How Does a Lloyd’s of London Insurer Decommission 2,800 Devices While Meeting FCA and PRA Dual Regulatory Requirements?
When a specialist Lloyd’s of London insurance syndicate merged with a larger underwriting group, the combined entity needed to consolidate two separate IT estates into one. This meant decommissioning 2,800 devices containing policyholder data, claims records, underwriting models, and actuarial analyses. With both the FCA and PRA requiring evidence of secure data disposal, and Lloyd’s own data governance framework adding further requirements, the project demanded a provider with genuine expertise in financial services compliance.
The Challenge
- 2,800 devices across two London offices and a disaster recovery site in Reading
- Dual regulatory oversight from both FCA and PRA requiring separate compliance evidence
- Lloyd’s data governance adding a third layer of compliance requirements
- Policyholder data subject to GDPR, Data Protection Act 2018, and insurance-specific regulations
- Underwriting models containing commercially sensitive proprietary algorithms
- Legacy systems including servers running specialised actuarial software on older hardware
- Merger timeline pressure requiring completion before the regulatory consolidation deadline
The syndicate had previously used an on-site degaussing service, but their auditors flagged that degaussing alone was insufficient for SSDs, which now comprised the majority of their storage media.
Our Solution
Regulatory Compliance Mapping: Before the project began, our compliance team mapped every FCA, PRA, and Lloyd’s requirement to specific actions in our destruction protocol. This compliance matrix was approved by both organisations’ Data Protection Officers before any equipment was moved.
Secure Facility Processing: All equipment was transported to our secure ISO 27001 certified facility. Devices were processed in a dedicated, access-controlled area with CCTV coverage throughout.
Tiered Destruction Protocol: Standard office equipment underwent NIST 800-88 Purge erasure. Servers containing underwriting models and actuarial data received HMG Infosec Standard 5 destruction with physical shredding. All SSDs were physically destroyed regardless of content, addressing the auditors’ previous concerns.
Regulatory Evidence Packs: Two separate compliance evidence packs were produced: one formatted for FCA/PRA regulatory submissions and one for Lloyd’s internal governance. Each included individual destruction certificates, chain-of-custody documentation, and a signed statement of compliance from our ISO 27001 certified facility manager.
Legacy System Handling: Older servers running bespoke actuarial software required careful handling. Drives were extracted, catalogued, and destroyed separately, with the remaining chassis stripped of any identifying labels before being sent for materials recycling.
The Results
“The compliance matrix approach was exactly what we needed. Having pre-approved documentation that mapped directly to FCA, PRA, and Lloyd’s requirements meant our regulators had no questions at all. The project was completed two weeks ahead of the consolidation deadline.”
— Chief Information Security Officer, Lloyd’s Syndicate
Key Takeaways
- Insurance companies face unique dual-regulatory requirements from both FCA and PRA
- Lloyd’s data governance adds additional compliance layers beyond standard financial services requirements
- Degaussing alone is insufficient for SSDs, which require physical destruction
- Pre-approved compliance matrices streamline regulatory reporting
- Merger and acquisition projects require accelerated timelines with zero compromise on security
Frequently Asked Questions
What regulations apply to insurance company IT disposal?
Insurance companies are regulated by both the FCA and PRA, each with their own data handling requirements. Lloyd’s syndicates face additional governance requirements. GDPR and the Data Protection Act 2018 also apply to policyholder data. We map all requirements before any project begins.
Why is degaussing not enough for modern devices?
Degaussing works by disrupting the magnetic domains on traditional hard drives (HDDs). SSDs, however, store data as electrical charge in flash memory chips, which are completely unaffected by magnetic fields, so a degaussed SSD still holds all of its data. The only reliable destruction method for SSDs is physical shredding.
How do you handle merger and acquisition timelines?
We regularly work to tight regulatory deadlines. Our project management approach includes milestone tracking, regular progress reports, and the flexibility to accelerate collections when timelines demand it.
Ready to Discuss Your Insurance Company’s IT Disposal?
Whether you are a Lloyd’s syndicate, a composite insurer, or a specialist underwriter, Innovent Recycling provides the regulatory compliance expertise that the insurance sector demands.