Just as insurers have differing objectives, products and operational footprints, they embrace different cloud strategies and models to achieve them. Two-thirds of insurers include hybrid models in their public cloud adoption strategies. About a quarter, 24%, will not consider a hybrid model and the remaining respondents either don’t know it or have not yet decided on their strategy.
Increased flexibility, complexity of existing platforms, agility, innovation and cost were all cited as reasons for using hybrid cloud models. Almost three-quarters of the companies that plan to adopt hybrid cloud models expect to use more than one public cloud provider, while 25% plan to combine three or more cloud providers.
Three in ten respondents referenced plans to move 100% of their infrastructure into public cloud environments. Respondents said that legacy IT infrastructure, lock-in periods to existing systems and technology, and regulatory considerations were barriers to full-fledged public cloud adoption. In some cases, respondents explained that it was impossible, largely for technical reasons, to migrate all applications to the cloud or do so all at one time.
Cited by 59% of respondents, data security risk is the most serious concern for insurers moving their business to the public cloud. Compliance risk (44%), regulatory risk (43%) and people, and skillset risk (33%) were other common concerns. Small insurers seem to consider compliance risk to be more important than larger firms. Third-party services risk and service-level performance risk are not considered major concerns, suggesting that insurers have a high level of trust toward the public cloud providers.
This trust in cloud providers’ performance is also reflected in the challenges cited by respondents, who mentioned mainly internal challenges, such as cultural change, legacy systems, and internal knowledge and capabilities. Only 30% of the insurance companies in Europe are concerned about the US Cloud Act, perhaps because cloud providers were transparent in addressing this topic and the sense that this residual risk is manageable. Cloud providers’ robust key management functions, including customer managed encryption keys, may also provide confidence.
In terms of specific regulations that are on respondents’ radars, the General Data Protection Regulation (GDPR) and country-specific or regional rules are the top concerns, cited by 91% and 87% of respondents, respectively.
Beyond clear business objectives and requirements, defining the right strategy starts with a thorough analysis of legacy environments and a full assessment of the cloud readiness of existing applications. A plan for cloud provider management should be considered critical as well, given that most insurers will use multiple providers. A cloud target operating model (including security operation) and a central, multi-cloud management platform should factor in cost management, performance management or Infrastructure as Code (IaC), which can help simplify the orchestration of infrastructure.