Ventiv Resource Library
Issue link: https://ventiv.uberflip.com/i/297270
360º | Aon eSolutions

WHAT ARE THE CONCERNS THAT INTERNATIONAL CLIENTS HAVE ABOUT THE LOCATION OF THEIR DATA AND APPLICATIONS?

Let's focus on our European clients first. The EU has some of the world's most stringent laws and regulations around data privacy and security. Given the requirements our EU clients and prospective clients operate within, they simply weren't comfortable with having their data—especially confidential, personally identifiable information (PII)—hosted outside the EU. By bringing our clients' data inside the EU, in a data center subject to EU laws and regulations, we have mitigated those concerns. Canada has similarly strict data laws, and other countries are moving in that direction. It simply made sense to operate a data center outside of the United States to address those concerns.

There is also the more general, overriding question of data security and privacy, regardless of the region. The U.S. and EU data centers are at the heart of RIScloud®, which is Aon eSolutions' fully owned, staffed and managed cloud-based infrastructure. RIScloud is the risk, insurance and safety market's only technology infrastructure certified by third-party audits to be compliant in its entirety with ISO 27001:2005, SSAE 16/ISAE 3402 and URAC HIPAA Security standards. Basically, whether we're talking about the U.S. or anywhere else, RIScloud has unparalleled third-party credentials that attest to its technology infrastructure, policies and procedures. These add up to a very high level of security that our clients can count on.

THOSE THIRD-PARTY CERTIFICATIONS SPEAK TO THE SECURITY LEVELS THAT RISCLOUD PROVIDES, BUT WHAT DOES IT HAVE TO DO WITH HOW—AND WHERE—AON eSOLUTIONS HOSTS CLIENT DATA?

In terms of how we deliver our solutions, Aon eSolutions' RIScloud is different than the newer, public-cloud-based RMIS solutions out there. We don't outsource any of the IT infrastructure, data loading and conversion, development, quality assurance or any other functions. Our certifications cover the entirety of our operations and our management of our clients' data.

That's important especially to our EU clients because it means that a risk manager or her information security team knows with absolute certainty that their data is always in our possession, and always in the geographic location specified. We know who has access to that data at all times, and our policies and procedures strictly limit who within eSolutions can access that data.

THESE NEWER COMPETITORS ALSO HAVE ISO OR SSAE/ISAE CERTIFICATIONS, DON'T THEY?

Yes, they'll often have such certifications, but if you ask to examine them closely, you'll find that they apply only to portions of their technology infrastructure, policies and procedures. There are no gaps in the third-party audits that have been done on us.

Let's take the example of global load balancing, which is relevant because it has to do with the location of client data and where the application is hosted. Our newer competitors subcontract hosting services to public cloud providers. At peak loads, these providers often use global load balancing technologies to redistribute internet traffic and processing power to less utilized locations: it might be the U.S., Australia, China, India, Europe. You'll never know unless you have provisions within your contract restricting the physical location of your data, which the vast majority of customers don't have.

SO, WHY SHOULD THE ORDINARY RISK MANAGER, WHEREVER IN THE WORLD THEY WORK, BE CONCERNED ABOUT WHERE THEIR DATA AND APPLICATIONS ARE BEING HOSTED?

Well, not all of them are concerned, but we think they should be. Our philosophy is that it's better for a risk manager, when selecting a third-party business solution like RiskConsole, to have complete and transparent knowledge of what controls and security safeguards apply to the confidential, protected data entrusted to them. The fact of the matter is, whenever an organization introduces a third-party hosted business solution to their organization, there will be risks. If features and functionalities are similar, we think there should be one deciding question: Which business solution best mitigates the risks inherent in outsourced technology?

Who knows, the risk manager's organization may be lucky and there won't be any data breaches; however, if there is a data breach, that risk manager is likely to find out that the certifications they thought were protecting the organization didn't cover the business solution entirely. The resulting investigations might not be pretty.

FOR MORE INFORMATION, PLEASE CONTACT:
Scott Wilson
VP, Hosting and IT Operations
770.308.5499
scott.wilson@aon.com