Cyber Terrorism: Is the Insurance IndustryPrepared?
A sampling of insurers in an exclusive survey by the InsuranceInformation Institute and Tech
Decisions indicates companies have beefed up their security after9/11. Other security studies
also show theres cause for concern.
BY JOHN SPAGNUOLO

Cyber terrorism was a major concern of the IT world long beforeSeptember 11, 2001. But the events of that day made companies moreaware of their vulnerability to terrorism of all kinds. As firmscontinue to adopt and rely on more sophisticated technologies,their exposure to potential cyber attacks grows.

The Insurance Information Institute (III), in conjunction withTech Decisions, conducted an exclusive survey of a sampling ofinsurance companies regarding cyber security and the insuranceindustry. Respondents represented carriers totaling nearly 25percent of the property/casualty premiums written in the UnitedStates. The goal of this survey was to find out how 9/11 affectedthe way companies view the potential threat of cyber terrorism andwhat actions they have taken to protect themselves.

One hundred percent of respondents agreed the threat of cyberterrorism is real. When asked what area of their computer systemsthey were most concerned with, 57 percent cited their back-endsystems. The remaining 43 percent were most worried about their Website. Concerns about e-mail came in last, with no companiesconsidering it the main focus of their worry.

When asked if they had added any security-related funding totheir budgets for 2003, 63 percent of respondents answered yes, andtwo-thirds said their company had added new measures to safeguardtheir computer systems after 9/11. Commenting on these results,Robert Hartwig, chief economist at III, says, Increases in ITsecurity expenditures in the insurance industry mirror increases inmost other industries. Insurers were upgrading IT securityinfrastructures well before September 11th in response to theincreased threat from malicious attacks.

Examples of measures taken include:
employee education;
increasing security protocol;
adding encryption hardware and software;
improving monitoring systems to detect intrusions; and
upgrading anti-virus programs and operating systems to latestversions.

Hartwig explains insurers are determined to keep ahead of the ITsecurity curve because of their fiduciary responsibility tomillions of policyholders and because not doing so eventually wouldmake them more vulnerable to attackwhether from cyber terrorists ormischievous teenagers.

Measures Taken

Eighty-nine percent of respondents have implemented new measuresregarding disaster preparedness as a result of 9/11,including:
integrating crisis management teams;
updating business-continuity plans;
adding back-up data centers;
conducting more frequent disaster-recovery testing;
focusing on the preparedness of business partners;
making more frequent risk assessments; and
conducting analyses of critical staffing, data, and equipment.

When asked if they had a staff person in the IT departmentassigned to security risk, all respondents answered yes. Onaverage, 82 percent of these employees jobs are dedicated to thisfunction. Seventy-eight percent said they did not rely on outsideconsultants for security.

While most companies consider themselves prepared for a majorcyber attack, some commented that smaller insurance companies maynot have as many resources as they do to contribute to cybersecurity.

Other Cyber Statistics

The chances of any company becoming a victim of a cyber attack arenot small. According to CERT Coordination Center, a federallyfunded research and development center operated by Carnegie MellonUniversity that tracks Internet security problems, the number ofincidents reported rose by 377 percent between 2000 and 2002,increasing from 21,756 to 82,094. An incident may involve one siteor possibly thousands of sites. CERT also indicates the number ofpotential system vulnerabilities has in-creased by 379 percent,reaching a total of 4,129 in 2002. Possible effects of a cyberattack include denial of service, unauthorized use, loss/ misuse ofdata, and loss of public confidence regarding an organization.

The Computer Security In-stitute (CSI), in cooperation with theComputer Intrusion Squad
of the San Francisco Federal Bureau of Investigation (FBI),released the results of its 2002 Computer Crime and SecuritySurvey. Respondents included 503 computer security practitioners inU.S. corporations, government agencies, financial institutions,medical institutions, and universities. According to CSI, thefindings confirm the threat from computer crime and otherinformation security breaches continues unabated and that thefinancial toll is mounting. Ninety percent of respondents(primarily large corporations and government agencies) detectedcomputer security breaches within the last 12 months, and 80percent acknowledged financial losses due to computer breaches.Forty-four percent (223 respondents) were willing and/or able toquantify their financial losses, reporting $455,848,000 infinancial losses.

The population of intruders that pose a threat to a networkgrows each day. Todays intruders are different from those of 10years ago. A hacker does not have to be a sophisticated programmerto be able to harm a computer system. Intruders now can use theInternet to educate themselves, and they have access to easy-to-usetools that allow them to do large amounts of damage in shortperiods of time. Intruders can be professional criminals,international terrorists, industrial spies, teenagers, and perhapseven an employee.

Financial institutions under Federal Trade Commission (FTC)jurisdiction currently are required to secure customer records andinformation. As part of the implementation of the Gramm-Leach-Bliley Act, the FTC has issued the Safeguards Rule that requiresfinancial institutions to develop a written information securityplan that describes their program to protect customer information.According to the FTC Web site, the plan must be appropriate to thefinancial institutions size and complexity, the nature and scope ofits activities, and the sensitivity of the customer information ithandles. Each financial institution must:
designate one or more employees to
coordinate the safeguards;
identify and assess the risks to customer information in eachrelevant area of the companys operation and evaluate theeffectiveness of the current safeguards for controlling theserisks;
design and implement a safeguards program and regularly monitor andtest it;
select appropriate service providers and contract with them toimplement safeguards; and
evaluate and adjust the program in light of relevant circumstances,including changes in the firms business arrangements or operations,or the results of testing and monitoring of safeguards.

Resources

CERT Coordination Centeran organization that responds to Internetsecurity problems. Its staff members provide technical advice andcoordinate responses to security compromises, identify trends inintruder activity, work with other security experts to identifysolutions to security problems, and disseminate information to thebroad community. It also analyzes product vulnerabilities,publishes technical documents, and presents training courses.(www.cert.org)

Computer Security Institute (CSI)an association of in-formationsecurity professionals. It has thousands of members worldwide andprovides a wide variety of information and education programs toassist practitioners in protecting the information assets ofcorporations and governmental organizations. (www.gocsi.gov)

Information Analysis and Infrastructure Protection (IAIP)adirectorate of the Department of Homeland Security, which includesthe former National Infrastructure Protection Center along withfour other government entities. This effort brings representativesfrom U.S. government agencies, state and local governments, and theprivate sector together in a partnership to protect our nationscritical infrastructures. (www.dhs.gov)

Insurance Information Institute (III)recognized by the media,governments, regulatory organizations, universities, and the publicas a primary source of information, analysis, and referralconcerning insurance. (www.insurance.info)

John Spagnuolo is director of new media at New York-basedInsurance Information Institute.

CLAIMS TOOLS
Risk Managers, Brokers Assisted by Travelers e-CARMATool

Travelers introduced the latest enhancements to its riskmanagement resource, e-CARMA, which will deliver 18 standardreports, as well as point-and-click report analysis that enablesrisk managers and brokers to select specific data such as locationand accident-analysis codes to produce customized reports.

New to e-CARMAs standard report set are claims inventory, losttime summary and detail, loss stratification, and loss limitationreports that offer additional analytical tools to e-CARMA users.Risk managers and brokers can identify trends by using the LossAnalysis Drill Down, e-CARMAs data-mining feature that permitsdrill down by location and accident type.

Matthew Carden, vice president, risk management informationservices for Travelers, says, This latest evolution is furtherevidence of our commitment to the kind of customer-driven productdevelopment and service that enables Travelers insureds to quicklyrecognize and address key claim trends.

Also, e-CARMA offers report scheduling capability, automatedclaim alerts, and a relational database, as well as making the mostcurrent claims information instantly available. The schedulingfunction allows users to submit a report request once for thereport to run automatically monthly, quarterly, or yearlyandnotifies users by e-mail that their reports have been run and theirinformation is viewable. Customer-set claims alerts immediatelynotify users of sudden and significant activity on new and existingclaims. The e-CARMA relational database permits seamlesscustomization to meet the customers specific needs.

Safeco Introduces Online Commercial LinesTool

A new online resource available to commercial lines agents forSafeco can help agents calculate replacement costs and actual cashvalue for all types of commercial buildings. Called BVS-Commercial, the tool uses specific commercial propertycharacteristics and localized material and labor costs to calculatebuilding valuations. Agents can generate basic reports bycompleting five fields: ZIP code, occupancy, number of stories,gross floor area, and construction type. More detailed, customizedvaluations are also available.

Our new valuation tool provides Safeco agents with an excellentindication about insurance-to-value, but its
not intended to replace professional appraisals, says Mike Schack,the assistant director of automation for Safeco Business Insurance.Marshall & Swift/Boeckh developed the product to replaceSafecos paper guide. The information can be accessed through thecompanys agents-only Web site.

The system includes drawings, diagrams, and definitions from adrop-down help menu. It can generate and print or e-mail detailedprofessional reports that show the breakdown of all constructionmaterials and other data that impact the correct amount of coverageneeded.

WHOS USING WHAT

West Bend Mutual Insurance Co. has selected Afni InsuranceServices to develop an interface between IVANS TransformationStation and West Bends billing inquiry system. This will provideaccess to billing data for agency management systems. Afni also wasselected by Progressive Insurance to connect the carriers billinginformation with Afnis CSR24 policyholder self-service module.

American Medical Security Group (AMSG), a health-benefitsprovider, has selected Zix Corp. to provide enterprisewidee-messaging protection services for AMSGs 570,000 members. Inaddition, Blue Cross and Blue Shield of Kansas selected Zix to helpcomply with HIPAA security guidelines.

UnumProvident has announced a partnership with Global IQX to useConnectInsure, a Web-based quoting service that will allowinsurance professionals to conduct online quotations and enrollmenttransactions. UnumProvident provides income-protection insurancethrough the ConnectInsure Web site.

RBC Liberty Insurance has reached an agreement with COSSDevelopment Corp. in which COSS will develop and deploy desktop andWeb-based point-of-sale technology solutions for RBCs Liberty LifeInsurance and Liberty Insurance Services.

Protective Life Corporation and Union Central Life Insurance Co.have each licensed a custom data-integration solution fromInnovative Systems, Inc., called i/Lytics SECURE. The solution willhelp the insurers comply with the mandates of the USA PatriotAct.

Great American Life Insurance Co. and AMS Services, Inc., havecompleted Great Americans insurance program for social servicesagencies and nonprofit organizations using PS4 Plus. AMS also hasreleased a list of carriers that have adopted TransactNOW tosupport billing and claims inquiries. The list of carriers includesChubb Group of Insurance Companies, Encompass Insurance, TheHartford Financial Services Group, Kemper Auto and Home,Progressive Insurance, Safeco Property and Casualty InsuranceCompanies, The St. Paul Companies, and Travelers PropertyCasualty.

Ohio Casualty Insurance Co. has begun rolling out inquiryfunctions using IVANS Transformation Station from the IVANSInsurance E-Commerce Solutions Division. The system works throughthree different agency management systems used by Ohio Casualtyagents. Ohio Casualty also has installed Mitchell InternationalsWeb-based claims workflow solution for automobile physical damageclaims.

AmFed Companies, a workers compensation provider, has chosen theExample Platform product suite from Duck Creek Technologies thatwill give AmFed the ability to build and maintain its own ratingand issuance system.

Blue Cross & Blue Shield of Rhode Island has deployed theSimply Smart business process management software from Pegasystemsto improve customer-service quality and to personalize customerinteractions.

Equitable Life of Canada has signed a software licensingagreement with Whitehill Technologies, Inc., to use WhitehillsEnterprise software to enhance the way system-generatedpolicyholder documents are produced and distributed.

Safeco Insurance Corp. has reached an agreement withInsuranceNoodle to distribute Safecos small commercial insuranceproducts to more than 3,600 independent commercial insuranceagencies using the InsuranceNoodle platform.

Fortis Benefits Group has gone live with a multichannel intakeand claims management system from FINEOS Corporation called FINEOSDisability Claims Manager, which will allow multiple people to viewand work on claims at the same time.

Tryg, the largest insurance company in Denmark, has selectedComputer Sciences Corporation to manage Trygs IT operations.

Guardian Insurance has signed a contract agreement with PatniComputer Systems in which Patni will supply Guardian with ITsupport for new life and annuity products, gap analysis, and ITsystems installation.

First Insurance Co. of Hawaii, Ltd., is running live with PROMOSTechnology, a personal auto real-time transaction-based systembased on ACORD XML standards. PROMOS is a product from SpeedBuilderSystems.

Sage Life, a South African insurer, has signed a licensingagreement and implemented Amarta Life Fast Start, a product ofSherwood International.

Co-operative Insurance Companies has licensed the imaging andworkflow solutions from AcroSoft for use in the insurers claimsdepartment.

Korean Re and China International Re have signed membershipagreements with inreon to take part in the reinsurance industryonline marketplace operated by inreon.

Unitrin Specialty Lines Insurance has signed a licensingagreement with Fiserv Advanced Insurance Solutions (AIS) to use theFiserv AIS claims workstation for Unitrins nonstandard automobile,motorcycle, and personal watercraft insurance products.

Farmers Insurance Group has entered into agreements withTrumbull Services LLC. and Credit Collection Services (CCS).Farmers will use the Subrosource subrogation software fromTrumbull. The CCS agreement provides Farmers with subrogationrecovery services.

Columbia Insurance Group has selected Thazar to provide theinsurer with enterprisewide business intelligence through itsINSsight product.

The Phoenix Companies Inc. has licensed Product Profiler fromComputer Sciences Corporation, the software companys first productdefinition software based on a new industry standard thatintegrates with annuity systems.

Kemper Auto and Home announced the certification of applicationservice provider IBQ Systems for real-time XML rating of Kempersproducts through the IBQ SEMCI interface.

RISK MANAGEMENT
Tool Helps HartfordCustomers Determine Accident Losses

There are more than just the obvious costs involved in a workplaceaccident, and a new cost-estimation tool, Losstimator, developed byThe Hartford, helps insured companies track all expenses associatedwith accident claims. The obvious costs include medical expensesand salary for injured employees and repairing or re-placing anydamaged property. But Brian Hayes, executive technical consultantat The Hartford Financial Services Group, estimates indirect costsaccount for the majority of an accidents costas much as four to 10times the direct expenses.

Losstimator helps businesses understand the total cost of aworkplace accidentincluding indirect expenses. The insurerintroduced the tool at the Risk & Insurance Management Societys(RIMS) national conference in April. Businesses often overlook avariety of costs, especially indirect costs, when considering thetotal value of a workers compensation claim, says Hayes. Wevecreated the Losstimator to help quantify all the costs associatedwith a workplace accident so that they can be easily understood byfinancial professionals and used in determining the resources toput into safety and other loss-prevention programs.

Indirect costs of an accident can in-clude time spentinvestigating and reporting the accident, loss in productivity ofco-workers who are distracted by the accident, or the need foradditional training to help fill in for the injured worker. Inthese tough economic times, showing financial professionals exactlyhow much a workplace accident can ultimately cost makes it easierto justify the expense of accident prevention, says Hayes.

Flexibility is an important benefit of the Losstimator. Riskmanagers or business owners can adjust the modeled information,creating company-specific scenarios to meet their needs. Once thedata is entered, the Losstimator will estimate either the cost of asingle accident or an entire accident year. Depending on the userspreference, cost calculations can be based on an estimatedaggregate of accidents that occur in the industry or on actualcosts from a specific incident at that company. Additionally,accidents are classified as low, medium, or high severity, allowinga variety of scenarios to be modeled. The Losstimator thenestimates indirect costs, including those associated with theinjured worker, co-workers, lost profit, property, and othergeneral and administrative costs.

The Losstimator estimates indirect costs based on the number ofworker hours lost. These include costs associated with the injuredworker, co-workers, management, property, and general costs, suchas lost profit from site closure and legal fees.

It is important to have a good loss-control program in place tohelp manage risk, says Hayes. The Losstimator can help quantifytotal costs and demonstrate the financial gains effective riskmanagement programs can provide.

WEB SITE
Easy Access to Detailed Contract Info

Pacific Lifes annuity Web site has been enhanced to providebrokers, agents, and other registered representatives with detailedcontract information. Pacific Life hopes the Web site will unburdenrepresentatives from unwieldy books

of business and allow them to target specific client groups. Thenew features are located in the contract management section of theannuity Web site at www.pacificlife.com.

Phil Teeter, vice president of technology for the annuities andmutual funds division of Pacific Life, believes the en-hancementswill make doing business on the Web site easier and more timeefficient. Financial professionals committed to providing superiorservice to their clients while expanding their business will findthese upgrades invaluable, he says.

The Web site will allow sales reps to sort their variableannuity books by the date the contracts were issued. This allowsthe reps to identify which clients have become eligible to addoptional features to their contracts. The scheduling tool alsoallows the representatives to plan any client communication inadvance of the eligibility date.

Improved filtering features allow reps to search for variablecontracts that contain multiple investment options, filter theircontract list by the type of plan in which the client is invested(such as an IRA or a tax-sheltered annuity), find clients enrolledin automatic withdrawal programs, and track the status of exchangeand transfer business.

Representatives also can go to the Web site to review andservice contracts, access product information and performancestatistics, download forms and sales tools, and obtain portfoliomanager information.

UPDATE
Lloyds Platform Rolling Out Under New Name

Project Blue Mountain, the insurance operating platformdeveloped by Lloyds, has found its first takers in the form of fourLondon-based insurers and two international insurance brokers. Inaddition, when the product is rolled out later this year, it willdo so under the brand name Kinnect. This will take place when thebusiness begins live operations.

The insurers that signed letters of intent are ACE EuropeanGroup, Amlin, Beazley, and Wellington. Marsh and Willis are the twobrokers. Ashok Gupta, CEO of Project Blue Mountain, says, We willwork closely with these six companies to help them implement moreefficient processes and to fine-tune our own offering.
Project Blue Mountain/Kinnect is an international venture sponsoredby Lloyds to enable commercial lines trading partners tocommunicate risk data electronically for quicker and higher-qualitybusiness completion, more productivity, and profitability byoffering a secure business platform.

Business process is a long-standing problem for the globalinsurance industry, says Gupta. We believe we are part of theindustry solution. Recent letters of intent reflect we now have aworking platform able to deliver significant benefits in improvingthe effectiveness and efficiency of data transfer betweenestablished trading partners.