SECURITY
Cyber Risks Require Enterprise-wide Defense Position by Insurers
Effective management of cyber threats requires an enterprise-wide approach using the input of risk managers, information technology experts, security, human resources, the general counsel, and line management, according to insurance and risk management officials.
Too many companies are making a mistake by managing risks in different departments, says William Barr, vice president for the Chubb Group of Insurance Companies in Pleasanton, Calif., during an interview at the recent Strategic Stakeholders e-Crime Congress in London. He urges companies to establish enterprise-wide risk management programs, overseen by either the CEO or a chief risk officer reporting to the CEO.
Many companies still view the IT department as being the primary source of cyber-risk control. However, Barr believes not all IT executives have the expertise needed to manage risk, particularly since cyber risks can generate non-IT-related exposures involving physical, human, and capital resources.
With such a silo approach, the effectiveness of cyber-security efforts often depends upon how well IT directors or CIOs understand the cyber-threat issue, as well as their interest level in the exposure. "I've seen situations where a physical security director who deals with the security of sites and cargo and the like is tapped on the shoulder and told, 'You're now also the cyber-security director,'" says Barr.
"You really have to have somebody who is knowledgeable on both sides of the issue to be able to manage the threat," he says. "That person also has to be knowledgeable or enlightened enough to understand that, even if they have that knowledge, they can't manage it themselves."
Chris Mandel, president of the New York-based Risk and Insurance Management Society (RIMS), admits e-threats may not be a priority for those risk managers who concentrate on property/casualty or hazard exposures, simply because these aren't areas that have touched them much from an insurance standpoint. "But if you're pursuing a broader approach to risk, you have no choice but to make sure that IT risk is one of the many things [examined in a company's risk profile]," says Mandel, assistant vice president of enterprise risk management for USAA in San Antonio, Texas.
"My first bit of advice, and it's part of my platform for the year that I'm president of RIMS, is that everybody needs to step out and sign up for that broader application of the risk management model for their enterprise," he says. "You can call it what you want, but in my view, the future for us is getting outside of that hazard-risk realm and getting involved in any and all material risks that could affect the enterprise."
Mandel says RIMS recognizes the value of putting more attention and resources to the effects of cyber crime. "But when you deal with risks on an enterprise-wide basis, you deal with so many things, it's only going to get so much of our attention going forward. But I think in the future, more of our members will have that as a part of their list of exposures that receive an allocation of their time."
Barr believes e-threats have not been included in the threat assessments of some companies and have not wound their way into proactive and reactive programs to minimize threats.
In the proactive area, he says, some companies have failed to develop a corporate culture to make sure the employees know how to respond to security issues, particularly to the cyber threats.
"While the firewall is the first line of defense," he says, "if you don't have a knowledge firewall on the employees' side, then you have significant gaps in your program."
He recommends companies analyze what would happen if an unprotected supplier, business partner, or customer were to experience a business interruption or go out of business due to a cyber disaster. "It's important to determine what measures these firms have taken to protect themselves," he emphasizes.
Most traditional disaster recovery plans have ignored or downplayed cyber threats, Barr says, noting a plan has to address e-threats and has to be reassessed and tested for flaws constantly. He believes the majority of a corporation's e-threat vulnerabilities are software related.
However, there are also organizational flaws that allow these problems to exist. Barr cites the example of assigning untrained people to do security, not authorizing any fix at all, or authorizing a short-term fix when a long-term solution is required.
To address the e-risk problem effectively, Barr encourages corporate insurance buyers to partner with law enforcement officials (who can put cyber criminals behind bars), government officials (who create the laws and regulations required to arrest them), and other industry peers (to create best practices).
Marylu Korkuch, vice president and federal affairs director for Chubb, says to combat e-threats, the insurer is emphasizing the importance of teamwork within a company and across an industry, as well as with government and law enforcement.
"I don't know too many risk managers outside of the high-tech industry who on a regular basis meet with and communicate with their IT counterparts," she says. "I also will tell you that not too many people in the IT world will go and seek out their risk managers."
Lisa S. Howard
Who's Using What
CUNA Mutual Group has selected ZixVPM from Zix Corporation to provide secure e-messaging for its life and health insurance customers.
Invivia, the holding company for The American Life Insurance Company of New York and Conseco Variable Annuity Company, has selected the Systems Engineering Group product Payouts to process fixed and variable annuities.
Americo Financial Life and Annuity Company of Kansas City has completed the installation of RisQ software, a risk management tool, from Annuity Systems Inc.
American International Investors Trust is using the Genelco Application Service Provider business model from Genelco Software Solutions to assist the insurer as it enters the Latin American market.
Old Mutual has adopted the ObjectStar Integration business integration software from ObjectStar International, Inc., to improve its time to market for new products.
Wayne Mutual Insurance completed the final phase of its conversion to the Results International Systems, Inc., outsourcing solution to provide end-to-end processing for all its product lines.
National Life Insurance Company has extended its relationship with Advanced Impact for use of the company's latest wealth management product, Wealth Strategies financial planning software.
CIGNA Corporation has selected FAST Data Search as its enterprise search solution from Fast Search and Transfer, a developer of search and real-time alerting technologies.
Community Health Group, a Chula Vista, Calif.-based HMO, has reached agreement with Perot Systems Corp., of Plano, Tex., on a five-year technology upgrade agreement that will include a healthcare claims administration software system.
Unigard Insurance Group, of Bellevue, Wash., has agreed to utilize the IVANS Transformation Station for its personal and commercial lines as an integrated component of its agency management system from Applied Systems.
Lexington Insurance Group, an American International Group, Inc. (AIG), company, will receive policy issuance and rating support from Cover-All Technologies, Inc., through an agreement Cover-All has reached with American International Technology Enterprises, still another AIG company.
Trends
Gartner Analyst Predicts Changes in Front and Back Offices for Insurers
Prediction no. 1: The insurance front office will be reinvented to present a new face to partners, distributors, and customers.
Prediction no. 2: Back-office systems and infrastructure efforts will be amplified to strengthen the corporate backbone.
These two predictions for the insurance industry from Gartner, Inc., research director Kimberly Harris are part of her research note "Insurance in 2003: Strategy Reassessment and Realignment."
The demands of the front office will continue to be a primary focus for insurers this year, she says, adding strategies will shift from channel-specific CRM projects to cross-channel collaboration and targeted sales and service efforts. Besides the emphasis on CRM, insurers will study underwriting practices and concentrate on financial and wealth management.
As for her second prediction, Harris asserts insurers need to examine systems that support the core processes of the company (claims and policy administration) as well as the business operations (enterprise resource planning). She suggests insurers turn to a three-year IT road map that outlines systems, architectures, and technologies needed to perform key business tasks.
Looking ahead in preparation for the world in 2006, Harris believes insurers should leverage and share IT knowledge across the enterprise, find new approaches to risk management needs, examine options for extending and supporting legacy systems, and develop an outsourcing strategy.
She writes that even though insurers are being pressured to improve operating efficiencies, less than 20 percent will have processes and technologies in place by 2006 to respond to real-time market and customer demands.
Legacy Systems
Host Access Solutions to the Rescue
The major carriers in the insurance industry usually have more money to throw at a technology problem than their smaller counterparts, but bigger often means unwieldy, too. And when you're talking unwieldy, you are usually talking legacy systems. In a recent METAspectrum evaluation conducted by META Group, the research consultant focusing on information technology found that 90 percent of large organizations will be utilizing host access products over the next five years to externalize legacy applications via Web services.
META Group evaluated 11 vendors for the study and determined the host access sector has undergone a great deal of consolidation and merger activity over the last three years. While the vendors achieved some success in selling traditional emulation products, heavy promotion did not spur a major increase in Web-to-host products.
META determined IBM is the clear vendor leader because of its technology and solid financial base. While there are a number of challengers to IBM, most lack the financial resources and the breadth of product offerings, according to the study. While some challengers have solutions applicable to certain customer segments, they do not have the market presence to become a broad player.
Mark Vanston, program director with META Group's enterprise data center strategies service, says, "We expect host access products to continue playing an important role for large organizations. Web-to-host access solutions can reduce the cost of legacy integration, enabling organizations to leverage existing assets and capitalize on new IT opportunities."