This is the second article, which rounds out the issues covered in the previous post.
If you want to know why these issues of ratings and insuring continuity are important, I direct the reader to this article about the online file hosting site Carbonite.
So, as I stated in the first post of this series, I was booked by what looked like a large, well-financed client; well, as my clients went (with the exception of France Telecom), they were large-ish. These folks were a 100+ year old regional insurance company that specialized in professional lines. What's that, you ask? Professional and specialty underwriters serve, well, professions, verticals, and businesses. They usually are not auto, home, or life insurers, but they are often resold by multiline carriers. Why should you know this? Huh!
Professional lines insure business operations risks with certain carriers targeting coverage by profession; their expertise and actuarial models require specialization in order to correctly price the risk of business interruption, and to price the premiums and payouts that indemnify the customers of professional and industrial services operations. One simple example: field service coverage, in which the technical organization is covered against customer claims of damages, losses, and liabilities that occur in the course of repairing equipment. The other side is, of course, simple coverage for interruption of operations. Some engineering disciplines (civil, structural, design, architectural, aviation, you get the idea) can buy coverage for E&O (errors and omissions).
Ya Ya, what does this have to do with hosted services and SAAS, PAAS, Cloud? Answer: Insuring business continuity was a game of physical premises insurance, which evolved into records and facilities, and now, today, optionally covers servers, workstations, software, and systems. It is a mishmash of offerings, and many industries have varying degrees of dependencies on internal IT infrastructure. The insurance products for Small and Medium businesses are semi-flexible, while mega enterprises have core needs that exceed what professional lines can provide, and instead rely on customized underwriting for the Fortune 1000.
Local agents that sell specialty products for professionals and vertical businesses have been focused on premises IT and servers, Client / Server, and just lately, Intranets. After speaking to several insurance industry types that watch this space, I got the feeling that they vaguely understand that hosted services for business ops are different than the Web hosting services that their clients use, and the similarities are superficial. The move to hosted applications is creating a new dynamic in the offering of professional lines of insurance, and they (the royal "they") saw it coming a little late. There were many meetings in which insurance types kept saying to me, "underwriting the Web hosting, right?", and I said, "no, we have to sit down and you need a briefing, there is an evolution occurring in the delivery of applications that are crucial to your insured's operations, and have very little to do with a public facing internet marketing presence; your clients' internal IT ops are going off site, you need to get your arms around the underwriting and reinsurance issues of services continuity, not just internal IT disruptions."
The folks at the company who brought me in knew this already, they hired me, and now their IT and marketing people were, predictably, repeating what they had said to their lines of business product managers. However, my specialty is fostering the creation of new services within cultures that may be a bit behind the state of the art, so I was right in the zone. Also, a picture and a demonstration are worth a thousand words, and all will be well.
So now, if we have got this far, let's finally break down the issues of certification, indemnification, and continuity services.
Let's now forget the underwriting and actuarial domain, and look at issues that are important to SAAS and Cloud hosting clients. I can speak with modest authority, because I am in the process of converting my consulting practice in product strategy management for larger IT and internet companies (with a focus on web applications for professional productivity), and transitioning my services towards SMEs exploring SAAS and Capital-Line-of-Business cut over to Cloud host services. I include here the concerns of clients developing on PAAS; although these particular client issues have a special color, the reassurances sought via certification, indemnification, and continuity rating services are very similar.
There are basically two models for providing assurances to services consumers, such as those small and medium businesses that might be considering ditching in-house servers and "clouding up":
1) Insure the service providers.
2) Insure the clients against failures of particular hosted services or sets of services.
3) Insure the client against general business continuity disruptions related to IT failures.
As for #1 - Insuring providers, this is simple and straightforward from a client standpoint. If your provider is covered, are you not supposedly covered against the worst eventualities? The short answer is no. You can't verify the coverage is what the provider says it is, that they are current in their premiums, or that they will use the coverage for insuring your operations and your continuity.
Furthermore, there are issues with indemnification of giants and start ups alike; the giants are more or less immune from operational liquidity concerns while also too big to insure a specific (read: your) services instance, and the start ups are either uninsured, un-insurable, or will not provide sufficient disclosure to attain an operational rating or subject themselves to underwriting audits.
So, for now, let's forget the service providers' insurance. If they carry any commercial line coverage, that's good for them, and may or may not be good for you, and any good comes too late.
As for #2 - The small and medium business can be insured against business continuity disruptions, with riders for internal IT equipment failures. As of a few months ago, and to the best of my sole ability to survey the industry, there are no carriers offering specific coverage packages for hosted services. The upshot is, if a claim is entered and the incident is a remote provider's fault, there emerges a fairly broad and deep chasm of uncharted waters. I have spoken to certain specialty carriers in the course of working for my former client, and they were contemplating offering limited types of coverage. They would probably offer coverage for services indemnification where the provider is a giant like an Amazon or Microsoft - as these providers' uptime can be quantified, and their backup liquidity is not currently in question. A natural question arises, and the carriers I spoke to had no ready answers: "What are you insuring, then?" The best I could get: "some multiple of the cost of services lost".
In other words, since AWS and other cloud providers usually credit services interruptions with usage credits, the best you are going to get, if anything, from an insurer is a payment of some token multiple of what you would have paid for services from the provider - NOT costs incurred for the loss of business continuity. If any commercial line carrier knows of any such services that I have missed, please leave a comment.
As for #3 - There are comprehensive business continuity and operations policies that go beyond premises and disasters, and some have options for an IT systems rider. I covered this above. You can try asking your commercial lines provider whether you are covered if a disruption is the result of a remote computing services provider being at fault for non-delivery of services (outages); they will most likely give you a blank stare and ask to get back to you with a "no, you are not covered".
So, with the recent failure of retail cloud storage providers being so prominent, where does this leave the industry? Answer: With Ratings, Certifications, and underwriting agreements that allow third party services to backstop failures (even for competitors), that specifically cover narrow, technical services delivery, such as storage, transactions, and communications.
More in the next post, or I will extend this post.