Cloud Technology for Insurers - Part 8
Is it possible to audit a provider of public cloud services?
When outsourcing IT infrastructure to the public cloud, insurers remain responsible for compliance with all requirements under insurance supervisory law. One of these requirements is that they must retain effective rights to audit the cloud provider.
The risk of a limited audit right
The Solvency II framework defines extensive requirements for the audit rights that an outsourcing partner must grant to an insurer¹: the insurance company itself, its auditors and the responsible supervisory authority must have effective access to the service provider's business premises and be allowed to carry out on-site inspections.
However, for security reasons, cloud providers usually do not grant access to their data centers to anyone except selected independent audit and certification bodies. For good reason: if every cloud customer were allowed to walk through a provider’s data centers, this would not exactly contribute to security.
How to manage this risk
When negotiating a legal agreement with a cloud provider, insurers should always try to secure contractually the broadest possible scope for the prescribed audit rights. Some providers have already recognized the special requirements of financial services providers (and even insurers specifically) and have prepared corresponding contractual amendments for this category of customers, which at least ensure limited audit rights.
Reports and certifications
If it is not possible to implement the regulatory requirements literally, this should be recorded as a risk and discussed with the supervisory authority at an early stage. In support of this, reference can be made to the certifications and reports compiled by external, independent auditors (e.g. SOC reports), which the cloud provider regularly commissions and makes available to its customers. When relying on such a report, check that its scope actually covers the services and regions the insurer uses and that the period it covers is current; a report for a different service line or an expired period says little about the outsourced workload.
The range of certifications and reports available should be one of the criteria used when evaluating cloud provider candidates, because providers may differ significantly in terms of the types of reports and certifications they provide. Typically, more mature providers offer a wider range than less mature ones. The table below gives a short overview of some important certifications and reports. In addition to these globally relevant types, providers may also have certifications or reports that are based on country-specific standards, in some cases even standards of the local financial services regulatory authority.
1: Article 274 of Commission Delegated Regulation (EU) 2015/35 supplementing Directive 2009/138/EC (Solvency II)
If you have questions on this or any other article in this series, please feel free to contact us.