2026-05-05

GFSC Guidance Note on Outsourcing and Third Party Risk Management for Banks and Insurers

The Gibraltar Financial Services Commission issued this guidance to establish expectations for banks and insurers regarding outsourcing and third-party risk management. It mandates rigorous governance, materiality assessments, and due diligence while clarifying that non-outsourcing third-party arrangements remain subject to proportionate risk controls. The document further details requirements for data security, audit rights, sub-outsourcing oversight, and business continuity planning to ensure operational resilience.


GFSC Guidance Note: Outsourcing and Third Party Risk Management for Banks and Insurers
Version: 2
Publication Date: 28/03/2025
www.gfsc.gi

Gibraltar Financial Services Commission Guidance Note on Outsourcing and Third Party Risk Management for Banks and Insurers

Table of Contents
1 Introduction (p. 4)
2 Definitions and Scope (p. 6)
  Outsourcing (p. 6)
  Expectations for non-outsourcing third party arrangements (p. 7)
  Third Party ICT Arrangements (p. 8)
  Third party arrangements subject to regulatory requirements (p. 8)
3 Proportionality (p. 8)
  Intragroup outsourcing (p. 9)
  Leveraging existing regulatory frameworks (p. 10)
  Non-significant firms (p. 10)
  Governance and internal controls (p. 10)
  Access, audit, and information rights (p. 11)
  Third-country branches (p. 11)
4 Governance and Record-Keeping (p. 12)
  Governance (p. 12)
  Board engagement and outsourcing (p. 12)
  Shared responsibility model (p. 12)
  Empty shells (p. 13)
  Outsourcing and the regulated individuals’ regime (p. 13)
  Outsourcing policy (p. 13)
  Record-keeping (p. 15)
5 Pre-Outsourcing Phase (p. 16)
  Materiality assessment (p. 16)
  Definition (p. 16)
  Timing and frequency of materiality assessments (p. 17)
  Criteria for assessing materiality (p. 17)
  Criteria that will generally render an outsourcing arrangement automatically material (p. 17)
  Other materiality criteria to take into account (p. 18)
  GFSC Consent under Section 83A FSA 2019 (p. 19)
  Due diligence (p. 19)
  Risk assessment (p. 20)
  Firm or group-wide concentration risk (p. 20)
6 Outsourcing Agreements (p. 21)
  Material outsourcing agreements (p. 21)
7 Data Security (p. 22)
  Data classification (p. 23)
  Data location (p. 23)
  Data security (p. 24)
8 Access, Audit and Information Rights (p. 25)
  GFSC information gathering and investigatory powers (p. 25)
  Non-material outsourcing arrangements (p. 27)
  Material outsourcing arrangements (p. 27)
  Pooled audits and third party certificates and reports (p. 28)
  Third party certificates and reports (p. 28)
  Onsite audits (p. 29)
  Pooled audits (p. 29)
9 Sub-Outsourcing (p. 30)
  Firms’ oversight of sub-outsourcing (p. 30)
  Written agreement (p. 31)
  Termination rights (p. 31)
10 Business Continuity and Exit Plans (p. 32)
  Business continuity (p. 32)
  Stressed exits (p. 33)
  Governance of business continuity plans and exit plans (p. 34)

1 Introduction

1.1 This Guidance Note sets out the GFSC’s expectations of how firms within its scope should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. In particular:
• Chapter 2 elaborates on the definition of ‘outsourcing’ for the purposes of the Financial Services Act 2019 [1] (the ‘FSA 2019’), the Financial Services (Insurance Companies) Regulations 2020 [2] (the ‘Insurance Companies Regulations’) and the Financial Services (Credit Institutions and Capital Requirements) Regulations 2020 [3] (the ‘CICR Regulations’). It also notes that there are arrangements between firms and third parties that fall outside this definition (‘third party arrangements’) and are consequently outside the scope of existing requirements on outsourcing and of some of the detailed expectations in this Guidance Note. However, these third party arrangements are still subject to the Core Principles within the Financial Services (Core Principles and Consumer Duty) Regulations 2024 [4] (the ‘CPCD Regulations’) [5] and to other requirements and expectations on business continuity, governance, operational resilience, and risk management (including but not limited to cyber risk).
• Chapter 3 clarifies how the principle of proportionality applies to the expectations in this Guidance Note, in particular to intragroup outsourcing and to ‘non-significant firms’ (as defined in paragraph 3.9 of this Guidance Note).
• Chapter 4 sets out the GFSC’s expectations on governance and record-keeping.
• Chapter 5 sets out the GFSC’s expectations for firms during the pre-outsourcing phase. It addresses the materiality and risk assessments of their outsourcing and other third party arrangements (including consent applications under Section 83A of the FSA 2019 where required), and firms’ due diligence on third parties.
• Chapter 6 lists the areas that the GFSC expects written agreements relating to material outsourcing to address as a minimum. The following four areas are then examined in detail in Chapters 7–10:
o data security (Chapter 7);
o access, audit, and information rights (Chapter 8);
o sub-outsourcing (Chapter 9); and
o business continuity and exit strategies (Chapter 10).

1.2 This Guidance Note is relevant to all:
• Gibraltar credit institutions, building societies, and systemically important investment firms (hereafter ‘banks’);
• insurance and reinsurance firms and groups (hereafter ‘insurers’); and
• Gibraltar branches of overseas banks and insurers (hereafter ‘third-country branches’).
Entities in scope of this Guidance Note are collectively referred to as ‘firms’.

1.3 The aims of this Guidance Note are to:
• facilitate greater resilience and adoption of the cloud and other new technologies;
• complement the requirements and expectations on operational resilience in the Financial Services (Operational Resilience) Regulations 2023 [6] (the ‘Operational Resilience Regulations’) and the GFSC’s Guidance Note on Operational Resilience; and
• implement the:
o European Banking Authority (EBA) ‘Guidelines on outsourcing arrangements’ [7] (EBA Outsourcing GL). This Guidance Note clarifies how the GFSC expects banks to approach the EBA Outsourcing GL in the context of its requirements and expectations. In addition, certain chapters in this Guidance Note expand on the expectations in the EBA Outsourcing GL, for instance Chapters 7 (Data security) and 10 (Business continuity and exit plans); [8] and
o relevant sections of the EBA ‘Guidelines on ICT and security risk management’ [9] (EBA ICT GL).

1.4 In line with the GFSC’s Policy Statement on the Interpretation of EU Guidelines and Recommendations following Gibraltar’s Withdrawal from the EU [10], the following Guidelines, which came into force after IP completion day [11] (31 December 2020), have not been implemented:
• European Insurance and Occupational Pensions Authority (EIOPA) ‘Guidelines on outsourcing to cloud service providers’ [12] (EIOPA Cloud GL);
• EIOPA ‘Guidelines on information and communication technology security and governance’ [13] (EIOPA ICT GL); and
• European Securities and Markets Authority (ESMA) ‘Guidelines on outsourcing to cloud service providers’ [14] (ESMA Cloud GL).

1.5 However, these draft Guidelines have been taken into consideration and the GFSC considers that the expectations in this Guidance Note are at least equivalent to them in effectiveness and substance. This Guidance Note complements and strengthens the requirements and expectations under the Operational Resilience Regulations and the Operational Resilience Guidance Note and aims to promote consistency among banks and insurers. The Guidance Note should be the primary source of reference for firms when interpreting and complying with outsourcing and third party risk management requirements. Firms with operations in both Gibraltar and the EU should comply with applicable Guidelines in respect of their EU operations.

1.5 To ensure a consistent approach across firms to which this Guidance Note applies, the expectations in this Guidance Note apply to all forms of outsourcing and, where indicated, other non-outsourcing third party arrangements entered into by firms. In addition, this Guidance Note includes specific examples, references, and chapters (e.g. Chapter 7) which aim to address the specific characteristics of cloud usage and set out conditions that can help give firms assurance and allow them to deploy it ‘in a safe and resilient manner’. In developing the expectations in this Guidance Note, including in relation to cloud usage, the GFSC has taken into account international standards including but not limited to the:
• Basel Committee on Banking Supervision (BCBS) ‘Principles for operational resilience’ (BCBS Operational Resilience Principles) [15];
• Financial Stability Board (FSB) ‘Effective Practices for Cyber Incident Response and Recovery’ (FSB Effective Practices) [16];
• Financial Stability Board (FSB) ‘Effective Practices for Cyber Incident Response and Recovery’ (FSB Effective Practices) [17]; and
• International Organisation of Securities Commissions’ (IOSCO) [draft] ‘Principles on Outsourcing’ [18].

1.7 To promote clarity and certainty, this Guidance Note references other regulatory requirements that govern outsourcing (and in some cases other third party arrangements) by firms. Firms are required to comply with the obligations in these sources. This Guidance Note should therefore be read alongside, and interpreted consistently with, all relevant sources of law.

[1] https://www.gibraltarlaws.gov.gi/legislations/financial-services-act-2019-4690
[2] https://www.gibraltarlaws.gov.gi/legislations/financial-services-insurance-companies-regulations-2020-4808
[3] https://www.gibraltarlaws.gov.gi/legislations/financial-services-credit-institutions-and-capital-requirements-regulations-2020-4801
[4] https://www.gibraltarlaws.gov.gi/legislations/financial-services-core-principles-and-consumer-duty-regulations-2024-7324
[5] References to ‘Core Principles’ in this Guidance Note are to the Core Principles within the CPCD Regulations.
[6] https://www.gibraltarlaws.gov.gi/legislations/financial-services-operational-resilience-regulations-2023-7067
[7] https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1
[8] The terms contingency plan and continuity plan stem from European legislation and are used interchangeably in this Guidance Note.
[9] https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2020/GLs%20on%20ICT%20and%20security%20risk%20management/872936/Final%20draft%20Guidelines%20on%20ICT%20and%20security%20risk%20management.pdf
[10] https://www.fsc.gi/uploads/GFSC%20Policy%20Statement%20on%20EU%20Guidelines%20and%20Recommendations.pdf
[11] IP completion day is an abbreviation for “Implementation Period” completion day, which marked the end of the period during which the UK and Gibraltar continued to be subject to EU rules.
[12] https://www.eiopa.europa.eu/publications/guidelines-outsourcing-cloud-service-providers_en
[13] https://www.eiopa.europa.eu/publications/guidelines-information-and-communication-technology-security-and-governance_en
[14] https://www.esma.europa.eu/document/guidelines-outsourcing-cloud-service-providers
[15] https://www.bis.org/bcbs/publ/d509.pdf
[16] https://www.fsb.org/wp-content/uploads/P191020-1.pdf
[17] https://www.fin.gc.ca/activty/G7/pdf/G7-cyber-risk-management-gestion-risques-cybernetiques-eng.pdf
[18] https://www.iosco.org/library/pubdocs/pdf/IOSCOPD654.pdf

2 Definitions and Scope

Outsourcing

2.1 For the purposes of this Guidance Note the term ‘outsourcing’ should be taken to mean ‘an arrangement of any form between a firm and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself’. This definition derives from Regulation 3(1) of the Insurance Companies Regulations. In line with the EBA Outsourcing GL, when considering whether an arrangement with a third party falls within the definition of outsourcing, firms should consider whether the third party will perform the relevant function or service (or part thereof) on a recurrent or an ongoing basis.

2.2 Existing requirements on outsourcing, including Articles 30-32 of Commission Delegated Regulation (EU) 2017/565 (‘MODR’) [19] (as it forms part of Gibraltar law) and Article 274 of the Financial Services (Solvency 2) (Technical Standards) Regulations 2025 (the ‘Solvency 2 Technical Standards’) [20], only apply to ‘outsourcing’ as defined in paragraph 2.1. They do not apply to other arrangements between firms and third parties which fall outside the definition of outsourcing. In line with the definition in the G7 Third Party Elements and the EBA ICT GL, this Guidance Note defines a ‘third party’ as ‘an organisation that has entered into a business relationship or contract with a firm to provide a product or service’.

Expectations for non-outsourcing third party arrangements

2.3 The GFSC’s overarching aim is for firms to apply adequate governance and controls to all third party dependencies that can impact its statutory objectives. Examples include those that support the provision of important business services or carry a high level of risk. The BCBS Operational Resilience Principles refer to this principle as ‘third party dependency management’.

2.4 The EBA Outsourcing GL provide examples of arrangements between banks and third parties which ‘as a general principle [banks] should not consider as outsourcing’ (hereafter referred to as ‘non-outsourcing third party arrangements’) (see paragraph 28 of the EBA Outsourcing GL). Non-outsourcing third party arrangements are not covered by the granular requirements applicable to outsourcing arrangements referred to in paragraph 2.2. Other examples of non-outsourcing third party arrangements may include but are not limited to:
• purchases of hardware, software and other ICT products, such as:
o the design and build of an on-premise IT platform;
o the purchase of data collated by third party providers (data brokers), e.g. geospatial data or data from in-app device activity, social media, etc; and
o ‘off the shelf’ machine learning models, including samples of the data used to train and test the models, open source software, and machine learning libraries developed by third party providers; and
• in the case of insurers, the use of aggregators, such as pricing comparison platforms, and delegated underwriting.

2.5 As some non-outsourcing third party arrangements may also impact the GFSC’s objectives, the GFSC expects firms to assess the materiality and risks of all third party arrangements irrespective of whether they fall within the definition of outsourcing. Firms should use all relevant criteria in Chapter 5 in their assessments (however, some criteria may be inapplicable to certain non-outsourcing third party arrangements).

2.6 Where a firm deems a non-outsourcing third party arrangement ‘material’ or ‘high risk’, it should implement proportionate, risk-based, suitable controls. These controls do not necessarily have to be the same as those that apply to outsourcing arrangements. However, the controls should be appropriate to the materiality and risks of the third party arrangement and as robust as the controls that would apply to outsourcing arrangements with an equivalent level of materiality or risk. It follows that firms should apply stricter controls to material, non-outsourcing third party arrangements than to non-material outsourcing arrangements.

2.7 The GFSC reminds firms that the following requirements apply to all third party arrangements irrespective of whether or not they fall under the definition of ‘outsourcing’:
• Core Principles 2, 3 and 12;
• in the case of individuals, Part 8 of the FSA 2019;
• Regulations 14, 33, 42, 60 and 154 of the CICR Regulations (banks) and Part 4 and Part 10 of the Insurance Companies Regulations (insurers); and
• all relevant requirements in the Operational Resilience Regulations.

2.8 In line with the expectations in Chapter 4 of this Guidance Note, firms may implement a holistic, single third party risk management policy covering outsourcing and non-outsourcing third party arrangements. Alternatively, they may have separate policies on each of those respective areas provided that they are aligned, consistent, effective, and suitably risk-based.

Third Party ICT Arrangements

2.9 The following standards apply to all third party ICT arrangements:
• EBA ICT GL, including but not limited to Sections 3.2.3, 3.3.2, 3.4.5, and 3.7 (in particular, paragraph 86). These GL should be interpreted consistently with the Operational Resilience Regulations, the Operational Resilience Guidance Note and the expectations in this Guidance Note; and
• relevant legal requirements and standards on ICT security and data protection, including but not necessarily limited to Regulation (EU) 2016/679 (‘GDPR’) and the Data Protection Act 2004 (the ‘DPA’).

2.10 The GFSC also encourages firms to take into account global standards on ICT risk management, including but not necessarily limited to the toolkit in the FSB Effective Practices (in particular, paragraphs 13, 18, 19 and 20, 33 and 36), and the G7 Third Party Elements.

Third party arrangements subject to regulatory requirements

2.11 Certain arrangements among regulated financial institutions, including between firms that are not part of the same group and between firms and financial market infrastructures, do not fall within the definition of outsourcing in paragraph 2.1. These arrangements include clearing, settlement, custody services, and certain services provided by Lloyd’s of London, all of which are subject to specific regulatory requirements. They are also subject to the requirements in paragraph 2.7 of this Guidance Note.

2.12 While these arrangements do not fall under the definition of outsourcing, they are third party arrangements that can give rise to significant risks to the GFSC’s objectives and should be subject to appropriate monitoring and risk-based controls. The GFSC therefore expects firms that are parties to these arrangements, either as service providers or service recipients, to leverage applicable, existing regulatory requirements to manage relevant risks and promote an appropriate level of resilience.

[19] Unless otherwise stated, any references to EU or EU-derived legislation refer to the version of that legislation which forms part of the body of EU law which was retained in Gibraltar.
[20] https://www.gibraltarlaws.gov.gi/legislations/financial-services-solvency-2-technical-standards-regulations-2025-7559

3 Proportionality

3.1 Firms should meet the expectations in this Guidance Note in a manner appropriate to their size and internal organisation; the nature, scope, and complexity of their activities; and the criticality or importance of the outsourced function, in line with the principle of proportionality.

Gibraltar Financial Services Commission Guidance Note on Outsourcing and Third Party Risk 9 Management for Banks and Insurers 3.2 Proportionality and the materiality of outsourcing arrangements (see Chapter 5) are separate but complementary concepts, and firms should consider the links between the two. Proportionality focuses on the characteristics of a firm, including its systemic significance. ‘Materiality’ assesses the potential impact of a given outsourcing or third party arrangement on a firm’s safety and soundness, including: its operational resilience; its ability to comply with legal and regulatory obligations; the risk that firms’ ability to meet these obligations could be compromised if the arrangement is not subject to appropriate controls and oversight; and (for insurers) its ability to provide an appropriate degree of protection for those who are or may become policyholders. Proportionality and materiality can change over time and firms should reassess both as appropriate. Intragroup outsourcing 3.3 Intragroup outsourcing is subject to the same requirements and expectations as outsourcing to service providers outside a firm’s group and should not be treated as being inherently less risky. 3.4 Although intragroup outsourcing is subject to the same requirements as outsourcing to service providers outside a firm’s group, in line with Article 31(4) of MODR and Article 274(2) of the Solvency 2 Technical Standards, firms may comply with some of these requirements proportionately depending on their level of ‘control and influence’ over the entity that is providing the outsourced service. 3.5 Control and influence may vary depending on the characteristics of a group. For instance, a firm that outsources to a subsidiary may have greater control and influence than one that outsources to its parent company. 
The following factors may also be relevant when determining the level of control and influence: • the group’s governance structure, including the level of connectivity between the firm’s and group’s boards, board committees, executive committees, internal control functions and/or other relevant functions (e.g. technology); • the allocation of regulated functions and responsibilities throughout the group; • the ability of a firm to alter its intragroup outsourcing arrangements and/or influence their terms and conditions to ensure they meet its Gibraltar regulatory obligations and manage relevant firm and Gibraltar-specific risks; and • the consistency and robustness of group wide standards controls, policies, and procedures, (e.g. on business continuity). 3.6 Depending on its level of control and influence in respect of intragroup outsourcing arrangements, a firm may, where it is in a group that is subject to group supervision, for example: • adjust its vendor due diligence, although it should still carefully assess whether a potential service provider that is part of its group has the ability, capacity, resources, and appropriate organisational structure to support the performance of the outsourced function or third party service; • rely on the group’s potentially stronger negotiating and purchasing power to enter into group￾wide arrangements with external third parties; • adapt certain clauses in outsourcing agreements (a written agreement is always required – even in intragroup arrangements; see Chapter 6); • rely on group policies and procedures as long as they comply with their Gibraltar legal and regulatory obligations and allow them to manage relevant risks, (e.g. group cyber-security or data protection policies, such as binding corporate rules for international data transfers);

Gibraltar Financial Services Commission Guidance Note on Outsourcing and Third Party Risk 10 Management for Banks and Insurers • rely on a centralised group process for overseeing external third party service providers, including the exercise of access, audit, and information rights, provided that this process appropriately takes into account and documents any legal entity-specific risks and allows for legal entity-specific risk mitigation where necessary; and • rely on business continuity, contingency, and exit plans developed at group level, provided that they adequately safeguard their operational resilience. In all cases, firms are still expected to implement appropriate systems, processes and controls so that their board, senior management and regulated function holders have sufficient oversight in respect of all outsourcing arrangements and are satisfied that any risks arising from these arrangements are appropriately mitigated. Leveraging existing regulatory frameworks 3.7 Where relevant, firms may be able to leverage compliance with existing requirements in other areas of regulation to help meet their regulatory obligations in respect of their intragroup outsourcing arrangements. 3.8 Firms may also leverage their end-to-end mapping of important business services under Regulation 7 of the Operational Resilience Regulations to document and map their intragroup and other dependencies. Non-significant firms 3.9 There is no definition for a ‘significant’ firm under Gibraltar law and it is for firms to determine their own significance. For the purposes of this Guidance Note, firms that provide statutory policies of insurance, and firms (whether banks or insurers) whose size, interconnectedness, complexity and business type give them the capacity to cause at least some disruption to the Gibraltar financial system by failing, or by carrying on their business in an unsafe manner, should consider themselves ‘significant’. 
3.10 ‘Non-significant’ firms may meet certain expectations in this Guidance Note in a proportionate manner. The GFSC’s supervisory scrutiny of firms’ outsourcing arrangements may also reflect their significance.

Governance and internal controls

3.11 The GFSC recognises that new and growing firms frequently tend to rely more extensively on outsourcing and third party products and services given the benefits they can bring in terms of lower barriers to entry, cost savings, and in some cases increased operational resilience. However, to meet the Threshold Conditions (which in this Guidance Note should be taken to mean those in the FSA 2019 as well as those in the Insurance Companies Regulations and the CICR Regulations, as applicable) on an ongoing basis, all firms must retain appropriate non-financial resources, including to effectively oversee these outsourced and third party services (see Chapter 4).

3.12 While all firms should have appropriate non-financial resources to oversee their outsourcing arrangements, individuals across business lines and internal control functions responsible for doing so in non-significant firms may be less specialised and have general responsibility for areas such as compliance, IT, or risk management. Likewise, although non-significant firms’ outsourcing policies should include the minimum requirements outlined in Chapter 4, the length and complexity of their policies may reflect the complexity, materiality, and number of the firm’s outsourcing relationships.

Access, audit, and information rights

3.13 Although all firms are in principle able to use the access, audit, and information-gathering tools highlighted in Chapter 7, including third party certification and pooled audits, these tools may be particularly useful for non-significant firms as a means of mitigating the cost and resource implications of conducting individual onsite audits. However, non-significant firms should still be satisfied that whichever method they use allows them to meet their individual legal and regulatory obligations, and align to their risk appetite.

Third-country branches

3.14 Outsourcing arrangements by Gibraltar branches of third-country firms (third-country branches) are subject to the requirements in Regulation 42(1) of the CICR Regulations (banks) and Regulation 50 of the Insurance Companies Regulations (insurers).

3.15 Since Friday 1 January 2021, the provisions referred to in paragraph 3.15 apply to Gibraltar branches of European Economic Area (EEA) firms that were previously operating in Gibraltar under passporting.

3.16 While the application in Gibraltar of outsourcing requirements and expectations on third-country branches diverges from the approach set out in the EBA Outsourcing GL, which do not treat the provision of services by EU firms to their branches in the EEA as ‘outsourcing’, it is justified by the:
• importance of effective risk management and controls in all third-country branches deemed to be systemic due to their potential impact on financial stability in Gibraltar; and
• need to treat all third-country branches consistently.
3.17 At a minimum, the GFSC expects third-country branches to have:
• a clear, documented list of their intragroup outsourcing arrangements, which should identify those deemed material;
• documented written agreements, such as service level agreements, for all intragroup outsourcing arrangements (in particular those deemed material), setting out expected service levels and key performance indicators (KPIs);
• appropriate monitoring and oversight of their intragroup outsourcing arrangements, including appropriate visibility of the whole firm's or parent's material sub-outsourced service providers and supply chain by internal control functions and, if applicable, other areas such as technology; and
• effective processes and mechanisms for escalating concerns, issues, and regulatory feedback relating to their intragroup outsourcing arrangements to the whole firm or group.

3.18 The GFSC recognises the need to apply the expectations in this Guidance Note proportionately to third-country branches. In addition to the guidance on intragroup arrangements in paragraph 3.5, third-country branches can rely on:
• due diligence, materiality assessments, and risk assessments of third parties outside their group undertaken by and on behalf of the whole firm, provided that they take into account their Gibraltar regulatory obligations (see Chapter 5);
• contractual arrangements between third parties outside their group and the whole firm or group (see Chapter 6);
• audits of external third party service providers performed by or on behalf of the whole firm or group, as long as they provide them with appropriate assurance and information to comply with their Gibraltar regulatory obligations; and/or
• firm or group-wide business continuity plans and exit strategies.

Systemic wholesale branches should, however, take reasonable steps to develop local business continuity, contingency planning, and exit strategies (if available) covering any activities or services which they provide that could impact Gibraltar’s financial stability.

4 Governance and Record-Keeping

4.1 This chapter sets out the GFSC’s expectations on:
• board engagement on outsourcing;
• allocation of responsibilities;
• outsourcing and the regulated individuals regime under Part 8 of the FSA 2019;
• outsourcing policies; and
• record-keeping, in particular regarding the Outsourcing Register.

4.2 In this chapter, the term ‘board’ refers to the board of directors or equivalent body in a firm.

Governance

Board engagement and outsourcing

4.3 Boards and senior management, in particular individuals performing regulated functions, cannot outsource their responsibilities. Firms that enter into outsourcing arrangements remain fully accountable for complying with all their regulatory obligations. This is a key principle underlying all requirements and expectations regarding outsourcing and non-outsourcing third party arrangements, including the expectations in this Guidance Note.
4.4 Firms’ boards should:
• set the control environment throughout the firm, including the appetite and tolerance levels in respect of outsourcing and third party risk management;
• ‘bear responsibility for the effective management of all risks to which the firm is exposed’, including by:
o appropriately identifying and [having an] understanding of the firm’s reliance on critical service providers; and
o ensuring that the firm has (from board level downwards) appropriate and effective risk management systems and strategies in place to deal with outsourced service providers.

The GFSC expects management information on outsourcing provided to the board to be clear, consistent, robust, timely, and well-targeted, and to contain an appropriate level of technical detail to facilitate effective oversight and challenge by the board.

Shared responsibility model

4.5 As part of ensuring effective governance of an outsourcing arrangement, the GFSC expects firms to define, document, and understand their and the service provider’s respective responsibilities. In the case of cloud computing, the term commonly used to help firms and cloud providers understand their respective obligations is the ‘shared responsibility model’.

4.6 Below is an example of how the shared responsibility model operates in the case of data outsourced to cloud service providers.

Cloud service providers tend to operate under the ‘shared responsibility model’ whereby:
• the firm is responsible for what’s in the cloud and the cloud service provider is responsible for the provision of the cloud;
• firms remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations, and adopting a risk based approach to the location of data. They also remain responsible for configuration and monitoring of their data in the cloud to reduce security and compliance incidents;
• cloud service providers assume responsibility for the infrastructure running the outsourced service, e.g. data centres, hardware, software etc.; and
• firms and service providers share other responsibilities depending on the service model, e.g. Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), etc.

Empty shells

4.7 Firms should avoid becoming ‘empty shells’ that are incapable of meeting the Threshold Conditions. The following FSA 2019 Threshold Conditions are particularly relevant:
• Effective Supervision
o being capable of being effectively supervised by the GFSC; and
o being a ‘fit and proper person’21, which should include retaining a clear and transparent organisational framework and structure.
• Appropriate Resources
o conducting their business in a sound and prudent manner, including having appropriate non-financial (as well as financial) resources.

Outsourcing and the regulated individuals’ regime

4.8 The GFSC generally expects an individual performing the Chief Operating Officer (COO), Head of Risk Management or Head of Compliance regulated function within a firm to be assigned with the responsibility for ensuring a firm’s compliance with its regulatory obligations in relation to outsourcing.

21 In accordance with the fourth Threshold Condition set out in Schedule 12 of the FSA 2019, and Regulation 44 of the Insurance Companies Regulations or Regulation 13 of the CICR Regulations, as applicable.

4.9 The responsibility for the oversight of outsourcing services should encompass the firm’s overall framework, policy, and systems and controls relating to outsourcing. Responsibility for individual outsourcing arrangements may still lie with relevant business lines or other areas of the firm.

Outsourcing policy

4.10 Firms’ boards should approve, regularly review, and implement a written outsourcing policy. As noted in Chapter 2 of this Guidance Note, firms may apply this policy or parts thereof to all third party arrangements. This policy should align to and draw upon other relevant firm policies and strategies. For instance:
• business model and strategy;
• business continuity;
• conflicts of interest;
• data protection;
• ICT;
• information and cyber security;
• operational resilience;
• (if applicable) ring-fencing; and
• risk management.

4.11 Firms should make outsourced and third party providers aware of relevant internal policies, including those on outsourcing, ICT, information security, or operational resilience. Where firms’ policies include confidential or sensitive information, firms can omit or redact it and only share those sections relevant to the performance of the outsourced or third party service. Sharing these policies with third party service providers does not dilute firms’ responsibilities in terms of managing their outsourcing and third party arrangements, but can help third party service providers get a better understanding of firms’ regulatory obligations and other relevant aspects such as their risk tolerance and expected service levels.
4.12 As discussed further in Chapter 10, firms’ business continuity plans under Regulation 42 of the CICR Regulations (banks) and Regulation 43(6) of the Insurance Companies Regulations (insurers) should take into account:
• the possibility that the quality of the provision of material outsourced services deteriorates to unacceptable levels;
• the potential impact of the insolvency or other failure of the service provider or the failure of the service (see Chapter 10); and
• where relevant, political and other risks in the service provider’s jurisdiction.

4.13 There is no ‘one-size-fits-all’ template for firms’ outsourcing policies, and the policy does not have to be contained in a single document. Firms and groups are responsible for developing and maintaining a policy that is appropriate to their complexity, organisational structure, and size (see Chapter 3).

4.14 The outsourcing policy should be principles-based and may be supported by detailed procedures developed, approved, and maintained below board level. However, it should be sufficiently detailed to provide adequate guidance for firms’ staff on how to apply its requirements in practice. At a minimum, it should cover the areas in Table 1.

Table 1: Contents of the Outsourcing Policy

General
• The responsibilities of the board, including its involvement, as appropriate, in decisions about material outsourcing.
• The involvement of business lines, internal control functions, and other individuals (in particular, regulated individuals) in respect of outsourcing arrangements22.
• Links to other relevant policies (see paragraph 4.8).
• Documentation and record-keeping.
• Procedures for the identification, assessment, management, and mitigation of potential relevant conflicts of interest23.
• Business continuity planning (BCP) (see paragraph 4.10).
• Differences, if any, between the approach to:
i. intragroup outsourcing vs outsourcing to external service providers;
ii. material vs non-material outsourcing;
iii. outsourcing to service providers regulated by the GFSC vs unregulated service providers; and
iv. outsourcing to service providers in specific jurisdictions outside Gibraltar.

Pre-outsourcing & onboarding
• The processes for vendor due diligence and for assessing the materiality and risks of outsourcing arrangements (including notification to the GFSC under Core Principle 12 or application for consent under Section 83A FSA 2019 where required).
• Responsibility for signing-off new outsourcing arrangements, in particular material outsourcing arrangements.

Oversight
Procedures for the ongoing assessment of service providers’ performance, including where appropriate:
• day-to-day oversight, including incident reporting, periodic performance assessment against service level agreements, and periodic strategic assessments;
• being notified of and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, or sub-outsourcing);
• independent review and audit of compliance with legal and regulatory requirements and policies; and
• renewal processes.

Termination
Exit strategies and termination processes, including a requirement for a documented exit plan for material outsourcing arrangements where such an exit is considered possible, explicitly catering for the unexpected termination of an outsourcing agreement (a stressed or unplanned exit), and taking into account possible service interruptions (and the firm’s impact tolerance for important business services) (see Chapter 10).

22 See paras. 50–51 of the EBA Outsourcing Guidelines in respect of the role of the internal audit function in particular.
23 See paras. 45–47 of the EBA Outsourcing Guidelines.

Record-keeping

4.15 The GFSC expects all firms to keep appropriate records of their outsourcing arrangements. The records should also be sufficient to enable the firm to fulfil the expectations concerning concentration risk set out in paragraph 5.24. Firms should also make any information on their outsourcing and third-party arrangements of which the GFSC would reasonably expect notice available to it in accordance with Core Principle 12. The GFSC may, if appropriate and justified, also request data on firms’ outsourcing arrangements under Section 132 of the FSA 2019.

4.16 The EBA Outsourcing GL set out the expectation that banks maintain an up-to-date register of information on all their outsourcing arrangements, distinguishing between those which are material and those which are not (‘Outsourcing Register’).

5 Pre-Outsourcing Phase

5.1 The GFSC expects firms to:
• determine the materiality of every outsourcing and third party arrangement;
• perform appropriate and proportionate due diligence on all potential service providers; and
• assess the risks of every outsourcing arrangement irrespective of materiality.

Materiality assessment

Definition

5.2 ‘Material outsourcing’, for the purposes of this Guidance Note, should be interpreted as the outsourcing of services of such importance that weakness, or failure, of the services would cast serious doubt upon the firm's continuing satisfaction of all relevant Threshold Conditions or compliance with the Core Principles.

5.3 Materiality should be read as incorporating the concept of a ‘critical or important operational function’ in relevant retained EU legislation. The requirements in Article 31 of MODR or Regulation 274(5) of the Solvency 2 Technical Standards apply only to the outsourcing of critical or important operational functions.
5.4 This Guidance Note uses ‘material outsourcing’ instead of ‘critical or important’ for clarity and to help firms avoid confusion with different but partly overlapping terms that exist in financial regulation. For all intents and purposes, the GFSC considers that a ‘material outsourcing’ arrangement encompasses a ‘critical or important outsourcing’ arrangement in relevant retained EU legislation. Moreover, the criteria that firms should take into account when identifying ‘material outsourcing’ arrangements are substantively aligned to the criteria for identifying ‘critical or important outsourcing arrangements’ under the EBA Outsourcing GL, with a few justified exceptions, such as those that reference operational resilience requirements (see paragraphs 5.11–5.13 below).

5.5 However, outsourcing and non-outsourcing third party arrangements that do not involve ‘critical or important functions’ might still be ‘material outsourcing’ if they could affect the GFSC’s regulatory objectives. Examples may include outsourcing arrangements involving personal or sensitive data or carrying high reputational risk.

5.6 Although the term ‘material outsourcing’ in this context is limited to outsourcing arrangements, the concept of materiality itself and the criteria in this chapter apply to all third party arrangements.

Firms should determine the materiality of all third party arrangements using all relevant criteria in this chapter.

5.7 As the definition of materiality is tied to an individual firm’s ability to meet its required Threshold Conditions on an ongoing basis and comply with the Core Principles, materiality should be assessed at an individual firm level. Where a group or parent company assesses the materiality of an outsourcing arrangement on the group as a whole, individual firms may rely on information and findings from the group-wide assessment. However, each firm should also take reasonable steps to come to an informed view as to the materiality of the arrangement on it as an individual firm.

Timing and frequency of materiality assessments

5.8 Firms are responsible for assessing the materiality of their outsourcing and third party arrangements. Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed:
• prior to signing the written agreement;
• at appropriate intervals thereafter, e.g. during scheduled review periods;
• where a firm plans to scale up its use of the service or dependency on the service provider; and/or
• if a significant organisational change at the service provider or a material sub-outsourced service provider takes place that could materially change the nature, scale, and complexity of the risks inherent in the outsourcing arrangement, including a significant change to the service provider’s ownership or financial position.
5.9 Where a firm expects an outsourcing or third party arrangement to become material in the future, it should take reasonable steps to ensure that it can comply with all applicable expectations for material outsourcing arrangements in Chapters 6 to 10 and obtain the GFSC’s consent under Section 83A of the FSA 2019 (see below) before the materiality threshold is crossed. If a non-material outsourcing or third party arrangement becomes material due to a severe but plausible scenario, such as a pandemic, firms should consider whether additional measures to safeguard their operational resilience are warranted, such as revisions to contractual provisions. The firm should also let the GFSC know as soon as possible.

Criteria for assessing materiality

5.10 Firms should develop their own processes for assessing materiality as part of their outsourcing or third party risk management policy (see Chapter 4). However, to ensure consistency across firms’ assessments, the GFSC expects firms to take into account certain criteria, as set out below.

Criteria that will generally render an outsourcing arrangement automatically material

5.11 A firm should generally consider an outsourcing or third party arrangement as material where a defect or failure in its performance could materially impair the:
• soundness, stability or resilience of the Gibraltar financial system;
• firm’s:
o ability to meet the Threshold Conditions;
o compliance with the Core Principles;
o compliance with any other relevant legislation and requirements;
o safety and soundness, including its:
▪ financial resilience, i.e. assets, capital, funding, and liquidity; or
▪ operational resilience, i.e. its ability to continue providing important business services; and
o ability to provide an appropriate degree of protection for those who are or may become policyholders in line with the GFSC’s statutory objectives (where the firm is an insurer).

5.12 The GFSC also expects firms to classify an outsourcing arrangement as material if the service being outsourced involves an:
• entire ‘regulated activity’, e.g. portfolio management24; or
• ‘internal control’ or ‘key function’, unless the firm is satisfied that a defect or failure in performance would not adversely affect the relevant function.

Other materiality criteria to take into account

5.13 The GFSC expects firms to have regard to all applicable criteria in Table 2 below, both individually and in conjunction, when assessing the materiality of an outsourcing or third party arrangement not otherwise covered by paragraphs 5.8 and 5.9. Although in practice many material outsourcing and third party arrangements involve ICT products or services (e.g. cloud), the presence of a given ICT product or service does not, in itself, automatically render an outsourcing arrangement material.

Table 2: Materiality Criteria
• Direct connection to the performance of a regulated activity.
• Size and complexity of relevant business area(s) or function(s).
• The potential impact of a disruption, failure, or inadequate performance on the firm’s:
o business continuity, operational resilience, and operational risk, including:
▪ conduct risk;
▪ ICT risk;
▪ legal risk; and
▪ reputational risk.
o ability to:
▪ comply with legal and regulatory requirements;
▪ conduct appropriate audits of the relevant function, service, or service provider; and
▪ identify, monitor and manage all risks.
o obligations under:
▪ any relevant legislation;
▪ the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity of the institution or payment institution and its clients, including but not limited to GDPR and the Data Protection Act 2004.
o counterparties, customers, or policyholders.
o early intervention, recovery and resolution planning and resolvability.
• The firm’s ability to scale up the outsourced service.
• The firm’s ability to substitute the service provider or bring the outsourced service back in-house, including estimated costs, operational impact, risks, and timeframe of an exit in stressed and non-stressed scenarios.

24 See also paragraphs 62 and 63 of the EBA Outsourcing Guidelines regarding the outsourcing of entire regulated (banking) activities to service providers located outside the EEA.

GFSC Consent under Section 83A FSA 2019

5.14 Section 83A of the FSA 2019 requires regulated firms to “obtain the GFSC’s consent to any material change that the firm proposes to make to its business plan, financial resources or corporate governance arrangements which may affect the firm’s continuing satisfaction of the threshold conditions in relation to any of the regulated activities for which the firm has permission; or which is a specified material change”. As set out in the GFSC Guidance Note that accompanies the provision25, “entering, or significantly changing a material outsourcing arrangement” falls within scope of this obligation. As such, firms are required to obtain the GFSC’s consent before entering into or significantly changing any such outsourcing arrangement. The obligation under Section 83A also applies where an outsourcing arrangement that was not initially deemed material is planned to become so (see paragraph 5.5). Where an outsourcing arrangement that was not initially deemed material becomes, or is expected to become, material due to events or circumstances outside a firm’s control, the firm should notify the GFSC as soon as possible.

5.15 In some circumstances, it might be appropriate to submit an application under Section 83A before a final outsourcing provider has been selected. An example of this is if a firm is planning a major migration programme and is still trying to select a provider from a shortlist.
5.16 Firms should use the Section 83A Application Form26 for any consent applications made under this provision.

5.17 Although the obligation under Section 83A only applies to material outsourcing arrangements (in this context), material non-outsourcing third party arrangements constitute ‘information of which [the GFSC] would reasonably expect notice’ within the meaning of Core Principle 12. As such, firms should notify the GFSC when entering into or changing such arrangements. In addition to this, where a firm has considered whether an outsourcing arrangement that it plans to enter into or change is ‘material’ for the purposes of Section 83A, and concluded that it is not, firms should still notify the GFSC of the matter under Core Principle 12.

Due diligence

5.18 The GFSC expects firms to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify suitable alternative or back-up providers where available. If no alternative or back-up providers for a material outsourcing arrangement are available, firms should consider alternative business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business services within their impact tolerances in the event of material disruption at their chosen service provider (see Chapter 10).

25 https://www.fsc.gi/Materialchange_regulatedfirm_business
26 See link above

5.19 In the case of material outsourcing, the GFSC expects firms’ due diligence to consider the potential providers’:
• business model, complexity, financial situation, nature, ownership structure, and scale;
• capability, expertise, and reputation;
• financial, human, and technology resources;
• ICT controls and security; and
• sub-outsourced service providers, if any, that will be involved in the delivery of important business services or parts thereof.

5.20 The due diligence should also consider whether potential service providers:
• have the authorisations or registrations required to perform the service;
• comply with GDPR (Regulation (EU) 2016/679 as it forms part of Gibraltar law), the Data Protection Act 2004, and other applicable legal and regulatory requirements on data protection;
• can demonstrate certified adherence to recognised, relevant industry standards;
• can provide, where applicable and upon request, relevant certificates and documentation (e.g. data dictionaries); and
• have the ability and capacity to provide the service that the firm needs in a manner compliant with Gibraltar regulatory requirements (including in the event of a sudden spike in demand for the relevant service, for instance as a result of a shift to remote working during a pandemic). A ‘general’ track-record of previous performance may not be sufficient evidence by itself.

Risk assessment

5.21 Firms should, in a proportionate manner, assess the potential risks of all third party arrangements, including outsourcing arrangements, regardless of materiality.
As part of the risk assessment, the GFSC expects firms to consider:
• operational risks based on an analysis of severe but plausible scenarios, for instance a breach or outage affecting the confidentiality and integrity of sensitive data and/or availability of service provision (see Chapter 10); and
• financial risks, including the potential need for the firm to provide financial support to a material outsourced or sub-outsourced service provider in distress or take over its business, including as a result of an economic downturn (‘step-in’ risk)27.

5.22 The GFSC expects firms to carry out risk assessments in the circumstances referred to in paragraph 5.6 and also if they consider that there may have been a significant change to an outsourcing arrangement’s risks due to, for instance, a serious breach/continued breaches of the agreement or a crystallised risk.

5.23 A firm’s risk assessment should balance any risks that the outsourcing arrangement may create or increase against any risks it may reduce or enable the firm to manage more effectively (for instance, a firm’s resilience to disruption). The assessment should also take into account existing or planned risk mitigation, e.g. staff procedures and training.

27 See BCBS Guidelines on identification and management of step-in risk, 25 October 2017: https://www.bis.org/bcbs/publ/d423.pdf

Firm or group-wide concentration risk

5.24 The GFSC expects firms and groups to periodically (re)assess and take reasonable steps to manage:
• their overall reliance on third parties; and
• concentration risks or vendor lock-in at the firm or group, due to:
o multiple arrangements with the same or closely connected service providers;
o fourth party/supply chain dependencies, for instance, where multiple otherwise unconnected service providers depend on the same sub-contractor for the delivery of their services;
o arrangements with service providers that are difficult or impossible to substitute; and/or
o concentration of outsourcing and other third party dependencies in a close geographical location, such as one jurisdiction. This type of concentration may arise even if a firm uses multiple, unconnected third party service providers, for instance, a business process outsourcing or offshoring hub.

6 Outsourcing Agreements

6.1 In line with Article 31(3) of MODR (banks) and 274(3)(c) of the Solvency 2 Technical Standards (insurers), all outsourcing arrangements must be set out in a written agreement.

6.2 Where there is a master service agreement that allows firms to add or remove certain services, each outsourced service should be appropriately documented, although not necessarily in a separate agreement.

6.3 Firms should ensure that written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Moreover, regardless of materiality, firms should ensure that outsourcing agreements do not impede or limit the GFSC’s ability to effectively supervise the firm or outsourced activity, function, or service.
Material outsourcing agreements

6.4 Written agreements for material outsourcing should set out at least:
• a clear description of the outsourced function, including the type of support services to be provided;
• the start date, next renewal date, end date, and notice periods regarding termination for the service provider and the firm;
• the governing law of the agreement;
• the parties’ financial obligations;
• whether the sub-outsourcing of a material function or part thereof is permitted and, if so, under which conditions;
• the location(s), i.e. regions or countries, where the material function or service will be provided, and/or where relevant data will be kept, processed, or transferred, including the possible storage location, and a requirement for the service provider to give reasonable notice to the firm in advance if it proposes to change said location(s);
• provisions regarding the accessibility, availability, integrity, confidentiality, privacy, and safety of relevant data (see Chapter 7);
• the right of the firm to monitor the service provider’s performance on an ongoing basis (this may be by reference to KPIs);
• the agreed service levels, which should include qualitative and quantitative performance criteria and allow for timely monitoring, so that appropriate corrective action can be taken if these service levels are not met;
• the reporting obligations of the service provider to the firm, including a requirement to notify the firm of any development that may have a material or adverse impact on the service provider’s ability to effectively perform the material function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements;
• whether the service provider should take out mandatory insurance against certain risks and, if applicable, the level of insurance cover requested;
• the requirements for both parties to implement and test business contingency plans. For the firm, these should take account of their impact tolerances for important business services. Where appropriate, both parties should commit to take reasonable steps to support the testing of such plans;
• provisions to ensure that data owned by the firm can be accessed promptly in the case of the insolvency, resolution, or discontinuation of business operations of the service provider;
• the obligation of the service provider to co-operate with the GFSC, as resolution authority, including persons appointed to act on their behalf (see Chapter 8, including the section on the GFSC’s information gathering and investigatory powers);
• for banks, a clear reference to the GFSC’s resolution powers, especially under Regulations 68 and 71 of the Financial Services (Recovery and Resolution) Regulations 2020 (implementing Articles 68 and 71 of Directive 2014/59/EU (BRRD)), and in particular, a description of the ‘substantive obligations’ of the written agreement in the sense of Regulation 68 of these Regulations;
• the rights of firms and the GFSC to inspect and audit the service provider with regard to the material outsourced function (see Chapter 8);
• if relevant:
  o appropriate and proportionate information security related objectives and measures, including requirements such as minimum ICT security requirements, specifications of firms’ data lifecycles, and any requirements regarding data security (see Chapter 7), network security, and security monitoring processes; and
  o operational and security incident handling procedures, including escalation and reporting; and
• termination rights and exit strategies covering both stressed and non-stressed scenarios, as specified in Chapter 10. As in the case of business contingency plans, both parties should commit to take reasonable steps to support the testing of firms’ termination plans.

Firms may elect to limit contractual termination rights to situations such as:
  o material breaches of law, regulation, or contractual provisions;
  o those that create risks beyond their tolerance; or
  o those that are not adequately notified and remediated in a timely manner.

6.5 If an outsourced service provider in a material outsourcing arrangement is unable or unwilling to contractually facilitate a firm’s compliance with its regulatory obligations and expectations, including those in paragraph 6.4, firms should make the GFSC aware of this.

7 Data Security

7.1 In this chapter, the term ‘data’ should be interpreted very broadly to include confidential, firm sensitive, and transactional data. It may also cover open source data (e.g. from social media) collected, analysed, and transferred for the purposes of providing financial services as well as the systems used to process, transfer, or store data. The expectations in this chapter apply to material outsourcing arrangements and other third party arrangements that involve the transfer of data with third parties in line with the EBA ICT GL. This chapter should also be interpreted consistently with requirements under data protection law.

7.2 Where a material outsourcing or third party agreement involves the transfer of or access to data, the GFSC expects firms to define, document, and understand their and the service provider’s respective responsibilities in respect of that data and take appropriate measures to protect it.

7.3 Where a material outsourcing or third party agreement involves the transfer of data, the GFSC expects firms to:
• classify relevant data based on their confidentiality and sensitivity;
• identify potential risks relating to the relevant data and their impact (legal, reputational, etc.);
• agree an appropriate level of data availability, confidentiality, and integrity; and
• if appropriate, obtain appropriate assurance and documentation from third parties on the provenance or lineage of the data to satisfy themselves that it has been collected and processed in line with applicable legal and regulatory requirements.

7.4 Some risks relating to data that the GFSC expects firms to consider include but are not necessarily limited to unauthorised access, loss, unavailability, and theft.

Data classification

7.5 Firms are responsible for classifying their data.
While the GFSC does not prescribe a specific taxonomy for data classification, it expects firms to implement appropriate, risk-based technical and organisational measures to protect different classes of data (e.g. confidential, client, personal, sensitive, transaction) when:
• developing and implementing their outsourcing policy and other relevant policies and strategies in paragraph 4.10 (business continuity, contingency planning, disaster recovery, ICT, information security, operational resilience, and risk management); and
• sharing data with third parties, including but not limited to as part of an outsourcing arrangement.

Data location

7.6 As noted in Chapter 10, the GFSC recognises the potential benefits for operational resilience of firms using cloud technology to distribute their data and applications across multiple, geographically dispersed availability zones and regions. This approach can strengthen firms’ ability to respond to and recover from local operational outages faster and more effectively, and enhance their ability to cope with fluctuations in demand.

7.7 The GFSC also recognises the potential negative consequences of restrictive data localisation requirements on firms’ innovation, resilience, and costs. None of the expectations in this Guidance Note and in particular this section should be interpreted as explicitly or implicitly favouring restrictive data localisation requirements.

7.8 However, the GFSC expects firms to adopt a risk-based approach to the location of data that allows them to simultaneously leverage the operational resilience advantages of outsourced data being stored in multiple locations and manage relevant risks, which may include:
• legal risks stemming from conflicting or less developed relevant legal or regulatory requirements in one or more of the countries where the data may be processed;
• challenges to firms’ and the GFSC’s ability to access firm data in a timely manner if required (e.g. as part of their enforcement, resolution, or supervisory functions) due to local law enforcement, legal, or political circumstances; and
• other potential risks to the availability, security, or confidentiality of data, for instance, high risk of unauthorised access or ICT risks stemming from inadequate data processing equipment.

7.9 As part of their due diligence and risk assessment in the pre-outsourcing phase, firms should identify whether their data could be processed in any jurisdictions that are outside their risk tolerance and, if so, bring this to the attention of the third party when negotiating the contractual arrangement in order to discuss adequate data protection and risk mitigation measures.

Data security

7.10 The GFSC expects firms to implement appropriate measures to protect outsourced data and set them out in their outsourcing policy (see Chapter 4) and, where appropriate, in their written agreements for material outsourcing (see Chapter 6).

7.11 The GFSC expects firms to implement robust controls for data-in-transit, data-in-memory, and data-at-rest. Depending on the materiality and risk of the arrangement, these controls may include a range of preventative and detective measures, including but not necessarily limited to:
• configuration management. This is a particularly important measure as, for example, in the context of cloud, misconfiguration of cloud services can be a major cause of data breaches;
• encryption and key management;
• identity and access management, which should include stricter controls for individuals whose role can create a higher risk in the event of unauthorised access (e.g. systems administrators). Firms should be particularly vigilant about privileged accounts becoming compromised as a result of phishing attacks and other leaking or theft of credentials, in line with paragraph 31 of the EBA ICT GL;
• the ongoing monitoring of ‘insider threats’ (i.e. employees at the firm and at the third party who may misuse their legitimate access to firm data for unauthorised purposes, maliciously or inadvertently). The term ‘employee’ should be construed broadly for these purposes and may include contractors, secondees, and sub-outsourced service providers (see Chapter 9);
• access and activity logging;
• incident detection and response;
• loss prevention and recovery;
• data segregation (if using a multi-tenant environment);
• operating system, network, and firewall configuration;
• staff training;

• the ongoing monitoring of the effectiveness of the service provider’s controls, including through the exercise of access and audit rights (see Chapter 8);
• policies and procedures to detect activities that may impact firms’ information security (e.g. data breaches, incidents, or misuse of access by third parties) and respond to these incidents appropriately (including appropriate mechanisms for investigation and evidence collection after an incident); and
• procedures for the deletion of firm data from all the locations where the service provider may have stored it following an exit or termination, provided that access to the data by the firm or the GFSC is no longer required (see Chapters 8 and 10). When deciding when to delete data, firms will need to consider their obligations under data protection law and their potential data retention obligations.

7.12 Where data is encrypted, firms should ensure that any encryption keys or other forms of protection are kept secure by the firm or outsourcing provider. The data protected by encryption (although not necessarily the encryption keys themselves) should be provided to the GFSC in an accessible format if required, in accordance with Core Principle 12 and other potentially relevant regulatory requirements.

7.13 The ability of service providers to respond to customer-specific data security requests may vary depending on the service being provided. Generally, the more standardised the service, the more difficult it might be for the service provider to accommodate these requests. The GFSC’s focus is on the overall effectiveness of the service provider’s security environment, which should allow firms to meet their regulatory and risk management obligations and be at least as effective as their in-house security environment.
As long as service providers can provide assurance that this is the case, the GFSC does not have specific expectations around customer-specific requests.

8 Access, Audit and Information Rights

GFSC information gathering and investigatory powers

8.1 Independent of the expectations on access, audit, and information rights set out later in this chapter, the GFSC has a range of statutory information-gathering and investigatory powers, some of which may apply directly to outsourced service providers as well as firms. The GFSC expects firms to make service providers aware of the powers and requirements as set out in Table 3 below, which is not exhaustive. However, failure to do so will not affect their applicability.

Table 3: GFSC statutory information-gathering or investigatory powers

Columns: Firms (all, banks or insurers) | Outsourcing (all or material) | Statutory power | Description | Directly applicable to service providers as well as firms?

Firms: All | Outsourcing: All | Statutory power: Section 132(7) FSA 2019 | Directly applicable to service providers as well as firms: Yes
Description: The GFSC may require any person- (a) to provide any information or produce any document specified in a relevant notice issued under Section 132(1) of the FSA 2019 if it appears to the GFSC that the person is in possession of that information or document; or (b) to attend before the GFSC, at a specified time and place, to- (i) answer questions appearing to the GFSC to be relevant; and (ii) provide any information or produce any document appearing to the GFSC to be relevant.

Firms: All | Outsourcing: All | Statutory power: Section 132(7A) | Directly applicable to service providers as well as firms: Yes
Description: Where it appears to the GFSC that there are reasonable grounds to suspect that a provision made by or under the FSA has been contravened, or for the purpose of assisting a foreign regulator in accordance with Section 50 of the FSA, the GFSC may require a person- (a) to provide any information or produce any document to the GFSC which appears to the GFSC to be in that person’s possession and relevant; or (b) to attend before the GFSC, at a specified time and place, to- (i) answer questions appearing to the GFSC to be relevant; and (ii) provide any information or produce any document appearing to the GFSC to be relevant, where the GFSC is satisfied that doing so is necessary or expedient for the purposes of exercising its functions in connection with the suspected contravention or assisting the foreign regulator.

Firms: All | Outsourcing: All | Statutory power: Section 132(7B) | Directly applicable to service providers as well as firms: Yes
Description: The GFSC may retain any document which is produced under subsections (1), (7) or (7A) of section 132 for so long as it is necessary to retain it in connection with the exercise of its functions under this Part.

Firms: All | Outsourcing: All | Statutory power: Section 136(2)(b) FSA 2019 | Directly applicable to service providers as well as firms: No
Description: The GFSC may by notice require (a) an authorised person (‘A’); (b) any other member of A’s group; (c) a partnership of which A is a member; or (d) a person who has at any relevant time been a person falling within (a), (b) or (c), who is, or was, at the relevant time, carrying on a business, or any member of its group or partnership (past or present) to appoint a ‘skilled person’ to provide the GFSC with a report on any matter about which the GFSC may reasonably require information in connection with the exercise of the functions conferred on it by or under.

Firms: Insurers | Outsourcing: All | Statutory power: Regulation 51 of the Insurance Companies Regulations | Directly applicable to service providers as well as firms: Yes
Description: An insurer which outsources a function or an insurance or reinsurance activity to a service provider must ensure that (a) the service provider cooperates with the GFSC in connection with the outsourced function or activity; (b) the undertaking, its auditors and the GFSC have effective access to data related to the outsourced function or activity; and (c) the GFSC has effective access to the service provider’s business premises and is able to exercise that right of access.

Firms: Banks | Outsourcing: All | Statutory power: Section 285(1)(a)(i) FSA 2019 | Directly applicable to service providers as well as firms: Yes
Description: The GFSC, in its capacity as the Gibraltar Resolution Authority, may exercise the powers provided under section 132 in the discharge of its functions.

Non-material outsourcing arrangements

8.2 The GFSC expects firms to adopt a risk-based approach to access, audit, and information rights in respect of non-material outsourcing arrangements. In doing so, they should take into account the arrangement’s riskiness and the likelihood of it becoming material in the future (see Chapter 5).

Material outsourcing arrangements

8.3 Building on Chapter 6, the GFSC expects firms to take reasonable steps to ensure that written agreements for material outsourcing arrangements provide firms, firms’ auditors, the GFSC (including in its capacity as the resolution authority), and any other person appointed by firms or the GFSC, with full access and unrestricted rights for audit and information to enable firms to:
• comply with their legal and regulatory obligations; and
• monitor the arrangement.
8.4 Access, audit, and information rights in material outsourcing arrangements should include where relevant:
• data, devices, information, systems, and networks used for providing the outsourced service or monitoring its performance. This may include, where appropriate, the service provider’s policies, processes, and controls on data ethics, data governance, and data security;
• the results of security penetration testing carried out by the outsourced service provider, or on its behalf, on its applications, data, and systems to ‘assess the effectiveness of implemented cyber and internal IT security measures and processes’;
• company and financial information; and
• the service provider’s external auditors, personnel, and premises.

8.5 The GFSC considers that it is not sufficient for firms merely to negotiate adequate access, audit, and information rights; these must also be used when appropriate. The purpose of the rights outlined in this chapter is to support firms’ identification, assessment, management, and mitigation of any identified risks relating to a material outsourcing arrangement. The appropriate exercise of these rights is key to providing the assurance that such an arrangement is being provided as agreed with the outsourced provider and in line with regulatory requirements.

Pooled audits and third party certificates and reports

8.6 The GFSC expects firms to exercise their access, audit, and information rights in respect of material outsourcing arrangements in an outcomes-focused way, to assess whether the service provider is providing the relevant service effectively and in compliance with the firm’s legal and regulatory obligations and expectations, including as regards operational resilience.

8.7 Firms may use a range of audit and other information gathering methods, including:
• offsite audits, such as certificates and other independent reports supplied by service providers; and
• onsite audits, either individually or in conjunction with other firms (pooled audits).

8.8 Firms can choose any appropriate audit method as long as it enables them to meet their legal, regulatory, operational resilience, and risk management obligations. The level of assurance expected will, however, become more onerous depending on proportionality (i.e. whether the firm is significant (see Chapter 3)) and the materiality of the arrangement (see Chapter 5).
For instance, a significant firm that outsources an important business service for which it has set a low impact tolerance should demand a higher level of assurance.

Third party certificates and reports

8.9 Certificates and reports supplied by service providers may help firms obtain assurance on the effectiveness of the service provider’s controls. However, in material outsourcing arrangements, the GFSC expects firms to:
• assess the adequacy of the information in these certificates and reports, and not assume that their mere existence or provision is sufficient evidence that the service is being provided in accordance with their legal, regulatory, and risk management obligations; and
• ensure that certificates and audit reports meet the expectations in Table 3.

Table 3: Expectations for certificates and audit reports

Scope
• Key systems and controls identified by the firm (e.g. applications, infrastructure, data centres, and processes).
• Compliance with relevant requirements (e.g. EBA Outsourcing GL).

Content
• Up-to-date information.
• Reviewed regularly to reflect updates to the service provider’s controls, new or revised legal or regulatory requirements or expectations, and recognised standards.
• Where available, the GFSC encourages the use of online, real-time reporting tools.

Expertise, qualification and skills
• The auditing or certifying party and the person at the firm responsible for reviewing the certificate or report should have appropriate expertise, qualifications, and skills.

Process
• Test the effectiveness of the service provider’s key systems and controls.
• Be performed in line with recognised standards.

8.10 In material outsourcing arrangements, the GFSC expects firms to retain the contractual rights to:
• request additional, appropriate, and proportionate information if such a request is justified from legal, regulatory, or risk management perspectives; and
• perform onsite audits (individual or pooled) at their discretion.

Onsite audits

8.11 Before an onsite audit, the GFSC expects firms, individuals, and organisations acting on their behalf to:
• provide reasonable notice to the service provider, unless this is not possible due to a crisis or emergency, or because it would defeat the purpose of the audit. Such notice should include the location and purpose of the visit and the personnel that will participate in the visit;
• verify that whoever is performing the audit has appropriate expertise, qualifications, and skills; and
• take care if undertaking an audit of a multi-tenanted environment (e.g. a cloud data centre) to avoid or mitigate risks to other clients of the service provider in the course of the audit (e.g. availability of data, confidentiality, impact on service levels).

8.12 Certain types of onsite audit may create an unmanageable risk for the environment of the provider or its other clients, for example, by impacting service levels or the confidentiality, integrity, and availability of data.
In such cases, the firm and the service provider may agree alternative ways to provide an equivalent level of assurance, for instance, through the inclusion of specific controls to be tested in a report or certification. The GFSC expects that firms should retain their underlying right to conduct an onsite audit. For material outsourcing arrangements, the GFSC would expect the firm to inform their supervisor if alternative means of assurance have been agreed.

Pooled audits

8.13 Pooled audits may be organised by groups of firms sharing one or more service providers or facilitated by the service providers. They may be performed by representatives of the participating firms or specialists appointed on their behalf. Pooled audits can be more efficient and cost effective for firms and less disruptive for service providers running multi-tenanted environments. They can also help spread costs and disseminate best industry practices with regard to audit methods among firms.

8.14 Where pooled audits lead to common, shared findings, the GFSC expects each participating firm to assess what these findings mean for it individually, and whether they require any follow-up on their part.

9 Sub-Outsourcing

9.1 The EBA Outsourcing GL define ‘sub-outsourcing’ as ‘a situation where the service provider under an outsourcing arrangement further transfers an outsourced function to another service provider’, which may also include part of an outsourced function.

9.2 Sub-outsourcing, which is also sometimes referred to as ‘chain’ outsourcing, can amplify certain risks in material outsourcing, including:
• limiting firms’ ability to manage the risks of the outsourcing arrangement, in particular, where there are large chains of sub-outsourced service providers spread across multiple jurisdictions; and
• giving rise to additional or increased dependencies on certain service providers, which the firm may not be fully aware of or may not want.

Firms’ oversight of sub-outsourcing

9.3 The GFSC expects firms to assess the relevant risks of sub-outsourcing before they enter into an outsourcing agreement. It is important that firms have visibility of the supply chain, and that service providers are encouraged to facilitate this by maintaining up-to-date lists of their sub-outsourced service providers.

9.4 The GFSC expects firms to pay particular attention to the potential impact of large, complex sub-outsourcing chains on their operational resilience, including their ability to remain within impact tolerances during operational disruption. Firms should also consider whether extensive sub-outsourcing could compromise their ability to oversee and monitor an outsourcing arrangement.

9.5 Firms should assess whether sub-outsourcing meets the materiality criteria set out in Chapter 5, which includes the potential impact on the firm’s operational resilience and the provision of important business services. Firms should only agree to material sub-outsourcing if:
• the sub-outsourcing will not give rise to undue operational risk for the firm in line with Regulation 42(1) of the CICR Regulations (banks) and Regulation 50(2)(b) of the Insurance Companies Regulations (insurers); and
• sub-outsourced service providers undertake to:
  o comply with all applicable laws, regulatory requirements, and contractual obligations; and
  o grant the firm and the GFSC equivalent contractual access, audit, and information rights to those granted to the service provider.

9.6 Firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies.

This includes establishing that the service provider has in place robust testing, monitoring, and control over its sub-outsourcing.

9.7 If the proposed material sub-outsourcing could have significant adverse effects on a material outsourcing arrangement or would lead to a substantive increase of risk, the firm should exercise its right to object to the material sub-outsourcing and/or terminate the contract.

9.8 There may be situations where the same service provider has a direct contractual relationship with a firm and is also a sub-outsourced service provider to that firm. An example might be a firm that has an agreement with a cloud service provider that provides services to one or more software vendors used by that firm. In those situations, where appropriate, firms may leverage their direct contractual relationship with that service provider to assess its resilience in respect of all the services it relies on that provider for, including as a material sub-outsourced service provider.

Written agreement

9.9 In line with Chapter 6, the GFSC expects written agreements for material outsourcing to indicate whether or not material sub-outsourcing is permitted, and if so:
• specify any activities that cannot be sub-outsourced;
• establish the conditions to be complied with in the case of permissible sub-outsourcing, including specifying that the service provider is obliged to oversee those services that it has sub-contracted to ensure that all contractual obligations between the service provider and the firm are continuously met;
• require the service provider to:
  o obtain prior specific or general written authorisation from the firm before transferring data (see Article 28 GDPR); and
  o inform the firm of any planned sub-outsourcing or material changes, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes to sub-contractors and to the notification period. Firms should be informed sufficiently early to allow them to at least carry out a risk assessment of the proposed changes and object to them before they come into effect;
• ensure that, where appropriate, firms have the right to:
  o explicitly approve or object to the intended material sub-outsourcing or significant changes thereto; and
  o terminate the agreement in the case of specific circumstances (e.g. where the sub-outsourcing materially increases the risks for the firm or where the service provider sub-outsources without notifying the firm).
Termination rights

9.10 The following are some non-exhaustive examples of situations in which a firm may consider exercising its contractual right to terminate the outsourcing agreement:
• without notifying the firm, the outsourced service provider changed its list of material sub-outsourcers to include a firm that had a significant history of data breaches and operational outages;
• a material sub-outsourced provider has failed to grant the firm and/or the GFSC equivalent access, audit, and information rights;
• a significant incident at a sub-outsourcer caused extensive and unmanageable operational disruption to a firm so that it could no longer stay within its impact tolerances for important business services;
• a sub-outsourced service provider repeatedly causes the outsourced provider to fail to meet KPIs and service expectations that have been agreed with the firm;
• a sub-outsourced service provider enters into insolvency proceedings or other legal proceedings that may materially impact the delivery of its services; and
• actions taken following an incident fail to deliver appropriate remediation.

10 Business Continuity and Exit Plans

10.1 For each material outsourcing arrangement, the GFSC expects firms to develop, maintain, and test a:
• business continuity plan; and
• documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:
  o in stressed circumstances (e.g. following the failure or insolvency of the service provider) (stressed exit); and
  o through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).

10.2 The GFSC’s primary focus when it comes to business continuity plans and exit strategies is on the ability of firms to deliver important business services provided or supported by third parties in line with their impact tolerances in the event of disruption. Consequently, notwithstanding the importance of effectively planning for non-stressed exits, the main focus of this chapter is on business continuity and stressed exits.
Business continuity

10.3 Firms should implement, and require service providers in material outsourcing arrangements to implement, appropriate business continuity plans to anticipate, withstand, respond to, and recover from severe but plausible operational disruption.

10.4 An important objective of the access, audit, and information rights in Chapter 8 is to enable firms and the GFSC to assess the effectiveness of service providers’ business continuity plans. In particular, they should be able to assess the extent to which these plans may enable the delivery of important business services for which a firm relies (wholly or in part) on the service provider, within the firm’s impact tolerance in severe but plausible scenarios.

10.5 In material cloud outsourcing arrangements, the GFSC expects firms to assess the resilience requirements of the service and data that are being outsourced and, with a risk-based approach, decide on one or more available cloud resiliency options, which may include:
• multiple data centres spread across geographical regions;
• multiple active data centres in different availability zones within the same region, which allows the service provider to re-route services if a data centre goes down;
• a hybrid cloud (i.e. a combination of on-premises and public cloud data centres);
• multiple or back-up vendors;
• retaining the ability to bring data or applications back on-premises; and/or
• any other viable approach that can achieve and promote an appropriate level of resiliency.

10.6 There is no hierarchy or one-size-fits-all combination of cloud resiliency options. The optimal option or combination of options will depend on various factors, including but not limited to:
• the size and internal organisation and the nature, scope, and complexity of the firm’s activities (proportionality);
• the potential impact of the outsourcing arrangement on the provision of important business services by the firm (materiality); and
• the relative costs and benefits of different options, taking into account the risks that failure or prolonged operational disruption may pose to the firm’s clients, the firm’s safety and soundness, the orderly operation of the financial markets, the soundness, stability or resilience of the Gibraltar financial system, and (for insurers) policyholder protection.

10.7 If a significant firm wants to outsource its core banking platform to the cloud, the GFSC may expect it to adopt one or more of the most resilient options available to maximise its chances of maintaining its resilience in the event of a serious outage. Conversely, if a non-significant firm wishes to do so, then a less resilient but nonetheless robust option or combination of options could be appropriate.

10.8 The GFSC expects firms to consider the implications of deliberately destructive cyber-attacks when establishing or reviewing data recovery capabilities, either individually or collaboratively.

10.9 In line with Core Principle 12, in the event of a disruption or emergency (including at an outsourced or third party service provider), firms should ensure that they have effective crisis communication measures in place. This is so all relevant internal and external stakeholders, including the GFSC, other international regulators, and, if relevant, the service providers themselves, are informed in a timely and appropriate manner.

Stressed exits

10.10 Firms’ exit plans should cover stressed exits and be appropriately documented and tested as far as possible.

10.11 A key objective of the stressed exit part of exit plans is to provide a last resort risk mitigation strategy in the event of disruption that cannot be managed through other business continuity measures, including those mentioned in the previous section (e.g. the insolvency or liquidation of a service provider).

10.12 The GFSC does not prescribe or have a preferred form of exit in stressed scenarios. Its focus is on the outcome of the exit (i.e. the continued provision by the firm of important business services provided or supported by third parties), rather than the method by which it is achieved.

10.13 The GFSC does, however, expect firms to identify viable forms of exit in a stressed exit scenario, and to give meaningful consideration to those that best safeguard their operational resilience, which may include but are not limited to:
• bringing the data, function, or service back in-house/on-premises;
• transferring the data, function, or service to an alternative or back-up service provider; or
• any other viable method.

10.14 Insurers should specifically consider important policyholder premium and claims information held by outsourcing providers or downstream distribution channels which could be affected by stressed exits.

10.15 The GFSC expects firms to consider the available tools that could help facilitate an orderly stressed exit from a material outsourcing arrangement. Such tools are constantly evolving, in particular in technology outsourcing (including cloud), and may include:
• new potential service providers;
• technology solutions and tools to facilitate the switching and portability of data and applications; and
• industry codes and standards.

10.16 The GFSC recognises that, in an intragroup outsourcing context, firms’ exit options might be more limited than in other scenarios. This is particularly true for third-country branches, which are unable to enter into standalone contractual arrangements with third parties. Nevertheless, the GFSC expects third-country branches to take reasonable steps to identify options, however limited, to maintain their operational resilience.

10.17 Firms should also actively consider temporary measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit, even if these are not suitable long-term solutions (e.g. contractual or escrow arrangements allowing for continued use of a service or technology for a transitional period following termination).

Governance of business continuity plans and exit plans

10.18 Firms should begin to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase, once they have determined that a planned outsourcing arrangement is material (see Chapter 5). Doing so will enable them to:
• use the due diligence process to identify potential alternative or back-up service providers;
• estimate the cost, resourcing, and timing implications of the proposed business continuity or exit plan in both stressed and non-stressed scenarios as part of the risk assessment;
• identify data they may need to access, recover, or transfer as a priority in a disruption or stressed exit; and
• define the key KPIs and key risk indicators which, if breached, may trigger an exit (both stressed and non-stressed).

10.19 Firms should evaluate what would be involved in delivering an effective stressed exit and use this to formulate plans for such an exit, helping them to identify any assets and skills required. As soon as practically possible, firms should seek to test the stressed exit plans to ensure they are functional and meet expectations around impact tolerances, costs, and similar criteria.

10.20 Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans using a risk-based approach. Where possible and relevant, this testing should align to, support, or even be a component of firms’ scenario testing under Regulation 8 of the Operational Resilience Regulations. For instance, one of the severe but plausible scenarios that firms may select for this testing could involve a failure or disruption at a third party or in its supply chain, based on previous incidents or near misses within the organisation, across the financial sector, and in other sectors and jurisdictions. In line with paragraph 6.4 and the FSB Effective Practices, firms and third parties should commit to support the testing of such plans.

10.21 Consistent with the EBA ICT GL, firms should also update their business continuity and exit plans with lessons learned from these tests, including any new risks and threats identified and any changed recovery objectives and priorities.

10.22 Firms should assign clear roles and responsibilities for business continuity and exit plans. Subject to proportionality, they may establish cross-disciplinary teams to develop, document, test, and execute their business continuity and exit plans, especially in stressed scenarios (which may include communicating with the GFSC and other relevant stakeholders in the event of disruption). Based on the size and complexity of the firm, these teams may include relevant business lines, control functions, and technical experts (e.g. IT specialists), and be chaired by an appropriate regulated individual. Firms should also allocate responsibility for signing off business continuity and exit plans, including subsequent updates, and for the decision to activate them.

10.23 When developing business continuity and exit plans, firms should define the objectives of the plan, including what would constitute successful business continuity or a successful exit in both stressed and non-stressed scenarios, by reference to measurable criteria such as costs, functionality, time, and the firm’s impact tolerances for important business services.

10.24 Firms should take reasonable steps to test exit plans, in particular those relating to stressed exits. The extent and nature of testing will vary depending on the type of outsourcing arrangement and corresponding exit plan. For instance, a firm running a hybrid cloud structure may take into account the potential back-up functions located in its private cloud elements. Likewise, a firm that keeps backup copies of data which it has outsourced to the cloud outside the cloud environment may focus its testing on assessing the ongoing consistency of both sets of data and reconciling them as appropriate. Firms should also assess and take reasonable steps to manage any operational risks that may be caused or increased by the testing itself (e.g. data theft).

10.25 Business continuity and exit plans should be reviewed periodically to take into account developments that may change the feasibility of the business continuity measures or of an exit, for example:
• an increase in the number of availability zones or regions offered by a current service provider;
• changes to the firm’s business requirements;
• the emergence of new, potentially viable alternative providers; and/or
• developments in technology or other tools to facilitate the porting of data and applications (e.g. among cloud providers, or between firms’ on-premises environments and the cloud).

Table 4: Contingency planning in outsourced insurance policy administration

Contingency planning – best practice in insurers

Insurers should consider the following best practices when conducting their contingency planning:
• Proposals to act collaboratively with other insurers who share a common outsourcer, in the event of outsourcer failure.
• Evidence of awareness of the challenges of utilising step-in rights where there are shared services.
• Evidence that the contingency plans have been signed off at an appropriately senior level, given the criticality of the outsourced service.
• A list of named contacts and details of the individuals and teams responsible for implementing the contingency plan.
• Evidence that contractual provisions took contingency planning into consideration, for instance by including provisions on:
  i. step-in rights;
  ii. the transfer of employees of the service provider to the insurer under the Employment Act (Amendment) Regulations 2010; and
  iii. access by the insurer to necessary data and systems of the service provider.
• Consideration of a range of scenarios in which a contingency plan may need to be used, including:
  i. financial and/or operational failure of the service provider; and
  ii. the service provider entering, or being at risk of entering, administration or liquidation.
• An assessment of the:
  i. substitutability of the service being outsourced;
  ii. availability of alternative service providers;
  iii. cost and resource implications of implementing a given contingency plan. For example, if an insurer intends to bring an outsourced service back in-house as part of its contingency plan, it should consider whether it would require more staff, where these staff would be based, and whether the necessary infrastructure is in place to support its continued delivery of the service; and
  iv. time it would take to implement a given contingency plan.
• Evidence that key assumptions made in the assessments have been tested.

Published by:
Gibraltar Financial Services Commission
PO Box 940
Suite 3, Ground Floor
Atlantic Suites
Europort Avenue
Gibraltar
www.gfsc.gi

© 2026 Gibraltar Financial Services Commission