The Secure Cloud for Insurance Carriers

Michael Stoeckert, CTO, ProAssurance

Public clouds are the most recognized form of cloud in many industries, but private and hybrid clouds dominate regulated industries. In a private cloud, all resources in the operating environment are dedicated to a single client. This ensures the client’s data never shares virtual space with another company. Many colocation providers now offer private cloud services, housing part of the major cloud providers’ computing processes.

In a hybrid cloud, a carrier manages some resources in-house while other functions are managed externally. They typically connect data centers to public clouds for non-sensitive data and private clouds for sensitive data. Organizations can also use the private cloud for backups of data and disaster recovery instead of maintaining an IT infrastructure at a secondary location.

If an insurance company has to divert scarce and valuable resources to overcoming operational issues and deficiencies in their IT platforms, it cannot increase productivity.


Some insurers are in an extremely soft market (lower claims severity and frequency). In addition, the NAIC Model Law—and regulatory initiatives from the New York State DFS and others—have further challenged these companies to keep pace. With new requirements in place for additional reporting and auditing, carriers have assumed a larger regulatory burden, and they will need additional resources to meet the updated compliance standards.

Insurers find themselves confronted by three major challenges:

1. Maintain or lower the total cost of ownership
2. Ensure a high level of security
3. Regulate and audit the cloud


Total cost of ownership (TCO) measures the costs to run a system over its lifetime. It is the most effective metric for comparing the costs of cloud computing and installed software. It incorporates not only fees paid to vendors but also equipment and staff costs.

Carriers turn to the private cloud for these reasons: to do more with the same resources and to maintain the TCO of the IT ecosystem. Traditionally, insurers have relied heavily on large, internally built proprietary systems to serve front, middle, and back office functions. This is due to the cyclical nature of computing needs during high-volume periods like financial closes and renewals.

For example, a carrier might choose to migrate their email function to the private cloud, while performing other tasks requiring a high level of integration (core systems like policy and claims) within their own IT infrastructure. Because older technology costs more to service and maintain, a company can typically lower its management and maintenance expenses by moving its email function to the cloud.

Today, with shrinking margins and heightened regulatory requirements, carriers are looking to move some functions not core to their business strategy. This shift can alleviate some of the pain they experience from overgrown internal systems—and ultimately help them maintain or lower TCO. Insurers need to choose the most experienced provider available to achieve full realization of the cloud’s powerful efficiencies and tangible savings.


It is important to recognize that one cannot completely mitigate security risk in the cloud (or in internal systems for that matter). However, steps can be taken to significantly reduce risk. A crucial step in reducing risk is vendor selection. The right vendor will work with customers in order to maximize cloud security. The key is making security a collaborative effort between vendor and client.

Increasingly, organizations will demand cloud providers be ready to help them make the case to board members, investors, and regulators on a range of security issues.

Every carrier needs the full assurance that their business-critical data environment is protected by a robust vulnerability management process. It is imperative that patches—which not only add features but mitigate risk—are tested and deployed based on the risk exposure.

To be secure in the cloud, an insurer must work with its vendor to ensure the vendor is just as serious about security as the carrier. The organization can’t delegate responsibility for its security, so it’s imperative to have a trusted and proven vendor.


Insurers need a service provider that clearly demonstrates its cloud environment and processes address both industry-specific and universal compliance requirements. Providers must demonstrate they have embedded the appropriate services, controls, and procedures to support a customer’s compliance requirements.

The National Association of Insurance Commissioners (NAIC) and State Departments of Insurance have a profound impact on the technology departments of carriers—requiring them to enhance many of their applications and infrastructure.

Under some state regulations, insurers will be required to certify compliance with the law to a regulatory body on a periodic basis.

To measure the risk and regulatory impact of carriers, regulators can inspect links in the data management process from the carrier and data center—through the cloud computing provider and other third parties. An insurer’s cloud provider must have extensive experience in the complexities of this regulated industry and a track record with hosting private and hybrid clouds.


Today’s realities make cloud computing a logical fit for insurance carriers. Their clients demand a combination of flexibility, efficiency, and support for the completion of large workloads at high speed.

Hybrid cloud computing can represent the cornerstone of a powerful business strategy, combining reduced costs and increased regulatory responsiveness while maintaining a high level of security.

Clouds let companies redeploy valuable resources to undertake more business development initiatives. The key to accessing this technology is assuring the chosen cloud provider has the depth of knowledge and experience required for carriers in today’s insurance markets.

Many insurers will enter into cloud computing with a primary goal of moving capex to opex. They will quickly see the cloud is really an entry point to becoming more efficient by continuing the evolution of technology architectures, management tools, and operational processes.
