Regulating and supervising the clouds: emerging prudential approaches for insurance companies
The increasing use of cloud computing services for core functions brings undoubted benefits to the insurance sector. However, these services also pose unique risks, given the shared use of computing resources; the sensitivity of the data involved; the cross-border nature of service provision; and the concentration of market providers. This paper outlines the emerging regulatory and supervisory approaches that 14 authorities have implemented to deal with these risks. Most of these authorities apply existing frameworks on outsourcing, governance, risk management and information security to insurers' cloud computing activities. In some cases, authorities have issued cloud-specific recommendations and guidance, with a special emphasis on information security, data confidentiality, recovery and resumption capabilities and audit rights. Insurers' cloud computing activities are generally included in the supervision of operational risks. In addition, authorities are making increasing use of thematic reviews and informal contacts with cloud providers.
JEL classification: G22, M15, O33