In recent years, insurance and reinsurance companies have taken an increasing interest in using the services of cloud service providers. This has led the Belgian National Bank to issue 15 recommendations to provide further guidance for institutions outsourcing their activities to cloud service providers to avoid undue operational risks. We have set out below a summary of these recommendations, which will apply from 1 January 2021.
Cloud outsourcing has several advantages (such as economies of scale, flexibility, operational efficiencies and cost-effectiveness), but it also raises challenges in terms of “chain” outsourcing, data protection, security issues and concentration risk.
Therefore, the Belgian National Bank (“BNB”) has issued a circular for the insurance sector setting out 15 recommendations on outsourcing to cloud service providers (“Circular”). It is important to be aware of these recommendations as they will apply from 1 January 2021.
Context
Each insurance or reinsurance company wishing to adopt and benefit from cloud computing should ensure that risks are appropriately identified and managed (the use of outsourcing should not, for instance, unduly increase operational risk).
The Circular implements the guidelines of the European Insurance and Occupational Pensions Authority (EIOPA) relating to insurance outsourcing and applies without prejudice to the other regulations that apply to outsourcing in the insurance sector (such as the Solvency II Law and the Delegated Regulation n° 2015/35).
Recommendations on outsourcing to cloud service providers
In the Circular, the BNB has set out various recommendations for insurance or reinsurance companies entering into a cloud outsourcing agreement, namely:
- Determine, for each agreement, whether the partnership qualifies as outsourcing within the meaning of the Solvency II Law.
- Perform a thorough risk assessment when outsourcing important or even critical operational functions/activities to cloud service providers (e.g. take into account regulatory risks or possible competition law violations).
- Update the written outsourcing policy to reflect the specific details of the cloud outsourcing (for example, adding a separate appendix or developing new dedicated policies) and review the other relevant internal policies (for example, information security policies).
- Perform a pre-outsourcing analysis before concluding the cloud outsourcing agreement (e.g. determine the importance of the outsourced function/operational activity; assess the risks involved; conduct due diligence of the service provider).
- Ensure that the rights and obligations of the parties to the cloud outsourcing agreement are clearly established in a written agreement, while still complying with the mandatory statements applicable to outsourcing important or even critical operational functions/activities.
- Make sure that the cloud outsourcing agreement complies with regulatory obligations in terms of access, audit and control. The agreement needs to address, inter alia, the scope of these rights, the option of using a third party to carry out such controls and the minimum period between notifying and carrying out an on-site visit.
- Oblige the outsourcing service provider to protect the confidentiality of the data transferred and comply with ICT security standards and the GDPR. Further to the Schrems II judgment by the Court of Justice of the European Union (see Law Now) and guidance on data transfers post-Schrems II (see Law Now), institutions should take special care when entering into and managing outsourcing agreements undertaken outside the EEA because of possible data protection risks. Institutions should consider specific measures, where necessary, for data in transit, in memory and at rest using encryption technologies alongside appropriate keys management.
- Take into account the risks associated with “chain” outsourcing (sub-outsourcing), where the outsourcing service provider sub-contracts elements of the service to other providers. For instance, the master outsourcing contract (between the insurance/reinsurance undertaking and the cloud outsourcer) should clearly define its scope, deal with the liability of the sub-outsourcer and address the issue of replacing the sub-outsourcer.
- Monitor, on a regular basis, the cloud service provider’s outsourcing activities as well as compliance with its obligations. We would recommend implementing suitable monitoring mechanisms and procedures.
- Provide for an early termination clause, while also providing for the continuity and quality of the outsourced services in the event of early termination (for instance, the cloud service provider should adequately support the insurance/reinsurance undertaking when transferring the outsourced data, systems or applications to another service provider or directly back to such undertakings).
- Make sure that the undertaking’s accredited statutory auditor and the BNB are always able to exercise and enforce their access and audit rights and have access to data located outside the EEA.
- Keep a record of the cloud outsourcing agreements (including terminated arrangements) for an appropriate period in case the BNB requests a copy.
- Notify to the BNB the critical and important functions or activities outsourced.
When will the Circular take effect?
The Circular applies from 1 January 2021. From that date, all outsourcing agreements entered into, renewed or amended by insurance or reinsurance companies should comply with the Circular.
For more information on these recommendations and how they affect insurance or reinsurance companies, please contact Benoît Vandervelde or your usual local contact at CMS.
Benoît Vandervelde, Partner, Brussels
Florence Berchem, Junior Associate, Brussels
Thomas Dubuisson, Associate, Brussels
