Regulatory update - Cloud computing and data offshoring

Patrick Bracher

In July 2025 the Financial Sector Conduct Authority and the Prudential Authority issued Joint Communication 2 of 2025 to inform financial institutions, including insurers, that they are developing a Joint Standard dealing with cloud computing and data offshoring. The Standard will regulate the utilisation by insurers of data offshoring whether by cloud computing or other means.

Entering into formal cloud computing arrangements is outsourcing. As with any outsource, the decision requires an analysis of the outsourcing policy of the insurer and its risk appetite. The main consideration is taking reasonable measures to ensure the confidentiality, integrity and availability of their data once it is held by someone else.

Insurance is an international institution that crosses borders all the time. The Protection of Personal Information Act recognises that the transfer of personal information outside South Africa may be necessary for the performance of the contract between the data subject whose information it is and the responsible party who may be an insurer or a broker, for instance. When reinsurance, or insurance options, are sought offshore it is inevitable and necessary that personal information will be transferred offshore. There are a number of practical provisions in POPIA that allow such transfers.

The reason for the Communication is to alert financial institutions, including insurers and brokers, that a regulatory instrument is on the way and the Authorities have expectations in regard to the way in which insurers will deal with data. The Authorities will monitor how financial institutions have approached the integration of cloud computing and data offshoring risks into their governance, risk management and reporting processes.

Before a Joint Standard is introduced, the Authorities will, as required by the Financial Sector Regulation Act, publish the Joint Standard for public consultation when it has been drafted. It is therefore time for all financial institutions governed under the FSR Act to start thinking carefully about outsourcing already done and outsourcing intended as the need for cloud computing grows. Insurers are urged by the Authorities to collect, maintain, manage and analyse data for the best possible outcome for the industry and policyholders.  As AI continues to advance exponentially, outsourcing decision have to be carefully taken with due respect to the outsourcing requirements in Joint Standard 1 of 2024.

Patrick Bracher
Norton Rose Fulbright South Africa
August 2025