria to be followed to assess whether a cloud outsourcing arrangement relates to a CIFA; and
- sub-outsourcing of CIFAs to cloud service providers.
The Guidelines will apply to both individual insurance and reinsurance undertakings and to groups as defined in the Solvency II Directive.