|
Insurers have made increasing use of cloud computing in recent years. Cloud services were initially applied to business support functions, such as customer management or collaboration applications. Currently, cloud computing is being used in core business functions, such as product development, distribution, underwriting or claims administration.
Cloud computing brings a number of benefits to the insurance industry. It lets insurers share available-on-demand networks, servers, storage, application and services that can be rapidly scaled up or down, and accessed anytime and anywhere. In this way, cloud computing allows insurers to quickly launch new products and services, make business processes more efficient and reduce information technology (IT) costs.
The use of third-party cloud computing services may pose risks that are different from traditional outsourcing arrangements. Besides the operational risks of any outsourcing activity, cloud computing may pose additional risks to the insurance sector, given:
Authorities apply their frameworks for general outsourcing and for governance, risk management and information security to cloud computing. Some authorities include cloud-specific sections in these frameworks. Other authorities have issued cloud-specific recommendations or supervisory expectations. Regardless of the approach taken, cloud computing arrangements are subject to regulatory requirements only if they are deemed as material. However, the criteria for deciding whether such arrangements are material vary across jurisdictions.
Regulatory frameworks have a number of common requirements and expectations for cloud computing. Authorities generally focus on:
Also, authorities are generally using non-binding guidance through principles and recommendations and adopting a proportionate approach (ie tailored to reflect the size, complexity or risk profile of financial institutions or outsourced service).
Cloud computing outsourcing arrangements are generally supervised as part of the oversight of operational risks. Authorities usually assess cloud computing practices as part of insurance companies’ off-site and on-site reviews of operational risk, following a risk-based approach. Before an insurer enters into a cloud servicing agreement, some authorities require notification, while others prescribe a consultation or approval process: the approaches to this communication vary widely. At the very least, most authorities expect informal communication from insurers on their material cloud computing plans.
This study yields some useful insights on the emerging regulatory and supervisory approaches for cloud computing in the insurance sector. Some key specific considerations for insurance authorities include: