The increasing threat that new market entrants might use technology to win a share of the insurance market has been forcing established insurers to assess the ways in which they might maintain their competitive advantage. These assessments can be difficult and have far-reaching consequences, with some insurers selling businesses to allow their systems to be streamlined and others announcing significant changes to their strategy.
Cognisant of changing market conditions, regulators are taking particular interest in the steps that insurers are taking to use technology in order to improve efficiency and to reshape their operations. More generally, regulators are considering how “operationally resilient” insurers (and other financial service companies) are, and how business models will fare when they are subjected to unexpected events.
Regulators (as well as legislators) are, however, also showing a willingness to facilitate the use of new technologies. The EU’s Digital Single Market Strategy is an important and widely publicised initiative from the EU Commission, and is being expressly recognised by regulators as they consider how best to engage with progress in technology.
Against this background, EIOPA has decided to consult on whether its existing guidelines on outsourcing need to be amended or supplemented to reflect properly the challenges faced by insurers availing of the services of cloud service providers (CSPs). Its consultation paper sets out a number of policy questions on which EIOPA wants to engage. The paper also contains a series of draft guidelines that are similar to, but different from, EIOPA’s existing guidelines on outsourcing.
Many of the guidelines in EIOPA’s consultation paper will be familiar to seasoned compliance professionals. These include obligations to document matters appropriately, to give advance notice to regulators before implementing material outsourcing and to ensure that outsourcing is appropriately overseen on an ongoing basis, none of which is surprising to insurers that must already comply with Solvency II outsourcing rules.
The consultation paper does, however, seek to engage on many issues that are specific to outsourcing with CSPs. For example, it invites insurers to consider whether their relationships with different types of CSPs (e.g. those that provide software as a service, those that provide insurers with a platform, and those that make infrastructure available) might need to be treated differently. EIOPA also highlights data protection, security issues, the location of data and concentration risks (particularly to large CSPs) as specific areas of concern.
Of these concerns, data protection and the risk of a cyber-breach will be all too familiar to insurers. The ICO’s recent announcements that it intends to fine British Airways (£189m) and the Marriott hotel group (£100m) will have ensured that there is no complacency now that GDPR implementation projects have finished.
Engaging with CSPs may, however, require insurers to consider location of data in a different way than in the past. CSPs can have servers in numerous locations, and this can give rise to some regulatory challenges. Even if all of these servers are in the EEA (which would side-step some otherwise difficult data-protection questions), financial regulators may need to be convinced that insurers can discharge their obligation under Solvency II to ensure that their regulators have effective access. Regulators may become particularly focussed on this if the data in question will be held on servers in remote and inaccessible locations.
Concentration risks may also be more difficult to assess than more readily quantifiable risks. Establishing the operational risks posed by having a relationship with a CSP that is not readily substitutable, or having wide and varied relationships with a single CSP, will almost certainly involve a multi-disciplinary assessment of the insurer’s operational processes. Establishing and prioritising the operational risks arising from concentrations with any one CSP could prove difficult, particularly where the relationship with the CSP covers a number of businesses with operations in different countries.
EIOPA has asked interested parties to respond to the consultation by 30 September 2019. Each insurer will need to consider how best to engage on the consultation.
Of wider import, however, is EIOPA’s expectation that new guidelines would apply from 1 July 2020 and that existing arrangements would comply with those guidelines by 1 July 2022. How significant this exercise is will clearly depend on the extent to which an insurer expects to rely on CSPs by 2020 or 2022, respectively. For some, this can be expected to be a reasonably onerous exercise. While EIOPA indicates that some flexibility may be forthcoming in respect of the 2022 deadline, a given insurer can expect leniency to be dependent upon there having been adequate engagement on the issue before then.