Recommendations on outsourcing to cloud service providers by (re)insurance companies
The National Bank of Belgium (NBB) published 15 recommendations for (re)insurance companies that outsource to cloud service providers. These recommendations will apply as of 1 January 2021. In this article, we will briefly summarise these recommendations.
1 WHY ARE THESE RECOMMENDATIONS NECESSARY?
Outsourcing to cloud service providers has many advantages, including flexibility and scalability, economies of scale, cost effectiveness and operational efficiencies (e.g., to invest in and implement security measures). However, outsourcing to cloud service providers also raises challenges such as security, data protection, etc. These challenges are present at the level of the individual company, but also at industry level when many companies rely on the same cloud service provider(s).
When a (re)insurance company uses its own servers, it keeps full control. However, when outsourcing, the (re)insurance company and the cloud service provider share the control. Nonetheless, (re)insurance companies remain responsible for complying with all their regulatory obligations when outsourcing. The NBB’s recommendations oblige (re)insurance companies that use cloud service providers to pay attention to and mitigate the risks of outsourcing.
2 HOW CAN A (RE)INSURANCE COMPANY COMPLY WITH ITS REGULATORY OBLIGATIONS WHEN OUTSOURCING?
Every (re)insurance company should take the necessary measures to ensure that the use of outsourcing does not lead to:
- materially impairing the quality of the company’s governance system;
- unduly increasing the operational risk;
- impairing the ability of the National Bank of Belgium to monitor the company’s compliance with its legal and regulatory obligations; or
- undermining the continuous and satisfactory service to policyholders, insureds and beneficiaries of insurance policies or the persons concerned by the performance of reinsurance policies.
The recommendations published by the National Bank of Belgium set out how (re)insurance companies can meet the above requirements in practice when outsourcing to cloud service providers.
3 RECOMMENDATIONS AND ENTRY INTO FORCE
Below, we will briefly discuss the fifteen recommendations that will enter into force on 1 January 2021 for all (re)insurance companies that enter into, renew or amend outsourcing arrangements after that date. For existing and current outsourcing arrangements related to critical or important functions or activities (as defined under Recommendation 5), (re)insurance companies must comply with the recommendations by 1 January 2022.
3.1 Recommendation 1 – Cloud services and outsourcing
(Re)insurance companies should determine whether the intended outsourcing to a cloud service provider falls under the scope of the recommendations. The recommendations apply to ‘outsourcing’ as defined in the law of 13 March 2016 on the legal status and supervision of insurance and reinsurance companies. The latter defines ‘outsourcing’ as:
“an agreement of any form between an insurance or reinsurance company and a service provider, whether a supervised or uninspected service provider, under which that service provider performs, directly or by way of sub-contracting, a process, a service or an activity which would otherwise be carried out by the insurance or reinsurance company itself” (free translation of Article 15, 54° of the law of 13 March 2016 on the legal status and supervision of insurance and reinsurance companies).
When the outsourcing to cloud service providers falls under the definition above, (re)insurance companies must comply with these recommendations.
3.2 Recommendation 2 – General principles of governance for cloud outsourcing
Before outsourcing to cloud service providers, the management of (re)insurance companies has to carry out a thorough risk assessment, as the outsourcing should be consistent with the (re)insurance company’s strategies, internal policies and processes. Risks relating to ICT, business continuity, confidentiality, data migration etc. should be taken into account. The (re)insurance company should also update its strategies, internal policies and processes, if necessary.
3.3 Recommendation 3 – Update of the written outsourcing policy
As stated above, the (re)insurance company should update its internal policies, including its outsourcing policy, taking into account the following elements:
- the roles and responsibilities of the company’s functions involved;
- the processes and reporting procedures required for the approval, implementation, monitoring, management and renewal of cloud outsourcing arrangements related to critical or important operational functions or activities;
- the oversight of the cloud services proportionate to the nature, scale and complexity of risks inherent in the services provided;
- with regard to cloud outsourcing of critical or important operational functions or activities, a reference should be made to the necessary contractual requirements;
- documentation requirements and written notification to the supervisory authority regarding cloud outsourcing of critical or important operational functions or activities; and
- with regard to each cloud outsourcing arrangement that covers critical or important operational functions or activities, a requirement for a documented and tested exit strategy. The exit strategy may involve a range of termination processes.
3.4 Recommendation 4 – Pre-outsourcing analysis
A (re)insurance company should undertake the following actions before entering into an agreement with a cloud service provider:
- assess if the cloud outsourcing agreement concerns a critical or important operational function or activity;
- identify and assess all relevant risks of the cloud outsourcing agreement;
- undertake appropriate due diligence on the prospective cloud service provider; and
- identify and assess conflicts of interest that the outsourcing may cause in line with the requirements set out in Article 274(3)(b) of Delegated Regulation 2015/35.
3.5 Recommendation 5 – Assessment of the criticality or importance of cloud outsourcing
A (re)insurance company should assess if the outsourcing relates to an activity that is critical or important or could become critical or important in the future. In that regard, the following elements should be taken into account:
- the potential impact of any material disruption to the outsourced activity, or of a failure of the cloud service provider to provide the services at the agreed service levels, on the company’s:
  - continuous compliance with its regulatory obligations;
  - short and long-term financial and solvency resilience and viability;
  - business continuity and operational resilience;
  - operational risk, including conduct, ICT and legal risks; and
  - reputational risks;
- the potential impact of the cloud outsourcing arrangement on the ability of the company to:
  - identify, monitor and manage all relevant risks;
  - comply with all legal and regulatory requirements; and
  - conduct appropriate audits regarding the outsourced operational function or activity;
- the company’s (and/or group’s, where applicable) aggregated exposure to the same cloud service provider and the potential cumulative impact of outsourcing arrangements in the same business area;
- the size and complexity of any of the company’s business areas affected by the cloud outsourcing arrangement;
- the ability, if necessary or desirable, to transfer the proposed cloud outsourcing arrangement to another cloud service provider or reintegrate the services; and
- the protection of personal and non-personal data and the potential impact on the company, policyholders or other relevant subjects of a confidentiality breach or of a failure to ensure data availability and integrity under the GDPR. The company should pay particular attention to business-secret and/or sensitive data (for example, policyholders’ health data).
3.6 Recommendation 6 – Risk assessment of cloud outsourcing
(Re)insurance companies should assess the nature, scale and complexity of the risks of the cloud outsourcing and adapt their strategy accordingly. When outsourcing critical or important activities, (re)insurance companies should take into account additional elements, such as political stability of the countries from where the outsourced services are provided, how to reduce risks, etc.
3.7 Recommendation 7 – Due diligence on the cloud service provider
Before engaging a cloud service provider, the (re)insurance company should perform due diligence on that provider. When outsourcing critical or important activities, (re)insurance companies should assess the suitability of the provider by taking into account its infrastructure, economic situation, regulatory status, etc.
3.8 Recommendation 8 – Contractual requirements
The (re)insurance company and the cloud service provider should lay down their obligations in a written agreement. The recommendations set out several elements that should be included in this agreement, such as the parties’ financial obligations, whether the outsourcing concerns a critical or important activity, the locations where the data will be stored, monitoring rights of the (re)insurance company, etc.
3.9 Recommendation 9 – Access and audit rights
The above agreement should include auditing and access rights for the (re)insurance company to enable it to fulfil its regulatory obligations. Specific attention is necessary in this regard if the outsourcing relates to critical or important operational functions or activities. The recommendations specify that third-party (pooled) audits or internal audit reports made available by the cloud service provider may be sufficient, provided that adequate safeguards are in place in the case of critical or important operational functions.
3.10 Recommendation 10 – Security of data and systems
(Re)insurance companies must ensure that the cloud service provider complies with the applicable European and national legislation and with appropriate ICT security standards. When outsourcing critical or important operational functions, a risk-based approach is necessary. The recommendations set out some elements that should be assessed, such as network traffic availability and expected capacity, the incident management process, ensuring that a copy of the data is stored in one or more locations outside the cloud service provider’s head office, and protection by strong authentication solutions.
3.11 Recommendation 11 – Sub-outsourcing
When a (re)insurance company outsources critical or important functions, certain clauses relating to sub-outsourcing should be included in the outsourcing agreement.
3.12 Recommendation 12 – Monitoring and oversight of cloud outsourcing agreements
Through an established monitoring and oversight mechanism, the (re)insurance company should regularly monitor the cloud service provider’s performance, security and adherence to the agreed service levels. Moreover, the management of the (re)insurance company should be updated regularly.
3.13 Recommendation 13 – Termination rights and exit strategies
In the case of outsourcing of critical or important operational functions, the outsourcing agreement should contain an exit strategy to avoid lock-in, i.e. to enable the (re)insurance company to terminate the agreement without detriment to the continuity and quality of the services. The recommendations specify that, for example, a comprehensive exit plan and the identification of alternative solutions are necessary.
3.14 Recommendation 14 – Cloud outsourcing to a third country
Outsourcing to a cloud service provider outside of the European Economic Area is permitted when the (re)insurance company can guarantee that its statutory auditor and the National Bank of Belgium can exercise their access and auditing rights in accordance with applicable law, which means that the latter have access to the data at all times. Additional conditions apply when outsourcing critical or important activities outside the EEA.
3.15 Recommendation 15 – Retention of (re)insurance documents
The law of 13 March 2016 on the legal status and supervision of insurance and reinsurance companies (see above) provides that insurance companies must keep original copies of certain documents, such as (re)insurance agreements, at their registered office. Thus, (re)insurance companies should comply not only with the recommendations on retention but also with the aforementioned law.
4 PAY ATTENTION WHEN ENTERING INTO A CLOUD OUTSOURCING AGREEMENT
Cloud outsourcing has many advantages; however, (re)insurance companies must be aware of the challenges as well. The National Bank of Belgium obliges (re)insurance companies to mitigate these challenges through a risk-based approach. In addition, (re)insurance companies must pay special attention to the outsourcing of critical or important operational functions or activities, as described in Recommendation 5.
We are at your disposal to assist you with the audit of the cloud service provider or with the drafting or review of the cloud outsourcing agreement.