EIOPA issues final guidelines on outsourcing to the cloud
Background
The European Insurance and Occupational Pensions Authority (EIOPA) has recently (31st January 2020) published its final guidelines on outsourcing to cloud service providers (Guidelines).
Whilst recognising the benefits that cloud services can deliver, the Guidelines identify four key areas of risk: data protection, location, security issues and concentration risk (both at a firm level and industry level).
EIOPA received just under 30 contributions (from a mix of insurers, re-insurers and cloud providers) to the public consultation. One of the key changes to the final form Guidelines that EIOPA has made as a result of the consultation is to strengthen the principle of proportionality by focussing the requirements of the Guidelines primarily on the outsourcing of ‘critical or important’ operational functions or activities. EIOPA has also sought to harmonise its approach with that of other regulators by aligning, where possible, to the European Banking Authority (EBA) guidelines on outsourcing arrangements which came into effect in September 2019 (EBA Outsourcing Guidelines).
The Guidelines are additional to, and do not replace, the Solvency II principles on outsourcing, although they replicate and now embed some of those principles in relation to cloud outsourcings.
Regulators have 2 months from the date of issue of the Guidelines to confirm if they comply or intend to comply with them.
Who do the Guidelines apply to?
The Guidelines apply to insurance and reinsurance undertakings. It should be noted that some insurance groups may find themselves subject to the Guidelines and the EBA Outsourcing Guidelines where the group includes, for example, an insurance company and a MiFID investment firm. This may add some complexity to compliance.
Which arrangements do the Guidelines apply to?
While the Guidelines apply to all outsourcing arrangements with cloud providers, many of the requirements of the Guidelines apply only to critical or important cloud outsourcings. Firms will need to establish whether an arrangement with a cloud provider falls under the definition of ‘outsourcing’ under the Solvency II Directive. In this context, it is worth noting that EIOPA has removed from the final version of the Guidelines the assumption that all arrangements with cloud providers should be considered outsourcing.
The scope of application of the Guidelines is therefore narrower than that of the EBA Outsourcing Guidelines, which apply to all outsourcings, whether or not to cloud providers. However, firms should note that where outsourcings are “to service providers that are not cloud service providers but rely significantly on cloud infrastructures to deliver their services” the arrangement would be subject to the Guidelines. Unlike the EBA Outsourcing Guidelines, the Guidelines do not include any guidance on cloud services that should not be considered outsourcings – despite requests from respondents to the consultation.
When do the Guidelines apply from?
The Guidelines apply from 1 January 2021 to all cloud outsourcing arrangements entered into or amended on or after that date. Existing cloud outsourcing arrangements related to critical or important operational functions or activities should be reviewed and updated by no later than 31 December 2022. Both these deadlines represent a six-month extension to the deadlines in the draft guidelines.
Firms’ outsourcing policies and internal processes will also need to be updated by 1 January 2021, with the documentation requirements (see below) for critical or important cloud outsourcings being implemented by 31 December 2022.
What are the key requirements of the Guidelines?
- Proportionate and Risk-based Approach. One of the key underlying principles of the Guidelines is that of proportionality, and the criticality or importance of the outsourcing, with firms expected to ensure that their governance arrangements are proportionate to the nature, scale and complexity of the underlying risks of the outsourcing.
- Updated Outsourcing Policy. Firms will need to update their written outsourcing policies and other relevant policies (information security for example) to take account of the cloud outsourcing, including roles and responsibilities of the functions involved, processes and reporting procedures required for the approval, implementation, monitoring and management of the cloud outsourcing arrangements, and oversight procedures, including risk assessments and service provider due diligence.
For critical and important cloud outsourcings, the firm’s outsourcing policy should include a reference to the contractual requirements referred to in Guideline 10 (see below) and a requirement to have in place a documented and sufficiently tested exit strategy.
- Regulatory Notification. In the case of critical and important cloud outsourcings firms should notify the supervisory authority of details of the outsourcing, including a brief description of the services being outsourced, details of the cloud provider, the deployment model (i.e. public/private/hybrid/community cloud), the nature of the data to be held and locations where the data will be stored, and a brief summary of the reasons why the outsourcing is considered critical or important.
Importantly, the requirement that firms submit a draft copy of the outsourcing agreement to EIOPA prior to outsourcing has been removed from the final version of the Guidelines.
- Record of Cloud Outsourcing Arrangements. In what is a departure from the EBA Outsourcing Guidelines, the requirement to maintain an outsourcing register has been removed from the final version of the Guidelines, and replaced with a more flexible requirement to keep a record of cloud outsourcing arrangements. In practice, because the information to be recorded is broadly the same as the information to be included in the outsourcing register under the EBA Outsourcing Guidelines, this difference between the two sets of guidelines on this point is one of form rather than substance.
- Pre-contract Analysis. Before entering into any cloud outsourcing arrangement, firms should (i) assess if the arrangement involves the outsourcing of a critical or important function, (ii) identify and assess all relevant risks, (iii) undertake appropriate due diligence, and (iv) identify and assess any conflicts of interest.
- Criticality Assessment. As part of their assessment of the criticality of an outsourcing, firms should take into account the potential impact of any material disruption to the services, the impact of the arrangement on the firm’s ability to monitor and manage risk, comply with regulatory requirements and conduct appropriate audits, the firm’s (and its group’s) reliance on the same cloud service provider, the potential cumulative impact of outsourcing arrangements in the same business area, the ability to transfer the services to another provider or back in-house, and the protection of data (personal and non-personal), taking special account of any business secrets and any sensitive data (such as health data).
- Risk Assessment. As noted above, firms’ approach to risk assessment should be proportionate to the scale and complexity of the services and associated risks. These assessments should be carried out before entering into the contract, and post-contract signature if there are any significant changes to the services or the service provider, and as part of any renewal. In relation to critical or important outsourcings, firms should carry out a cost/benefit analysis, assess the legal, ICT, compliance and reputational risks arising from the outsourcing (and any oversight limitations), the political and security stability of the country from where the services will be provided, the extent of any subcontracting by the service provider, and any concentration risk.
- Due Diligence. Firms should ensure that selection of any service provider is based on criteria defined in its outsourcing policy. In the case of critical or important outsourcings, the due diligence should include an evaluation of the suitability of the cloud provider. Firms can use internal and third party audit reports and certifications based on international standards to support their due diligence findings.
- Contractual Requirements. Guideline 10 contains a non-exhaustive list of things that should be covered in all contracts involving a critical or important outsourcing to the cloud. For the most part, these reflect common sense and good practice and largely mirror the equivalent provisions of the EBA Outsourcing Guidelines. These contractual requirements include extensive audit rights which the cloud provider must grant to the firm, including “full access to all relevant business premises [and] devices, systems, networks, information and data” used to provide the outsourced services.
Guideline 11 provides some more detail on audit and, in what will be a welcome addition for cloud providers and many firms, acknowledges that if the exercise of an audit right creates a risk for the environment of the cloud provider (or its other customers), the firm and the cloud provider can agree on alternative ways to provide a similar level of assurance. These alternatives could include the use of pooled audits (audits performed jointly with other customers of the cloud provider), and reliance on third party certifications and third party or internal reports. In the case of critical or important outsourcings, reliance on third party certifications and third party or internal reports is subject to a number of conditions being satisfied including having the contractual right to request an expansion of the scope of the certifications and audits.
- Subcontracting. The Guidelines contain terms governing the cloud provider’s ability to use subcontracts in the case of critical or important outsourcings. In particular, the outsourcing contract should (i) specify any activities which cannot be subcontracted, (ii) set out the conditions that must be met for any subcontracting (including audit and access rights), (iii) require the cloud provider to inform the firm of any planned significant changes to the subcontractors, and (iv) most importantly perhaps, include a right for the firm to terminate the contract where the cloud provider plans to make a change to a subcontractor or subcontracted services which would have an adverse effect on the risk assessment of the services.
- Termination Rights and Exit Strategies. Finally, firms are required, for their critical or important outsourcings, to have in place a clearly defined exit strategy to ensure that they can, if necessary, terminate the arrangement without impacting the quality and continuity of the services they provide to policy holders. This exit strategy should include comprehensive, service based and ‘sufficiently tested’ exit plans, and the identification of alternative solutions and development of appropriate and feasible transition plans to enable the firm to switch to another provider or to take the services back in-house.
The Guidelines are largely a reflection of good practice when outsourcing to the cloud. Some of the changes introduced in the final version of the Guidelines – such as the greater emphasis on proportionality – are to be welcomed from a business standpoint, as is the acknowledgement in some areas (such as that of on-site audit) that cloud outsourcings are different, and should be treated differently to, more traditional outsourcing arrangements.
With firms having to update their outsourcing policies and internal processes by the end of January next year, and having to apply the Guidelines to new contracts entered into, or amendments agreed, after that date, firms will need to start to prepare for these changes in the coming months.