Daniel Liptrott, Managing Director at NCC Group
Many organisations use business-critical, cloud-hosted applications to carry out day-to-day operations, but some may not be aware of the potential consequences of losing access to this software.
Organisations that outsource these applications must ensure that access to the information held is continuously available.
According to guidelines released by the Financial Conduct Authority (FCA) last summer, companies failing to adhere to legal considerations, risk management and international standards when outsourcing to the cloud and third parties could face disciplinary action, including fines.
This is something that the customers of SSP Worldwide, whose Pure Broking platform is used by 40 per cent of UK insurance brokers to trade, may understand all too well.
SSP has suffered from intermittent data centre outages over the last year, which left its Pure Broking platform out of action for two weeks in August, over one day in November, and a few hours as recently as January 2017. This has been a costly lesson for the 300 brokers that rely on the Pure Broking software, and many are concerned that they could be facing disciplinary action from the FCA.
As well as potentially being subject to fines, users of this software would have been unable to carry out essential work in delivering excellence to their customers. This would have impacted employees and their ability to carry out day-to-day operations, as well as the delivery of services to the brokers’ customers. The potential consequences of being unable to access a business-critical piece of software should be considered by all financial services organisations, so that they can avoid damage to their reputation and a negative impact on their bottom line. They therefore need to ensure that Software-as-a-Service (SaaS) providers have adequate measures in place to meet the FCA guidelines, and are able to continuously monitor and identify risks to critical applications.
Although there are many benefits that come with the adoption of SaaS applications, there are also numerous risks that organisations, particularly those in the financial sector, should be aware of. Subscribing to third-party services means relying on their applications being continuously available. This could put organisations and their business operations at risk if the service provider goes out of business or experiences an outage, like SSP Worldwide.
However, this risk may be justified by the value of outsourcing applications to third-party providers. Software can increase efficiency, streamline operations and help to cut costs. It can be argued that investing in technology is increasingly necessary for businesses within the financial services sector, which often face emerging competition from fintech companies.
The FCA has strong guidance to protect organisations, but navigating the finer details can be difficult, especially because third-party service providers often rely on external data centres for storage and software hosting, and have links to other companies. This can make it difficult for businesses to ensure that their critical software is always available, both legally and practically.
Often, it’s easier to enlist a third party to monitor the relationships between the SaaS provider and its cloud service provider or data centres. Not only does this mean that the customer can be aware of any issues regarding its business-critical applications, but it can also be forewarned if the SaaS provider does not make the hosting payments due to the infrastructure provider – sometimes a sign of potential financial issues.
If the worst should happen, financial organisations need to ensure that they are still able to access their business-critical applications and have a plan to rebuild or migrate the application. For example, having a copy of the software or application source code means that these programs can be rebuilt or migrated more easily than without one. Making regular backups of important data will offer further peace of mind and ensure that the business can continue to operate if its applications are unavailable for any reason.
Outsourcing to third-party software is a great way for financial services organisations to stay competitive, but they should maintain a degree of caution if they want to avoid any nasty surprises, and the FCA guidelines provide a good starting point.