Like many insurance companies, Esurance has become a lot more active about exploring opportunities for utilizing managed IT services and Software-as-a-Service (SaaS) applications to help drive down costs, and free IT staffers to focus on projects what deliver business value.

The San Francisco-based provider of direct-to-consumer auto insurance has been drawing upon managed data center services from 365 Main Inc. for the past five years after concluding a 5-year agreement with another data center provider it outgrew. Meanwhile, management plans to decide whether to shift to SaaS-based delivery models for e-mail and office productivity software by the second quarter.

Since Esurance was founded 10 years ago, the company has sold more than 1.5 million auto insurance policies, and insured more than 2.2 million drivers. As the company has grown, its partnership with San Francisco-based 365 Main has enabled it to expand its CPU cycles and server requirements as needed, according to Esurance CIO Phil Swift.

During the course of its agreements with 365 Main, Esurance has experienced just two minor service disruptions, each of which were quickly remedied and later audited and reviewed with Swift and his team, he says.

Swift's praise for the reliability and transparency of the operations at 365 Main is a testament to the service provider's dependability and operating philosophy. But it also reflects the kind of scrutiny that Swift and his colleagues paid to service-level agreements and other aspects of the contract over a 6-month negotiation effort with 365 Main.

"Esurance is run by data, and we spend a lot of time looking at it," Swift says. "We have very firm SLAs and we manage to them."

Due Diligence

Attention to detail is critical with managed services and SaaS agreements. That's largely because many hosted IT services agreements are still very much a work in progress and it's vital for IT decision makers and their legal departments to comb through vendor-generated contracts for inconsistencies, vagueness and language that could be detrimental to customers.

The maturity and consistency of vendor-generated contracts is "all over the board," says Joan Stormont, director of IT hardware/software for Nationwide Services Co., the IT infrastructure support arm for Nationwide in Columbus, Ohio. For instance, some managed services and SaaS providers with which the company has worked have done an effective job of clarifying SLAs and language around limits of liability that Nationwide requires, while others have not, says Stormont.

Nationwide, which has entered into 100 to 150 such agreements over the past five years, typically uses its own contract templates for Web hosting and SaaS agreements instead of vendor-provided contracts, says Stormont. The company updates its contract templates twice a year, based on experience and input it gathers from suppliers, Stormont says.

Before entering into managed services and SaaS agreements, it's important for insurers to specify upfront what's meant by system availability from a provider, and whether that means service between 8 a.m. and 6 p.m., or 24/7, notes Jeff Kaplan, managing director at THINKstrategies Inc., an on-demand services consultant in Wellesley, Mass.

For its part, Nationwide has taken a comprehensive approach toward reviewing the managed services and SaaS agreements it has entered. A battery of departments, including corporate security, risk management, the CTO of the business division being supported, general counsel and sometimes the company's chief Internet officer, typically reviews Nationwide's contracts, Stormont says. She adds that contract negotiations with managed services and SaaS providers typically take about 60 days.

As part of Nationwide's due diligence process, hosted services providers are required to complete a questionnaire from its security department to determine the various levels and effectiveness of their security strategies. It's an essential move, Stormont says, "especially if they're (the provider) going to be housing confidential policyholder data."

Insurance customers should also push service companies to provide transparency into their operations, including the ability to view network performance to help gauge system response times and latency, says Kaplan. Some vendors provide customers with Web-based dashboards via private portals to view system performance, he says.

San Francisco-based took this a step further a few years ago when it created a public site called, in which customers can log in to check live and historical data on system performance, maintenance schedules and security, Kaplan notes.

Before IT leaders at insurance companies start poring over contract details, they should first consider the change management or migration issues involved with moving from an internally provided IT function to a managed service, says Matt Foster, chief architect for Accenture's insurance software group in Chicago. This includes establishing which staff members from the insurer will be retained to help support the managed service. Insurance decision-makers also need to examine the interdependence of multiple systems used between the carrier's vendor partners and the insurer, and reconcile contract agreements between the two, Foster says.

Insurers and service providers also need to pre-determine how problem escalation will be resolved for a system disruption, and establish a chain of command between the two organizations, says Craig Symons, an analyst at Forrester Research Inc. in Cambridge, Mass. This can be accomplished, in part, by creating a set of responsibility assignment matrixes or RACI charts "to reconcile where the two parties have accountability and responsibility," Foster says.

Under Esurance's agreement with 365 Main, the insurance provider has retained responsibility for moving new or updated applications into production on the vendor's servers. Notes Swift, "We have access to the data center whenever we need it. That right of entry also comes in handy in case we detect an anomaly with a server's performance and decide to dispatch one of our own technicians to check it out across town at our San Francisco-based data center."

As Stormont notes, the security of a provider's network is a top concern for insurers, especially when proprietary or policyholder data is being stored off-premise by a third-party. But there are other security issues to consider, particularly for insurers that operate in different geographies. For instance, there are different requirements and restrictions on data retention and data transfer in the European Union and in parts of Latin America that IT executives have to incorporate into their planning with managed services providers, says Conrad Chuang, insurance industry marketing manager at Progress Software Corp. in Bedford, Mass.

The Fine Print

Larger insurers such as Nationwide have greater leverage in demanding that service providers use their contracts, Kaplan says. But even if insurers use a vendor's "paper," customers still have the right to make recommendations and negotiate revisions on contract terminology, he says. For example, if a system outage occurs, customers should determine with providers upfront if the vendor should be penalized and whether those charges should be made in the form of credits or give-backs, says Kaplan. There should also be a fair threshold for determining under what circumstances a customer can terminate an agreement, he adds.

"If you have a prenup, and you're getting divorced, it doesn't necessarily make you happier, but you're glad that you worked it into the agreement in advance," Kaplan says.

Customers should also pay close attention to contract parameters, especially when changes need to be made. "That's where most of the gotchas come" from a cost standpoint, Symons says.

For example, customers should know how much it would cost to add users to a 1,000-seat hosted e-mail agreement, and what the charges are to scale down its user base if needed, Symons says.

Exit clauses should be clearly worded in the event that a customer or supplier decides to terminate an agreement either for cause or other reasons. For its part, Nationwide makes sure it's not locked into a "payment stream" with suppliers after a contract has been terminated, Stormont says.

Insurers also need to add clarity about the terms under which proprietary data will be returned to them by the provider, including the turnaround time and the format for returning data. Stormont says Nationwide has only had to terminate two agreements over the past five years, and in both cases it had its proprietary data returned without issue.

"We usually ask for providing our data back at no additional charge," Stormont says, adding that most vendors comply. "It's something we've learned along the way," Stormont says.

Insurers should take that a step further and make sure suppliers are contractually obligated to destroy proprietary or policyholder data from their servers or storage systems upon termination of an agreement, Stormont says. Nationwide has included that terminology in its contracts, Stormont says.

In many respects, managed services and SaaS agreements are similar to more traditional outsourcing deals where IT executives discover that there's still quite a bit of oversight involved after a function has been transferred to a third party, Symons says. An insurance company's IT organization still needs to manage the relationship with the provider and make sure that the vendor is delivering on the SLAs on behalf of the business users.

Swift agrees. "From day one you've got to work with service providers, be honest with them and communicate your problems," he says. "We're very happy with 365 Main since they're transparent with us, and we're transparent with them."

This article can also be found at

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access