Cloud storage is becoming increasingly popular with insurers and other financial services organisations, and there are some very good reasons for that.
Frazer Walker Partner Ian Chisholm explains why the cloud is becoming the platform of choice for core insurance applications instead of self-hosting.
- Cloud storage is much more cost effective than running inhouse private data centres, as most insurers did in the 1980s-1990s. The cost of owning and operating these large, high-cost assets to the standard now required by regulators, and to meet customer expectations, is prohibitive for most organisations.
- The specialist skillsets required from a small army of IT staff to operate data centres around the clock are beyond the reach of most insurers, brokers and other industry participants. Keeping those skillsets current and at an appropriate level of redundancy (ie duplicating resources in case of system failure) would stretch organisations’ staffing and training budgets.
- The ever-increasing range of services offered by public cloud providers, such as artificial intelligence, machine learning, and Internet of Things data processing, is well beyond the reach of even the largest corporations to establish inhouse. Insurers need to focus on their core business and value creation. Being experts in operating data centres is not part of that.
Ian says external suppliers are better placed to build, own and operate the services provided via the cloud, enabling insurers to focus on customer needs and expectations and core value creation for policyholders.
However, Ian warns that changing an organisation’s business model to include cloud storage swaps one set of risks – such as business continuity, disaster recovery, incident management and the excessive technology costs per policy or per claim in running inhouse data centres – for a new set of risks. That is, all the risks associated with having your computer network directly linked to the internet.
The growth of the internet, combined with the use of public or private cloud-hosted offerings, has no doubt helped the rapid escalation of cyber crime over the last decade, whether from state actors or criminal organisations.
That’s why regulators, such as the Australian Prudential Regulation Authority (APRA), have mandated prudential standards for all financial services institutions to manage internet and technology supply chain risks.
APRA’s prudential standards include CPS 234 Information Security, CPS 231 Outsourcing and CPS 232 Business Continuity Management. APRA produced a 2015 paper on Outsourcing involving cloud computing services, which was updated in 2018.
APRA is well aware of the risks for institutions around customer data assets and has been promoting tripartite risk reviews using CPS 234. Most organisations are to complete the reviews by September 2022.
Ian says the Office of the Australian Information Commissioner also maintains a keen eye on organisations’ compliance with privacy laws, whether from cyber breaches or accidental disclosure. Consequently, most chief risk officers have teams monitoring and reporting actual or potential privacy breaches. It is also why most new IT projects now conduct Privacy Impact Assessments to identify and mitigate privacy risks in the project’s design phase, rather than as an afterthought.
“Boards must be cognisant of cloud opportunities and their risks, as they are now being held to account for the good governance of organisations’ information and technology,” Ian says.
Frazer Walker has had discussions at executive and board level on the risks and benefits of cloud services, and how that fits within an insurer’s risk appetite. It is a conversation about risk appetite and trade-offs between cyber risks and operational and financial risks.
While some insurance organisations may be somewhat reluctant to embrace cloud services, Ian says the economics and feature-rich environments are just too strong a proposition.
Inhouse data storage remains an option for non-core, peripheral systems that don’t require rigorous up-time, redundancy or resilience. Ian says some organisations still approach smaller systems in this way.
For example, proof-of-concept systems, non-critical spreadsheets and some development or low-level testing environments could be run on local servers. However, that approach, while cost effective, may not be ideal, depending on the system requirements.
“It’s always a case of test and learn first, then redevelop and move to a more rigorous, robust environment as the system becomes more important for the organisation,” Ian says.
And he warns that local data storage centres are not immune from cyber attacks because they are generally connected to the internet-enabled corporate network.
Ian’s perspectives on cloud storage for insurance industry organisations were included in an article in Insurance Business online last month.