Message Mania
Balancing the Good With the Bad
For the modern insurance enterprise, then, the challenge becomes balancing the productivity gains offered by e-mail and IM with the security threats they introduce and the costs of mitigating these risks. But carriers' IT departments tasked with increasing security around e-mail and IM typically face limited budgets. "IT security has had limited resources as electronic data became more important, and IT security wasn't given the statutes to keep up with the evolving technology," according to Kevin Kalinich, managing director of professional risk solutions at Aon (Chicago). "In 2001 and 2002, carriers knew what to do, but they didn't have the resources until 2005 and 2006 -- after carriers, such as AIG, started losing information."
In 2005, according to Ray Wagner, research vice president at Gartner (Stamford, Conn.), the average IT organization allotted 4 percent to 6 percent of its budget -- or about $30 million -- to security. "The highest-security organizations are balancing security within their budget," he explains. "Those companies putting more money into security spending are ensuring that they stay out of the headlines."
Chubb uses a balanced approach to security spending within its IT budget, according to the carrier's Garvey. "Quantifying how much to spend on security is hard," he acknowledges. "IT spends more and more every year on tools to meet security needs and compliance, and it isn't always spent by the security department." For instance, customer analytics software may have added security functionality.
In addition, at Chubb, keeping security initiatives a priority also means investing part of its IT security budget on employee security education and creating a corporate culture that fosters employee awareness of the insurer's security standards. "We permit our employees to use e-mail for personal use, and if someone wants to use IM, we don't block it," relates Garvey. "However, we do give our employees guidelines because, for the most part, the bigger risk is not the employees doing a malicious deed; it is the employees who make bad business decisions."
Chubb has developed an educational program for employees on the use of e-mail and IM. If employees are sending information outside of the company for business reasons, it must be encrypted in some way. "If information is not encrypted and it is then forwarded to 10 other people, then there is a problem," says Garvey. "So we focus on purchasing the technology that can really lock that information down."
To limit the amount of confidential information that leaves the organization, Chubb has built its own internal authentication and reporting system, and the carrier uses PGP encryption to protect data leaving the company. Employees who want to take work home can send the files through secured BlackBerry devices from Waterloo, Ontario-based Research in Motion or through laptops that the carrier provides to employees. "It all boils down to recognizing emerging technologies and having an active and robust awareness about our security and the prominence of the information we deal with on a daily basis," says Garvey.
Of course, one way to eliminate security vulnerabilities arising from a technology's use is to ban the technology. To ensure compliance with the SEC's e-mail capture mandate, for example, AXA Financial has chosen to ban IM from being used on all company computers. "There can be advantages and disadvantages to allowing IM, but we've opted not to allow IM," relates AXA's Murray. But, he points out, "We have spent a lot of time, energy and investment to capture every e-mail to be in compliance with SEC legislation."
"Compliance can help quantify risk," says Aon's Kalinich. "If a company can determine its compliance to HIPAA, GLB and SOX, then those are good benchmarks to get entities to a minimum standard" for security protocols.
Deloitte's DeZabala stresses, however, that security efforts must go beyond compliance requirements. "Security needs to be embedded throughout the organization and the infrastructure that supports compliance efforts," he says.
AXA Financial's efforts include a pilot utilizing biometric smart cards to log on to laptops and e-mail. The devices then ask for both a password and a fingerprint scan for user authentication. "You can't get into the system without the biometric smart card, and we also use security tokens for gaining entrance into the network," says Murray.
To further protect customer data, Murray has set up AXA's security system in three levels. "You really need three levels of security," he says. According to Murray, AXA Financial's first level of security includes perimeter security, firewalls and spam protection. The second level is made up of network security programs, antivirus scans and authentication that will "allow gateway to the Internet," he explains.
But it is AXA Financial's third level that ensures the carrier maintains compliance. IT uses software to scan both inbound and outbound e-mails with a rules engine to pick up suspicious e-mails, Murray relates. The rules engines are programmed to flag suspicious keywords and phrases. All company e-mails are captured using AXS-ONE (Rutherford, N.J.) compliance and surveillance software, which encrypts and stores e-mails on direct-access storage devices for regulatory purposes. Still, Murray says, "I'm constantly looking for better security because you can't let your guard down."
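The third-level scan described above, a rules engine that reads inbound and outbound mail and flags suspicious keywords and phrases, is easy to picture as code. The following is an added example written for this article, not AXA Financial's or AXS-ONE's software: the rule names, patterns, the placeholder internal domain and the sample messages are all constructed here, and the "is this encrypted?" check is the simple assumption that PGP-protected outbound content carries the armored PGP header.

```python
import re
from dataclasses import dataclass


@dataclass
class Email:
    direction: str      # "inbound" or "outbound", from the carrier's point of view
    sender: str
    recipients: list
    subject: str
    body: str


INTERNAL_DOMAIN = "carrier.example"          # assumed placeholder, not a real domain
PGP_HEADER = "-----BEGIN PGP MESSAGE-----"   # ASCII-armored PGP marker used as the encryption check

# Constructed rule set: (rule name, compiled pattern, directions it applies to).
# A real deployment would carry far more rules; these three illustrate the shape.
RULES = [
    ("ssn_pattern", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), {"outbound"}),
    ("confidential_marker",
     re.compile(r"\b(confidential|internal use only)\b", re.IGNORECASE), {"outbound"}),
    ("credential_request",
     re.compile(r"\b(verify your password|confirm your account)\b", re.IGNORECASE), {"inbound"}),
]


def is_external(address):
    """True when a recipient is outside the carrier's own mail domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def is_pgp_encrypted(body):
    """Treat an armored PGP block as encrypted content that the keyword scan cannot read."""
    return body.lstrip().startswith(PGP_HEADER)


def scan_email(msg):
    """Return the sorted list of rule names that fire for one message."""
    findings = set()
    if msg.direction == "outbound" and is_pgp_encrypted(msg.body):
        return []   # encrypted outbound content: nothing for the keyword rules to see
    text = msg.subject + "\n" + msg.body
    for name, pattern, directions in RULES:
        if msg.direction in directions and pattern.search(text):
            findings.add(name)
    # Sensitive content leaving the company in the clear is the case the article's
    # encryption guideline is meant to prevent, so it gets its own finding.
    if msg.direction == "outbound" and findings and any(is_external(r) for r in msg.recipients):
        findings.add("unencrypted_sensitive_to_external")
    return sorted(findings)


# Constructed sample traffic for the demonstration.
SAMPLE_EMAILS = [
    Email("outbound", "adjuster@carrier.example", ["agent@partner.example"],
          "Claim file for review", "SSN 123-45-6789 attached, confidential."),
    Email("outbound", "adjuster@carrier.example", ["agent@partner.example"],
          "Encrypted claim file", PGP_HEADER + "\nhQEMA...constructed ciphertext...\n-----END PGP MESSAGE-----"),
    Email("inbound", "notice@mail.example", ["adjuster@carrier.example"],
          "Account notice", "Please verify your password at the link below."),
    Email("outbound", "manager@carrier.example", ["team@carrier.example"],
          "Internal memo", "Internal use only: next quarter's security budget."),
]


def scan_all(msgs):
    """Map each message subject to the rules it triggered."""
    return {m.subject: scan_email(m) for m in msgs}


if __name__ == "__main__":
    for subject, hits in scan_all(SAMPLE_EMAILS).items():
        print(f"{subject!r}: {hits or 'clean'}")
```

The design point worth noticing is the order of the checks: an encrypted outbound message is passed without keyword scanning, which is exactly why the article pairs the scanner with an employee rule that outbound information must be encrypted. The rules engine catches what leaves in the clear; the encryption policy covers what it cannot read.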