Insurers should review cloud contracts with EIOPA guidance in mind

The guidance is still under development but it looks set to place strict regulatory demands on insurers in respect of both the contents of their contracts with cloud providers and their governance of those contracts.

Pinsent Masons, the law firm behind Out-Law, has urged the European Insurance and Occupational Pension Authority (EIOPA), the body behind the proposed new guidance, to make some changes to its draft text to help insurers more practically achieve compliance.

EIOPA's cloud guidance

EIOPA published its draft guidelines on outsourcing to cloud service providers in July this year, opening a consultation on its proposals at the same time. That consultation closed on 30 September.

The EIOPA guidance is relevant to insurance and reinsurance providers and expands upon legislative requirements contained in the EU's so-called 'Solvency II' framework.

EIOPA said it was prompted to develop new guidelines on cloud outsourcing after the European Commission called on EU regulators to explore the need for guidelines on cloud outsourcing in its 2018 fintech action plan and its follow-up discussions with stakeholders.

EIOPA has proposed that the guidelines should apply immediately to cloud outsourcing arrangements entered into or amended on or after 1 July 2020, but has signalled that insurers and reinsurers would have until 1 July 2022 to "review and amend accordingly existing cloud outsourcing arrangements with a view to ensuring that these are compliant" with the guidelines too.

The guidelines that EIOPA consulted on broadly mirror separate guidance on outsourcing developed by the European Banking Authority (EBA), although with some significant differences. That guidance took effect on 30 September this year, though the banks, investment firms and payment institutions subject to the EBA's guidelines have until the end of 2021 to ensure their full compliance with them.

While EIOPA appears to have tried to adapt the EBA's guidance, and managed to avoid replicating some requirements from the EBA's guidance which industry flagged as problematic - including in relation to oversight of sub-contracting and contract termination – there remain some issues with EIOPA's proposals which we hope it will address in its finalised guidance.

Clarifying the scope

One of the challenges facing financial firms subject to either the EBA's outsourcing guidance or the prospective EIOPA cloud guidance is that they are required to assess whether the arrangements they enter into with cloud providers constitute an 'outsourcing' at all.

In the case of the EIOPA guidance, it is the definition of 'outsourcing' under the Solvency II regime that is relevant. That states that outsourcing is "an arrangement of any form between an insurance or reinsurance undertaking and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be performed by the insurance or reinsurance undertaking itself".

According to EIOPA, in assessing whether an arrangement constitutes an outsourcing insurers should consider whether the function (or a part thereof) outsourced is performed on a recurrent or an ongoing basis; and whether this function (or part thereof) would normally fall within the scope of functions that would or could normally be performed by the undertaking in the course of its regular business activities, even if the undertaking has not performed this function in the past.

Beyond that, EIOPA has made clear that it expects insurance providers, in cases where it may not be clear, to 'assume' that the arrangements they have put in place with cloud providers constitute an outsourcing.

Why the assessment should not be objectively made and the starting position should be that an arrangement is an outsourcing is not clear and could lead to some unintended consequences.

Taking this more proportionate risk-based approach would be more consistent with the approach that financial institutions subject to the EBA guidelines are required to take as the EBA's guidelines do not require businesses subject to those requirements to assume all third party arrangements to be outsourcings.

Consistency across both sets of guidelines will result in greater harmonisation and potentially significant cost reduction benefits through standardisation of risk management processes across the financial sector.

It would also be helpful for the EIOPA to follow the lead of the EBA in setting out a list of examples of arrangements that fall outside the definition of outsourcing.

A question of language

EIOPA's decision to use the term 'materiality' within the guidelines to describe the concept of a ‘critical or important operational function’ that has its basis in the Solvency II framework creates confusion and is potentially inconsistent with the legislation.

EIOPA has said insurers should make two assessments – one, whether the cloud outsourcing relates to a critical or important operational function; and two, whether the cloud outsourcing materially affects the risk profile of the undertaking. The underlying provisions in Solvency II, however, are wholly concerned with outsourcing arrangements which relate to critical or important functions and the concept of materiality is relevant in assessing whether an outsourcing of a critical or important function materially impairs the quality of the system of governance of the undertaking.

We think that to achieve a more consistent approach with Solvency II, the guidelines should require insurers to make an assessment of whether the outsourcing arrangement relates to a critical or important function only and not separately assess whether it materially affects the risk profile of the undertaking.

If EIOPA are to retain the approach of additionally asking insurers to assess whether the cloud outsourcing materially affects their risk profiles, the guidelines will need to clarify which rules apply in the event the assessment reveals that an arrangement does not relate to a critical or important function but does materially affect the insurer's risk profile. Separate lists which specify which guidelines apply to which category of agreements would provide greater clarity.

Keeping the language the way it is now will make it more difficult for the people tasked within insurance companies to carry out what are often already quite complex risk assessments.

Unnecessary requirements on data

The EIOPA proposals require insurers to ensure their cloud providers comply with appropriate IT security and data protection standards. Insurers are also required to define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis.

As an extension of those requirements, EIOPA has also laid out a number of steps insurers need to take prior to entering into outsourcing agreements with cloud providers. This includes agreeing a data residency policy.

According to EIOPA, this data residency policy must set out "the countries where the undertaking’s data can be stored, processed and managed".

This obligation goes further than what EU data protection law requires. It should be sufficient for insurers to satisfy regulators, using the legal mechanisms provided for under data protection law, that there are adequate protections in place for personal data they are responsible for where that data is transferred outside of the EU without having to effectively list where the cloud providers' data centres are situated.

A further requirement EIOPA has proposed – that insurers document the names of significant sub-outsourcers, if any, including the countries where the sub-outsourcers are registered, where the service will be performed and, if applicable, the locations (i.e. countries or regions) where the data will be stored and processed – is also unnecessarily prescriptive.

That requirement fails to recognise that, in a cloud context, data may transit through a number of locations when services are provided. EIOPA should clarify the meaning of 'where the service will be performed', and exclude from that meaning locations where data is merely in transit.

Being prepared for exiting cloud contracts

Understandably EIOPA, like the EBA in its guidance, wants insurers outsourcing to the cloud to have a strategy in place to ensure they can access their data and continue operations as normal when they exit cloud outsourcing agreements.

EIOPA specifically has stated that insurers should develop exit plans that are sufficiently tested where appropriate. It is not certain, though, from that requirement what it means in practice to 'test' an exit plan.

To reduce uncertainty and inconsistent approaches developing, EIOPA should provide further guidance on what a sufficient test of an exit plan will involve. Inspiration can perhaps be found in the EBA's guidelines which provide that a test could involve carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service.

Consistency matters

In finalising its guidance it is to be hoped that EIOPA are cognisant of the fact that many of the insurers and reinsurers that will be required to comply with the requirements will be part of group companies that have banking or investment arms. Those sister companies may well be subject to the EBA's outsourcing guidelines.

With this in mind, EIOPA should look to ensure the language of their guidelines is aligned with that of the EBA's to give scope for the deployment of standardised approaches to compliance on cloud outsourcing across group companies.

Luke Scanlon is an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.