Insurance brokers fear regulatory action over SSP Worldwide cloud outage

Insurance brokers hit out at disaster recovery arrangements, fearing two-week outage could put them at risk of action by Financial Conduct Authority

SSP Worldwide stands accused of misleading users about the robustness of its disaster recovery regime, as insurance brokers await details of how its two-week cloud platform outage will be viewed by industry regulators.

A large number of UK brokers, who rely on SSP Worldwide’s Pure Broking platform to issue quotes and track renewals, were struggling to trade for a fortnight after a datacentre power outage knocked the cloud-based service offline on 26 August.

The situation has prompted concern over whether brokers’ inability to work during the downtime puts them at risk of enforcement action from regulators, despite SSP’s systems being at fault.

The broker community is regulated by the Financial Conduct Authority (FCA), but the third-party providers whose services they use to run their organisations are not.

Matt Hodges-Long, managing director of business continuity provider Continuity Partner, said the FCA may seek clarification from brokers about whether their disaster recovery plans were sufficient to mitigate the risk SSP’s problems posed to customers.

“If this situation leads them to discover that X number of consumers were going around uninsured as a result of this, and they deem that to be unacceptable, then the FCA has the power to take enforcement against the firms it regulates,” he told Computer Weekly. “They cannot abdicate their responsibility, as the FCA regulates them to do their job, not one of their suppliers.”

According to a report in Insurance Age magazine, the FCA asked SSP for a list of those affected by the outage on 2 September, with brokers given the opportunity to have their names removed from the list.

The FCA’s request angered some brokers, who told Computer Weekly they feared the regulator could use it as a “hit list” of firms to take punitive action against in the wake of the outage.

“What the FCA might do about this, as the regulator, is a source of uncertainty, along with what the repercussions of all this might be,” said Hodges-Long.

Computer Weekly contacted the FCA for details on what action, if any, it could take in this case, but it declined to comment.

Testing the limits

The SSP incident could constitute the first major test of the FCA’s guidance, published in July 2016, on how the firms it regulates should approach their use of cloud. This includes seeking assurances from suppliers before signing up to use their services.

Under the guidance, FCA-regulated companies are expected to conduct due diligence before moving any part of their business to the cloud.

As such, the guidance advises firms to have a clear business continuity strategy in place to cater for any downtime their supplier may experience.

“Firms should document their strategy for maintaining continuity of operations, including recovery from an event, and their plans for communicating and regularly testing the adequacy and effectiveness of this strategy,” the FCA guidance states.

Hodges-Long points out that such a strategy should not render a company unable to cope when its chosen cloud provider runs into technical difficulties.

“Companies need to make sure they have adequate infrastructure in place to support their operations, but they also must be able to stand on their own two feet and find a workaround regardless of what processes a provider has in place,” he said.

“If both the supplier’s and the company’s backup plans fail and they end up losing business, they need to ensure they can recover any money lost through an insurance policy that is structured in a correct way.”

Brokering a defence

A number of brokers contacted by Computer Weekly following the outage claim they did perform due diligence, but the information SSP gave them was not all it seemed.

The Solihull datacentre where the outage occurred is owned and operated by SSP, which also relies on two colocation facilities in Acton, west London, and Northampton to provide its services to customers.

According to several brokers, who spoke to Computer Weekly on condition of anonymity, their contracts with SSP only reference the use of two such facilities, and state that one will failover to the other if the primary site is unavailable.

“It also mentions that they will restore the service within three business days once the decision has been taken to move sites,” said one broker.

‘Seamless’ process

Another broker, quoting SSP’s own marketing materials, said the company had given it the impression that switching between the two sites would be a relatively “seamless” process, when in reality it took the company two weeks to restore its services.

“SSP has two datacentres, one located in southern England, the second in the Midlands,” the SSP website states. “Our disaster recovery options include the ability to copy all your data between the two datacentres every 15 minutes via a dedicated high-speed connection.

“Each datacentre acts as a backup for the other, ensuring that if one datacentre is unavailable, the other can take over.”

However, an SSP spokesperson confirmed that the Solihull datacentre is backed up on a daily basis, but is not one of the two sites referred to on its website, much to the dismay of many brokers who had assumed it was.

Computer Weekly asked SSP for its response to brokers who felt misled over its disaster recovery statements, and was told the company could not comment on the specific details of customer contracts.

SSP went on to say that its focus remained on restoring services to all customers and, once that was complete, launching a full internal investigation into the fallout from the outage.

In a follow-up statement to Computer Weekly, the company confirmed that more than 90% of its customers were either operational again or close to going live again on the platform.

“We will be writing to each [affected customer] this week to reiterate our apologies for the inconvenience caused by the outage and provide a rebate of service fees,” said SSP CEO Lawrence Walker in the statement.

While brokers are likely to welcome the offer of a rebate, it is unclear at this point whether this sum will cover the costs incurred by being unable to trade since SSP Pure Broking went offline, in terms of lost business and staff overtime costs.

Post-mortem plans

The British Insurance Brokers’ Association (BIBA), which represents about 2,000 general insurance brokers across the UK, is to hold a post-mortem into the outage with SSP and ascertain the robustness of its disaster recovery setup.

In a statement to Computer Weekly, BIBA CEO Steve White said brokers would be free to discuss compensation terms during its proposed meeting, before outlining the complexities SSP is likely to face when negotiating terms.

“Brokers were affected in a number of different ways, to differing time frames,” said White. “We also believe there are a variety of different contractual terms in place dealing with outages, but nevertheless brokers will be free to discuss whatever they wish with SSP.”
