On 6 April 2022, the Dutch Central Bank (De Nederlandsche Bank, DNB) published two news items about the management of outsourcing risks by insurers and pension funds. In 2020 and 2021, DNB reviewed the way in which insurers and pension funds manage outsourcing risks. DNB concludes that service providers to whom insurers and pension funds have outsourced critical or important business processes, in turn often outsource these business processes to third parties, as a result of which an outsourcing chain is created. According to DNB, more than half of the outsourcing arrangements involve the subcontracting of important functions.
DNB states that insurers and pension funds have insufficient insight into the subcontracts in this outsourcing chain, which means that sensitive information might be stolen or business processes might fail.
DNB lists a number of measures which insurers and pension funds can take to gain a better understanding and control of the outsourcing chain:
- carrying out a risk analysis prior to the outsourcing and periodically updating this risk analysis in case of ongoing outsourcing;
- monitoring compliance of the contractual agreements with the main service provider to ensure that significant subcontracting is reported to the insurer or the pension fund and to ensure that information security and continuity requirements also apply with regard to these subcontracts;
- receiving and assessing assurance reports that describe the control measures taken by the main service provider and whether these measures have been effective. DNB notes that currently, assurance reports sent in practice have a limited scope and that insurers make only limited use of their contractual audit right; and
- setting up and maintaining a central register of the major (sub-)outsourcing, in order for the insurer or the pension fund to assess the concentration risk and the continuity risk, which may arise when the insurer or the pension fund is too dependent on one individual subcontractor.
DNB expects insurers and pension funds to implement necessary improvements. (Sub-)outsourcings (as well as any changes thereto) by insurers and pension funds must be notified to DNB through the Digital Supervision Portal.
With regard to insurers, DNB draws attention to the outsourcing requirements laid down in the Solvency II Directive (Directive 2009/138/EC) and the Guidelines on system of governance issued by the European Insurance and Occupational Pensions Authority (EIOPA) [link]. In addition, DNB expects that, as of 1 January 2021, insurers comply with the EIOPA Guidelines on outsourcing to cloud service providers [link]. Insurers should review and amend their outsourcing documentation to ensure that they comply with these guidelines at the latest by 31 December 2022.
Finally, DNB calls on insurers and pension funds to prepare in good time for the Digital Operational Resilience Act (DORA), which is expected to enter into force at the end of 2024. DORA is a European regulation that aims to improve the digital resilience of the financial sector, among other things by managing outsourcing risks to critical IT service providers.
The news items from DNB are available here and here (Dutch only).