Message Mania
E-mail and instant messaging (IM) have become ubiquitous business tools and are part of almost everyone's daily routine. For insurers, the technologies provide easy ways to share information with distributors and employees, communicate effectively with customers and agents, and help claims adjusters transfer files to turn around claims -- all in real time.
But hackers, phishers, pharmers, spammers and other criminals all are out to score consumers' private data, and, unfortunately, lacking or substandard security for e-mail and IM leaves many insurance companies vulnerable to leaking clients' Social Security numbers, addresses and medical records, according to Ted DeZabala, principal in the enterprise risk services practice at New York-based Deloitte. "E-mail and IM introduce challenges into the IT environment," he says. "Viruses and worms can be transmitted through them, and when you are dealing with very sensitive data, and the protection and privacy of customer data, security is a big deal."
Adding to the challenge of securing customer data from the bad guys outside their walls, insurers also have to protect the information from internal threats. While internal threats can include employees who steal data for personal gain or expose it for malicious purposes, such as corporate espionage, internal security breaches often are the result of employee errors or oversights. The lack of proper procedures and guidelines for e-mail and IM usage -- or employees' lack of knowledge of such policies -- can expose sensitive data inadvertently. For example, well-intentioned employees may e-mail data to themselves so they can do additional work at home on weekends.
Further, insurers' relationships with outside providers can complicate e-mail and IM security. While a convenient means to communicate with and transmit data to business partners, e-mail and IM may not be secured with the same diligence at every firm. In addition, offshore outsourcing providers may reside in countries with different security standards and regulatory requirements.
Facing Threats
"Companies, in general, wrestle with any electronic means to take information out of the organization," observes Don Garvey, chief information security officer for Warren, N.J.-based Chubb Group of Insurance Companies ($48.1 billion in total assets). "Any mechanism that allows information to flow outside of your control is a threat." Often, however, insurance companies have failed to monitor e-mail and IM usage properly.
The brunt of the responsibility for ensuring compliance and acceptable security procedures usually falls on the CIO, something to which Kevin Murray, CIO of New York-based AXA Financial ($9.6 billion in annual revenue), can attest. "I have to make sure that our customer data is protected," he says. "We have an obligation to our customers to keep that data safe." Proper e-mail and IM security measures -- including both technology solutions and formalized procedures -- can help protect customer data against theft or loss, protecting carriers from litigation costs and decreased credibility resulting from a data breach, while helping them comply with customer privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB) and Sarbanes-Oxley (SOX).
To protect their networks, CIOs have created barriers using a variety of security products. Traditional security solutions include firewalls, offered by vendors such as Cisco (San Jose, Calif.); intrusion-detection applications by companies including Oracle (Redwood Shores, Calif.); authentication software from vendors such as CA (Islandia, N.Y.); and biometric devices and electronic tokens provided by vendors such as RSA Security (Bedford, Mass.) and Aladdin (Chicago). Still, 84 percent of organizations in North America have suffered security incidents in the past year, according to a CA study in which 84 of the 642 respondents were from financial services organizations. The study also found that the greatest loss to insurers from security attacks is productivity, along with loss of trust, damage to reputation, embarrassment, loss of confidential information and loss of business revenue.
But as the cost of security lapses has become more evident, insurers have begun to address vulnerabilities related to the use of e-mail and IM by adding to the security mix encryption software from providers such as PGP (Palo Alto, Calif.); spam filters from firms such as CipherTrust (Sunnyvale, Calif.); anti-virus software by companies including IBM (Armonk, N.Y.); and content monitoring applications from companies such as Verdasys (Waltham, Mass.). "We did a study of our own, and 87 percent of the e-mail that comes into our building is spam," relates Charlie Carter, CIO for Grange Mutual Insurance ($1.6 billion in total assets) in Columbus, Ohio. "If you consider what it potentially is bringing in [such as viruses and worms], it gets worse. So it is a major concern for our IT [department]."