Cloud services are becoming more and more popular among brokers. But in spite of the potential benefits, they can also bring unexpected hazards. Ian Singer focuses on one of the key risks.
There are good reasons why the Cloud is becoming increasingly important in the IT landscape for brokers of all shapes and sizes:
The need to support mobile workers.
The difficulty in designing and building a resilient and effective IT infrastructure in-house.
The economic realities requiring you to make best use of available financial resources – and so on.
But all too often brokers are tempted into IT relationships without undertaking appropriate due diligence. This is especially true if the provider is well-known and other similar businesses are using their products and services. Unfortunately, opting for a supplier or product just because they are prominent in the sector is no guarantee of a reliable and effective end-result.
Whenever you are committing a key part of your business operations to a third-party, it’s essential that you have a clear understanding of the risks and their potential impact on your business and that you set up appropriate responses to mitigate them. A phrase we always use when advising clients on possible outsourced solutions is that ‘you can delegate responsibility to a third-party for infrastructure or data processing services but you cannot abdicate that responsibility’. In other words, the buck stops with you and you must ensure that any third-party on whom you rely takes full account of your business continuity and disaster recovery (DR) needs in the provision of their service to you.
In the context of cloud-based services, you should identify the vulnerabilities in the data processing systems and the IT infrastructure proposed to support them (particularly single points of failure) and ensure that you set up appropriate responses, as these may not be provided by the supplier. What’s more, although it might seem attractive and cost-effective to use one supplier for everything, this is rarely the best answer. Why? Because very few suppliers are good at both data processing systems and infrastructure, and that means you are probably relying on a supplier with average expertise for a crucial part of your IT setup if you put most or all of your eggs in one basket.
You should review in detail the supplier’s own DR strategy. Make sure it is tested regularly enough and ask for evidence of the test outcomes. You must incorporate any outsourced service into your own DR plans and test it at least once a year. It’s also vital to implement an additional DR facility that is independent of the supplier. You can structure this as a ‘cold’ rather than ‘hot’ facility, which means it could take a day or so to become active. But you should never have your data totally at the mercy of one supplier. So, if there is specific data that is especially key to your operations, policy-holder details or claims information for example, you should keep an additional copy that is available outside the live platform.
We would also strongly recommend that you take expert advice, both legal and technical, before entering into a contract for cloud-based services. Suppliers are notoriously complacent about the impact on your business should their systems fail and it is crucial that you define and impose your own requirements on any such arrangements. This is often easier if you have someone independent of the supplier with the relevant experience and expertise to advise you.
Remember that you have obligations to your policy holders, your underwriters, regulators and other stakeholders and that it’s your responsibility to ensure you are meeting your commercial and legal commitments. But, of course, you can only respond to ‘known knowns’ so it’s important to have a full and clear understanding of the issues and risks you need to address.