Security Details

The good news for insurance carriers that are concerned with security issues is that strategy and management practices are more important than new technology investments.

When problems occur in business, the first question (or possibly the second question, since "Whose fault is it?" usually comes first) is, "How much is this going to cost us?" If the problem is security, insurance carriers often are quite ready to throw money and additional technology at it, but a new study by Celent Communications points to less expensive problem-solvers. "In a lot of cases, it's a matter of assessment of strategy and management practices," says Matt Josefowicz, manager of the insurance group at Celent.

Issues such as ensuring proper procedures are being followed and patches are being applied regularly to systems do not take a great deal of money. "All these kinds of low-dollar-amount things are more a matter of management and practice than they are of buying a lot of new firewalls and things like that," he explains. "It means taking the time to do an internal network audit and trying to understand where your vulnerabilities are. Once you find them, it's not very expensive to fix them."

The insurance industry is doing well with respect to security, Josefowicz believes, and this is one area in which the industry's notorious conservatism has played an important role. Since insurers have spent the better part of a century maintaining a low profile in the business world, they also have stayed off the radar of those looking to attack high-profile companies from the outside, he says. "Of the companies we spoke with [for this study], a lot of them were focusing on this strategy and assessment step," he adds. "[Insurers] certainly aren't any worse off than other industries."

"That said, hacking and intrusion definitely are a concern [for insurers], but viruses and system management are right up there, [too]," Josefowicz asserts. In addition, he cites a recent study by the Computer Security Institute across all industries that reported threats from hackers outside the company were about even with threats from within the company. "When you are dealing with financial data, you have to be careful whom you are giving access to," he says.

Sloppy management of systems allows viruses to infect a company. "Viruses are a huge productivity threat, taking down desktops," says Josefowicz. "If a worm is let loose inside the enterprise, it has the potential to cause serious damage. That is a top concern for companies because [viruses and worms] take people out of production for days."

One area where insurers aren't keeping up with other industries is in having a top security person, in many cases a chief information security officer, in place. "Most insurers have at least a few dedicated people within IT focused on security, but they are not necessarily at the CISO level," reports Josefowicz. It's less common in insurance than other industries, where the appointment of a CISO is quite common. For insurers, final responsibility on security issues generally rests with the CIO. "In the insurance industry, [security] is just another thing that's been handed to the CIO," he adds. Nevertheless, he asserts, the lack of CISOs in the insurance industry doesn't signify insurers are taking the issue less seriously than other industries.

The use of consultants for security issues is a recommended practice. "You should definitely bring in outside people to look at your security just to get a fresh perspective," advises Josefowicz. "The insurance industry can have real tunnel vision, so it's advantageous to bring in outside consultants who can take a look at your network with a fresh perspective." Such consultants can be costly but not nearly as pricey as having a top-level person on staff. "It's very expensive to maintain a true IT security guru in-house," he says.

A practice insurers have not focused on is bringing security people into discussions when new software applications are being considered for the business. "A lot of sensitive data is stored and protected at an application level," notes Josefowicz. "If there's one thing insurers need to be doing, it is making sure IT security is coordinated with selecting applications as well as platforms."

ROBERT REGIS HYLE
