Cloud Technology for Insurers - Part 6
Does EU insurance supervisory law allow insurers to use public clouds?
In the previous article in our series, we discussed the data protection challenges that insurers need to consider when planning to migrate into the public cloud. In the present article, we start discussing the requirements imposed by EU insurance regulation.
Requirements under Solvency II
Insurance companies in the EU must ensure compliance with the provisions and requirements of the European insurance supervisory law (Solvency II). The aim of the insurance regulator is to harmonize and regulate the insurance industry, and to improve the protection of policyholders.
Outsourcing business-critical applications
The EU insurance supervisory law defines specific requirements for outsourcing critical components of insurance activities. All components required to perform key tasks of the insurance business are considered business critical. Outsourcing comprises any service that an insurance company would normally carry out itself but instead obtains from a third-party provider. This includes the use of public cloud services, since they replace infrastructure and services classically provided by an insurer’s own IT department.
The insurance supervisory law stipulates specific organizational and notification requirements in the event that critical insurance activities are outsourced. Insurance companies are obliged to notify the responsible insurance supervisory authority, in a timely manner, of the planned outsourcing of critical components. The responsible supervisory authority is deemed to be that of the country in which the company’s registered headquarters are located.
Approval by the supervisory authority
Prior to the actual outsourcing, insurance companies must further submit a series of required statements and documents stating the reason for and scope of the planned outsourcing. Although the insurance supervisory law does not itself entail any licensing requirements, a national supervisory authority may prescribe its own. For example, the German supervisory authority BaFin merely imposes a duty of disclosure on insurance companies, while the Swiss supervisory authority FINMA considers the outsourcing of critical components as relevant to the business plan and therefore subject to its approval.
Regardless of whether supervisory authority approval is required or not, the outsourcing of critical operational activities must not (materially) impair the quality of system governance, unduly increase operational risk, impair the supervisor’s ability to monitor compliance, or undermine continuous and satisfactory service to policyholders.
Another requirement for outsourcing under the insurance supervisory law is that the insurer must designate a person with overall responsibility for the outsourced key function. Ideally this role should be assumed by an experienced IT professional who possesses sufficient knowledge and expertise regarding the outsourced key functions, and who is capable of challenging the performance of the cloud provider.
Furthermore, the insurer is required to establish a written internal governance framework describing in detail all the relevant functions and responsibilities for the outsourcing. The framework must further outline the due diligence process which was conducted by the insurer prior to the decision on whether or not to outsource to a public cloud provider. When outsourcing critical business applications, the insurer must undertake a detailed examination to ensure that the cloud provider has the ability and capacity to deliver the required functions or activities satisfactorily in light of the insurer's needs and objectives (i.e. the insurer must make sure that the cloud provider has adequate contingency plans in place to deal with emergency situations or business disruptions, and that it periodically tests backup facilities where necessary).
Finally, the insurer’s governance framework must include an appropriate outsourcing policy that considers the impact of outsourcing on its business and the monitoring and reporting arrangements to be implemented in the case of outsourcing. The objective is to create an oversight framework and assign clear responsibilities for managing and overseeing the services and the associated risks.
Legal basis: Directive 2009/138/EC and Commission Delegated Regulation (EU) 2015/35
In the next few articles in our series we will be discussing how insurance companies can meet further requirements imposed by insurance supervisory law when using public cloud services for critical business applications. Stay tuned!
If you have questions on any article in this series, please feel free to contact us.