BIS: Regulating and supervising the clouds: emerging prudential approaches for insurance companies

06 December 2018

This paper outlines the emerging regulatory and supervisory approaches in selected jurisdictions to cloud computing activities in the insurance sector. Authors analyse the regulatory and supervisory approaches of 14 authorities worldwide and present key insights on the emerging prudential treatment of cloud computing in the insurance industry.

Insurers have made increasing use of cloud computing in recent years. Cloud services were initially applied to business support functions, such as customer management or collaboration applications. Currently, cloud computing is being used in core business functions, such as product development, distribution, underwriting or claims administration.

Cloud computing brings a number of benefits to the insurance industry. It lets insurers share available-on-demand networks, servers, storage, application and services that can be rapidly scaled up or down, and accessed anytime and anywhere. In this way, cloud computing allows insurers to quickly launch new products and services, make business processes more efficient and reduce information technology (IT) costs. 

The use of third-party cloud computing services may pose risks that are different from traditional outsourcing arrangements. Besides the operational risks of any outsourcing activity, cloud computing may pose additional risks to the insurance sector, given:

• shared computing resources in some cloud deployment models;
• the type of information that is stored and processed;
• the different geographical location of computing resources and providers; as well as
• the small number of global cloud providers, resulting in market concentration that could have systemic implications. The cross-border nature of cloud services complicates the effective oversight of all these risks. 

Authorities apply their frameworks for general outsourcing and for governance, risk management and information security to cloud computing. Some authorities include cloud-specific sections in these frameworks. Other authorities have issued cloud-specific recommendations or supervisory expectations. Regardless of the approach taken, cloud computing arrangements are subject to regulatory requirements only if they are deemed as material. However, the criteria for deciding whether such arrangements are material vary across jurisdictions.

Regulatory frameworks have a number of common requirements and expectations for cloud computing. Authorities generally focus on:

• the adequacy of information security and data confidentiality;
• the strength of IT and cyber-security capabilities at cloud service providers;
• the effectiveness of recovery and resumption capabilities; and
• the adequacy of audit rights (ie the supervisory authority’s access to documentation and information, and ability to conduct on-site inspections at the provider).

Also, authorities are generally using non-binding guidance through principles and recommendations and adopting a proportionate approach (ie tailored to reflect the size, complexity or risk profile of financial institutions or outsourced service).

Cloud computing outsourcing arrangements are generally supervised as part of the oversight of operational risks. Authorities usually assess cloud computing practices as part of insurance companies’ off-site and on-site reviews of operational risk, following a risk-based approach. Before an insurer enters into a cloud servicing agreement, some authorities require notification, while others prescribe a consultation or approval process: the approaches to this communication vary widely. At the very least, most authorities expect informal communication from insurers on their material cloud computing plans.

This study yields some useful insights on the emerging regulatory and supervisory approaches for cloud computing in the insurance sector. Some key specific considerations for insurance authorities include:

• There is value in clarifying regulatory/supervisory expectations on insurers’ use of cloud computing services. The usefulness of this approach is to address the unique risks posed by cloud computing and to provide a reasonable level of regulatory certainty with respect to the use of cloud services by the financial industry.
• Developing a supervisory framework to assess concentration risk in cloud computing is work in progress. While authorities generally acknowledge that reliance on a relatively small number of providers may result in systemic risk for insurers, very few perform industry reviews of the concentration risks arising from cloud service providers.
• Enhancing cross-border cooperation, particularly in terms of information-sharing, is essential for the effective supervision of the cloud computing business. Users and providers of cloud services may be located in different jurisdictions. Even if they are physically in the same place, data storage could be elsewhere. Therefore, international cooperation between different national authorities, in particular by sharing relevant information on cloud service providers, is especially important when it comes to ensuring effective oversight of cloud activities. 

Full publication

© BIS - Bank for International Settlements