Take the hint!
On January 31, 2020, the EIOPA (European Insurance and Occupational Pensions Authority), the European regulator of insurers and reinsurers, published document EIOPA-BoS-20-002, which establishes the guidelines for the supervision of cloud service providers that insurers hire to carry out activities considered critical or important to their business.
In addition to the pertinent analysis of the risks related to outsourcing these activities, it should be noted that the guidelines provide for an evaluation of potential suppliers prior to contracting them, to ensure that they are suitable in light of the risk analysis carried out.
On the other hand, the obligation to carry out active supervision of suppliers is also established, to verify that they comply with the security requirements that entities must have defined, and that this compliance is maintained throughout the provision of their services.
Consequently, insurance and reinsurance companies acquire a set of obligations that may require dedicated resources, in order to ensure the protection and security of information and to manage the risks that the supply chain introduces into the business itself.
This type of regulation is not something new. The financial sector was the first whose regulators established guidelines to follow when outsourcing services.
The first was the document that the European Committee of Banking Supervisors (CEBS) published in December 2006, which consisted of 12 guidelines to be applied to the outsourcing of “material activities”, understood as those whose failure or weakness could affect the institution's compliance with its regulatory functions and obligations (all of which require a regulatory licence), or those that could have an impact on risk management.
In 2017 the European Banking Authority (EBA) published new guidelines establishing supervision and auditing requirements for those material activities that are outsourced to cloud service providers. The recent EIOPA document is practically a copy of these EBA guidelines, limiting their application to critical or important services rather than to those understood as "material", which appears to be a broader scope.
However, in February 2019 the EBA published a new guidelines document which consolidates the two documents mentioned above and extends their application not only to cloud services, but to all outsourced services involving functions related to these material activities. It would not be surprising if, in the near future, EIOPA expanded the scope of services that insurers must include in their supervision.
On the other hand, why should only cloud providers be supervised? Undoubtedly, all entities have many other suppliers in which a security incident can have a serious impact on the business: it may affect its continuity, cause an information leak, cause direct or indirect financial damage, reputational damage, etc. In summary, logic dictates that all providers capable of such an impact be supervised, based on a principle of proportionality, and not just cloud service providers.
That said, both EIOPA and its EBA model open up the possibility, so that supervision is more efficient, that instead of each entity evaluating its suppliers individually (while always retaining responsibility), entities can use mechanisms such as shared audits, or certifications and audits carried out by third parties, provided that these meet a series of conditions.
At LEET Security we have shown how our rating meets these conditions, so that several entities, in both the financial and the insurance sectors, are already using it, since it facilitates both the required pre-contract evaluation and the supervision during the provision of services. The table below offers a comparison of how well different models fit the requirements for the use of third-party certifications and audits established by the EIOPA:
And this is not all ... just a few days ago, ESMA, the European regulator of the securities markets (whose counterpart in Spain is our CNMV), published a public consultation in exactly the same terms that first the EBA and later the EIOPA issued in their day, with the aim of identifying, addressing and monitoring the risks associated with outsourcing cloud services, and that the EBA later expanded to all outsourced services. In Spain we have a saying: "When you see your neighbour's beard being trimmed, put your own to soak." Basically, take the hint!
All you need is LEET!