Is the insurance and reinsurance sector up to date on the EIOPA Guidelines on outsourcing?

The EIOPA Guidelines on outsourcing agreements to cloud service providers, with a compliance deadline by the end of this year, imposes a heavy compliance burden on the insurance and reinsurance sector and the deadline for reviewing its cloud outsourcing agreements is quickly approaching. However, due to the lack of attention concerning the implementation of the sector specific guidelines there is a valid question to be raised: is the insurance sector up to date on the implementation of the EIOPA Guidelines?

Background

Recent cyber-attack demonstrates the vulnerability and risks that the insurance sector faces and shows the importance of secure IT systems containing sensitive personal data. In the end of October this year, Australia’s largest health insurance company, Medibank, announced that it had been subject to a cyber-attack, where the hackers came across personal data of all four million customers. The hackers behind the attack demanded a ransomware to be paid and threatened to otherwise reveal medically sensitive data about known customers.[1]

The importance of outsourcing functions to cloud service providers has increased rapidly in many industries. Outsourcing data processing and storage capacity to cloud service providers reduces the cost of hosting, infrastructure and software and can help streamline IT expenditure leading to greater performance, flexibility, and adaptability.[2] However, as shown in the Medibank cyber case, regular security breaches emphases  that cyber-attacks are a growing concern which undermine confidence and represents a fundamental threat to businesses in all sectors. Given the sensitive personal data which in many cases can be processed by the insurance sector and the potential exposure this entails, it is of great importance to make the financial sector cyber resilient.

The European Insurance and Occupational Pensions Authority’s (“EIOPA”) Guidelines on outsourcing agreements to cloud service providers (“EIOPA Guidelines”), which entered into force on 1 January 2021, serve to identify such risks and to ensure a secure cloud outsourcing infrastructure within the insurance sector. In addition, insurance undertakings must review and amend existing arrangements for cloud service outsourcing relating to critical or important operational functions or activities in accordance with the EIOPA Guidelines and notify the Swedish Financial Supervisory Authority of such agreements by 31 December 2022.

However, despite the closely emerging deadline to review, amend and notify existing arrangements for cloud service outsourcing agreements, the implementation process of the EIOPA Guidelines has been followed by comparatively less attention unlike when the similar Guidelines on outsourcing arrangements from the European Banking Authority entered into force on three years ago (“EBA Guidelines”). One can not but wonder how the implementation process has gone for the industry? Can this relative silence be explained by the insurance sector being more prepared for this type of regulation or is there still work to be done to implement the EIOPA Guidelines?

Why is there no buzz?

Although the EIOPA Guidelines imposes a stricter and heavier regulatory burden on the insurance sector compared to the prior sector specific requirements on internal governance, and even though a violation of the EIOPA Guidelines may be subject to administrative fines or revocation of license, the EIOPA Guidelines have received seemingly little attention compared to when the EBA Guidelines were introduced.

The EIOPA Guidelines apply to all cloud outsourcing arrangements by insurance undertakings, but there is a particular focus on the outsourcing of critical or important operational functions or activities to cloud service providers. Moreover, the EIOPA Guidelines impose the undertakings to maintain a record of its cloud outsourcing arrangements including information on, e.g., the contract and on the service provider[3]; conduct a risk assessment before entering into a cloud outsourcing[4]; conduct a due diligence on the cloud service provider[5]; and include certain clauses in an agreement with any cloud service provider when outsourcing critical or important functions.[6]

Indeed, the EIOPA Guidelines imposes a great administrative weight on insurance undertakings and a need for a well-functioning internal governance. Considering this, as well as the quickly emerging deadlines, it is surprising that the EIOPA Guidelines have not been preceded by a more intense discussion regarding the implantation and its impact on the insurance sector.

Is the insurance sector ready for the EIOPA Guidelines – what does the indications tell us?

The predecessors of the EIOPA Guidelines

The insurance sector’s potential silent treatment of the implementation might be understood in light of the regulations this sector already is obliged to comply with, which may have made it easier for the industry to adopt the new EIOPA Guidelines. The EIOPA Guidelines are based on the Solvency II Directive[7], the Delegated Regulation[8], and EIOPA’s guidance on System of Governance.[9] Hence, the EIOPA Guidelines may be seen as an expansion of the legislative requirements contained in these regulatory frameworks.

The abovementioned regulatory frameworks contain requirements similar to those in the EIOPA Guidelines. Furthermore, the EIOPA Guidelines aim to provide guidance on how the outsourcing provisions set forth in the Solvency II Directive should be applied in case of outsourcing to cloud service providers. In addition, the EIOPA Guidelines is meant to be understood considering the EIOPA Guidelines on System of Governance, in which similar compliance regulations in relation to outsourcing of critical or important operational functions and activities may be found, inter alia, written notification requirements and audit rights.

However, similar legal frameworks also existed for the banking sector when the EBA Guidelines were introduced, which thus does not explain why the EBA Guidelines were followed with greater attention.

Comparison to EBA Guidelines – is the insurance sector now better equipped?

Although the scope of the EIOPA Guidelines (mainly focusing on outsourcing of critical or important operational functions or activities to cloud service providers) is narrower than the EBA Guidelines, the insurance sector may have had an advantage if complying with the EBA Guidelines before the implementation of the EIOPA Guidelines.

EIOPA has explicitly stated that the EIOPA Guidelines have been, to some extent, kept aligned to the EBA Guidelines in order to have market consistency and to foster the harmonisation of the practice related to cloud outsourcing across sectors. The similarities in definitions, wordings, and requirements between these two guidelines may be explained by the fact that the risks associated to this practice are similar across sectors, as well as by EIOPA’s purpose of avoiding potential risks of regulatory fragmentation.[10]

Furthermore, when the EBA Guideline were first introduced, the Swedish Financial Supervisory Authority urged other regulated sectors, including the insurance sector, which did not fall within the scope of the EBA Guidelines, to comply with the EBA Guidelines as well. This “false start” is likely to have given the insurance sector an advantage in complying with the requirements set out in the EIOPA Guidelines. This is also confirmed by a survey conducted by the Swedish Financial Supervisory Authority where especially the life insurance companies proclaimed that they already assessed that they complied with the majority of the requirements set out in the EIOPA Guidelines.[11]

The number of outsourcing agreements notified to the Swedish Financial Supervisory Authority – what does it tell us?

According to the Swedish Financial Supervisory Authority’s records of matter registrations, the insurance undertakings are keeping up the pace with the requirements set out in the EIOPA Guidelines. When reviewing the number of outsourcing agreements notified by the largest insurance undertakings in Sweden to the Swedish Financial Supervisory Authority, the records display a clear trend that insurance undertakings are active in this process. Although the records of registration do not reveal whether these outsourcing agreements concerns cloud service providers, it shows a clear distinction of the number registered outsourcing agreements before and after the EIOPA Guidelines entered into force.

In addition, the records also entail that the insurance undertakings started to submit its outsourcing agreements early upon the introduction of the EIOPA Guidelines, indicating that the insurance undertakings were familiar with the procedures and that it had already implemented adequate internal routines. The fact that the insurance companies were quick to register their outsourcing agreements also suggests that the companies had already adopted the EBA Guidelines while awaiting the EIOPA Guidelines, as implied above.

Final remarks

The fact that the insurance sector, to some extent, already have been working with compliance in relation to the EBA Guidelines prior to the introduction of the EIOPA Guidelines, as well as the fact that most insurance companies have started notifying outsourcing agreements to the Swedish Financial Supervisory Authority, indicate that the insurance sector is well prepared for the EIOPA Guidelines. However, despite the seemingly proactive indications, there is still work to be done and some insurance companies likely have more work cut out for them than others, if to meet the deadlines and to be compliant with the EIOPA Guidelines when procuring new IT services henceforth.

As for now, it is due time for the insurance sector to get their outsourcing arrangements in place and to comply with the EIOPA Guidelines, and we will have to await the final verdict of whether the sector already has done its proactive implementation work, or if the deadlines will take the insurance undertakings off-the-cuff. It will indeed be interesting to see how many notifications that will be received by the Swedish Financial Supervisory Authority and whether the insurance sector’s compliance with the EIOPA Guidelines will be supervised by the Swedish Financial Supervisory Authority as of 2023. And for the time thereafter, the work to ensure compliance with the EIOPA Guidelines, in both existing and new outsourcing arrangements, will continue.

[1] https://computersweden.idg.se/2.2683/1.772062/medibank-hackat?utm_source=dmdelivery&utm_medium=email&utm_campaign=CS%20Senaste%20Nytt%20KV%C3%84LL%202022%202022-10-26%2015%3A50%3A34

[2] the European Commission FinTech Action plan (COM(2018) 109 final), p 11.

[3] Guideline 5.

[4] Guideline 8.

[5] Guideline 9.

[6] Guideline 10.

[7] Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).

[8] Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 supplementing Directive 2009/138/EC of the European Parliament and of the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).

[9] EIOPA-BoS-14/253.

[10] Final report on public consultation 19-270 on guidelines on outsourcing to cloud service providers.

[11] FI dnr 20-19345.