The results of a recent technology security survey for the financial services sector might give the impression that the insurance industry has awakened to the threat of cyber-risks. But one analyst warns that there remains much room for improvement, with increased regulation likely to drive progress in locking down carrier systems.
Meanwhile, insurers are not the only ones with tech security concerns, as independent agencies brace themselves to prevent theft of client information, another consultant observed.
Deloitte's survey--"2010 Financial Services Global Security Study: The Faceless Threat"--asked more than 350 major financial institutions worldwide about their data security plans and operations. The institutions interviewed by Deloitte included 50 of the top global insurers.
The study, in its seventh year, found that for the first time organizations are taking the initiative and embracing new security technologies, becoming "early majority adopters" and no longer content simply to react to tech advances.
Despite the economic downturn, the share of respondents citing lack of sufficient budget as a major barrier to ensuring information security fell to its lowest level yet, 36 percent, compared with 56 percent last year.
A growing security concern is malicious software originating outside of the organization, the survey revealed.
Deloitte reported that chief information security officers say they are "far less confident that traditional controls will protect their organizations."
What is even more alarming is that the sophistication required of perpetrators is diminishing, as malicious software can now be downloaded online and sent out to wreak havoc on insurer computer systems.
There is growing concern with protecting access to information as insurance companies are making investments in areas of security beyond entering a user name and password. Larger companies are placing a higher priority on tightening access, the report notes, adding that one roadblock to advancing this solution is the expense.
With this in mind, 42 percent of the survey participants said they are "somewhat confident" in being able to thwart internal attacks, while 34 percent said they are "very confident." When it comes to preventing external attacks, 56 percent said they are "very confident."
The report found that larger companies are significantly more advanced in their security practices than medium-size and small organizations. Close to 80 percent of financial organizations of more than 10,000 employees said they train employees to identify and report suspicious activity and also maintain a loss event database, while the number was closer to half for medium-size and small companies.
Broken down by industry, insurers ranked highest, with 74 percent of respondents saying they train employees to identify and report suspicious activity, followed by banking institutions at 65 percent.
However, only 54 percent of insurers said they have a documented and approved information security strategy, outpaced by banks at 70 percent.
A big majority of insurers--76 percent--said they have a documented and approved information security governance structure, but the industry is outpaced here by payments and processors, with the highest score at 86 percent, and banks at 82 percent.
Insurers scored highest in making identity and access management a top security initiative for 2010, at 51 percent, with 54 percent saying they fully implement file encryption for mobile devices.
Out of 17 categories the survey reviewed, insurers led in nine of them and scored the lowest in only two.
But to believe that the insurance industry is leading in technology security implementation is to misread the results, according to Rick Siebenaler, a principal at Deloitte.
Of the financial institutions, banks have been far ahead of insurers on many technology issues, he said, noting that Deloitte's report is a strong indicator that the industry is beginning to make the needed investments in security.
"Insurers are not leaders [on tech security], but they are looking to close the gap," he said.
Bankers are ahead, he pointed out, because they have been subjected to greater regulatory mandates--outside compliance pressure that both property and casualty and life insurers are just beginning to feel.
"It is now evolving, and there is more policing taking place in the insurance market segment," he said.
For individual companies, the motivation for improving security depends on regulatory mandates or the organization's own concern to secure its data, explained Mr. Siebenaler.
Those insurers with a significant online presence, or which are more consumer-oriented, have more drive to get security controls in place. But insurers that do not see the Internet as a key component in their marketing strategy and are more focused on cost management and reduction do security on an as-needed basis, he pointed out.
There is a paradigm shift taking place in the industry, observed Mr. Siebenaler. He explained that in the past, insurers viewed technology security as protection of their perimeter. Today, such security concerns go beyond the company's internal database and extend to cyberspace. This includes protection against the inadvertent transmission of sensitive data through e-mail by utilizing technology that monitors networks for that practice or encrypts it.
A breach of such data can do tremendous harm to a company from a liability and reputational standpoint, warned Mr. Siebenaler. There are also regulatory concerns at the federal and state levels that can impose significant fines for every record compromised.
"Insurers may be motivated by company mandates or what is in their best interest, but they can't discern between them because it is in both their best interest and [mandated by] state regulations that [insurers] up their game in the security privacy area," observed Mr. Siebenaler.
Similar security concerns haunt the retail side of the insurance distribution system. Indeed, Christopher Baker, president of Special Agent--an agency management system vendor in Holbrook, Mass.--noted that while insurers are making their networks more secure, thereby providing agents and brokers with a degree of security around personal information, that is no reason for them to ignore their own privacy exposures.
"It is a learning process for them, but many are not even sure what they need to do," Mr. Baker said. Quite a few believe that security involves having some protection for each individual application, but that's not the case, he added, noting that security involves protecting the agency's network.
To do this properly, an agency needs strong password protection and encryption of its network drives, he suggested, as well as specialized training; merely installing off-the-shelf security software is not enough.
"They may think [their IT system] is locked down properly, but there may be a backdoor open," he said. "It doesn't have to be a great expense to set up correctly, but it is money well spent."
In choosing a consultant, agency owners should follow the same due diligence procedures they use when hiring vendors for any kind of service--especially getting references and referrals from their peers.
A great resource for additional information is local associations, which often have a list of mandates and regulations governing technology security, noted Mr. Baker.
After getting this information, the next step is implementing proper security precautions, in part by making sure passwords are strong enough to prevent hacking and that the network's security system is configured properly.
Like insurers, producers need to be aware of the transmission of sensitive data through e-mails, which are notoriously insecure. The best way to avoid exposing such data is to have a policy in place that mandates users never electronically transmit certain information, Mr. Baker suggested.
He warned that just as with insurers, a breach of security protocols might not only subject an agency to fines from regulators, but also damage its reputation with clients and future prospects.
Security in the cyber age is not foolproof, Mr. Baker admitted. "No one has a perfect answer. Each solution has its own issues," he said.
However, one critical element of security that sometimes gets overlooked is using "common sense."
For example, Mr. Baker said that when users are confronted with pop-ups and online questions or requests for downloads, it can be difficult to judge what is legitimate and what is not. When in doubt, do not respond until getting clearance from someone directly involved in IT security, he suggested.