A regulator’s perspective: cloud outsourcing in the insurance sector
The National Bank of Belgium (NBB) has issued fifteen recommendations for cloud service providers in the insurance sector, which will apply as from 1 January 2021.
The recommendations cover the entire outsourcing process and build in higher standards in case critical or important functions and activities are outsourced. They reflect the opportunities that outsourcing can offer, but equally recognise the risks inherent thereto, especially in respect to cloud outsourcing. Successful (cloud) outsourcing strategies in the insurance sector will therefore require an integrated and pro-active approach.
In summary, the NBB recommends insurers to:
- Ask themselves whether or not the contemplated arrangement constitutes outsourcing;
- Ensure that any decision to outsource critical or important functions/activities is based on a through risk assessment;
- Update the written outsourcing policy;
- Carry out a pre-outsourcing analysis;
- Assess whether it concerns a critical or important function/activity;
- Identify and assess the potential impact of cloud outsourcing in order to adopt an proportionate risk approach;
- Perform a due diligence on the cloud service provider;
- Clearly allocate the rights and obligations of the company resp. cloud service provider;
- Preserve access and audit rights in order to comply with their regulatory obligations;
- Ensure regulatory compliance (incl. ICT security standards) by cloud service providers;
- Consider and insert arrangements on sub-outsourcing (if permitted);
- Monitor the cloud outsourcing arrangements and set up the necessary mechanisms to do so;
- Have a clearly defined exit strategy clause to terminate the agreement (if necessary);
- In case the cloud service provider’s data are located outside the EEA, ensure (and enforce) access and audit rights;
- Retain original copies of certain documents at the registered office.
Vanessa MarquettePartner Attorney at Law
Vanessa Marquette, attorney at law, is a partner in the Banking and Finance Practice Group of our Brussels office and a member of the firmwide Restructuring & Insolvency team. She is recognized for her expertise in Banking and Finance with a focus on international finance law, regulated financial services, sustainable finance and banking litigation.T: +32 2 773 23 25 E: firstname.lastname@example.org
Stéphanie De SmedtCounsel Attorney at Law
Stéphanie De Smedt, attorney-at-law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT Team, the Data Protection Team and the Life Sciences Team.T: +32 2 773 23 77 E: email@example.com