The results of a recent technology security survey for the financial services sector might give the impression that the insurance industry has awakened to the threat of cyber-risks. But one analyst warns that there remains much room for improvement, with increased regulation likely to drive progress in locking down carrier systems.

Meanwhile, insurers are not the only ones with tech security concerns, as independent agencies brace themselves to prevent theft of client information, another consultant observed.

Deloitte's survey--"2010 Financial Services Global Security Study: The Faceless Threat"--asked more than 350 major financial institutions worldwide about their data security plans and operations. The institutions interviewed by Deloitte included 50 of the top global insurers.

The study, in its seventh year, found that for the first time organizations are taking the initiative and embracing new security technologies, becoming "early majority adopters" and no longer content simply to react to tech advances.

Despite the economic downturn, for the first time the lowest percentage of respondents, 36 percent, said that lack of sufficient budget was a major barrier to ensuring information security, compared to 56 percent last year.

A growing security concern is malicious software originating outside of the organization, the survey revealed.

Deloitte reported that chief information security officers say they are "far less confident that traditional controls will protect their organizations."

What is even more alarming is that the sophistication of the perpetrators is diminishing as malicious software can now be downloaded online and sent out to wreak havoc on insurer computer systems.

There is growing concern with protecting access to information as insurance companies are making investments in areas of security beyond entering a user name and password. Larger companies are placing a higher priority on tightening access, the report notes, adding that one roadblock to advancing this solution is the expense.

With this in mind, 42 percent of the survey participants said they are "somewhat confident" in being able to thwart internal attacks, while 34 percent said they are "very confident." When it comes to preventing external attacks, 56 percent said they are "very confident."

The report found that larger companies are significantly more advanced in their security practices than medium-size and small organizations. Close to 80 percent of financial organizations of more than 10,000 employees said they train employees to identify and report suspicious activity and also maintain a loss event database, while the number was closer to half for medium-size and small companies.

Broken down by industry, insurers ranked highest at 74 percent of respondents saying they train employees to identify and report suspicious activity, followed by banking institutions at 65 percent.

However, only 54 percent of insurers said they have a documented and approved information security strategy, outpaced by banks at 70 percent.

A big majority of insurers--76 percent--said they have a documented and approved information security governance structure, but the industry is outpaced here by payments and processors with the high score of 86 percent, and banks at 82 percent.

Insurers scored highest with making identity and access management a top security initiative for 2010 at 51 percent, with 54 percent saying they fully implement file encryption for mobile devices.

Out of 17 categories the survey reviewed, insurers led in nine of them and scored the lowest in only two.

But to believe that the insurance industry is leading in technology security implementation is to misread the results, according to Rick Siebenaler, a principal at Deloitte.

Of the financial institutions, banks have been far ahead of insurers on many technology issues, he said, noting that Deloitte's report is a strong indicator that the industry is beginning to make the needed investments in security.

"Insurers are not leaders [on tech security], but they are looking to close the gap," he said.

Bankers are ahead, he pointed out, because they have been subjected to greater regulatory mandates--outside compliance pressure that both property and casualty and life insurers are just beginning to feel.

"It is now evolving, and there is more policing taking place in the insurance market segment," he said.

Examining individual companies, the motivation for improving security will depend on regulatory mandates or the organization's own concern to secure data, explained Mr. Siebenaler.

Those insurers with a significant online presence, or which are more consumer-oriented, have more drive to get security controls in place. But insurers that do not see the Internet as a key component in their marketing strategy and are more focused on cost management and reduction do security on an as-needed basis, he pointed out.

There is a paradigm shift taking place in the industry, observed Mr. Siebenaler. He explained that in the past, insurers viewed technology security as protection of their perimeter. Today, such security concerns go beyond the company's internal database and extend to cyberspace. This includes protection against the inadvertent transmission of sensitive data through e-mail by utilizing technology that monitors networks for that practice or encrypts it.

A breach of such data can do tremendous harm to a company from a liability and reputational standpoint, warned Mr. Siebenaler. There are also regulatory concerns at the federal and state levels that can impose significant fines for every record compromised.

"Insurers may be motivated by company mandates or what is in their best interest, but they can't discern between them because it is in both their best interest and [mandated by] state regulations that [insurers] up their game in the security privacy area," observed Mr. Siebenaler.

Similar security concerns haunt the retail side of the insurance distribution system. Indeed, Christopher Baker, president of Special Agent--an information technology consulting firm in Holbrook, Mass.--noted that while insurers are making their networks more secure, thereby providing agents and brokers with a degree of security around personal information, that is no reason for them to ignore their own privacy exposures.

"It is a learning process for them, but many are not even sure what they need to do," Mr. Baker said. Quite a few believe that security involves having some protection for each individual application, but that's not the case, he added, noting that security involves protecting the agency's network.

To do this properly, an agency needs strong password protection and encryption of its network drivers, he suggested, as well as special training that may go beyond merely installing off-the-shelf security software.

"They may think [their IT system] is locked down properly, but there may be a backdoor open," he said. "It doesn't have to be a great expense to set up correctly, but it is money well spent."

In choosing a consultant, agency owners should follow the same due diligence procedures they use when hiring vendors for any kind of service--especially getting references and referrals from their peers.

A great resource for additional information is local associations, which often have a list of mandates and regulations governing technology security, noted Mr. Baker.

After getting this information, the next step is implementing proper security precautions, in part by making sure passwords are strong enough to prevent hacking and that the network's security system is configured properly.

Like insurers, producers need to be aware of the transmission of sensitive data through e-mails, which are notoriously unsecured. The best way to avoid exposing such data is by having a policy in place that mandates users never electronically transmit certain information, Mr. Baker suggested.

He warned that just as with insurers, a breach of security protocols might not only subject an agency to fines from regulators, but also damage its reputation with clients and future prospects.

Security in the cyber age is not fool-proof, Mr. Baker admitted. "No one has a perfect answer. Each solution has its own issues," he said.

However, one critical element of security that sometimes gets overlooked is using "common sense."

For example, Mr. Baker said that when users are confronted with pop-ups and online questions or requests for downloads, it can be difficult to judge what is legitimate and what is not. When in doubt, do not respond until getting clearance from someone directly involved in IT security, he suggested.

Mark E. Ruquet is an associate editor with National Underwriter, part of Summit Business Media's P&C Group, which includes Tech Decisions for Insurance.
