In an industry that makes its money by assessing and avoiding risk, one would think ensuring data security is a slam-dunk. But while the insurance industry has made gains in this area, substantial challenges remain, analysts contend.

"While carriers have made significant progress, in part to avoid other carriers' missteps (for example, stolen laptops) and [to establish] a rigid regulatory process (such as compliance officers, legal departments, etc.), carriers are only [one] piece of the puzzle," according to Chad Hersh, a principal at New York-based analyst firm Novarica.

"While they can control their infrastructure and that of their employees and captive agents, other important pieces of the puzzle are out of their control," he notes.

"For example, independent agents' laptops easily could be susceptible to everything from programs that log keystrokes in order to allow a hacker to compromise a secure carrier Web site to physical theft without adequate security measures in place, such as encrypted files, encrypted hard drives, and passwords."

There are several security challenges facing the industry today, in Hersh's view. Aside from the lack of control over critical portions of the value chain, "compliance remains challenging" to meet the standards set under HIPAA, he points out. Compliance with SAS 70 (accounting standards for audits of service firms) and the Sarbanes-Oxley Act are a "constant struggle," he adds.

"One of the biggest challenges, though, is simply the huge number of disparate systems, legacy and otherwise, at most carriers," he says. While these systems might be individually secure and compliant, every significant change that affects all systems presents another opportunity for a problem across the information technology board, he cautions. Making matters worse, he continues, older systems may not always have the ability to support modern security protocols, causing carriers to make them secure simply by not providing outside access to them.

In response, Hersh advises changes, such as legacy system replacements, need to be made but warns addressing third-party security is a big problem. "Until carriers decide they are willing to risk upsetting independent agents [by forcing] better security provisions and more severe penalties into contracts with vendors, TPAs, etc., or until regulators treat agents the way they treat carriers, no truly effective solution may exist," he states.

"Carriers have made good progress on securing their systems, and the more they consolidate systems, the easier this task becomes," says Hersh.

Donald Light, senior analyst with Boston-based Celent, believes insurance companies, "except for possibly the very smallest ones, have made significant strides in improving data security in terms of keeping unauthorized users away from data and also physically protecting the locations of the data."

Agents and TPAs, however, "are much more of a mixed picture," he indicates. "Basic firewall protection and anti-phishing software [often] are in place, but a more sophisticated hacker trying to get into those organizations is going to have less of a difficult time than with an insurance company."

The protection of physical assets remains a security challenge for many insurance organizations, asserts Light. "Smart phones are another source of vulnerability, because by definition they are becoming more able to interact with e-mail and other forms of data that are available within the firewall," he observes. "A smart phone's ability to attack systems is going to be seen as a softer point of entry for the bad guys."

Yet another threat is internal, in the form of disgruntled current or recent former employees, "especially when they are within IT and have higher levels of network access," he reports. "There have been a few court cases in which [such employees] have planted disruptive devices or data bombs to get information they should not have access to."

Will technology eventually solve the industry's problems?

"Like in so many other things, technology is one of the three legs of the stool," maintains Light. "People and processes are the other legs. Everyone with a smart phone or everyone who takes a notebook outside the company's walls has to understand his or her security vulnerability. Technology can solve some issues but only in conjunction with security policies and processes. Staff members must understand this is part of their job."

The future of security in insurance depends on external events, suggests Light. "Certainly this is a ripe area for legislation," he says. Events such as the loss of data and data attacks "will help [the industry] become more security-conscious and spend the money and carry out the steps." However, he adds, "if things get quiet for a year or two . . . the total progress will be less. IT departments and management as a whole have dozens of priorities they have to address. Data security is one of those priorities. But is it in the top five? The top 10? The top 100?" This is a critical question, he notes, warning the level of priority placed on data security will determine how successful future security measures will be.
