2024-09-26

Regulation on Outsourcing by Insurance and Reinsurance Undertakings (NBM Decision No 242/2024)

The National Bank of Moldova issued Decision No 242/2024 approving a comprehensive regulation that establishes mandatory oversight for insurance and reinsurance undertakings outsourcing operational functions or activities. The framework requires firms to conduct rigorous provider assessments, execute detailed outsourcing contracts with continuity and audit rights, and submit prior approval applications to the regulator before implementation. Existing arrangements must align with the new standards within nine months, with ICT outsourcing granted an eighteen-month transition period, while all new contracts trigger immediate prior authorization and ongoing risk management obligations.

NATIONAL BANK OF MOLDOVA

DECISION on the approval of the Regulation on the outsourcing of functions and activities related to insurance or reinsurance activity by insurance or reinsurance undertakings

No 242 of 26.09.2024 (in force as of 03.10.2024)

Official Monitor of the Republic of Moldova No 418 Art. 774 of 03.10.2024


Pursuant to Article 43 paragraph (3), paragraph (8) and Article 115 paragraph (8) of the Law No 92/2022 on the insurance and reinsurance activity (Official Monitor of the Republic of Moldova, 2022, No 129-133, Art.229), as amended, the Executive Board of the National Bank of Moldova DECIDES:

  1. The Regulation on the outsourcing of functions and activities related to insurance or reinsurance activity by insurance or reinsurance undertakings is hereby approved (attached).
  2. The insurance or reinsurance undertaking which has outsourced functions and activities related to insurance or reinsurance activity up to the date of entry into force of this Decision: 2.1. shall ensure that the internal policies and procedures for the evaluation, management and control of outsourced functions and activities comply with the provisions of the Regulation referred to in point 1 within 9 months of the date of entry into force of this Decision; 2.2. shall ensure that the outsourcing contract concluded before the entry into force of this Decision complies with the provisions of the Regulation referred to in point 1 and shall submit it to the National Bank of Moldova within 9 months from the date of entry into force of this Decision. The provisions of Chapter III of the Regulation referred to in point 1 shall apply accordingly to amendments to outsourcing contracts; 2.3. shall ensure, in the case of ICT outsourcing, by way of derogation from points 2.1. and 2.2., compliance with the provisions of the Regulation referred to in point 1, within 18 months of the date of entry into force of this Decision.
  3. This Decision shall enter into force on the date of its publication in the Official Monitor of the Republic of Moldova.
  4. The first reporting in accordance with the form set out in the Annex to the Regulation referred to in point 1 shall be made for the situation as at 31.12.2024.

CHAIRMAN OF THE EXECUTIVE BOARD OF THE NATIONAL BANK OF MOLDOVA
Anca-Dana DRAGU

No 242. Chisinau, September 26, 2024.

Approved by the Decision of the Executive Board of the National Bank of Moldova No 242 of September 26, 2024

REGULATION on the outsourcing of functions and activities related to insurance or reinsurance activity by insurance or reinsurance undertakings

Chapter I GENERAL PROVISIONS

  1. The Regulation on the outsourcing of functions and activities related to the insurance or reinsurance activity by insurance or reinsurance undertakings (hereinafter - the Regulation) sets out the regulatory framework for the outsourcing of functions and activities related to the insurance or reinsurance activity (hereinafter - functions and activities) which includes minimum requirements for the assessment of the provider by the insurance or reinsurance undertaking (hereinafter - the insurance undertaking), minimum requirements for the outsourcing contract, peculiarities of outsourcing functions and activities, how to manage the risks associated with the outsourcing, prior approval and reporting on the outsourcing.
  2. The concepts and expressions used in this Regulation shall have the meanings laid down in the Law No 92/2022 on the insurance or reinsurance activity (Law No 92/2022) and in the normative acts issued in its application.
  3. The provisions of the Regulation relating to the insurance undertaking shall apply accordingly to the branches of the insurance undertaking in a third state, unless otherwise provided in this Regulation.
  4. It is the primary responsibility of the insurance undertaking to assess the suitability of the service provider (hereinafter - the provider) to meet the requirements of this Regulation.
  5. The insurance undertaking may decide on the outsourcing of tasks related to the functions and on the full or partial outsourcing of certain activities.
  6. The purchase by the insurance undertaking of, but not limited to, the following goods or services shall not be considered as outsourcing: 6.1. activities which may be carried out, according to the express provisions of the legislation, only by a service provider, including the audit of financial statements; 6.2. market information services, including the provision of data by the rating agencies Standard & Poor's, Fitch-IBCA, AM BEST or Moody's; 6.3. the purchase of goods and services which are not carried out by the insurance undertaking, including legal advisory and/or representation services before courts and public authorities, cleaning, gardening and maintenance services for the undertaking's premises, medical services, maintenance services of the service machinery fleet, catering services, vending services, administrative services, travel services, registry, mail reception, secretarial and switchboard operator services, the purchase of goods necessary for the performance of activities or utilities (electricity, gas, water, telephone line, etc.); 6.4. activities/operations which do not involve access by providers to the information about the insurance undertaking's customers, which constitutes confidential information about the customers and their activities or information about the insurance undertaking's activities.
  7. The insurance undertaking shall publish and update whenever necessary on its official website at least the information on the outsourcing of functions and activities, the date of outsourcing, the name of the provider.

Chapter II PROVIDER ASSESSMENT AND THE OUTSOURCING CONTRACT

  8. The insurance undertaking, before concluding the outsourcing contract, shall assess the provider, except for an insurance undertaking, a legal entity from the Republic of Moldova, a branch of an insurance undertaking from a third state, in the context of business reputation taking into account the provisions of point 9.
  9. When assessing the provider according to the outsourced function or activity, the insurance undertaking shall consider at least the following: 9.1. the business model of the provider and its positioning on the market (nature, scale, complexity of its business, its financial situation, including key performance indicators, the organizational structure and ownership structure of the provider, including the group structure, if any); 9.2. the results of assessments and reviews reflected in the latest assessment report, where the provider is supervised by a competent authority; 9.3. the internal audit and/or financial statement audit reports for the last year of activity of the provider before outsourcing the function or activity, if any; 9.4. information on criminal record and criminal prosecution, sanctions imposed on the provider according to tax, customs legislation, as well as on measures and sanctions applied by any supervisory authority or professional body in the reference area in relation to the provider; 9.5. the existence of a conflict of interest with the provider and how this conflict can be managed or remedied; 9.6. information on the availability of policies regarding the confidentiality and security of data held as a result of outsourcing; 9.7. whether the legal entity provider holds the necessary license/authorization and qualified personnel to carry out the outsourced activity; 9.8. in the case of outsourcing of the actuarial function, whether the natural person provider holds the actuary's certificate of qualification as required by applicable legal requirements.
  10. The method of requesting and evaluating the information, based on which the provider's assessment will be carried out, and the form in which it is presented to the insurance undertaking (self-declarations, certificates or other documents issued by public authorities or other entities) are set out in the Outsourcing Policy for the functions or activities of the undertaking (hereinafter referred to as the Outsourcing Policy).
  11. The insurance undertaking shall draw up a report on the results of the evaluation, signed by the member empowered by the board of the undertaking, including the final conclusion on the provider's compliance with the criteria set out in the Outsourcing Policy and the requirements of this Regulation.
  12. Any outsourcing must be subject to an outsourcing contract which is concluded in written form and contains at least the following: 12.1. detailed description of the outsourced function or activity; 12.2. quantitative and qualitative requirements specific to the outsourcing function or activity, allowing the insurance undertaking to assess and monitor, during the contract period, whether its performance is appropriate; 12.3. specification of the place of exercise/performance of the outsourced activity, including the obligation of the provider to inform the insurance undertaking in the event of any change of that location; 12.4. a clear definition of the rights and obligations of the insurance undertaking and the provider, aimed at ensuring the proper execution of the responsibilities of the outsourced function or activity and compliance with prudential requirements throughout the contract period; 12.5. contract resolution clauses; 12.6. provisions related to the protection of confidential information and other information protected by law, including in the area of personal data protection, the processing of this information and the preservation of its confidentiality by the provider to the same extent as the insurance undertaking; 12.7. provisions regarding the permanent monitoring and assessment by the insurance undertaking of the provider's performance under the contract, so that it can promptly undertake the necessary measures; 12.8. the establishment of the provider's obligation: 12.8.1. to cooperate with the National Bank of Moldova in the exercise of institutional duties; 12.8.2. to ensure access for the insurance undertaking, its auditors and the National Bank of Moldova to all data and operations carried out by the outsourcing service provider in the course of the provision of the services concerned, as well as access to its premises; 12.8.3. to establish the contract duration and the appropriate transition period, if the provider, after the termination of the outsourcing contract, would continue to provide the outsourced function or activity; 12.9. a detailed description of the rights and obligations of the parties in case of termination of the contract before the deadline, in order to ensure the continuity of the activities related to the outsourced function or activity; 12.10. provisions on ensuring the continuity of the performance of outsourced functions or activities, including as a result of the transfer of rights and obligations arising from the outsourcing contract, in case of application of one or more supervisory measures in case of deterioration of the financial situation or establishment of resolution of the insurance undertaking according to Law No 92/2022; 12.11. a description of the method for resolving disputes.
  13. When drawing up the outsourcing contract, the insurance undertaking shall take into account the level of monitoring, evaluation, inspection and auditing that will be proportional to the size, risk profile, nature and business model, as well as the extent and complexity of the outsourced function or activity.
  14. If the outsourcing contract includes multiple types of outsourced functions or activities, the insurance undertaking will expose in the contract the aspects that include all these types.
  15. For the purposes of the provisions of subpoint 12.2, in assessing the appropriateness of the provider's performance of the outsourced function or activity, the insurance undertaking may use information from the reports relating to the outsourced function or activity prepared by the internal audit, the reports prepared within the audit of the financial statements of the insurance undertaking and/or the internal audit and/or audit of the financial statements of the provider.

Chapter III PRIOR APPROVAL OF OUTSOURCING

  16. The insurance undertaking outsources functions or activities only after obtaining the prior approval of the National Bank of Moldova, according to the requirements set out in this Regulation. The authorization shall also extend to changes in outsourcing contracts.
  17. In order to obtain prior approval of the National Bank of Moldova, the insurance undertaking shall submit a request to the National Bank of Moldova, attaching at least the following documents and information: 17.1. the decision of the undertaking's board on outsourcing of the function or activity; 17.2. the report on the results of the provider assessment prepared in accordance with point 11; 17.3. the economic substantiation of the outsourcing of the function or activity and detailed description of this function or activity, including the reasons that justified the outsourcing; 17.4. the plan for the analysis and management of the risks associated with the respective outsourcing, including the measures to be implemented by the insurance undertaking in order to ensure the stability, performance and continuity at the level of the function or activity that is intended to be outsourced; 17.5. for the provider – legal entity, information including at least: name, IDNO; the headquarters, the types of activity, the licenses/authorizations, the capacity, the resources, including human, IT and financial, the operating market and its market position, the organizational structure, the data on the relevant experience of the employees responsible for the performance of the outsourced activity, the business model of the provider, the nature, scale and complexity of its activity, the financial statements for at least the last 3 years of activity, the document attesting that the provider has no criminal record, the indication of the provider's belonging to the group and the specification of its inclusion or non-inclusion in the consolidated supervision at group level; 17.6. for the provider – natural person, information including at least: name, surname, IDNP; home address/service deployment address, actuary qualification certificate, information and documents on activities for the last 5 years, the document certifying that the person has no criminal record and is not being sought or prosecuted; 17.7. the draft outsourcing contract; 17.8. the Outsourcing Policy, approved by the board of the undertaking; 17.9. the copy, signed by the insurance undertaking, of the license/authorization/qualification certificate of the provider actuary, if any, valid at the date of submission of the application.
  18. The provisions of subpoints 17.2, 17.5 and 17.9 do not apply if the potential provider is an undertaking from the Republic of Moldova or a branch of the third-country undertaking.
  19. The application, documents and information indicated in point 17 shall be drawn up in Romanian. If the documentation and/or information are incomplete, the National Bank of Moldova shall inform the insurance undertaking within 10 working days from the date of submission of the application. Within 20 working days from the date of receipt of the notification of the National Bank of Moldova, the insurance undertaking shall complete and submit to the National Bank of Moldova the missing documents and/or information.
  20. If the insurance undertaking does not complete within the deadline set out in point 19 the set of documents and information, the National Bank of Moldova shall inform it of the termination of the administrative procedure within 3 working days from the expiration of the granted deadline.
  21. Within 30 days from the date of receipt of the complete set of documents in accordance with this Chapter, the National Bank of Moldova shall issue the prior approval on the outsourcing of functions or activities or shall reject the application, informing the insurance undertaking in writing of its decision. The National Bank of Moldova may set a longer deadline for issuing the decision that will not exceed 90 days, under the terms of the Administrative Code of the Republic of Moldova No 116/2018, with the insurance undertaking being informed.
  22. Where the documents and information submitted pursuant to this Chapter are insufficient to take a decision on the application for prior approval concerning the outsourcing of the function or activity, the National Bank of Moldova shall be entitled to request the submission of additional documents and information.
  23. The insurance undertaking is obliged to submit additional information and documents within the deadline indicated by the National Bank of Moldova, during which the deadline provided for in point 21 is suspended.
  24. Prior approval for the outsourcing of functions or activities issued by the National Bank of Moldova is not transferable to another person and is valid only for the duration of the outsourcing contract between the insurance undertaking and the provider.
  25. In case of rejection of the application for obtaining the prior approval of the National Bank of Moldova on the outsourcing of functions or activities, the grounds on which the application is rejected will be indicated. The following are considered grounds for rejecting the application for prior approval of the National Bank of Moldova on the outsourcing of functions or activities: 25.1. submission of incorrect information to the National Bank of Moldova for the decision to issue the prior approval on the outsourcing of functions or activities; 25.2. if the information available to the National Bank of Moldova, including the results of the evaluation carried out according to point 8, and/or any facts or circumstances known to the National Bank of Moldova give rise to suspicions that the provider does not have a good business reputation; 25.3. non-compliance of the draft outsourcing contract with the provisions specified in Chapter II; 25.4. non-compliance with the requirements stipulated in Article 43 paragraph (5) and paragraph (9) of the Law No 92/2022 and the normative acts of the National Bank of Moldova, as a result of outsourcing the respective function or activity; 25.5. identification of disproportionality, including the insufficiency of the control measures of the insurance undertaking in relation to the risks associated with the outsourcing or the finding of significant risks disproportionate to the benefits claimed by the insurance undertaking.

Chapter IV MANAGEMENT OF RISKS ASSOCIATED WITH OUTSOURCING

  26. The insurance undertaking shall allocate sufficient resources to ensure compliance with the outsourcing requirements established by the National Bank of Moldova and shall take the necessary measures to ensure the continuity of the performance of the outsourced functions and activities, documentation and monitoring of outsourced functions and activities.
  27. The insurance undertaking shall establish the Outsourcing Policy for the functions or activities of the insurance undertaking and shall ensure its implementation. The outsourcing policy includes the development of the main stages of the outsourcing process, the definition of the principles, responsibilities and processes related to outsourcing, including how to manage the risks associated with outsourced functions or activities and shall include at least the following: 27.1. establishing the responsibilities of the governing bodies, including their involvement: 27.1.1. in ensuring the provider's assessment, at the pre-contractual stage and periodically throughout the contractual stage; 27.1.2. in the proper monitoring and evaluation of the daily supervision of the insurance undertaking subject to outsourcing, including the management of risks associated with outsourcing, financial performance, as well as the organizational structure/structure of the provider's owners, so that any necessary measures can be taken promptly; 27.1.3. in appointing a member of the governing bodies of the insurance undertaking or the head of the respective key function, with overall responsibility for the outsourced key function; 27.2. planning the outsourcing of functions or activities, which includes at least the following: 27.2.1. explicitly considering, when performing the risk analysis before outsourcing, the potential effects of outsourcing functions and activities on certain important activities within the undertaking; 27.2.2. establishing the terms, conditions for carrying out the outsourced functions and activities and the requirements regarding them, including the requirements for selecting the provider, taking into account that it has sufficient resources, skills, competences, appropriate ethical standards or a code of conduct, considering also the quality of the performance of the outsourced functions and activities by the provider; 27.2.3. criteria and processes for identifying the functions and activities to be outsourced; 27.2.4. procedures for the identification, evaluation, monitoring and management of risks associated with outsourced functions and activities, including the impact on the financial activity and business continuity of the insurance undertaking, the risks that this may face as a result of outsourcing, the cost-benefit of the outsourcing project, and the establishment of the methods to be used to manage these risks, on a proportionality basis; 27.2.5. procedures for identifying, assessing, managing and mitigating potential conflicts of interest in the outsourcing process; 27.2.6. planning the continuity of outsourced functions and activities; 27.2.7. process of approval of outsourcing contracts; 27.3. establishing the method for implementing, monitoring, and managing the outsourcing process, which will include at least the following: 27.3.1. periodic assessment of the business reputation of the provider, except for an insurance undertaking, a legal entity from the Republic of Moldova, and a branch of the insurance undertaking from the third state, taking into account the provisions of points 8-11; 27.3.2. procedures for notification and response to changes in the outsourcing process or in the provider's situation, related to its financial position, organizational structure or ownership; 27.3.3. independent review of compliance with the requirements of its internal regulations; 27.3.4. processes of exit and recovery of outsourced functions and activities; 27.3.5. monitoring of any indicator showing that the provider is unable to perform the outsourced functions and activities effectively in accordance with this Regulation; 27.4. establishing the adjustment and improvement of the internal control mechanism and of the internal audit function, of the internal reporting system, including reporting to the management body of the insurance undertaking about changes in the risk profile of outsourced functions and activities, to ensure that they do not affect the insurance undertaking's ability to conduct effective corporate governance; 27.5. clear establishment of the responsibilities within the insurance undertaking for monitoring and managing the requirements set out in subpoint 27.3 and for the documentation, management and control of the outsourcing process. The documentation will also include the obligation to maintain an updated register on all outsourcing contracts at company level; 27.6. arrangement, maintenance and periodic testing, at least once a year, of the continuity plan, of the exit and recovery plans, as a result of exceptional situations identified on the basis of the risk analysis, if the provider intends to cease the activity/performance of the operation before the deadline stated in the outsourcing contract.
  28. The outsourcing policy outlines the key stages of an outsourcing process, namely: 28.1. the decision-making phase, consisting of the decision to outsource or modify an outsourcing contract; 28.2. the pre-contractual stage, consisting of provider verification and evaluation, especially from the perspective of good business reputation, including its ability to deliver services in compliance with the quantitative and qualitative requirements established by the insurance undertaking, as well as the drafting of the contract and the specifications related to the services provided; 28.3. the contractual stage, consisting of: 28.3.1. implementation, monitoring and management of an outsourcing contract, including periodic evaluation, at least once a year, of the provider's ability to continue fulfilling its outsourcing obligations; 28.3.2. monitoring the performance of the outsourcing contract by the compliance function and internal audit; 28.3.3. establishing the process of exit and/or recovery of outsourced functions or activities; 28.4. the post-contractual stage, consisting in managing the situations of termination of the contract and the interruption of the performance of the functions or activities outsourced by the provider, which includes at least the establishment of strategies to cease and desist the performance of the outsourced function or activity, the requirement of a documented exit and/or recovery plan for each outsourced function or activity, and, if such an exit/recovery is considered possible taking into account any interruptions to the performance of the outsourced function or activity or the unexpected termination of an outsourcing contract.
  29. The regular internal audit assesses the timeliness and adequacy of the Outsourcing Policy and, as the case may be, of the corresponding processes and procedures.
  30. The insurance undertaking, in order to ensure a complex and efficient approach to the planning process and to ensure the continuity of activities related to risk management, in particular operational risk and concentration risk, associated to outsourced functions and activities: 30.1. ensures compliance with the policies regarding risk management related to these functions and activities of the business model of the insurance undertaking; 30.2. implements and maintains plans and procedures to ensure the continuity and restoration of outsourced functions and activities, as a result of exceptional situations identified based on risk analysis, respectively, periodically testing them, at least once a year, in order to ensure their compliance with the outsourcing policy and procedures.
  31. In case of outsourcing of functions and activities to a provider from a third-country, the insurance undertaking must ensure that the outsourcing of the respective function and activity, to the extent that its performance requires licensing/authorization/registration from a competent authority in the provider's country of origin, shall be carried out by a third-country provider licensed/authorized/registered to carry out that activity and supervised by a relevant authority in the country of origin. In case of outsourcing the actuarial function to a third-country provider, the actuary must have a certificate of qualification issued by the National Bank of Moldova.

Chapter V NOTIFICATION AND REPORTING OF OUTSOURCING

  32. During the outsourcing of functions and activities, the insurance undertaking shall notify the National Bank of Moldova within 10 working days from the date of finding at least one of the following situations: 32.1. changes in the information submitted to the National Bank of Moldova, including changes that result in non-compliance of the provider with the conditions set out in this Regulation; 32.2. possible reintegration by the insurance undertaking of outsourced functions and activities, with the presentation of the detailed plan of actions and the concrete deadlines for their realization; 32.3. any significant developments that could affect the activity of the provider and/or their ability to fulfill their obligations, any measures taken by the insurance undertaking in these cases, including changing the provider, modifications in the terms of the outsourcing contract resolution.
  33. The insurance undertaking shall submit to the National Bank of Moldova the Report on outsourced functions and activities in the form and manner set out in the annex to this Regulation, on a half-yearly basis, by 25 July and 25 January of the year following that of management. The reports shall be submitted in electronic form, in accordance with the Instruction on how to submit the reports in electronic form to the National Bank of Moldova, approved by the Decision of the Executive Board of the National Bank of Moldova No 245/2019.
  34. The insurance undertaking shall report to the National Bank of Moldova, without delay, any incident or change of risk, including the change of the outsourcing service provider, which could significantly affect the effective management capacity of the insurance undertaking, its stability, performance, and continuity of activity.

Chapter VI INFORMATION AND COMMUNICATION TECHNOLOGY OUTSOURCING

Section 1 General provisions

9 35. This Chapter applies to the insurance undertaking which intends to outsource information and communication technology (ICT). 36. In case of ICT outsourcing, the insurance undertaking shall obtain the prior approval of the National Bank of Moldova in accordance with the requirements set out in Chapter III, point 38-39, in the appropriate manner, and point 40-41, as the case may be. 37. Notification and reporting to ICT outsourcing will be carried out according to the provisions of Chapter V, in the appropriate manner.

Section 2 ICT outsourcing contract and risk management associated with ICT outsourcing

38. In the case of ICT outsourcing, the insurance undertaking shall prepare the draft of the ICT outsourcing contract with the provider in accordance with the provisions of points 12 to 14, and shall include at least:
  38.1. period of prior notification of changes that may occur to the contract;
  38.2. the obligation of the provider, if necessary, to conclude a compulsory insurance contract related to specific risks;
  38.3. information security and business continuity clauses, which shall contain at least the following:
    38.3.1. specific security and continuity requirements submitted by the outsourced ICT insurance undertaking storing or containing personal data;
    38.3.2. requirements for ensuring the accessibility, availability, integrity and confidentiality of insurance undertaking data within the provider's information system;
    38.3.3. the obligation of the provider to store the insurance undertaking's data within the information systems and databases in a manner that allows identification, export/extraction and deletion of data at the request of the insurance undertaking;
    38.3.4. requirements to the provider regarding the restoration time of ICT outsourcing services provided in the event of incidents;
    38.3.5. the obligation of the provider to develop recovery plans for ICT outsourcing services provided to the insurance undertaking;
    38.3.6. the obligation of the provider to carry out annual ICT outsourcing continuity tests with the reporting of the results to the insurance undertaking.
  38.4. provisions on the right of access of the insurance undertaking to ICT and information, which shall include at least the following:
    38.4.1. the obligation of the provider to allow the National Bank of Moldova, or any other entity, or persons delegated by the insurance undertaking, full access to all premises, equipment and systems used to provide ICT outsourcing services;
    38.4.2. the right of the insurance undertaking and of the National Bank of Moldova to request and receive from the provider, without unjustified delays, audit logs and related backups, as a result of investigations, audit missions or in case of interruption of the relationship with the provider for any reason;
    38.4.3. insurance undertaking's right to outsourced ICT audit. Where relevant, the insurance undertaking shall ensure that penetration testing of ICT outsourcing services provided to the insurance undertaking by the provider is possible;
  38.5. provisions on ensuring effective risk management in case of termination of the relationship with the provider, which shall contain at least the following aspects regarding the right to terminate the relationship with the provider:
    38.5.1. the possibility of termination of the relationship with the provider at least in the following cases:
      38.5.1.1. non-compliance of the provider with the legal provisions related to the field of ICT, information security, personal data or business continuity;
      38.5.1.2. identification of impediments capable of affecting the performance or quality of the provision of ICT outsourcing services by the provider;
      38.5.1.3. the existence of critical vulnerabilities that may affect the information security and personal data of the insurance undertaking's customers, which the provider refuses to remedy or the time forecasted for the remedy may have a negative impact on the customers of the insurance undertaking;
    38.5.2. a transition period in case of termination of the relationship with the provider or transfer to another provider, with the provider’s obligation to support the insurance undertaking;
    38.5.3. the obligation of the provider to create mechanisms that will allow the identification and deletion of all data related to the insurance undertaking, including data related to the process of providing the ICT outsourcing services by the provider, except in cases where data pertaining to the insurance undertaking must be retained to comply with legal requirements.

39. The insurance undertaking, in addition to the provisions of Chapter IV, shall define requirements for ensuring the continuity of ICT, information security, performance and quality of ICT outsourcing and shall evaluate at least the following:
  39.1. the potential impact of any interruption or disruption in the delivery by the provider of ICT outsourcing;
  39.2. the viability of ICT outsourcing in the short and long term, including related financial costs;
  39.3. impact of ICT outsourcing on insurance undertaking employees;
  39.4. legal and reputational aspects of ICT outsourcing;
  39.5. the impact of ICT outsourcing on the insurance undertaking's ability to manage ICT and information security risks;
  39.6. the impact of ICT outsourcing on the ability of the insurance undertaking to carry out audit missions, including outsourced services;
  39.7. the impact of ICT outsourcing on operational risk;
  39.8. the potential impact of ICT outsourcing on the quality of services provided to insurance customers;
  39.9. concentration risk, including the risk of contracting a service provider that has a dominant market position or is not easily substitutable;
  39.10. the aggregate risk resulting from the outsourcing of multiple functions and activities of the insurance undertaking to the same provider;
  39.11. the risk of the insurance undertaking losing control over ICT outsourcing;
  39.12. whether the provider is subject to supervision by the competent authorities;
  39.13. in the case of cloud systems or services providers (a distributed assembly of systems/data storage whose services are available on demand, accessed via a network, with an unknown exact physical location), the risks associated with the type of cloud used (public/private/hybrid) and the physical location of data storage/processing;
  39.14. the risk of portability of the technologies used by the provider;
  39.15. the possibility to expand or reduce the volume of ICT outsourcing without reviewing contractual arrangements;
  39.16. the ability of the insurance undertaking to transfer the ICT outsourcing to another provider, including estimated costs, time needed, difficulties that may arise;
  39.17. the undertaking’s ability to reintegrate outsourced ICT into the activities of the insurance undertaking.

40. In the case of ICT outsourcing in a third country, the insurance undertaking shall identify the country risk of the provider concerned. When identifying the country risk associated with the respective provider, the insurance undertaking shall evaluate at least the following:
  40.1. the complexity of regulations on ICT outsourcing, personal data protection and insolvency;
  40.2. the risk of political instability that could have an impact on the provider;
  40.3. the climate and environmental risk where the provider's equipment is located;
  40.4. cultural and/or language issues with respect to the insurance undertaking's expectations of ICT outsourcing services;
  40.5. the time zone in which the provider is located and the availability of its personnel to remedy incidents in a timely manner.

41. When outsourcing ICT to the cloud, the cloud provider must hold the following certificates, valid for the duration of the ICT outsourcing activity:
  41.1. holding the ISO/IEC 27017:2015 certificate;
  41.2. holding the ISO/IEC 27018:2019 certificate;
  41.3. holding the ISO/IEC 20000-1:2018 certificate.

Section 3 Control of outsourced ICT activities

42. In order to ensure that it effectively manages the risks associated with the reintegration of outsourced ICT upon the interruption of the relationship with the provider, the insurance undertaking shall undertake at least the following measures:
  42.1. developing a strategy for reintegration of outsourced ICT, which will ensure the continuity of the undertaking's activities, compliance with the regulatory framework and avoid the impact on the quality of customer service in case of interruption of the relationship with the provider;
  42.2. ensuring that the strategy referred to in subpoint 42.1 contains at least the following:
    42.2.1. objectives of the strategy;
    42.2.2. impact analysis and risk analysis of the ICT outsourcing reintegration process;
    42.2.3. identification of the technical-organizational, human and financial resources, including the time needed to implement the strategy;
    42.2.4. assigning roles and responsibilities for managing the strategy;
    42.2.5. critical success factors in the reintegration process;
    42.2.6. performance and quality indicators of the outsourced services to be monitored by the undertaking and which will trigger the implementation of the strategy;
  42.3. reviewing, at least once a year, the reintegration strategy for outsourced ICT to ensure its viability.

43. The insurance undertaking, in order to ensure an efficient supervision of ICT outsourcing, will comply with the provisions of point 29 and at least the following:
  43.1. sufficient allocation of technical, financial, including human resources with knowledge to ensure effective monitoring of ICT outsourcing;
  43.2. monitoring, on an ongoing basis, the performance and quality of the outsourced ICT provided by the provider to ensure that they meet the requirements set out in the contract. The performance assessment may be carried out through, but is not limited to, the following sources: reports on the provider's service delivery, performance, quality, continuity indicators, independent reviews, certifications, continuity test reports;
  43.3. periodic review and reporting to the governing body of the insurance undertaking on changes in the risk profile related to ICT outsourcing.

Annex to the Regulation on the outsourcing of functions and activities related to insurance or reinsurance activity by insurance or reinsurance undertakings

Form code: ASIG 0201
Code of the insurance or reinsurance undertaking: __________

ASIG 2.1 Report on outsourced functions and activities by insurance or reinsurance undertakings as at __________ 20__

| No. | Name of outsourced function/activity | State identification number of the natural/legal person provider | Name/First name, surname of provider | Country of residence code | Legal address/residence/address where the provider's services are provided | Start date of validity of the contract | End date of validity of the contract | Provider's e-mail address | Date of prior approval | Note |
|---|---|---|---|---|---|---|---|---|---|---|
| A | B | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 1 | | | | | | | | | | |
| 2 | | | | | | | | | | |
| ... | | | | | | | | | | |
| n | | | | | | | | | | |

Executor and phone number _____________

The way of preparing the Report on functions and activities outsourced by insurance or reinsurance undertakings

  1. The report includes the list of functions and/or activities outsourced by the insurance or reinsurance undertaking (hereinafter - the undertaking) and in force at the reporting date.
  2. The column A indicates the order number of the record in the report.
  3. The column B indicates the name of the outsourced function/activity.
  4. In column 1, indicate the state identification number of the natural/legal person provider as follows:

    4.1. for resident natural persons - the state identification number (IDNP) of the natural person, or the series and number of the ID card in cases when they are used/assigned as a personal identification number according to the legislation in force;
    4.2. for resident legal entities and resident individuals engaged in entrepreneurial activity - the state identification number (IDNO) of the legal entity/individual engaged in entrepreneurial activity, or the tax code assigned by the tax authority - in case the resident legal entity in accordance with the legal acts in force does not have an IDNO;
    4.3. for non-resident natural persons - the state identification number of the person, assigned by the competent authorities of the country of residence, and if it is not included in the identity card, the series and number of the identity card presented, preceded by the alpha 2 code of the country in which the non-resident is registered, shall be indicated;
    4.4. for non-resident legal entities and non-resident natural persons engaged in entrepreneurial activity, the state identification/registration number or the tax code assigned by the authorized body in the country of origin of the non-resident shall be indicated, preceded by the alpha 2 code of the country where the non-resident is registered;
  5. In column 2, indicate the Name/First name, surname of the service provider:
    5.1. for natural persons (resident or non-resident) - name, surname and patronymic (if any), according to the person's identity document issued by the competent authorities in the country of residence;
    5.2. for resident legal entities - the abbreviated name of the resident legal entity, as indicated in the document confirming the state registration of the legal entity;
    5.3. for non-resident legal entities - the name of the non-resident legal entity according to the document confirming the state registration of the legal entity, issued by the authorized body in the country of origin of the non-resident;
  6. In column 3 the alphabetical code (Alpha 3) of the provider’s country of residence according to ISO code 3166 shall be indicated.
  7. In column 4, indicate the provider’s legal address/domicile/address where the services are provided and other correspondence addresses, if any. The information will be reflected according to the examples below:
    Domicile: Postal code , mun.__________, str. _____, , bl., ap.;
    Legal address: Postal code __, mun., str. , , bl., ap.;
    Correspondence address: postal code , mun., str.________, bl., ap.;
    Where appropriate, two addresses will be reflected, separated by the symbol " ; ".
  8. In column 5, indicate the starting date of validity of the outsourcing contract of the function/activity, in the format: dd.mm.yyyy (ex.: 30.06.2024).
  9. In column 6, indicate the end date of validity of the outsourcing contract for the function/activity in the format: dd.mm.yyyy (ex.: 30.06.2029). For reports that have an indefinite validity period, the following shall be indicated: 31.12.2099.
  10. In column 7, indicate the e-mail address of the provider.
  11. In column 8, indicate the date of obtaining the prior written approval of the National Bank of Moldova for the outsourcing by the undertaking of the function/activity.
  12. Column 9 will reflect the information related to the outsourced functions and activities that the undertaking considers important to specify in the Report on a case-by-case basis.
