Although insurers have scrutinized IT security more closely post-9/11 and in preparation for HIPAA and USA PATRIOT Act compliance, a recent LOMA (Atlanta) study, "Data Privacy, IT Security and Disaster Recovery in Financial Services," reports that many financial services organizations have not paid enough attention to these functions. The study, authored by Steve Forbes, senior vice president of research, LOMA, explores the technological and managerial issues that are associated with the issues of data privacy, IT security and disaster recovery within financial services companies.
The main reasons for the continuing security shortfalls, according to Forbes, are the increasing complexity and interconnectivity of information systems that support complex products through more distribution channels. With this complexity comes a larger number of vulnerabilities that can interfere with IT processes and data security, Forbes explains.
To reduce these vulnerabilities, he advises, insurers should use virtual private networks (VPNs) to deliver data to customers over the Internet. Data encryption is also important for protecting data as it is transmitted from one party to another, but it is not 100 percent reliable, he notes. "Data encryption is fairly powerful when it's used properly," says Forbes. "However, every data encryption code can be broken with sufficient effort." To reduce the risk of an encryption key being broken, Forbes advises CIOs to change the encryption key frequently. Also, "the more bits that are used, the harder it is to decrypt," says Forbes. "One-hundred-twenty-eight-bit keys are better than a smaller number of key bits."
The LOMA study also suggests that exposure to security breaches can be reduced when extra care is taken during the employee hiring process. IT executives can also protect data by limiting each employee's access to only the information necessary to perform their job functions.
Where feasible, duties can be spread among employees so that no single employee sees the entire content of another individual's data. Internal firewalls should also be built into systems to enforce this policy, the study recommends, and Forbes further advises the prompt dismissal of individuals who don't adhere to these rules.
The LOMA report also encourages performing due diligence when dealing with a third-party provider. "It's important to make sure partners are adhering to the same IT security and data privacy policies" as the insurer, explains Forbes.
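The two controls above, need-to-know access and separation of duties, are easiest to understand as code. The following is an added illustration, not code from the LOMA study or from the article: a role-to-field policy table decides which fields of a customer record a given job function may read, a default-deny check records every refused request in an audit log, an invariant confirms that no single role can see the whole record, and a full export requires two different people in two different roles whose combined permissions cover every field. The customer record, the roles, the field names and the user names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample customer record; every value is fictitious.
CUSTOMER: Dict[str, object] = {
    "customer_id": "C-1001",
    "name": "Pat Example",
    "address": "1 Sample Street",
    "ssn": "000-00-0000",
    "policy_number": "P-55501",
    "premium": 120.00,
    "claim_history": ["2001-03: windshield replacement"],
}

# Need-to-know policy (assumed roles): each job function is granted only the
# fields it needs. Anything not listed here is denied.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "billing": {"customer_id", "name", "policy_number", "premium"},
    "claims": {"customer_id", "policy_number", "claim_history"},
    "underwriting": {"customer_id", "ssn", "address"},
}


class AccessDenied(Exception):
    """Raised when a request reaches outside the requester's need-to-know set."""


@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str
    denied_fields: frozenset


# Every refused request is recorded so that repeat offenders can be identified.
AUDIT_LOG: List[AuditEvent] = []


def view_record(user: str, role: str, record: Dict[str, object],
                requested: Iterable[str]) -> Dict[str, object]:
    """Return only the requested fields, and only if the role may see all of them."""
    wanted = set(requested)
    allowed = ROLE_FIELDS.get(role, set())  # unknown role -> empty set (default deny)
    denied = wanted - allowed
    if denied:
        AUDIT_LOG.append(AuditEvent(user, role, frozenset(denied)))
        raise AccessDenied(f"{user} ({role}) may not read {sorted(denied)}")
    return {name: record[name] for name in sorted(wanted)}


def no_single_role_sees_all(role_fields: Dict[str, Set[str]],
                            record: Dict[str, object]) -> bool:
    """Separation-of-duties invariant: no one role covers every field of the record."""
    all_fields = set(record)
    return all(fields < all_fields for fields in role_fields.values())


def full_export(approvals: List[Tuple[str, str]],
                record: Dict[str, object]) -> Dict[str, object]:
    """Release the whole record only to two or more distinct people in distinct
    roles whose combined permissions cover every field (two-person rule)."""
    users = {user for user, _ in approvals}
    roles = {role for _, role in approvals}
    covered = set().union(*(ROLE_FIELDS.get(role, set()) for role in roles))
    if len(users) < 2 or len(roles) < 2 or covered != set(record):
        raise AccessDenied("full export requires two distinct approvers whose "
                           "roles together cover the entire record")
    return dict(record)


if __name__ == "__main__":
    print(view_record("alice", "billing", CUSTOMER, ["name", "premium"]))
    print("no single role sees all:", no_single_role_sees_all(ROLE_FIELDS, CUSTOMER))
    try:
        view_record("alice", "billing", CUSTOMER, ["ssn"])
    except AccessDenied as exc:
        print("denied:", exc)
    print(full_export([("alice", "billing"), ("bob", "claims"),
                       ("carol", "underwriting")], CUSTOMER))
```

The policy table is the enforcement point the study calls an internal firewall: it is consulted on every read, an unlisted role gets nothing, and the denial log gives management the evidence it needs to act on the rule about employees who do not follow the policy.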
Is Your Firm Practicing Good Security Strategies?
-- Utilizing a VPN for data delivery.
-- Practicing data encryption.
-- Limiting employee access to data.
-- Taking care in the employee hiring process.
-- Performing due diligence of third-party provider security policies.
-- Designing appropriate contractual provisions with partners, with clearly defined penalties for failure to adhere to them.