Olivia Santantonio
Intellectual Property (IP)
Life Science
Commercial law
Dispute Resolution
Information Governance & Data Protection
Telecommunications, Media & Technology
olivia.santantonio@lydian.be
The National Bank of Belgium (NBB) published 15 recommendations for (re)insurance companies that outsource to cloud service providers. These recommendations will apply as of 1 January 2021. In this article, we will briefly summarise these recommendations.
Outsourcing to cloud service providers has many advantages, including flexibility and scalability, economies of scale, cost effectiveness and operational efficiencies (e.g., the provider's ability to invest in and implement security measures). However, outsourcing to cloud service providers also raises challenges, such as security and data protection. These challenges exist at the level of the individual company, but also at sector level when many companies rely on the same cloud service provider(s), since an outage or compromise at that provider then affects all of them at once.
When a (re)insurance company uses its own servers, it keeps full control. However, when outsourcing, the (re)insurance company and the cloud service provider share the control. Nonetheless, (re)insurance companies remain responsible for complying with all their regulatory obligations when outsourcing. The NBB’s recommendations oblige (re)insurance companies that use cloud service providers to pay attention to and mitigate the risks of outsourcing.
Every (re)insurance company should take the necessary measures to ensure that the use of outsourcing does not lead to:
The recommendations published by the National Bank of Belgium set out how (re)insurance companies can establish the above in practice when outsourcing to cloud service providers.
Below, we will briefly discuss the fifteen recommendations that will enter into force on 1 January 2021 for all (re)insurance companies that enter into, renew or amend outsourcing arrangements after that date. For existing outsourcing arrangements relating to critical or important functions or activities (as defined under Recommendation 5), (re)insurance companies must comply with the recommendations by 1 January 2022.
(Re)insurance companies should determine whether the intended outsourcing to a cloud service provider falls within the scope of the recommendations. The recommendations apply to ‘outsourcing’ as defined in the law of 13 March 2016 on the legal status and supervision of insurance and reinsurance companies. The latter defines ‘outsourcing’ as:
“an agreement of any form between an insurance or reinsurance company and a service provider, whether or not that service provider is itself supervised, under which that service provider performs, directly or by way of sub-contracting, a process, a service or an activity which would otherwise be carried out by the insurance or reinsurance company itself” (free translation of Article 15, 54° of the law of 13 March 2016 on the legal status and supervision of insurance and reinsurance companies)
When the outsourcing to cloud service providers falls under the definition above, (re)insurance companies must comply with these recommendations.
Before outsourcing to cloud service providers, the management of (re)insurance companies has to carry out a thorough risk assessment, as the outsourcing should be consistent with the (re)insurance company’s strategies, internal policies and processes. Risks relating to ICT, business continuity, confidentiality, data migration etc. should be taken into account. The (re)insurance company should also update its strategies, internal policies and processes, if necessary.
As stated above, the (re)insurance company should update its internal policies, including its outsourcing policy, taking into account the following elements:
A (re)insurance company should undertake the following actions before entering into an agreement with a cloud service provider:
A (re)insurance company should assess if the outsourcing relates to an activity that is critical or important or could become critical or important in the future. In that regard, the following elements should be taken into account:
(Re)insurance companies should assess the nature, scale and complexity of the risks of the cloud outsourcing and adapt their strategy accordingly. When outsourcing critical or important activities, (re)insurance companies should take into account additional elements, such as political stability of the countries from where the outsourced services are provided, how to reduce risks, etc.
Before engaging a cloud service provider, the (re)insurance company should perform a due diligence on that provider. When outsourcing critical or important activities, (re)insurance companies should assess the suitability of the provider by taking into account its infrastructure, economic situation, regulatory status, etc.
The (re)insurance company and the cloud service provider should lay down their obligations in a written agreement. The recommendations set out several elements that should be included in this agreement, such as the parties’ financial obligations, whether the outsourcing concerns a critical or important activity, the locations where the data will be stored, monitoring rights of the (re)insurance company, etc.
The above agreement should include audit and access rights for the (re)insurance company so that it can fulfil its regulatory obligations. Specific attention is required where the outsourcing relates to critical or important operational functions or activities. The recommendations specify that, even for critical or important operational functions, third-party (pooled) audits or internal audit reports made available by the cloud service provider may suffice, provided that sufficient safeguards are in place.
(Re)insurance companies must ensure that the cloud service provider complies with the applicable European and national legislation and with appropriate ICT security standards. When outsourcing critical or important operational functions, a risk-based approach is required. The recommendations set out a number of elements that should be assessed, such as network availability and expected capacity, the incident management process, whether a copy of the data is kept at one or more locations outside the cloud service provider’s head office, and protection by strong authentication solutions.
When a (re)insurance company outsources critical or important functions, certain clauses relating to sub-outsourcing should be included in the outsourcing agreement.
Through a monitoring and oversight mechanism set up for this purpose, the (re)insurance company should regularly monitor the cloud service provider’s performance, security and adherence to the agreed service levels. Moreover, the management of the (re)insurance company should be updated regularly on the results of that monitoring.
In case of outsourcing of critical or important operational functions, the outsourcing agreement should contain an exit strategy to avoid lock-in, i.e. to enable the (re)insurance company to terminate the agreement without detriment to the continuity and quality of the services. The recommendations specify that, for example, a comprehensive exit plan and the identification of alternative solutions are necessary.
Outsourcing to a cloud service provider outside the European Economic Area is permitted when the (re)insurance company can guarantee that its statutory auditor and the National Bank of Belgium can exercise their access and audit rights in accordance with applicable law, which means that they must have access to the data at all times. Additional conditions apply when critical or important activities are outsourced outside the EEA.
The law of 13 March 2016 on the legal status and supervision of insurance and reinsurance companies (see above) provides that insurance companies must keep the originals of certain documents, such as (re)insurance agreements, at their registered office. (Re)insurance companies must therefore comply not only with the recommendations on retention but also with the aforementioned law, which a purely cloud-based archive would not satisfy by itself.
Cloud outsourcing has many advantages, but (re)insurance companies must be aware of the challenges as well. The National Bank of Belgium obliges (re)insurance companies to mitigate these challenges through a risk-based approach. In addition, (re)insurance companies must pay special attention to the outsourcing of critical or important operational functions or activities, as described under Recommendation 5.
We are at your disposal to assist you with the audit of the cloud service provider or with the drafting or review of the cloud outsourcing agreement.