What insurance companies need to consider when moving to the cloud
Two out of three companies in Germany are now using the cloud, according to the industry association Bitkom. It's an upward trend. The insurance industry is no exception. When moving to the cloud, insurance companies should not only think about their responsibility to customers, but also about regulations.
Any CIO and CTO could probably easily list the obvious advantages of cloud solutions. The cloud can offer benefits in terms of scalability and cost, and can expand IT flexibility. In the insurance industry, there are now "typical" scenarios for the effective use of this technology.
Typical cases for cloud applications in the insurance industry
By using the cloud, for example, computing clusters can be quickly formed to calculate complex mathematical models. With "grid computing," results are available much faster.
Digital communication and customer channels, such as the ability to be presented on devices with Amazon's Alexa, would be inconceivable without the cloud. The flexibility and scalability of the cloud are equally advantageous in agile software development. And in the practical implementation and planning of projects, platforms for collaboration facilitate the entire process. Backup and archiving solutions in the cloud offer unlimited storage space at a fraction of the cost of creating physical storage space of the same size. The analysis of large amounts of data and the use of machine learning systems (such as Big Data and AI) are now also largely carried out on platforms in the cloud.
Finally, the cloud is the basis for interfaces (APIs) that offer joint solutions in cooperation with fintechs and insurtechs.
Customer data is inevitably processed in the cloud of an insurer. This means that compliance aspects need to be taken into account, and all the more now that the General Data Protection Regulation (GDPR) has entered into force.
Compliance as a criterion in the selection of providers
In addition to the regulations, there are strategic considerations that must be taken into account before data is moved to the cloud. The German Federal Financial Supervisory Authority (BaFin) has compiled the most important issues in condensed form in an orientation guide. It recommends carrying out a risk analysis to investigate key issues.
The "criticality" analysis assesses whether the outsourcing of data and processes is critical for the company in the event of disruptions. The suitability of the cloud provider must also be examined. What are the cloud provider's capabilities, the infrastructure, its economic situation and its status under company law?
The risks to the integrity, availability, confidentiality and authenticity of the data must also be examined. In this context, the risks of foreign jurisdictions accessing the data must also be examined.
An often overlooked risk is the extraordinary termination of the contract with the provider. How can data loss be prevented? How can the transfer of data to a new service provider be safeguarded?
When choosing a cloud provider, certificates can provide information on compliance. In Germany, the Federal Office for Information Security's two C5 test standards and the Federal Ministry of Economics and Energy's Trusted cloud Data Protection Profile for cloud Services (TCDP) can offer information on compliance.
The Germany Federal Office for Information Security's C5 (Cloud Computing Compliance Controls Catalog) explicitly refers to data security. The C5 deals almost exclusively with measures to protect information security and transparency. A C5 certificate thus refers to the security level of the provider's cloud.
The German Federal Ministry of Economics and Energy's (BMWi) Trusted Cloud Data Protection Profile for cloud Services (TCDP) was developed from a data protection perspective. In addition to its data protection and data security aspects, the TCDP contains criteria for quality and transparency. It also addresses the drafting of contracts.
By selecting a provider that can has obtained both certificates, insurance companies can avoid making any mistakes with regard to compliance.
The cloud relieves IT of the burden of compliance
The GDPR recognizes the principle of joint responsibility in connection with the storage of personal data. This principle must be made transparent to the customer. Cloud providers themselves are now prepared for these cases and have the appropriate templates for these types of contracts.
Regardless of the external relationship with the customer, cooperation with a cloud provider relieves insurance companies of the burden of complying with legal certainty. When operating a cloud solution hosted in its own data center, an insurance company is responsible for:
- Physical security of the hardware
- Security of the infrastructure and network
- Security of the platform
- Security of the application
- Data security
Depending on the service and the contractual arrangements, the cloud provider will take responsibility for at least the first two or three points. This will ease the burden on your own IT department.
By selecting a provider that can present test certificates, the insurance company proves that it has fulfilled its statutory duty of care for the selection of a suitable service. The provider is thus responsible for the security of the cloud solution. When securing data in the cloud, the insurer is still responsible for a number of tasks. These tasks include:
- Access restrictions and employee identity management
- Securing applications that have been moved to the cloud
- Encryption and security of connections between data centers, the cloud and cloud services and employee IT
- Measures against cyberattacks from the cloud on internal systems, including the configuration of firewalls
The advantages of the cloud for insurance companies are undeniable. In view of the diversity of solutions offered on the market, the specific challenges that may arise during migration (data conversion, the creation of integrity and interfaces) and the strategic issues involved, it is still a good idea to seek external support.
With our many years of expertise, we are happy to offer you support for all of the above-mentioned issues. For more information about how we can support you, please contact us.