On 24 June 2020, Luxembourg’s insurance regulatory body (Commissariat aux Assurances – CAA) published Circular Letter 20/13 concerning the EIOPA guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002). Through this circular letter, the CAA clarifies that it fully intends to apply these guidelines, inviting all insurance and reinsurance entities to take the necessary steps to achieve compliance.
Given the growing importance of cloud services as a driver of innovation and the rising interest in outsourced cloud solutions within the insurance sector, this comes as a welcome step. It clarifies the regulatory requirements that entities should apply when making cloud outsourcing arrangements.
As detailed below, the guidelines consist of 16 chapters, with the first 15 focused on companies and the last one concerning the CAA.
- Cloud services and outsourcing
- General principles of governance for cloud outsourcing
- Update of the outsourcing written policy
- Written notification to the supervisory authority
- Documentation requirements
- Pre-outsourcing analysis
- Assessment of critical or important operational functions and activities
- Risk assessment of cloud outsourcing
- Due diligence on cloud service provider
- Contractual requirements
- Access and audit rights
- Security of data and systems
- Sub-outsourcing of critical or important operational functions or activities
- Monitoring and oversight of cloud outsourcing arrangements
- Termination rights and exit strategies
- Supervision of cloud outsourcing arrangements by supervisory authorities
Those familiar with banking regulation will note that the guidelines do not feature a precise definition of cloud computing, unlike Circular CSSF 17/654 on cloud computing. In general, the requirements are similar to those of the European Banking Authority Guidelines on outsourcing.
It should be noted that the guidelines require entities to notify the CAA whenever a cloud outsourcing arrangement relates to a critical or important function.
Circular Letter 20/13 draws attention to professional secrecy, as defined in Article 300 of the Law of 7 December 2015 on the insurance sector. While the obligation of professional secrecy remains, the law was amended in 2018 to define compliance requirements in the cases of intragroup outsourcing arrangements and outsourcing abroad.
The guidelines apply to all cloud outsourcing arrangements entered into or amended on or after 1 January 2021. Companies should review and amend existing cloud outsourcing arrangements related to critical or important functions by 31 December 2022.
Need a hand?
KPMG can help in a number of ways: cloud strategy and transformation services, internal upgrades and liaising with regulators. Please visit our website or contact me to find out more.