A: Taft, Mayer, Brown, Rowe & Maw: Compliance programs, including those for e-mail, are like a chain. Each link is critical to the entire chain, and if one breaks down, the entire chain snaps. E-mail compliance programs require several measures, all aimed at different parts of the chain. Insurance companies must have robust and reliable system security when it comes to e-mail. Another link in the chain is user behavior. Users must be educated regarding the institution's policies and procedures for e-mail, attachments and downloads. A third link is technology procedures so that information systems personnel can respond to industry-wide threats and quickly make security patches.
A: Dawes, Omniva: Consistent enforcement of corporate policies requires both end-user training regarding these policies and tools and technology to automate policy enforcement. Automation is an important component of a comprehensive solution, as a corporation cannot rely on end-users always remembering to apply policies appropriately. Ideally, to avoid impacting employee e-mail productivity, a technology solution can automate compliance to the point that end-users do not need to be aware of the system unless they try to violate a corporate policy. In addition, tools can provide the detailed reporting that demonstrates that you are in compliance.
Q: How can insurers prepare for future risks, like new or updated regulations, looming viruses and security breaches, and greater use of instant messaging (IM)?
A: Trudeau, SurfControl: All of these challenges pose great risks. Today's increasingly sophisticated blended threats, like the recent MyDoom virus, introduce new transmission risks. It is more important than ever before for insurance companies to increase network security measures. Filtering technology can help manage content risks like spam, viruses and instant messaging, as well as demonstrate an organization's attempt to comply with the latest federal regulations.
A: Kapuria, @stake: An increasing number of insurance firms are pursuing offshore outsourcing initiatives to avail themselves of cost benefits and growing capabilities overseas. These types of initiatives can change the risk profile of a company as information and control moves from corporate governance to third-party environments. Some important considerations when conducting diligence and acceptance of an offshore initiative must include digital security planning, infrastructure/application assessments and security management evaluation.
Q: What risks arise when insurers communicate with agents, adjusters and other remote workers outside their firewalls? What steps can insurers take to protect themselves?
A: Trudeau, SurfControl: This is a very big issue. Workers accessing the Internet through wireless hot spots, or hotel services, for example, can threaten corporate e-mail security, from the content accessed or actions taken while "unplugged," and the potential exposure to viruses, worms and Trojans. Insurance companies should develop Internet and e-mail use policies that can be extended to all employees regardless of location. These policies should be clearly communicated to employees. Then, technology that supports these policies needs to be deployed.
A: Kapuria, @stake: Insurance companies must employ solutions to maintain their security and compliance posture outside and inside the organization. With the transfer of critical information to agents, adjusters and other remote workers who are not under the direct control of a corporate security office, the risk profile of that information changes. Insurance companies, which send sensitive information like Customer Non Public Information [NPI], should conduct diligence on what their compliance requirements are regarding information security and privacy. Upon establishing this understanding, the next step is reviewing the methods of communication employed and the legal responsibilities that both the insurance company and the recipients must adopt.
A: Taft, Mayer, Brown, Rowe & Maw: The potential for a security breach is one of the most obvious risks in allowing a mobile workforce. There are currently many good technology measures available to help create a secure mobile workplace. These measures include things like multiple layers of security codes for system entry, enforcement regarding access codes and the encryption of transmitted data. Another risk of a mobile workforce is the lack of centralization of important documents and information. Important business information is increasingly locally stored on the [traveling] worker's computer. Often, this information is never downloaded back to the central or regional storage points. As a result, this important information can be lost or compromised due to computer error or employee attrition. Insurance companies must create and enforce work policies and procedures regarding the capture, storage and backing up of this information.