Analysts link security readiness to size, industry sector
With information security regulation increasing and criminal hacker activity on the rise, insurance companies understandably are concerned about the tightness of their own ships, especially in an age where a “misplaced” disk, a stolen laptop or simple social engineering can expose thousands of customers to activities such as identity theft and fraud.
And customers aren’t the only ones at risk. Insurers that fail to provide adequate protection of private information may face stiff fines or even jail time in today’s regulatory climate. But just how prepared is the insurance industry to meet regulations and to protect sensitive data? Industry analysts’ opinions vary.
“Information security is still lagging but not as much as in other areas of IT in insurance,” says Chad Hersh, Houston-based analyst with Celent, a research firm. “To put it simply, regulatory concerns ensure that carriers are taking certain important steps toward securing IT applications infrastructure. But regulations can’t do enough to set standards that would truly secure the enterprise.”
According to Hersh, other than the largest carriers that have the budget and in-house expertise to achieve full security, insurance companies lag behind the rest of the financial services industry in security readiness. There are exceptions, however, he notes. “Some carriers have had small security problems that opened their eyes to much bigger issues. Maybe they’ve had a hacker in their system who doesn’t steal anything or a Web site that gets vandalized. It makes them realize how vulnerable they are. They’ve seen the light.”
Sectors vary on security readiness
Asked about differences in readiness between the property-casualty and life-health sectors, Hersh says the variance is “primarily around the Web.” He asserts that p-c companies “tend to be better on personal lines side, because they rely much more heavily on [the Web]. Direct writers spend more time, effort and dollars to maintain a secure Web presence.”
Hersh says the life side is limited to online viewing of information and some buying, “so they don’t invest the same kind of effort in Web security.” On things like extranets, however, life carriers are slightly more invested than their p-c counterparts in securing their enterprises, he notes.
Most insurers, however, “still have a long way to go,” he says. Dangers include having a poor security policy or a poorly enforced security policy. “If an agent loses a laptop with passwords on it, that may not ever be reported,” he observes.
“It’s very difficult for every carrier to protect data on an extranet when 30,000 agents have access to that data and they are sharing information with assistants and associates,” says Hersh. “Without use of something like a hard token, plus a password, it’s virtually impossible to prevent some leakages.”
A hard token is a small authentication device such as an electronic key or a smart card. Hersh recommends that companies invest in such devices. With HIPAA privacy requirements and the threats seen in recent events such as the ChoicePoint data compromise and reports of employees stealing credit card numbers, “it seems like a small investment by comparison,” he says.
Overall, says Hersh, the insurance industry needs to stop looking at individual aspects of security and start looking at securing the enterprise. “The insurance industry has spent so much time avoiding sharing of data [between companies], but they are sharing a lot of that stuff already,” he states. “There are so many entry points to data that it’s falling increasingly under regulatory scrutiny. We have to shift to enterprise security rather than individual applications.
Emerging tech needs to be addressed
“Most of what’s wrong at this point is a failure to address emerging technologies,” he continues. “Not a lot of carriers are looking at the fact that agents are using public Wi-Fi [wireless computing] hotspots.” By not looking at these things and focusing instead on automation capabilities, insurers may fall short on protecting privacy and security in the enterprise.
Looking at hardware security, Hersh points to a lack of encryption of files once a machine’s password is cracked. “All customer-related files should be encrypted on the machine on an ongoing basis,” he states. He predicts that new regulations with security and privacy will drive more in this area.
“I still don’t see a lot of chief information security officers at most insurance companies,” he concludes. “And there’s still a lot of third-party hosting and ASPs, where security is outside of your control.”