Data Breaches Increasingly Costly, Especially in Financial Services
When reporters come knocking, few topics cause insurance executives to shut off the lights and draw the curtains more than IT security. It's no wonder. For those carriers that have properly secured their policyholders' sensitive personal information, it's counterintuitive to reveal their security methods to the public. And for those companies that are struggling to keep out hackers and identity thieves, well, it's hardly something they want to advertise.
But while insurers can hide from reporters (or, at least, deny interview requests), it can be much more difficult -- not to mention bad for business -- to pretend that no one is home when customers come calling. While existing policyholders (and, of course, emerging potential policyholders, specifically from younger demographics) increasingly expect insurance organizations to put more information, services and tools online, they've also come to demand that their carriers protect their privacy.
"The leading carriers -- those that are outpacing the market -- are putting serious functionality on their [Web] portals," confirms Karen Pauli, senior analyst for Needham, Mass.-based TowerGroup's insurance practice. "It's new-business processing, it's data gathering. It's not just inquiry anymore; it's real-time initiatives. Once the carriers have gotten robust functionality out there, then they're going to have to address this security issue."
Bilyana Savic, president of Insurance Insights, a Cleveland-based consulting firm catering to the life and health insurance sectors, describes the situation as a give-and-take relationship between increased functionality and new security risks. "Things like Internet underwriting for life and health insurance, doing payments, and issuing identification cards all open up a new frontier for potential fraud and abuse of information," Savic says. "As the shift to the consumer continues to grow, and as the consumer becomes a more vital player in the marketplace, particularly on the life-and-health side, the security challenges will continue to be modified accordingly."
Indianapolis-based WellPoint ($56.9 billion in 2006 revenue) is keenly aware of this dichotomy between functionality and risk. "More and more of our products and services began to be delivered through the Internet," recalls Shamla Naidoo, the carrier's vice president and chief security officer. "As we increased our use of the Internet to deliver these products and services, with it came great opportunity to reach more members and offer more service and products. But the challenges increased because we were using this untrusted communication method to reach those members and passing along some very sensitive data back and forth."
At the same time that customers are demanding increased online functionality, they're being inundated with warnings about the dangers of doing business in a digital age. Security breach horror stories from inside and outside of the insurance industry continue to make sensational headlines, and terms such as identity theft and data breach are now part of the public consciousness.
According to Bruce Bonsall, VP and chief information security officer (CISO) for Springfield, Mass.-based MassMutual ($456 billion in assets), customers specifically ask about the security of their personal data. "It started a couple years ago, and now it's very common," he says. "This is becoming more and more the trend -- people are becoming more aware of security issues and they're savvy enough to ask how their information is going to be protected."
As a result, while regulation remains a definite business driver of insurers' security efforts, TowerGroup's Pauli says, protecting a company's public reputation has become at least as important. "Unless you've been hiding in a closet," she notes, "you've witnessed what happened with TJX and other places like that."
Clearly, security has emerged not only as a business concern, but as a customer concern as well. As such, perhaps it's time for insurers to be a little more forthcoming about their IT security efforts. After all, with the right security plan in place and solid execution, an opportunistic carrier could develop a new kind of customer loyalty by establishing itself as an IT security stalwart.