For insurance carriers, brokers and agencies, the ability to recover quickly from a systems outage or disaster is critical to their business-and, increasingly, may be mandated by law or industry oversight groups. As a result, business continuity has become a core management issue, whereas in the past it was an issue that was addressed by IT executives."The insurance industry is moving from recoverability toward resilience," says Ted DeZabala, national leader of Deloitte & Touche LLP's security services team. "This is a huge change of mentality, of management, and of technology for the insurance industry."
Pressure for more effective business continuity and disaster recovery planning comes from many directions. For instance, the Health Insurance Portability and Accountability Act (HIPAA) stipulates that health care providers and payers meet basic requirements for protecting and recovering critical data.
And, last year, the Securities and Exchange Commission (SEC) approved rules proposed by the National Association of Securities Dealers (NASD) and the New York Stock Exchange which require NASD and NYSE members to develop business continuity plans that establish procedures relating to an emergency or significant business disruption. This move will affect insurers that also offer financial services products.
Under the new rules, every NASD and NYSE member must develop a plan that addresses various aspects of business continuity, including data back-up and recovery, mission-critical systems, and alternate communications between the firm and its employees and the firm and its customers.
And, for publicly traded companies, the Sarbanes-Oxley Act of 2002 (SOX) has put the onus on IT departments to ensure that critical data is preserved and quickly accessible to decision makers and stockholders.
Redundant systems
For most insurers, around-the-clock customer service is a crucial business strategy to build customer loyalty. To achieve that goal, companies have created redundant infrastructures to pick up operations in the event of a system outage. Often, these secondary systems are a scaled-down copy of the first.
"The goal is to have all data captured in the producer systems, and then also captured someplace else, so there's always a back-up copy in the other location," says DeZabala.
Noridian Mutual Insurance Co., for example, maintains a dual data center strategy, with IBM and Unisys mainframe systems located more than one mile apart from each other in Fargo, N.D., the company's headquarters. Noridian also administers the Blue Cross and Blue Shield plan for North Dakota.
"We're replicating the production data between the two sites at all times. If for any reason we lose the primary data center, key data is immediately available over at our secondary data center," says Troy Aswege, Noridian's assistant vice president of information systems.
Maintaining a second data center can bring down a recovery time objective (RTO) to less than 48 hours. At Noridian Insurance, the second data center provides a backup site that can bring the business up within a day, if necessary. This benefit became apparent to Noridian Insurance in June 2000, when the Fargo area experienced catastrophic flooding as a result of a torrential rainstorm.
When Noridian built its headquarters 25 years ago, the land was an open field. Eventually, streets, buildings and parking lots sprung up around Noridian's building, which happened to be on the lowest point of the land.
"All the water came running at us, and our data center shut down," Aswege continues. "Our data center flooded. We went through a true emergency shutdown. But we were able to bring our backup data center online within a day."
It did take several days before customer service and data backup were fully restored. "The delay was not related to our inability to bring the systems up, it was more related to the conditions in town, and the condition of the building," Aswege says. "The technology proved itself, and our management recognized the value in that."
Hurricane proof
Other carriers are also looking closely at dual data center strategies. Blue Cross Blue Shield of Florida emerged unscathed after the state was slammed by four hurricanes within a six-week period, but is not taking any chances.
The Blues plan, which relies on offsite tape storage as backup for its critical systems, is looking at ways to keep operations up and running in the event of a direct hit on its data center by a major hurricane. "Our ability to recover could depend on if roads are passable, if planes are flying, and if trucks are available to ship my tapes," says Chris Gay, manager of disaster recovery for Blue Cross and Blue Shield.
The insurer is building a new data center, a hardened facility that will withstand a Category 5 hurricane. The ultimate goal of the dual center strategy is a 48-hour recovery of all critical systems, says Gay.
The Florida Blues' Jacksonville operations survived last year's bout of hurricanes, but the main challenges was maintaining coordination between members of its IT staff in the Orlando and Pensacola offices, which were temporarily shut down. As part of their solution, they used AlertFind from MessageOne, an Austin, Texas-based provider of business continuity services, to maintain e-mail correspondence.
In some instances, however, even the best-laid plans fall flat, and sheer grit and determination are required to recover. A few days before Hurricane Ivan hammered Florida, the megastorm had slammed into the Cayman Islands with 200-mile-an-hour winds.
British Caymanian In-surance, part of the Colonial Group International, had to get its operations back up and running to quickly service the needs of its customers on the devastated island. British Caymanian backs its data to a site maintained in Bermuda. Colonial Group's IT team backed up the carrier's data to tape and flew down to the Caymans in the wake of Ivan. However, the IT team found more than it bargained for.
"The degree of devastation that occurred here was far in excess of anything that was anticipated," says Ian Cummings, Colonial Group's vice president of information technology. The carrier had developed a business continuity plan that stated in the event of the company losing its business, it would temporarily relocate to a hotel. But after Ivan, there were no hotels.
"Our business continuity plan just didn't fly this time," Cummings says.
Torrential rain filled British Caymanian's data center-on the top floor of the four-story office-with five inches of water. Faced with power failure and structural damage, the IT team had to pick up their computers and carry them to drier land.
The IT employees had to maneuver their IBM iSeries system out of the damaged building by using scraps of wood and an air mattress to navigate the machine down 80 stairs.
"With staff I brought down from Bermuda, we were able to get all of our servers out of the building, and took them over to the life office location in the center of Georgetown," says Cummins. "We plugged it in, and they came up each time."
Cost considerations
Insurers will attest that technology disruption is costly to their business. But experts warn maintaining a second data center may be require more effort and capital than businesses anticipate.
For BayRisk Insurance Brokers, mirroring new data to a third-party vendor offered a more cost-effective solution. In October 2002, the Alameda, Calif.-based brokerage firm contracted with LiveVault Corp., Marlborough, Mass., to back up its database.
"We kept our tape backup in place, but we selectively backup certain data that is less critical to us," says Kevin Milroy, president of BayRisk.
But for some companies, the business necessity of a dual data center strategy-along with new regulatory pressures-far outweighs strict cost comparisons.
The NYSE and NASD mandate prompt recoverability of the entire trading lifecycle and giving customers rapid access to their data.
"Once you've made that investment to back up your portfolio, it's not a huge step to say, 'You know what, I'm building another data center anyway, I'm building redundant applications and redundant business processes anyway,'" DeLoitte's DeZabla says.
Joe McKendrick is a business writer based in Doylestown, Pa.
