The European Insurance and Occupational Pension Authority (EIOPA) has opened a consultation on draft guidance on the use of cloud-based services by insurers and reinsurers.
The guidance largely mirrors guidance on outsourcing developed by the European Banking Authority (EBA) for banks, investment firms and payment institutions. That guidance is due to take effect on 30 September this year, though the financial companies subject to them will have until the end of 2021 to ensure their full compliance with them.
The EIOPA proposals address a broad range of topics, including risk assessment and due diligence obligations, governance arrangements, the substance of cloud contracts, oversight of the cloud supply chain, data security, rights of access to information held by cloud providers, as well as termination rights and exit strategies.
Like the EBA, the EIOPA guidelines make a distinction between the requirements applicable to 'material' outsourcing and 'non-material' outsourcing.
The guidelines require that insurers provide written notification of their material cloud outsourcings to regulators. An internal register of both material and non-material functions outsourced to cloud service providers must be maintained by insurance providers, EIOPA said.
A 'material' outsourcing is defined in the guidelines as "the outsourcing of critical or important operational functions or activities".
Insurers are required to carry out a materiality assessment to determine which outsourcing arrangements are considered material and which are not. The guidelines set out factors insurers should consider when carrying out the materiality assessment. These include the protection of data and potential impact of a confidentiality breach, how outages could affect the provision of services, the ability to manage risk and comply with legal obligations, as well as the cost, size and complexity of the outsourcing arrangements.
There are some areas in which the EIOPA guidelines differ to those developed by the EBA.
Financial services and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law, said: "EIOPA seems to have recognised that some of the language used in the EBA guidelines is unhelpful. This includes use of the word 'unrestricted’ in relation to audit rights, when clearly there are circumstances where audit rights need to be limited – such as where it could create a risk to another customer's environment in a multi-tenant cloud context. The consultation will give insurance and cloud providers the opportunity to reduce further instances where the language used may cause friction."
"One particular concern is that unlike the EBA guidelines, the EIOPA guidelines suggest that 'outsourcing should be assumed' when making an assessment of whether or not a purchase of goods or services or other arrangement will be subject to the guidelines. Why the assessment should not be objectively made and the starting position should be that an arrangement is an outsourcing is not clear and could lead to some unintended consequences," he said.
The EIOPA has proposed that the guidelines should apply to cloud outsourcing arrangements entered into or amended on or after 1 July 2020. Insurers and reinsurers would have until 1 July 2022 to "review and amend accordingly existing cloud outsourcing arrangements with a view to ensuring that these are compliant" with the guidelines, it said.
EIOPA's consultation is open until 30 September.