Cunningham Lindsey
Case Study: Cunningham Lindsey
Cunningham Lindsey UK is part of a global organisation that specialises in managing claims on behalf of major insurance companies, brokers and large organisations. All claims are handled through ClaimsLink, the company’s proprietary IT system, which is fundamental to the operation of the business. This system has been certificated to the information security management system (ISMS) standard BS7799 part 2.
Introduction to Cunningham Lindsey
Cunningham Lindsey UK is one of the leading chartered loss adjusting companies in the country. It is part of the Cunningham Lindsey group, an international claims and incident management organisation that provides a comprehensive, 24-hour service to brokers, insurers and large corporations across the world.
Cunningham Lindsey UK has specialists in fields such as property, construction, agriculture, law, finance and bio-chemical engineering, to offer a professional response for clients dealing with complex commercial and high net worth insurance claims.
With 30 offices throughout the UK and 1,400 employees, Cunningham Lindsey manages insurance claims on behalf of major insurance companies, insurance brokers and large organisations such as Virgin and Railtrack.
The company handles thousands of claims at any one time – from domestic burglaries to major commercial and industrial fires – and all claims, from initial contact to completion, are processed through ClaimsLink, the company’s proprietary IT system.
ClaimsLink is fundamental to the operation of the business, and was certificated by LRQA to the information security management system (ISMS) standard BS7799 part 2 in 2004.
Cunningham Lindsey’s objectives include:
- Ensuring business continuity by protecting the integrity of the ClaimsLink system and the important data it carries. This includes a strict policy covering the physical security of all premises and IT assets, back-up systems, a disaster recovery plan and ongoing security training for all employees.
- Introducing best practice for all its systems in order to demonstrate to major customers that they can trust Cunningham Lindsey with their data and policyholders’ data. BS7799 also enables the company to monitor its progress and ensure continual improvement.
- Generating and retaining business by being able to maintain and demonstrate appropriate systems and controls for the management of its information security risks using guidance provided by ISO 17799 as recommended to the insurance industry by the Financial Services Authority (Ref: Systems & Controls Sourcebook 3A.5.10 & 11). However, Cunningham Lindsey have decided to take the additional step of gaining certification which will also produce benefits in terms of time and cost-savings when submitting tender documents.
Cunningham Lindsey’s IT Manager, Mark Dobson, simplifies the reasons: “Insurance companies trust us with their confidential information and policyholder data, and we wanted BS 7799 so we could reassure them that their trust was well placed. We could not afford for the claims system to be unavailable for any substantial period of time.”
Starting the journey
“ClaimsLink is the heart of the company. This is why we chose it for BS7799. Even though it is only one application, it is pivotal to what we do.”
Keith Robinson, IT Director, Cunningham Lindsey
With 1,400 employees spread throughout 30 regional offices, Cunningham Lindsey is dependent on its IT systems for communications and efficient operations. And with its major insurance industry clients demanding a certain level of service – defined by formal service level agreements (SLAs) – it is vital that the company is in a position to comply.
“Our clients will say they want us to be in touch with them within a certain number of days, contact their client within a certain time, and get the claim settled within a certain timeframe,” said Cunningham Lindsey’s IT Manager, Mark Dobson. “ClaimsLink is the platform on which we deliver this level of service. It drives the whole process and ensures that we meet our SLA targets.”
“Our whole business is processing claims. Every claim goes through ClaimsLink and at key times of the day there could be up to 800 people using the ClaimsLink application from 30 offices around the country.”
ClaimsLink is also the repository for the claim documentation on every single insurance claim. Any failure would be serious.
Having recognised the importance of ClaimsLink to the business, Cunningham Lindsey decided to formalise its existing information security system and seek to achieve industry best practice to ensure that it was doing everything possible to protect the data in its possession, both for its clients and for its own business continuity.
BS7799 was chosen as the best way of achieving this level of information security. It had the added advantage of introducing an element of continual improvement, and enabled the company to demonstrate its capabilities via independent certification. This would be important in achieving new business and retaining existing clients.
Cunningham Lindsey set out to achieve BS7799 specifically for ClaimsLink. The software application represents more than 80% of its IT assets, and Mark Dobson said: “From the insurance company’s point of view, this is where we store all their information. Even though it is only one application, it is pivotal to what we do. It is the application that we use to carry out our business.”
Cunningham Lindsey decided to achieve BS7799 by February 2004 – a tight timescale of six months – and sought a specialist consultancy to help.
Developing the system
“ClaimsLink is important across our whole business, and as access to the system is gained by access to the premises, the security of our offices – swipe cards, visitors’ book – all become encapsulated.”
Mark Dobson, IT Manager
Cunningham Lindsey’s first step to achieving BS7799 was to appoint Red Island Consulting Ltd. Part of the £20 million turnover IT specialist, Panacea Services, Red Island is one of the UK’s leading BS7799 consultancies, and was the first to achieve BS7799:2002.
“We considered a number of BS7799 consultancies, and with Red Island we liked what we saw,” said IT Manager, Mark Dobson. “They did a free of charge gap analysis to determine the steps needed to be taken and were very professional.”
The first stage was to create security forums that would identify and classify information assets, measure their importance and the risks faced, and then see how those risks could be mitigated.
“Everyone was involved in the security forums. We had to work out what was the effect on the business if we could not access ClaimsLink for an hour, a day or a week – or what would happen if the public gained access to this confidential information. BS7799 is all about valuing your information assets, identifying the risk and establishing procedures to mitigate these risks.”
The primary elements of information security – availability, integrity and confidentiality – were explored, which resulted in a clear picture of asset values and the risks attached to them. As the system developed, Cunningham Lindsey realised that some of its existing processes needed to be formalised and refined, and various new procedures and precautions were put in place. From visitors’ books to physical security, everything was approached in terms of best practice. Informal arrangements, such as not allowing CD players on PCs, the scanning of incoming emails and having PCs locked to desks, were maintained and brushed up.
“It is not only about IT. Information security affects physical premises, so we had to bring in facilities management and human resources as well. We had the full cooperation of our business support managers, across all 30 sites, to ensure that back-ups are done properly and that all the guidelines are being followed.”
Cunningham Lindsey established a rolling training programme throughout the UK – an extension of their existing Data Protection Act training – which includes awareness of BS7799. Every member of staff has to read the standard and sign to show that they have done so.
A guide to BS7799 is posted on the company intranet – a constantly updated, user-friendly site that also carries news headlines about BS7799 and other issues. Employees around the country can add details of security incidents and upload them to be reviewed by the next security forum. “This process has brought us into line with industry best practice in information security. We had to improve certain areas, but it has prioritised what we wanted to do and given us the tools to take control.”
Certification with LRQA
“As far as best practice is concerned, we could have put the systems in and not sought certification. But we wanted the recognition that certification brings. We believe that certification will help us secure existing work and also win new business by demonstrating to our clients how important we consider information security.”
Keith Robinson, IT Director
Cunningham Lindsey chose Lloyd’s Register Quality Assurance (LRQA) as their certification body on the recommendation of Red Island Consulting Ltd. Then began an intensive period of activity to ensure that certification was achieved on time.
LRQA conducted the Stage 1 audit prior to Christmas 2003, followed by the Stage 2 audit in February 2004, and the company gained formal certification the following month.
Mark Dobson recalled what was involved: “This was an intensive period and it required a lot of hard work to ensure we were ready for the assessment visit. Our assessor was very detailed in his approach, and while there were some aspects we needed to pay attention to following the initial visit, we felt this was part of the maturing process of the system.
“While we had started at quite a high level, the assessment has made us raise our game, and we will have to keep raising our game to retain the certificate.
“We have an internal audit system in place in all our branches, and the security forum reviews things on an ongoing basis. We want an ongoing relationship with LRQA, and I want to be in a position when our assessor visits to be able to show him that we have exceeded his expectations.”
Cunningham Lindsey (at the time of writing) is the only loss adjuster in the UK to have achieved the BS7799 certification.
Lloyd's Register Quality Assurance • A member of the Lloyd's Register Group
