SECURITY

Cyber Risks Require Enterprise-wide Defense Position byInsurers

Effective management of cyber threats re- quires anenterprise-wide approach using the input of risk managers,information technology experts, security, human resources, thegeneral counsel, and line management, according to insurance andrisk management officials.

Too many companies are making a mistake by managing risks indifferent departments, says William Barr, vice president for theChubb Group of Insurance Companies in Pleasanton, Calif., during aninterview at the recent Strategic Stake-holders e-Crime Congress inLondon. He urges companies to establish enterprise-wide riskmanagement programs, overseen by either the CEO or a chief riskofficer reporting to the CEO.

Many companies still view the IT department as being the primarysource of cyber-risk control. However, Barr believes not all ITexecutives have the expertise needed to manage risk, particularlysince cyber risks can generate non-IT-related exposures involvingphysical, human, and capital resources.

With such a silo approach, the effectiveness of cyber-securityefforts often depends upon how well IT directors or CIOs understandthe cyber-threat issue, as well as their interest level in theexposure. Ive seen situations where a physical security directorwho deals with the security of sites and cargo and the like istapped on the shoulder and told, Youre now also the cyber-securitydirector, says Barr.

You really have to have somebody who is knowledgeable on bothsides of the issue to be able to manage the threat, he says. Thatperson also has to be knowledgeable or enlightened enough tounderstand that, even if they have that knowledge, they cant manageit themselves.

Chris Mandel, president of the New York-based Risk and InsuranceManage-ment Society (RIMS), admits e-threats may not be a priorityfor those risk managers who concentrate on property/casualty orhazard exposures, simply because these arent areas that havetouched them much from an insurance standpoint. But if yourepursuing a broader approach to risk, you have no choice but to makesure that IT risk is one of the many things [examined in a companysrisk profile], says Mandel, assistant vice president of enterpriserisk management for USAA in San Antonio, Texas.

My first bit of adviceand its part of my platform for the yearthat Im president of RIMSis that everybody needs to step out andsign up for that broader application of the risk management modelfor their enterprise, he says. You can call it what you want, butin my view, the future for us is getting outside of thathazard-risk realm and getting involved in any and all materialrisks that could affect the enterprise.

Mandel says RIMS recognizes the value of putting more attentionand resources to the effects of cyber crime. But when you deal withrisks on an enterprise-wide basis, you deal with so many things,its only going to get so much of our attention going forward. But Ithink in the future, more of our members will have that as a partof their list of exposures that receive an allocation of theirtime.

Barr believes e-threats have not been included in the threatassessments of some companies and have not wound their way intoproactive and reactive programs to minimize threats.

In the proactive area, he says, some companies have failed todevelop a corporate culture to make sure the employees know how torespond to security issues, particularly to the cyber threats.

While the firewall is the first line of defense, he says, if youdont have a knowledge firewall on the employees side, then you havesignificant gaps in your program.

He recommends companies analyze what would happen if anunprotected supplier, business partner, or customer were toexperience a business interruption or go out of business due to acyber disaster. Its important to determine what measures thesefirms have taken to protect themselves, he emphasizes.

Most traditional disaster recovery plans have ignored ordownplayed cyber threats, Barr says, noting a plan has to addresse-threats and has to be reassessed and tested for flaws constantly.He believes the majority of a corporations e-threat vulnerabilitiesare software related.

However, there are also organizational flaws that allow theseproblems to exist. Barr cites the example of assigning untrainedpeople to do security, not authorizing any fix at all, orauthorizing a short-term fix when a long-term solution isrequired.

To address the e-risk problem effectively, Barr encouragescorporate insurance buyers to partner with law enforcementofficials (who can put cyber criminals behind bars), governmentofficials (who create the laws and regulations required to arrestthem), and other industry peers (to create best practices).

Marylu Korkuch, vice president and federal affairs director forChubb, says to combat e-threats, the insurer is emphasizing theimportance of teamwork within a company and across an industry, aswell as with government and law enforcement.

I dont know too many risk managers outside of the high-techindustry who on a regular basis meet with and communicate withtheir IT counterparts, she says. I also will tell you that not toomany people in the IT world will go and seek out their riskmanagers. Lisa S. Howard

Who's Using What

CUNA Mutual Group has selected ZixVPM fromZix Corporation to provide secure e-messaging forits life and health insurance customers.

Invivia, the holding company for The AmericanLife Insurance Company of New York and Conseco Variable AnnuityCompany, has selected the Systems EngineeringGroup product Payouts to process fixed and variableannuities.

Americo Financial Life and Annuity Company of KansasCity has completed the installation of RisQ software, arisk management tool, from Annuity SystemsInc.

American International Investors Trust is usingthe Genelco Application Service Provider business model fromGenelco Software Solutions to assist the insureras it enters the Latin American market.

Old Mutual has adopted the ObjectStarIntegration business integration software from ObjectStarInternational, Inc., to improve its time to market for newproducts.

Wayne Mutual Insurance completed the finalphase of its conversion to the Results InternationalSystems, Inc., outsourcing solution to provide end-to-endprocessing for all its product lines.

National Life Insurance Company has extendedits relationship with Advanced Impact for use ofthe companys latest wealth management product, Wealth Strategiesfinancial planning software.

CIGNA Corporation has selected FAST Data Searchas its enterprise search solution from Fast Search andTransfer, a developer of search and real-time alertingtechnologies.

Community Health Group, a Chula Vista,Calif.-based HMO, has reached agreement with Perot SystemsCorp., of Plano, Tex. on a five-year technology upgradeagreement that will include a healthcare claims administrationsoftware system.

Unigard Insurance Group, of Bellevue, Wash. hasagreed to utilize the IVANS Transformation Stationfor its personal and commercial lines as an integrated component ofits agency management system from AppliedSystems.

Lexington Insurance Group, an AmericanInternational Group, Inc. (AIG), company, will receive policyissuance and rating support from Cover-All Technologies,Inc., through an agreement Cover-All has reached withAmerican International Technology Enterprises, still another AIGcompany.

Trends

Gartner Analyst Predicts Changes in Front and Back Offices forInsurers

Prediction no. 1: The insurance front office will be reinventedto present a new face to partners, distributors, and customers.

Prediction no. 2: Back-office systems and infrastructure effortswill be amplified to strengthen the corporate backbone.

These two predictions for the insurance industry from Gartner,Inc., research director Kimberly Harris are part of her researchnote Insurance in 2003: Strategy Reassessment and Realignment.

The demands of the front office will continue to be a primaryfocus for insurers this year, she says, adding strategies willshift from channel-specific CRM projects to cross-channelcollaboration and targeted sales and service efforts. Besides theemphasis on CRM, insurers will study underwriting practices andconcentrate on financial and wealth management.

As for her second prediction, Harris asserts insurers need toexamine systems that support the core processes of thecompanyclaims and policy administrationas well as the businessoperationsenterprise resource planning. She suggests insurers turnto a three-year IT road map that outlines systems, architectures,and technologies needed to perform key business tasks.

Looking ahead in preparation for the world in 2006, Harrisbelieves insurers should leverage and share IT knowledge across theenterprise, find new approaches to risk management needs, examineoptions for extending and supporting legacy systems, and developoutsourcing strategy.

She writes that even though insurers are being pressured toimprove operating efficiencies, less than 20 percent will haveprocesses and technologies in place by 2006 to respond to real-timemarket and customer demands.

Legacy Systems

Host Access Solutions to the Rescue

The major carriers in the insurance industry usually have moremoney to throw at a technology problem than their smallercounterparts, but bigger often means unwieldy, too. And when youretalking unwieldy, you are usually talking legacy systems. In arecent METAspectrum evaluation conducted by META Group, theresearch consultant focusing on information technology found that90 percent of large organizations will be utilizing host accessproducts over the next five years to externalize legacyapplications via Web services.

META Group evaluated 11 vendors for the study and determined thehost access sector has undergone a great deal of consolidation andmerger activity over the last three years. While the vendorsachieved some success in selling traditional emulation products,heavy promotion did not spur a major increase in Web-to-hostproducts.

META determined IBM is the clear vendor leader because of itstechnology and solid financial base. While there are a number ofchallengers to IBM, most lack the financial resources and thebreadth of product offerings, according to the study. While somechallengers have solutions applicable to certain customer segments,they do not have the market presence to become a broad player.

Mark Vanston, program director with META Groups enterprise datacenter strategies service, says, We expect host access products tocontinue playing an important role for large organizations.Web-to-host access solutions can reduce the cost of legacyintegration, enabling organizations to leverage existing assets andcapitalize on new IT opportunities.