Data Centre strategy for insurers
Deciding on a strategy for your data centre can be a tricky process for any business. Deciding on a data centre strategy if your business happens to be insurance is a whole new level. Every business, regardless of its nature, is reliant on technology to some degree in today's world. For insurance businesses this reliance is, in many ways, far greater. The risks that surround the data centre strategy for an insurance business are more complex and require more consideration before decisions are made.
Take, for example, the Cloud. For many businesses the Cloud represents a great way for IT to flex and adapt as the business changes over time. The Cloud, when adopted in a considered manner (there is no such thing as ‘one size fits all’ and there are very few businesses that can operate effectively entirely in the Cloud), can be very cost effective. For an insurance business there is more to think about than “what parts of my IT infrastructure would be suited to a Cloud environment?”. It is easy, for instance, to think of placing your development environment in a Public Cloud service such as Amazon Web Services or Microsoft Azure, but there are other considerations that come into play.
The Cloud is, in general, secure. But what about sovereignty? That is a whole different issue. If the Public Cloud service that you use is owned by an organisation from outside of the UK, what level of protection do you have? The EU used to have an agreement with the US called ‘Safe Harbor’ but that got challenged in the European Courts and was deemed not to provide sufficient protection for personal data. As a consequence the EU and US spent a lot of time and effort negotiating a new agreement called ‘Privacy Shield’ that came into force on the 12th July 2016. However, since the UK has voted to leave the EU, the validity of this in relation to UK companies comes into question. Using Public Cloud could be a significant risk for a UK insurance company.
Of course, there is Private Cloud too. And there are plenty of UK companies offering Private Cloud services. However, the question of security around that Private Cloud may be a consideration. Where is the Private Cloud located? Is the data centre that it is served from secure? Does the Cloud operator own the data centre? If not, who does? Who has access to the Private Cloud environment? Are staff from the Cloud operator that work on it vetted? If so, how? There are lots of considerations to be made.
One answer may be to keep all services in-house. That is certainly an option. But can you guarantee the security of the data? There are various studies that suggest that theft of data by employees is rising. Some of the lower estimates of the amount of data loss due to employee theft are around 40%; some of the higher ones put it at 75%. The probability is that it is somewhere in between, but can you provide the level of security to protect against this threat internally? If your business is insurance, it probably isn’t data centres too. An on-premise data centre can be a significant risk for any business. For an insurance company that relies totally on the data it holds, the risk is huge.
Is it in an area that is subject to risk? Is there a flood risk in the area? What about terrorism: is it likely to be a target? What about transport links – is it always going to be accessible when you need it to be? The list is long. London Docklands is in an area that the Environment Agency say is likely to flood at least once in 20 years. Many London businesses have their primary data centre there and their secondary (or disaster recovery) facility in Slough – just a few miles further down the same river that will first have flooded their primary facility! Imagine the embarrassment, as an insurance company, of having to explain to the regulator how your primary data centre flooded and the one you chose as a backup flooded too because it was on the same river as the first one.
There is no strategy for data centres that is a ‘one size fits all’ solution. Every business must weigh up the risks and decide which risks are acceptable to the business and which are absolutely not. For an insurance business, those risks must also be assessed alongside regulatory and security requirements. The type of insurance being offered, the nature of the data you hold and your appetite for risk may all influence the strategy too. Deciding on a data centre strategy for your insurance business can be challenging, but MIGSOLV can help. At MIGSOLV we have provided advice on data centre strategy to a number of insurance companies. We also have one of the most secure, risk-free data centres anywhere in the UK. Why not get in touch and find out how we can help you with your data centre strategy?