"Information security is still lagging, but not as much as in other areas of IT in insurance," said Chad Hersh, a Houston-based analyst with Celent, a research firm. "To put it simply, regulatory concerns insure that carriers are taking certain important steps toward securing IT applications infrastructure, but regulations can't do enough to set standards that would truly secure the enterprise."

According to Mr. Hersh, other than the largest carriers--which have budget and in-house expertise to achieve full security--insurance companies lag behind the rest of financial services industry in security readiness. There are exceptions, however, he noted.

"Some carriers have had small security problems that opened their eyes to much bigger issues," he said. "Maybe they've had a hacker in their system who doesn't steal anything or a Web site that gets vandalized. It makes them realize how vulnerable they are. They've seen the light."

Sectors Vary On Readiness

Asked about differences in readiness between the property-casualty and life-health insurance sectors, Mr. Hersh said the variance is "primarily around Web." He asserted that p-c companies "tend to be better on the personal lines side, because they rely much more heavily on [the Web]. Direct writers spend more time, effort and dollars to maintain a secure Web presence."

Mr. Hersh said the life side is limited to online viewing of information and some buying, "so they don't invest the same kind of effort in Web security." On things like extranets, however, life carriers are slightly more invested than their p-c counterparts in securing their enterprises, he noted.

Most insurers, however, "still have a long way to go," he said. Dangers include having a poor security policy--or even a good plan that is poorly enforced. "If an agent loses a laptop with passwords on it, that may not ever be reported," he observed.

"It's very difficult for every carrier to protect data on an extranet when 30,000 agents have access to that data and they are sharing information with assistants and associates," said Mr. Hersh. "Without use of something like a hard token, plus a password, it's virtually impossible to prevent some leakages."

A hard token is a small authentication device such as an electronic key or a smart card. Mr. Hersh recommended that companies invest in such devices.

With privacy requirements under the Health Insurance Portability and Accountability Act, as well as the threats seen in recent events such as the ChoicePoint data compromise, along with reports of employees stealing credit card numbers, "it seems like a small investment by comparison," he said.

Overall, said Mr. Hersh, the insurance industry needs to stop looking at individual aspects of security and start looking at securing the enterprise.

"The insurance industry has spent so much time avoiding sharing of data [between companies], but they are already sharing a lot of that stuff," he said. "There are so many entry points to data that it's falling increasingly under regulatory scrutiny. We have to shift to enterprise security rather than individual applications."

Emerging Tech Addressed

"Most of what's wrong at this point is a failure to address emerging technologies," according to Mr. Hersh. "Not a lot of carriers are looking at the fact that agents use public Wi-Fi hotspots," he warned, referring to wireless computing. By not looking at these things and focusing instead on automation capabilities, insurers may fall short on protecting privacy and security in the enterprise, he added.

Looking at hardware security, Mr. Hersh points to a lack of encryption of files once a machine's password is cracked. "All customer-related files should be encrypted on the machine on an ongoing basis," he said, predicting that new regulations with security and privacy will drive more attention in this area.

"I still don't see a lot of chief information security officers at most insurance companies," he concluded. "And there's still a lot of third-party hosting and [application service providers], where security is outside of your control."

"Generally speaking, financial services have been the leaders in security, largely due to regulatory requirements," according to Eric Ouellet, vice president in the security and privacy research group for the Gartner Group in Ottawa, Canada. "Banks are leading, but insurance companies are not far behind."

In terms of how well sectors of the insurance industry are prepared for security problems, Mr. Ouellet noted, "what we see is that life in general tends to lead, p-c is second, and reinsurance third. Health care is dragging behind all of those."

Larger insurers tend to be more prepared than smaller ones, he added, because they often have groups dedicated to regulatory compliance, whereas smaller companies don't.

Big Is Good

"Large carriers in general tend to be better organized, have a better understanding of security, and have better IT services," he said. "Smaller companies don't have that level of sophistication, because the tasks are typically shared among many groups. If you're a small company and you're doing health care [transactions], you're probably farther behind."

With HIPAA and other regulations, insurers are aware of security needs for certain aspects of their businesses, but that might not be the same across the enterprise. "Data may be protected in different places in different ways, so there's not the same level of consistency," he added.

Mr. Ouellet said improved data classification--"getting a better understanding of the data you have and applying the correct controls for that data"--is a key to security. "A lot of companies are lazy in protecting the data they have," he noted. "You have to look at it from a risk approach. Know what you have. Which areas have high risk? Then apply appropriate data controls.

"Everything is related to risk," he concluded. "Insurance companies understand risk, so when they don't do a good job with [security], it's kind of an irony."

Taking Security Seriously

"In general, it seems people are taking [security] seriously. Measures are being taken and companies are spending the money," according to Chuck Johnston, formerly an industry analyst with Meta and now group director of insurance for Siebel Systems in San Mateo, Calif.

"The biggest risk is that I don't know if people understand where the frontiers of information security are these days," he added. "I don't think the bar has been set, because it's such a fertile ground for the hackers. Think of the value of getting your hands on 100,000 credit card numbers. That information has huge monetary value."

He described hackers as "a large number of very smart people with limited morals. It's almost like cyber-smash-and-grab. You can draw real value out of information, even for the 24 hours you have it."

He added that the ability to stop such breaches can never be 100 percent. "There's a constant evolution of tightened security protocols--then someone punches a hole in them and you have to start over again," he explained. "Insurance is as good as any industry in fighting against intrusion. We're doing okay, but the bar keeps moving."

Mr. Johnston agrees with Mr. Ouellet that life insurance is the most prepared sector of the insurance industry when it comes to security, because most life insurers have an investment component, and investment firms tend to have the best security. "If you look at the value of the information stolen, it tends to be lower in p-c," he noted.

"Health is second best, because they've had to go through the HIPAA exercise. They had to take a hard look at security infrastructure in terms of who has access to data," he added.

For the future, the industry must engage in a "continuing monitoring process," according to Mr. Johnston. "IT needs to work with an organization's risk management operation. Every company will have to make a decision about what the level of appropriate risk is, and this needs to be evaluated on a timely basis. Things are changing faster than most organizations have planned for."

Caption for shot of laptop in chains:

Dangers include having a poor security policy or even a good one that's poorly enforced. "If an agent loses a laptop with passwords on it, that may not ever be reported," warns one expert.

Flag: Key Points

Head: Who's Best On Security?

Just how prepared is the insurance industry to meet security regulations and protect sensitive data? That depends on factors such as the industry sector or size of company being examined, analysts contend. In general, these experts say:

o Insurance companies lag behind the rest of financial services industry in security readiness.

o Life insurers in general pay more attention to security, followed by property-casualty carriers, then health insurers.

o Larger insurers tend to be more prepared than smaller ones, because bigger carriers often have groups dedicated to regulatory compliance, while small companies might not.

o Most insurers don't have a chief information security officer, and many outsource tech functions where security is outside their control.