Other than sharing common products, the differences between the top tier of insurance carriers and their smaller rivals can be enormous. Those differences are even more apparent when looking at the issue of security. Larger insurers have a target on their back that the mid-tier don’t have to deal with, but with smaller IT staffs, the mid-tier and smaller carriers have to not only keep up with known threats but also be on the lookout for attacks that weren’t foreseen when they first decided to let customers—and the attackers that come with them—inside their perimeter.
Larger insurance carriers are proactive, according to David Helms, vice president of the cyber security center of excellence, the consulting arm of Salient Federal. The top tier recognize the Internet and mobile computing are strategic to their business, which changes a carrier’s security posture.
Mid-tier carriers are just beginning to move in that direction, adds Helms.
“Generally you have one or two IT guys doing security and it’s more on a part-time basis,” he says. “We find [the mid-tier] to be receptive to help and recognize their own vulnerability. The business models the bigger carriers have been using are things [the mid-tier] wants to follow—a Web interface or mobile solutions. That gets them thinking about their threat boundary.”
Whether it is harder or easier for carriers the size of BrickStreet Mutual Insurance to keep things secure is a matter of opinion.
“In some respects it’s easier,” says Skip Langlois, director of internal audit for BrickStreet, a regional workers’ comp carrier located in West Virginia. “We only have 340 employees so we don’t have the bureaucracy that a lot of organizations run into. On the flip side, we only have 340 employees and you are talking to the only two people (himself and the carrier’s information security officer) that are primarily involved in security at the company.”
The advantage BrickStreet might have over some of its competitors is there is a focus on security at the senior management level. Also, BrickStreet is just six years old—having migrated from a state entity into a private company—so it doesn’t have the legacy issues that older companies deal with.
Helms points out that attackers often look for a “big-name brand” when they are scouting for vulnerabilities, but hackers also are seeking “targets of opportunity,” which affects smaller insurers.
“Attackers scan the entire Internet and if a target of opportunity shows up, they are going to take it—regardless of your size—and at least explore it, particularly if the target is a financial services company,” says Helms.
Historically, insurance carriers have been more reactive to security challenges compared to other financial services sectors, but Vikram Bhat, a director for Deloitte, feels insurers are shifting their posture to becoming more proactive and understanding where the security landscape is changing and how they must react to those changes.
“Clearly, being proactive starts with basic blocking and tackling,” says Bhat. “[Insurers] need to understand where the critical assets are. Assets include not only core applications but people, as well. The risk landscape is changing and the bad actors are as concerned as much about people as they are physical assets.”
The change also includes advanced capabilities around cyber intelligence, event monitoring and correlation, as well as piecing together data across various parts of the security landscape to look for anomalies, adds Bhat.
One reason insurers have trailed other parts of the financial services sector is that the regulatory requirements in banking and securities traditionally have been more stringent, according to Bhat.
“That’s where the interest was for the bad actors,” he says. “So the maturity there is better, although different organizations offer different scales. Now there’s a realization by insurance carriers to improve their security because there is more at stake.”
Information risk management requires a balance, though, according to Dan Greteman, CIO of Allied Group, part of the Nationwide Insurance family of companies. If there are security issues, employees and customers are unhappy; if there are no issues at all, the company is perceived as being too aggressive in its approach to security.
“We have an information risk management organization that is focused in terms of where are the risks,” says Greteman. “It could range from technology risks to business risks. We have a good framework of proactive risks. We use a heat map to assess different risks, we actively address them, we test them, and we have procedures around how we pilot or test different capabilities. There is a great mixture of reactive and proactive procedures.”
Keeping up with new threats is difficult for mid-tier and small insurance companies, explains Deepesh Randeri, information security officer for BrickStreet. That is why BrickStreet depends on third parties to provide them information, whether it is SANS or vendors such as McAfee.
“We do proactive log monitoring with systems-generated logs,” says Randeri. “A vendor monitors our logs for critical devices. They do a lot of research because they are in the business of keeping things secure and keeping their customers in the loop. Whenever they anticipate new threats, we get notified and they recommend certain parameters for our core devices so if we were to be attacked the logs would track that.”
Mobile computing also has both pluses and minuses when it comes to security, points out Helms. It is important to allow customers to do business the way they want to do it, but the security issues can’t be ignored.
“Mobility is a great, enabling way to do business and respond to your customer requirements, but at the same time it smears data across what we used to think was a distinct boundary of our enterprise,” says Helms. “The problem with mobility is the boundary doesn’t exist anymore. It moves back and forth quickly and pervasively. Wrapping those communication mechanisms, ensuring the integrity of the endpoints, and ensuring only the right entitlements are exposed to the right users is a big challenge, but it is a key to customers and agents in the field.”
Mobility, like any new technology, offers huge opportunities, but with opportunity comes risk, explains Bhat. Users are embracing the technology at a number of levels, ranging from understanding the policy structure to the discussion around bring-your-own-device.
“It goes from understanding how mobile devices are really used, what data and transactions you are conducting on those devices, and figuring out what you will allow and not allow,” says Bhat. “There is still a lot we don’t know about this topic, but people are figuring it out. There is no one right answer to figuring out how to make it secure and what construct in which to make it happen.”
Looking at the consumerization of technology and the additional devices that make users more productive, Greteman believes an organization has to be responsive to them.
“When we look at the issue of personally-owned devices as well as tablets in the field, it’s critical to the business,” he says. “These are easy-to-use items that make people more productive and facilitate a greater exchange between agents and policyholders. It’s here to stay and people need to be prepared for it.”
For devices that are connected into your organization, Greteman maintains you need the ability to segment personal use from business use.
“Technology needs to support the idea that if someone loses their personal device you can wipe the machine remotely so there is no sensitive information on the devices,” he says.
With smartphones, Greteman points out it is less likely that people are creating materials on their phone, whereas the screens on tablets are big enough for most uses.
“You have to have a segmented posture on the devices, whether it is an Apple, Android or other device when it comes to tablets vs. smartphones,” he says. “For the last two years we’ve put structure around it and worked to define solutions for the business and personal components. We have a large number of folks on personally-owned devices from the phone perspective and a smaller number on tablets because not as many people have tablets. Their size also is a factor in the creation of materials.”
Social media creates security issues at two levels, explains Bhat. First, businesses have to look at social media more carefully than most people do in the sense that what people put out in social media can result in the bad actors gaining the ability to gather intelligence and get more specific in their targeting.
“Understanding what information goes out there and what is visible to the external world becomes critical,” says Bhat.
The second aspect involves the legal and regulatory issues where there is an uncontrolled use of social media sites.
“Like any other evolving technology, what companies need to do is to look at it from the construct of whether they have controls in place across various parts of the enterprise,” says Bhat.
With four different generations in the work force, Greteman points out there are different dynamics around social media.
“The concept of being personally connected and linked to your personal life is a reality and in many ways we look at it and embrace it,” says Greteman.
Helms has three questions insurers need to address about security and social media: Are our employees engaged in social media in a way that is exposing our internal data? Is any of our proprietary information leaking out into these social networks? Is there a possibility of any customer data—even inadvertently—being communicated in those environments?
“Often times it comes back to the old-fashioned approaches such as email phishing,” he says. “That’s still the easiest way to get inside the corporate boundary. Attackers go through social networks and develop social profiles. They identify a person you trust and send you an email with a link you would not think twice about clicking. The development of that information is a more significant threat than even proprietary data leakage.”
Helms points out that federal mandates such as HIPAA and Sarbanes-Oxley have raised security as an issue to the executive and board level with real consequences for a company’s leadership if these areas aren’t handled correctly.
Not all executives understand what needs to be done, though. Helms has spoken to many executives who view security as a “bolt on” to their system.
“The last thing [executives] think about is whether the system is secure, but when you imagine your system in the beginning it’s whether your system is resilient and available when customers want to use it and will it maintain confidentiality,” he says. “We try to get security out of the back end and into the front end and build in security as part of the development process. Every time they think of a new feature or capability, part of that iterative development process is that security needs to be part of that conversation.”
Helms points out customers should be more diligent when they are doing financial transactions.
“There is a strong criminal element that is interested in what kind of information they can get—from your accounts or credit cards,” he says. “Customers expect their provider to address security challenges and believe the responsibility is on the provider.”
The BrickStreet board was very much involved in getting the company set up.
“They were making sure we were doing things the way they needed to be done,” says Langlois. “One of the things we do that some companies may not be doing is a code of conduct. Usually it is written by the legal department or HR. Our audit committee of the board has taken responsibility so much so that our board members attest on a regular basis that they have read the code. This applies to vendors as well as the board and they report annually if they have any conflicts of interest. If they do, it is documented in a board resolution and the board members have to state in the resolution how they are going to address that conflict.”
Security didn’t become a big issue until companies began doing business on the Internet 10 years ago, points out Langlois.
As a start-up company, “we didn’t have to build momentum for security,” he says. “Plus, we have a CEO that wants to know if there is a problem and has no problem if people come in with an issue because he wants to fix things. We’ve been given a lot of latitude to do best practice. We are doing things you don’t typically see from a company our size.”
Randeri also takes great pride in what BrickStreet has done over a short period of time.
“We are bleeding edge with a lot of the [security measures] we are taking,” says Randeri. “That’s primarily because we have the blessing of the board and senior management. We had a Fortune 500 company ask us for a copy of our security plan.”
Both Langlois and Randeri believe it is imperative that everyone within the company is on the same page when it comes to security.
“We had to make sure our employees were security conscious enough that they were not passing personally identifiable information (PII) via plain text email,” says Langlois. “We had to make sure our employees were savvy enough to not leave claims or policy documents on tables when they were done for the day. We did a lot of education right at the beginning and even today we have yearly awareness training and it is incorporated into new-employee orientation. We are trying to build a culture. Our employees are security conscious right now. We’ve taken steps to be as protected as we can.”
Security professionals have to be right all the time, explains Randeri, so that means being proactive and performing vulnerability tests.
“We do vulnerability assessments on an annual basis,” he says. “That’s not a requirement by a regulatory body; that is our plan. We make sure we mitigate the vulnerabilities that have been identified, we make sure we do a complete review of our LDAP server or Windows active directory so only those people that need to have access do have access—the principle of least privilege.”
There is an awareness of the topic of security at the higher levels of the company, but how much investment is made is dictated by the regulatory climate and oversight.
“If there are incidents that get a lot of attention or if a board member asks the right questions or a C-suite executive gets behind it, the combination of these factors drives the spend level throughout an organization,” says Bhat. “In general, people have to fight for dollars and that’s why we always recommend to clients that they have an information security strategy. You need to be able to optimize the spending of resources on these items. Sometimes that takes time, but that’s the right way to do it.”
Reacting to incidents is the easiest way for security units to gain funding because as people attack the company, either through the website or some other area, it is easier for the executive leadership to see the impact of those risks.
The other side is what is your posture and your investment stance regarding potential future threats, according to Greteman.
“We look at our risk posture constantly,” says Greteman. “We’ve got a very intuitive framework which we use to understand where we are, what to worry about, and what we need to do to mitigate. Having transparency and understanding with your board is important and I believe we are there.”
Greteman doesn’t worry about how the insurance industry is perceived in regards to security as much as he worries about his own company. In that regard he feels Allied stands up well among the competition, citing the Ponemon Institute naming Nationwide, for the second year in a row, as one of the most trusted companies in terms of privacy in the U.S.
That doesn’t mean Allied can ever afford to relax. Greteman doubts that the issue of security will ever disappear.
“Anytime there is money, personal information, and the ability to do harm to folks, you are going to have people out there trying to take advantage of that,” he says.
Newer technology adds risk, but Greteman wonders how far companies take it.
“I feel good about where we are as an organization—a great mix of reactive and proactive,” he says. “We attend security events across industries and speak to others to get a good perspective on what they are dealing with. It doesn’t matter if you are a financial services company, an insurance company or a telecommunications company, likely you have very similar dynamics. We are learning from them and I believe we’ve had very good results. As we move into new models and packaged software, we need better integration to make sure we are protecting our policyholder data and personal information.”