Today, my house has multiple locks on every door, and it has become second nature to turn on the security system every time I leave. It never seems odd to me until I consider that, growing up, we routinely left the doors and windows wide open when we left the house.

In business, it seems inconceivable an insurer could operate without the firewalls, virus protection, private network software, and a host of other security technologies that protect information assets. But consider that information securityat least of the electronic varietystill is a relatively new activity.To put it in perspective, in the early 90s, [our] security team was eight people, says Bruce Bonsall, CISO at MassMutual Financial Group, Springfield, Mass., a number that may well have been eight greater than many other companies. Now, we have 30 people, and the number of issues has grown equally. With each new technology comes new vulnerabilities and exploits; every time we figure out how to use it, someone else figures out how to abuse it, and this game of one-upmanship keeps us very busy.

There is one important difference, however, between the current states of information security and home security. Regulation does not require you to lock your doors; in contrast, federal regulationsin particular, Gramm-Leach-Bliley, HIPAA, USA PATRIOT, and Sarbanes-Oxleyall have security-related components that affect the insurance industry. At the state level, various NAIC-modeled and other regulations affect carriers as well, perhaps the most notable (or notorious) of which is Californias SB 1386 that requires insurers to disclose any breach of security regarding customer data.