The San Francisco-based provider of direct-to-consumer auto insurance has been drawing upon managed data center services from 365 Main Inc. for the past five years after concluding a 5-year agreement with another data center provider it outgrew. Meanwhile, management plans to decide whether to shift to SaaS-based delivery models for e-mail and office productivity software by the second quarter.
Since Esurance was founded 10 years ago, the company has sold more than 1.5 million auto insurance policies, and insured more than 2.2 million drivers. As the company has grown, its partnership with San Francisco-based 365 Main has enabled it to expand its CPU cycles and server requirements as needed, according to Esurance CIO Phil Swift.
During the course of its agreements with 365 Main, Esurance has experienced just two minor service disruptions, each of which were quickly remedied and later audited and reviewed with Swift and his team, he says.
Swift's praise for the reliability and transparency of the operations at 365 Main is a testament to the service provider's dependability and operating philosophy. But it also reflects the kind of scrutiny that Swift and his colleagues paid to service-level agreements and other aspects of the contract over a 6-month negotiation effort with 365 Main.
"Esurance is run by data, and we spend a lot of time looking at it," Swift says. "We have very firm SLAs and we manage to them."
Due Diligence
Attention to detail is critical with managed services and SaaS agreements. That's largely because many hosted IT services agreements are still very much a work in progress and it's vital for IT decision makers and their legal departments to comb through vendor-generated contracts for inconsistencies, vagueness and language that could be detrimental to customers.
The maturity and consistency of vendor-generated contracts is "all over the board," says Joan Stormont, director of IT hardware/software for Nationwide Services Co., the IT infrastructure support arm for Nationwide in Columbus, Ohio. For instance, some managed services and SaaS providers with which the company has worked have done an effective job of clarifying SLAs and language around limits of liability that Nationwide requires, while others have not, says Stormont.
Nationwide, which has entered into 100 to 150 such agreements over the past five years, typically uses its own contract templates for Web hosting and SaaS agreements instead of vendor-provided contracts, says Stormont. The company updates its contract templates twice a year, based on experience and input it gathers from suppliers, Stormont says.
Before entering into managed services and SaaS agreements, it's important for insurers to specify upfront what's meant by system availability from a provider, and whether that means service between 8 a.m. and 6 p.m., or 24/7, notes Jeff Kaplan, managing director at THINKstrategies Inc., an on-demand services consultant in Wellesley, Mass.
For its part, Nationwide has taken a comprehensive approach toward reviewing the managed services and SaaS agreements it has entered. A battery of departments, including corporate security, risk management, the CTO of the business division being supported, general counsel and sometimes the company's chief Internet officer, typically reviews Nationwide's contracts, Stormont says. She adds that contract negotiations with managed services and SaaS providers typically take about 60 days.
As part of Nationwide's due diligence process, hosted services providers are required to complete a questionnaire from its security department to determine the various levels and effectiveness of their security strategies. It's an essential move, Stormont says, "especially if they're (the provider) going to be housing confidential policyholder data."
Insurance customers should also push service companies to provide transparency into their operations, including the ability to view network performance to help gauge system response times and latency, says Kaplan. Some vendors provide customers with Web-based dashboards via private portals to view system performance, he says.
San Francisco-based Salesforce.com took this a step further a few years ago when it created a public site called trust.salesforce.com, in which customers can log in to check live and historical data on system performance, maintenance schedules and security, Kaplan notes.
Before IT leaders at insurance companies start poring over contract details, they should first consider the change management or migration issues involved with moving from an internally provided IT function to a managed service, says Matt Foster, chief architect for Accenture's insurance software group in Chicago. This includes establishing which staff members from the insurer will be retained to help support the managed service. Insurance decision-makers also need to examine the interdependence of multiple systems used between the carrier's vendor partners and the insurer, and reconcile contract agreements between the two, Foster says.
Insurers and service providers also need to pre-determine how problem escalation will be resolved for a system disruption, and establish a chain of command between the two organizations, says Craig Symons, an analyst at Forrester Research Inc. in Cambridge, Mass. This can be accomplished, in part, by creating a set of responsibility assignment matrixes or RACI charts "to reconcile where the two parties have accountability and responsibility," Foster says.
Under Esurance's agreement with 365 Main, the insurance provider has retained responsibility for moving new or updated applications into production on the vendor's servers. Notes Swift, "We have access to the data center whenever we need it. That right of entry also comes in handy in case we detect an anomaly with a server's performance and decide to dispatch one of our own technicians to check it out across town at our San Francisco-based data center."
As Stormont notes, the security of a provider's network is a top concern for insurers, especially when proprietary or policyholder data is being stored off-premise by a third-party. But there are other security issues to consider, particularly for insurers that operate in different geographies. For instance, there are different requirements and restrictions on data retention and data transfer in the European Union and in parts of Latin America that IT executives have to incorporate into their planning with managed services providers, says Conrad Chuang, insurance industry marketing manager at Progress Software Corp. in Bedford, Mass.
Be the first to comment on this post using the section below.