Lessons to learn
26 Sep 2016
The recent problems with the SSP Pure Software as a Service platform have caused enormous disruption to those businesses who depended on its availability. Increasingly, the insurance press has been full of brokers expressing their anger and frustration that this could have happened in the first place and remain unresolved for so long.
So, what are the lessons to be drawn from this unfortunate episode?
All too often, businesses enter into IT relationships without undertaking appropriate due diligence, particularly if the vendor is well-known in the industry and other similar businesses are already using its products and services.
Unfortunately, as the SSP example demonstrates all too clearly, reliance on the ubiquity or prominence of a supplier or product in a sector is no guarantee of a reliable and effective end-result.
Whenever you are committing a key part of your business operations to a third party, it is essential that you have a clear understanding of the risks and their potential impact on your business, and that you establish appropriate responses to mitigate them.
A phrase we always use when advising clients on possible outsourced solutions is that you can delegate responsibility to a third party for infrastructure or data processing services, but you cannot abdicate it.
In other words, the onus is on you to ensure that any third-party on whom you are reliant takes full account of your business continuity and disaster recovery (DR) requirements in the provision of their service to you.
In the case of using cloud-based services, this means identifying the vulnerabilities in the data processing systems and IT infrastructure proposed (particularly single points of failure) and ensuring that you have appropriate responses in place which may not be provided by the supplier in question.
For example, although it might appear attractive and cost-effective to use one supplier for everything, this is rarely the best answer. Very few suppliers are good at both data processing systems and infrastructure, and if you place most or all of your eggs in one basket you restrict your options for building resilience into your IT setup.
You should review in detail the supplier's own DR strategy, ensure it is tested at an appropriate frequency and ask for evidence of the test outcomes. Any outsourced service should be incorporated into your own DR plans and tested accordingly on at least an annual basis. You should also implement an additional DR facility that is independent of the supplier.
This can be structured as a "cold" rather than "hot" facility, such that it might take a day or so to become active, but you should never have your data totally at the mercy of one supplier.
If there is specific data that is especially key to your operations, policy-holder details or claims information for example, then you should keep an additional copy of this data available outside the live platform.
We would also strongly recommend that you take expert advice, both legal and technical, before entering into a contract for cloud-based services.
Suppliers are notoriously complacent regarding the impact on your business if their systems fail, and it is imperative that you have defined and imposed your own requirements on any such arrangements. This is often easier to achieve if you have someone with the relevant experience and expertise advising you who is independent of the supplier concerned.
In summary, you have obligations to your policy-holders, your underwriters and other stakeholders, and it is your responsibility to ensure that you have taken appropriate measures to meet your commercial and legal commitments.
But, of course, you can only respond to "known knowns" and you need to ensure that you have a full and clear understanding of the issues and risks you should have addressed.
John Singer - IT assurance partner at PKF Littlejohn