System outages, data breaches, internet service interruptions, oh my: Anyone following tech news hears about these events regularly. (And maybe you uncomfortably wonder what’d happen if one of those tech catastrophes hit your organization?)
Would you have a plan in place, or be floundering? For any insurer, even a fairly short outage (one to three days) could cause costly setbacks, and anything beyond five days might as well be no-man’s-land.
The recent CrowdStrike outage shows why insurers need a safety net that legacy and many modern legacy core systems can’t give them. By contrast, the cloud-native (and cloud-agnostic) flexibility of EIS Platform means it can be a foundation for insurance business continuity.
First a Bug, Then a Swarm: Anatomy of an Outage
CrowdStrike, a cybersecurity vendor to half the Fortune 500, attempted to update its Falcon Sensor anti-malware platform on July 19. The glitch crashed all Windows PCs and devices that received it (about 8.5 million machines). CrowdStrike traced the outage to a bug in Content Validator: a system intended to detect glitchy updates.
The outage forced airlines worldwide to cancel thousands of flights on the 19th and over the following days. Financial institutions experienced disruptions or failures within internal systems and customer-facing apps. Emergency call centers went down all over the US for hours-long stretches.
And that just scratches the surface of the outage’s effects.
Microsoft regional director and cybersecurity expert Troy Hunt called it the largest in world history. Companies affected by the outage likely lost over $5 billion in revenue and gross profit. Many affected systems were back up the same day or by June 20, but full recovery will likely take weeks.
Modern Legacy’s Lack of Contingency
Insurers still using legacy or modern legacy core systems are effectively playing chicken with their business continuity. This is just as true of modern legacy systems that’ve been lifted-and-shifted to the cloud as it is of those relying on centralized server infrastructure.
Why? Above all, systems that are only “cloud-based” in name are usually migrated to one specific public cloud provider — AWS, Microsoft Azure, Google Cloud, etc. If the cloud goes down for any reason, the system goes down with it, and all the mission-critical operations it supports grind to a halt.
The system vendor can give the affected customer the base code to redeploy the system, but full recovery from the ground up takes six to nine months, and the business losses an insurer undergoes in that time might be fatal. (This is no better than what you’d deal with post-outage if you had fully on-premises core infrastructure.)
Being tied to a single cloud also comes with potential regulatory headaches.
First off: In certain jurisdictions, cloud providers must maintain the approval of the regulatory bodies that’ve given them licenses to operate. These agencies (the UK’s Financial Conduct Authority, various EU organizations and their national counterparts in member states, etc.) can take away those licenses at any time, and repeated outages or breaches can quickly erode regulators’ trust.
Additionally, because insurers are essentially outsourcing a critical service, regulators require them to (upon request) attest to the resilience of that service’s provider (and the provider’s sub-supplier ecosystem). Carriers must also offer proof that they could seamlessly continue operations in the event of a “stressed exit” (i.e., a cloud provider outage). Insurers with modern legacy systems hosted by a single cloud vendor don’t have a suitable plan for such an event and face significant risk as a result.
Cloud-Native + Cloud-Agnostic = Cloud-Secure
We know that the cloud providers and other critical vendors insurers rely upon don’t suffer outages or breaches regularly. But they happen often enough — and, increasingly, to devastating effect — that having a flexible safety net is a must. (Or think of it this way: Having no plan isn’t a risk any smart organization should take on, least of all one in the business of protecting from risk.)
As cloud-native coretech, EIS Platform has been expressly engineered for cloud-based operational excellence. But for resilience purposes, the platform’s cloud-agnostic nature matters more. Though it’s paired with a single cloud of your choice like AWS or Azure upon deployment, it’s compatible with all the major offerings, and can also accommodate private cloud infrastructure.
If Azure has an outage, EIS starts moving your operations to AWS (or another cloud of your choice, public or private). This helps minimize downtime and all the losses that come with it. Replace with – This provides the insurer with choice, whether they decided to move to an alternate cloud provider, are forced to do so, or decided to provide the service inhouse – all options are open
We also offer “SaaS escrow:” It requires advance setup but further strengthens your safety net: If EIS itself suffers a catastrophic outage or busines failure, you can immediately step in and take over the environment and applications you built on the EIS platform from a cloud repository, alongside the instructions and documentation for your IT team to run the core operations. In essence business continuity is a paper exercise, not a technical one..
Protect Yourself Sooner, Not Later
On Jan. 17, 2025, the Digital Operational Resilience Act (DORA) takes full effect in the EU, emphasizing the need for “multi-line operational resilience” among other key provisions.
This means insurers operating in or planning to enter the EU market must ensure their core systems aren’t tied to a single cloud provider. Failure to comply could result in significant penalties and operational disruptions.
But whether or not you operate in the EU, consider the potential consequences of not being prepared: an unexpected outage with your sole cloud provider, or system provider could leave your systems down for days, resulting in substantial financial losses and damage to your reputation. (Just imagine the chaos if customer claims systems weren’t accessible during a natural disaster, or if your underwriting platform went down during a peak renewal period.)
Having a cloud-native and cloud-agnostic solution like EIS Platform mitigates these risks by allowing seamless transition between multiple cloud environments, ensuring continuous operations even if one provider fails. Additionally, SaaS escrow gives you the additional ‘insurance’ of access to your critical applications and data in case of a catastrophic failure, with the ability to ‘step-in’ further strengthening your operational resilience.
Talk to an EIS colleague now and start setting your company up for an ambitious — but well-guarded — path. Taking proactive steps now will ensure regulatory compliance and protect your business from unforeseen disruptions, safeguarding your operations and maintaining customer loyalty.
The post How the CrowdStrike Outage Illustrates Insurers’ Need for Resilience appeared first on EIS.