Are insurers too hesitant in building cloud solutions? Almost like a cliché, companies in the DACH region have a reputation for not using the development opportunities offered by cloud computing consistently enough. But it has long been worth taking a closer look. After all, the fact that service providers had little to gain for many years was mainly due to the regulatory experience of insurers. That situation has since changed fundamentally. My conversation with Georg Weber, the contact to the supervisory authorities for Microsoft Deutschland, reveals just how extensive the practical cloud know-how of BaFin (Germany's Financial Supervisory Authority), the Bundesbank and EIOPA has become. First of all, however, a few pointers on the application and data processing topics for which there is hardly any getting around cloud solutions.
Scope and maturity of solutions
What is the market penetration of cloud services in the insurance industry? Are companies still focusing on highly standardized services such as file sharing, unified communications or office applications that make their back office more productive and cost-effective? Or have we long been talking about far more complex solutions that directly address the core business? Well, there is no doubt that back office processes still account for a particularly large slice of the cloud cake. The strong progress of development in this area is due not least to the fact that regulatory risks appeared to be manageable much earlier than in the front office. In addition, the fact that the operational added value of a cloud solution in the back office is generally particularly easy to calculate had a positive effect.
Despite this, the number of solutions in which cloud technologies also contribute to value creation is rising. For example, Versicherungskammer Bayern is developing cognitive services in partnership with IBM to optimize its complaints management system. Or there is Provinzial Rheinland, which, in addition to large parts of its infrastructure, has also set up the customer portal of its subsidiary S-Direct in the Microsoft cloud and now even processes sensitive health data there. A closer market analysis shows that there are a number of projects, especially among the more complex cloud projects, which already have a long history and therefore high levels of maturity. In 2014, for example, the Talanx Group caused a real stir when it began outsourcing parts of its risk management system to the cloud. Together with Amazon Web Services and the cloud experts at direkt gruppe, the Hanover-based company set up a highly scalable IaaS platform to relieve the load on its internal server systems, for example for calculating the Solvency Capital Requirement and the Minimum Capital Requirement – operations that increase computing effort massively for a short time.
The latter scenario in particular shows that a steadily increasing number of data processing issues can only be solved in cloud environments. The precise provision of constantly increasing computing power with sufficient capacities is by no means the only driver of this development. Just as important is the fact that many of the most innovative methods of data analytics are available first and foremost in the public cloud. Integrating these tools into company-specific IT environments is complex and increasingly time-consuming. As a result, companies that try to do so are increasingly lagging behind those that have relied on the cloud right from the start. Against this backdrop, the adoption of cloud technologies is becoming a factor for competitive differentiation.
Infrastructure for the platform economy
Regardless of this, most insurance companies in the DACH region do not yet generally outsource the "Systems of Record", which contain sensitive customer and business data. Nevertheless, the "Systems of Engagement", which build the bridge to the operational business, already run predominantly in the public cloud. In this mixed situation, hybrid infrastructures ensure that the two system worlds can be managed and developed in line with the overriding business objectives.
The integration service is by no means limited to the organization of data exchange between front, middle and back office. The hybrid cloud also provides the platform for further application rationalization. This central development work is concerned both with standardizing existing products and tariffs and with the rapid operationalization of new ideas. The aim is to roll out secure, high-yield products with the lowest possible time-to-market in all relevant markets. And with increasingly specific covers that reflect the different customer requirements as accurately as possible. This is precisely where cloud environments offer an ever-increasing number of possibilities to record the dispositions, behavior and preferences of potential customers. To develop the knowledge required for this, it is becoming increasingly important to integrate competent partner companies and their capabilities in a service-oriented way. In the context of this highly complex task, cloud platforms are proving to be the means of choice to sustainably take advantage of the development opportunities presented by the platform economy.
"The authorities certainly won't allow us to do that!"
Georg Weber is compliance expert for the banking and insurance sector at Microsoft Deutschland. He has been dealing intensively with the requirements of the financial supervisory authorities regarding the use of cloud solutions since 2014. In this interview, he provides insights into how strong the cloud expertise of the supervisory authorities has already become, how to measure the level of service provider compliance and why the decision for or against a cloud solution always has a strong personal component.
Question: The business of Azure is growing rapidly. Most recently, sales were up 59 percent. Can the insurance industry in the DACH region keep up with this pace?
Weber: Just a few years ago, I would have answered no to this question. Back then, we had a whole series of discussions with insurers, where we were ultimately told: "You know, the authorities certainly won't allow us to do that." But the situation has since changed fundamentally.
Question: In what way?
Weber: Both sides, i.e. the insurers together with their service providers as well as the supervisory authorities, above all BaFin and the Bundesbank, have built up massive know-how on how the cloud can be used securely in the area of conflict between data protection and information security. Some major milestones have included the publication of the "Insurance Supervisory Requirements on IT" (VAIT) in July 2018 and the publication of the "Guide to Outsourcing to Cloud Providers" in the following November. Our outsourcing contract has been adapted to these, and the guide in particular has provided clarification on some critical issues. In the course of contract negotiations, the supervisory authority became familiar with our contract and provides information to inquiring insurers on its suitability. Since then, we have noticed that insurers have become much less reluctant to use cloud solutions.
Question: A watertight contract is extremely important. But how can insurers recognize how well a service provider complies with these requirements in practice?
Weber: Well, there are currently no insurance-specific certifications of cloud service providers. A good alternative is offered by various certifications to industry standards, the suitability of which for a risk assessment has been confirmed by BaFin in the guide I mentioned previously. These include the relevant ISO certifications, combined with the SOC Type II reports of AICPA. They provide sufficient insight into how well a service provider complies with regulatory requirements, as long as the provider also makes the audit reports available. Another good guide to the quality of a cloud service provider is the way it complies with the guidelines of the Financial Industry Regulatory Authority (FINRA) or the U.S. Securities and Exchange Commission (SEC). These include guidelines that govern the handling of certain information and documents, for example with regard to retention periods or the subsequent non-changeability of documents. In addition, BaFin and the Bundesbank, together with the BSI (Germany's Federal Office for Information Security), have developed the Cloud Computing Compliance Controls Catalogue (C5). Since there is currently no independent C5 certification, the BSI recommends that the C5 criteria be reviewed as part of the SOC reports.
Question: Are there any application and data processing topics that insurers would be better off handling in-house in the coming years?
Weber: From a purely regulatory point of view, there is no reason to do so. The extent to which cloud services are actually used, however, depends very much on the risk culture and governance in the companies. While some companies tend to be more cautious about cloud issues, others are already proving to be much more open. But it must not be forgotten that the very personal attitudes and experiences of the individual stakeholders can also play a major role. This is particularly evident in data protection, where the Data Protection Officer is jointly liable, after all. Against this backdrop it is perfectly natural that those responsible sometimes come to very different decisions – for instance when it comes to what data they allow to be processed in the cloud.
Question: Do you have any customers who have a particular affinity for the cloud in this respect already?
Weber: We do indeed have quite a lot of customers that do. One example is Munich Re, which decided two years ago to process data from all data protection classes in the cloud. Just how far the insurer has already opened itself up to the cloud is also shown by the fact that it now even develops and markets its own apps. These include a TÜV-certified solution which enables insurers to carry out risk assessments for potential customers much more efficiently.