Analysts link security readiness to size, industry sector

With information security regulation increasing and criminal hacker activity on the rise, insurance companies understandably are concerned about the tightness of their own ships, especially in an age where a “misplaced” disk, a stolen laptop or simple social engineering can expose thousands of customers to activities such as identity theft and fraud.

And customers aren’t the only ones at risk. Insurers that fail to provide adequate protection of private information may face stiff fines or even jail time in today’s regulatory climate. But just how prepared is the insurance industry to meet regulations and to protect sensitive data? Industry analysts’ opinions vary.

“Information security is still lagging but not as much as in other areas of IT in insurance,” says Chad Hersh, Houston-based analyst with Celent, a research firm. “To put it simply, regulatory concerns ensure that carriers are taking certain important steps toward securing IT applications infrastructure. But regulations can’t do enough to set standards that would truly secure the enterprise.”

According to Hersh, other than the largest carriers that have the budget and in-house expertise to achieve full security, insurance companies lag behind the rest of the financial services industry in security readiness. There are exceptions, however, he notes. “Some carriers have had small security problems that opened their eyes to much bigger issues. Maybe they’ve had a hacker in their system who doesn’t steal anything or a Web site that gets vandalized. It makes them realize how vulnerable they are. They’ve seen the light.”

Sectors vary on security readiness

Asked about differences in readiness between the property-casualty and life-health sectors, Hersh says the variance is “primarily around the Web.” He asserts that p-c companies “tend to be better on [the] personal lines side, because they rely much more heavily on [the Web]. Direct writers spend more time, effort and dollars to maintain a secure Web presence.”

Hersh says the life side is limited to online viewing of information and some buying, “so they don’t invest the same kind of effort in Web security.” On things like extranets, however, life carriers are slightly more invested than their p-c counterparts in securing their enterprises, he notes.

Most insurers, however, “still have a long way to go,” he says. Dangers include having a poor security policy or a poorly enforced security policy. “If an agent loses a laptop with passwords on it, that may not ever be reported,” he observes.

“It’s very difficult for every carrier to protect data on an extranet when 30,000 agents have access to that data and they are sharing information with assistants and associates,” says Hersh. “Without use of something like a hard token, plus a password, it’s virtually impossible to prevent some leakages.”

A hard token is a small authentication device such as an electronic key or a smart card. Hersh recommends that companies invest in such devices. With HIPAA privacy requirements and the threats seen in recent events such as the ChoicePoint data compromise and reports of employees stealing credit card numbers, “it seems like a small investment by comparison,” he says.

Overall, says Hersh, the insurance industry needs to stop looking at individual aspects of security and start looking at securing the enterprise. “The insurance industry has spent so much time avoiding sharing of data [between companies], but they are sharing a lot of that stuff already,” he states. “There are so many entry points to data that it’s falling increasingly under regulatory scrutiny. We have to shift to enterprise security rather than individual applications.

Emerging tech needs to be addressed

“Most of what’s wrong at this point is a failure to address emerging technologies,” he continues. “Not a lot of carriers are looking at the fact that agents are using public Wi-Fi [wireless computing] hotspots.” By not looking at these things and focusing instead on automation capabilities, insurers may fall short on protecting privacy and security in the enterprise.

Looking at hardware security, Hersh points to a lack of encryption of files once a machine’s password is cracked. “All customer-related files should be encrypted on the machine on an ongoing basis,” he states. He predicts that new security and privacy regulations will drive further progress in this area.

“I still don’t see a lot of chief information security officers at most insurance companies,” he concludes. “And there’s still a lot of third-party hosting and ASPs, where security is outside of your control.”

“Generally speaking, financial services have been the leaders in security, largely due to regulatory requirements,” states Eric Ouellet, Ottawa, Canada-based vice president in the security and privacy research group for the Gartner Group. “Banks are leading, but insurance companies are not far behind.”

In terms of how well sectors of the insurance industry are prepared for security problems, Ouellet notes, “What we see is that life, in general, tends to lead, p-c is second and reinsurance third. Health care is dragging behind all of those.” Larger insurers tend to be more prepared than smaller ones, he adds, because they often have groups dedicated to regulatory compliance, whereas smaller companies don’t.

Big is good

“Large carriers, in general, tend to be better organized, have a better understanding of security and have better IT services,” he says. “Smaller companies don’t have that level of sophistication, because the tasks are typically shared among many groups.

“If you’re a small company and you’re doing health care [transactions], you’re probably farther behind,” he continues. With HIPAA and other regulations, insurers are aware of security needs for certain aspects of their businesses, but that may not be the same across the enterprise. “Data may be protected in different places in different ways, so there’s not the same level of consistency,” he adds.

Ouellet says better data classification, or “getting a better understanding of the data you have and applying the correct controls for that data,” is a key to security. “A lot of companies are lazy in protecting the data they have,” he notes. “You have to look at it from a risk approach. Know what you have. Which areas have high risk? Then apply appropriate data controls.

“Everything is related to risk,” he concludes. “Insurance companies understand risk, so when they don’t do a good job with [security], it’s kind of an irony.”

Taking security seriously

Chuck Johnston, formerly an industry analyst with MetaGroup and now group director, insurance, for Siebel Systems, San Mateo, Calif., notes that, “In general, it seems people are taking [security] seriously. Measures are being taken and companies are spending the money. The biggest risk is that I don’t know if people understand where the frontiers of information security are these days. I don’t think the bar has been set, because it’s such a fertile ground for the hackers. Think of the value of getting your hands on 100,000 credit card numbers. That information has huge monetary value.

“Hackers are a large number of very smart people with limited morals,” he continues. “It’s almost like cyber-smash and grab. You can draw real value out of information, even for the 24 hours you have it.” He adds that the ability to stop such breaches can never be 100%. “There’s a constant evolution of tightened security protocols, then someone punches a hole in them and you have to start over again,” he explains. “Insurance is as good as any industry in fighting against intrusion. We’re doing OK, but the bar keeps moving.”

Johnston agrees with Ouellet that life insurance is the most prepared sector of the insurance industry when it comes to security, because most life insurers have an investments component, and investment firms tend to have the best security. “If you look at the value of the information stolen, it tends to be lower in p-c,” he notes.

“Health is second best, because they’ve had to go through the HIPAA exercise. They had to take a hard look at security infrastructure in terms of who has access to data,” he notes.

For the future, the industry must engage in a “continuing monitoring process,” says Johnston. “IT needs to work with an organization’s risk management operation. Every company will have to make a decision about what the level of appropriate risk is, and this needs to be evaluated on a timely basis. Things are changing faster than most organizations have planned for.”
