The cloud has now become an undisputedly fundamental piece of the puzzle on the path to the digital transformation of corporate IT. In the wake of this, insurance providers working with digital projects are occupying themselves with the change (disruption) taking place throughout their corporate IT structure and in all their applications and platforms – all against the backdrop of the search for cost reduction potentials and ways to optimise efficiency within the companies’ organisational structures. Cloud solutions, or rather SaaS solutions, make a significant contribution here.

In the past, companies bought their software (for example, on CD-ROM) and installed it locally. These days, however, applications can be obtained directly from the cloud as software as a service (SaaS). But in view of the necessary amount of operational data protection, SaaS cloud solutions must be subjected to critical evaluation. Companies should check whether measures need to be taken to ensure a legally adequate level of data protection, and if so, which ones, before using such solutions. It is not up to the companies using them to perform these evaluations, but primarily the providers of SaaS cloud solutions in particular. The following reference architecture provides an overview of the complex services and variety of components a service provider/IT service provider should provide and manage.


Overview of service providers’/IT service providers’ services and components (source: IT-Handbuch/10th edition – Westermann 2017)

These can involve very different applications and/or platforms as well as vastly different levels of complexity:

  • Microsoft 365 for standard office applications
  • CRM solutions for sales concerns
  • Portfolio solutions for insurance companies to map their core business
  • Platforms for insurance brokers to communicate with insurers

Insurance companies’ operational IT security is thus virtually shifted outward – that is, to the SaaS cloud service provider. As a result, IT service providers are being held more accountable when it comes to complying with the regulatory requirements placed on insurers. This means that all dependencies and interfaces must be factored in and considered.

Where are the data protection risks?

One of the key questions is what types of data (such as personal data) are transferred. The question of where the data transfer takes place – in other words, where the servers are located – must also be answered. There are now strict guidelines in place within the EU that normally ensure a high level of data protection for the cloud provider. If data is transferred to third countries (non-EU Member States or outside the EEA), an adequate level of data protection must be guaranteed there.

At the same time, additional requirements may apply to SaaS providers. Depending on the server location, framework conditions for operational data protection are also of great importance.

Regulations that need to be accounted for depending on the initial situation:
  • German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) – German Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT, VAIT)
  • German Federal Cyber Security Authority (Bundesamt für Sicherheit in der Informationstechnik, BSI) – Criteria Catalogue C5 (Cloud Computing Compliance Criteria Catalogue)
  • General Data Protection Regulation (GDPR)
  • German Criminal Code (Strafgesetzbuch, StGB)
  • EU data protection regulations
    • Data Act
    • Digital Operational Resilience Act (DORA)

A holistic view of the relevant security aspects

The thing that all the regulations under consideration have in common is that they involve a continuous process. Within the framework of the contractual expression of the relationship between an insurance provider and a service provider, consistency and therefore control on the part of the service provider must be ensured – for example, up to additional third-party providers, that is, additional external service providers.

In this context, establishing an internal control system (ICS) for corporate IT is an indispensable building block that plays a key role.

Our experts at adesso are clearly in a position to advise insurance providers on their way through the ‘regulatory jungle’ and thus, in the end result, to create an interlinkage between a company’s in-house ICS and the SaaS cloud environment.

This constitutes an essential contribution for insurance providers, which receive lasting tangible support in fulfilling their regulatory audit requirements.

You will find more exciting blog posts from the adesso world in our latest blog posts.

Also interesting:

Picture Dimitrios Archontakakis

Author Dimitrios Archontakakis

Dimitrios Archontakakis is Managing Consultant in the Center of Competence - SaaS at adesso. He has many years of in-depth experience in software development as a product manager for inventory management solutions for insurance and reinsurance.

Save this page. Remove this page.