New EIOPA guideline on outsourcing to cloud service providers

Insurance law Regulatory 4 March 2020

The European Insurance and Occupational Pensions Authority (EIOPA) has recently published its final report on its guidelines on outsourcing to cloud service providers (the Guideline).

This Guideline fills a gap: until now, only the European Banking Authority had published a recommendation on the use of cloud services, and that recommendation was addressed to the banking sector.

It should be noted, however, that the National Bank of Hungary (NBH) evaluated the forward-looking requirements and practices of the above-mentioned European Banking Authority recommendation in its Recommendation no. 4/2019. (IV.1) (the Recommendation) and has already set out its expectations regarding the use of cloud services for all institutions in the financial intermediary system. Although the topics covered by the Recommendation and the Guideline overlap (for example the assessment of critical or important operational functions and activities, the documentation of activities covered by cloud services, risk analysis, contractual requirements, data protection and monitoring), the Guideline contains more extensive and detailed rules. Consequently, the NBH is expected either to amend the Recommendation or to issue a new recommendation for the insurance sector.

The Guideline applies from 1 January 2021 to all cloud outsourcing arrangements and internal regulations entered into or amended on or after that date. Existing agreements and regulations must be revised by 31 December 2022.

In the light of the Recommendation already in force, the guidelines we consider most important are the following.

Documentation requirements (Guideline 5)

As regards the documentation obligation, this guideline specifies the information that undertakings are required to record in a register for every critical or important operational function or activity outsourced to a cloud service provider.

Where non-critical or non-important operational functions or activities are outsourced, the undertaking should itself define the information to be recorded, based on the nature, scale and complexity of the risks inherent in the services provided by the cloud service provider.

Sub-outsourcing (Guideline 13)

If sub-outsourcing of critical or important operational functions (or a part thereof) is permitted, the cloud outsourcing agreement between the undertaking and the cloud service provider should:

1) specify any types of activities that are excluded from potential sub-outsourcing;

2) indicate the conditions to be complied with in case of sub-outsourcing, including the audit and access rights and the security of data and systems;

3) indicate that the cloud service provider retains full accountability and oversight for the services sub-outsourced;

4) include an obligation for the cloud service provider to inform the undertaking of any planned significant changes to the sub-contractors or the sub-outsourced services that might affect the ability of the service provider to meet its obligations under the cloud outsourcing agreement;

5) require the undertaking's consent before the cloud service provider changes the sub-contractor or the sub-outsourced services.

Termination rights (Guideline 15)

Where critical or important operational functions or activities are outsourced to the cloud, the cloud outsourcing agreement should contain a clearly defined exit strategy clause ensuring that the undertaking is able to terminate the arrangement where necessary. Termination must be possible without detriment to the continuity and quality of the undertaking's provision of services to policyholders.

The steps to be taken as a result of the Guideline

By 1 January 2021, insurers will have to update their internal policies and procedures to comply with the Guideline, and all outsourcing agreements entered into or amended on or after 1 January 2021 must comply with the Guideline. In the meantime, it is advisable to start reviewing existing outsourcing agreements in order to identify any changes needed to comply with the Guideline.

The Guideline can be found at the following link:

https://www.eiopa.europa.eu/content/guidelines-outsourcing-cloud-service-providers_en
