The recommendations cover the entire outsourcing process and set higher standards where critical or important functions and activities are outsourced. They reflect the opportunities that outsourcing can offer, but equally recognise its inherent risks, especially with respect to cloud outsourcing. Successful (cloud) outsourcing strategies in the insurance sector will therefore require an integrated and proactive approach.
In summary, the NBB recommends that insurers:
- Ask themselves whether or not the contemplated arrangement constitutes outsourcing;
- Ensure that any decision to outsource critical or important functions/activities is based on a thorough risk assessment;
- Update the written outsourcing policy;
- Carry out a pre-outsourcing analysis;
- Assess whether it concerns a critical or important function/activity;
- Identify and assess the potential impact of cloud outsourcing in order to adopt a proportionate risk approach;
- Perform due diligence on the cloud service provider;
- Clearly allocate the rights and obligations of the company and the cloud service provider, respectively;
- Preserve access and audit rights in order to comply with their regulatory obligations;
- Ensure regulatory compliance (incl. ICT security standards) by cloud service providers;
- Consider and insert arrangements on sub-outsourcing (if permitted);
- Monitor the cloud outsourcing arrangements and set up the necessary mechanisms to do so;
- Have a clearly defined exit strategy clause to terminate the agreement (if necessary);
- In case the cloud service provider’s data are located outside the EEA, ensure (and enforce) access and audit rights;
- Retain original copies of certain documents at the registered office.