SUPPORTING DIGITALISATION
OPINION: CLOUD
Public cloud
Innovation and operational resilience for insurers
Georgina Bulkeley
Director, Financial Services, Google Cloud
Cloud service providers (CSPs) offer innovative services to support the business transformation of financial institutions. They allow agile accommodation of evolving customer expectations, and offer scalability and cost reduction potential to insurance companies.
Ways to transform safely and effectively
Insurers have long been looking for ways to transform safely and effectively; after all, they are in the business of risk management and handle tremendous amounts of data. Given this, cloud transformation offers insurers the moment to modernise legacy infrastructure, break free of technical debt and leverage best-in-class capabilities to meet modern-day expectations from clients and consumers. Combining the strengths of cloud services with insurance companies allows for personalised experiences for customers of the insurance industry, transformation of the IT infrastructure by migration of (core) business processes to the cloud and end-to-end data management to unlock the potential of finance data available to insurance companies. Aligned with EU regulation and international standards such as the International Financial Reporting Standard (IFRS) 17, the public cloud drives modern insurance business and customer experiences.
Insurance companies take advantage of cloud-enabled capabilities to better process large amounts of risk data (e.g. climate, property, cyber, location and more). This helps insurers to protect, modernise, secure, and engage with customers, agents and brokers in totally new ways – reducing the time to process and streamlining traditional workflows from weeks and days to just minutes. This allows claims and underwriting departments to focus on the task, not the toil associated with decades of legacy technical debt. Most recently, the ability to deliver generative AI (genAI) capability safely and responsibly allows insurers to adopt new leading-edge capability at scale throughout their organisations. It is important to recognise that public cloud solutions enable AI innovations. Access to cloud services is essential for a successful digital transformation in the insurance sector, accelerating deployment of technology, such as AI and machine learning, with careful consideration of responsibility and compliance.
A robust framework for operational resilience
Digital transformation in the financial sector requires a robust framework for operational resilience. Following the finalisation of the EU’s Digital Operational Resilience Act (DORA) – the incoming framework for third-party ICT service offerings to EU financial entities, including insurers – and soon also all its mandated technical standards, implementation and application of its rules by ICT providers are key. Consequently, we have put in place a robust compliance readiness program. It focuses on key initiatives to prepare for the new direct oversight for critical ICT third-party providers under the Regulation and supports customer compliance by the DORA deadline of 17 January 2025. These initiatives span DORA’s five pillars – digital operational resilience; third-party risk management; incident reporting and management; risk management and governance; and information and intelligence sharing.
Faced with the challenging short timeline for DORA preparation between the delivery of the last technical standards by the European supervisory authorities (ESAs) (17 July 2024) and the application date (17 January 2025), it is helpful for cloud customers to receive provider support. The publication of documentation and customer resources by cloud providers – such as mappings against regulatory requirements to detail their approach, product offerings, and support for customer compliance – can be important tools to secure timely DORA compliance by the financial sector. Considering the DORA focus on contractual provisions in Article 30, updated contract terms (for example, those offered by Google Cloud in February 2024) bring early clarity for customers. The next eight months will show dedicated work by ICT third-party service providers to support an effective transition under DORA.
Customers can benefit from efficiency gains and assurance via threat-led penetration testing (TLPT) under DORA. The testing approach requires technical considerations to address the “end to end” testing whilst accommodating the nuances of the shared responsibility model. Our thought leadership via a technical non-paper aims to support the pooled testing approach with relevant principles that pick up on the regulatory technical standard work to be finalised by the ESAs by July 2024.
The opportunities for insurance companies to leverage public cloud solutions for digital transformation meet today’s unprecedented cybersecurity challenges. Malicious cyber activity has grown more frequent and disruptive, costing European businesses billions of euros each year and fraying public trust in the digital ecosystem. The financial industry has always treated security as its top priority. Public cloud can achieve superior security outcomes according to the industry’s needs. Therefore, it is important to give the European insurance sector access to best-in-class security solutions. The EU Cloud Services Certification for Cybersecurity (EUCS) has the potential to advance European enterprise and public sector cybersecurity for the cloud. A discussion among member states of sovereignty requirements in the scheme has raised some concerns in the past. An October 2023 study by the European Centre for International Political Economy (ECIPE) found that exclusionary requirements in EUCS would “create operational inefficiencies and increased production costs for cloud services providers and cloud adopters,” ultimately undermining investments in domestic economies, resulting in “reduced international trade, competition, and innovation.” A constructive agreement among the European Commission, the European Union Agency for Cybersecurity (ENISA) and member states on EUCS will advance European security while ensuring that European industries maintain access to best-in-class cloud services from global providers. Ongoing discussions among member states in April and May and work by ENISA on the EUCS draft text show encouraging signs that policymakers want to reflect this understanding in the scheme.
DORA and EUCS are just some examples of how decisions by policymakers on the regulatory framework have a tremendous impact on the availability of public cloud benefits to the insurance sector and its customers. The European Commission intends to publish an EU Cloud Rulebook in the future, providing European entities with a compendium of guidance, best practices and existing requirements to support cloud adoption. Close engagement between cloud service providers, the financial services industry and EU regulators is important to facilitate Europe’s digital transformation and provide European innovators of today and tomorrow with access to high-performance cloud services.