Regulatory compliance has taken the lead as the primary driver of data security in efforts by the insurance industry, according to a survey released by Ernst & Young.

But the New York-based consulting firm found that, despite many security worries about mobile and Web-based technology and about outside vendors' handling of data, few insurers are taking proactive steps.

However, the firm said state and government regulations and the consequences of not complying with them have made security of information a boardroom issue.

Nearly four-fifths (79 percent) of insurance industry survey respondents cited compliance with regulations as the primary driver of information security in their companies during the past year, Ernst & Young said.

Insurance industry executives responding to the Ernst & Young survey, when asked to rank the top three types of regulations or requirements that impact their company's information security practices during the past year, cited internal controls, 67 percent; privacy, 58 percent; and "industry-specific regulations," 38 percent. Operational risk ranked fourth at 32 percent.

Ernst & Young said organizations are missing the rare investment opportunities that compliance offers to promote information security as an integral part of their business.

Bill Barrett, head of Ernst & Young's Technology and Security Risk Services practice in the firm's Financial Services Office, said: "Compliance is proving to be more of a distraction than a catalyst for information security becoming strategically aligned within insurance companies."

Mr. Barrett added, "One might assume that with the attention information security is receiving due to regulatory compliance, insurance organizations' information security postures would be improving and information security as a function would be becoming more integral to their strategic initiatives."

However, he said, "this is not happening on a consistent basis. The gap continues to widen between the growing risks brought on by rapid changes in the business environment and what information security is doing to address those risks. This pattern is consistent, regardless of a company's size."

Mr. Barrett noted that only 39 percent of the insurance companies surveyed "have an integrated risk framework that considers regulatory, corporate and security requirements--the same percentage of companies that told us they have separate compliance and information security organizations which separately address regulatory and security functions."

Only 14 percent of the insurance companies responding to the survey said they have "an integrated risk framework, validated by a third party that considers regulatory, corporate and security requirements."

Another portion of the survey found that business demands and the declining cost of wireless connectivity are driving the rapid, widespread adoption of mobile technology by insurance companies.

This new technology has created significant security worries for executives who were polled, with the three top concerns being Web applications, 52 percent; mobile computing, 46 percent; and removable media, 41 percent.

Ernst & Young said with mobile devices leaving the safety of the corporate control environment, the information assets and intellectual property they carry are increasingly becoming the responsibility of individuals to protect--a responsibility that many organizations have not yet fully addressed nor anticipated.

"Only 38 percent of insurance companies we surveyed provide for general users of information to be trained or made aware of the impact of information security issues with these technologies, and less than half receive training on responding to security incidents," Mr. Barrett noted.

Other rapidly developing technologies such as voice-over IP telephony, open source and server virtualization, which hold the potential of increasing organizations' competitive advantage, are reported to be a significant security concern among fewer than 15 percent of insurance companies.

Ernst & Young said insurance companies consider emerging technologies in general to be a growing security concern in the next 12 months. However, over a third of them have no plans to take action to address the concern during that time period or beyond.

Outsourcing, the poll found, is an information security threat as many insurance companies are not paying adequate attention to vendor risk management--the process of assessing and mitigating risks, including due diligence and regular reviews of practices and procedures supporting vendors' products and services.

Ernst & Young said its survey reveals that almost one-fifth of respondents do not address the issue of vendor risk management at all, and one-third report they have only informal procedures in place to do so.

"It is no longer enough for insurance companies to consider just their own information security issues and threats," Mr. Barrett said. "As the world becomes increasingly smaller, and with more and more information flowing between companies, all organizations need to consider the security of their business partners, outsourcing arrangements, suppliers and customers."

Unless attention is paid to these risks, "the value created by these arrangements can quickly diminish or disappear due to perceived or real security, privacy, or identity breaches. Organizations should also consider demonstrating their own commitment to good information security by applying recognized standards or becoming certified," said Mr. Barrett.

Although awareness about information security has risen as a critical issue among insurance company boards and executive management, they continue to focus information security activities on operational and tactical issues at the expense of addressing strategic concerns, according to Ernst & Young.

Mr. Barrett said proper data protection, with proper organizational alignment and execution, can make significant contributions to an organization's strategic initiatives and overall risk management.

He added, "Organizations which employ information security in this way continuously involve business, IT and information security leaders in identifying specific areas where information security can contribute to strategic initiatives, such as mergers and acquisitions and outsourcing of business operations. They apply recognized information security standards, leading practices and the appropriate resources."

The consulting firm said its Global Information Security Survey 2005 included 107 respondents from insurance companies in the United States and 25 other countries.
