In an industry that makes its money by assessing and avoiding risk, one would think ensuring data security is a slam-dunk. But while the insurance industry has made gains in this area, substantial challenges remain, analysts contend.
"While carriers have made significant progress, in part to avoid other carriers' missteps (for example, stolen laptops) and [to establish] a rigid regulatory process (such as compliance officers, legal departments, etc.), carriers are only [one] piece of the puzzle," according to Chad Hersh, a principal at New York-based analyst firm Novarica.
"While they can control their infrastructure and that of their employees and captive agents, other important pieces of the puzzle are out of their control," he notes.
"For example, independent agents' laptops easily could be susceptible to everything from programs that log keystrokes in order to allow a hacker to compromise a secure carrier Web site to physical theft without adequate security measures in place, such as encrypted files, encrypted hard drives, and passwords."
Hersh sees several security challenges facing the industry today. Aside from the lack of control over critical portions of the value chain, "compliance remains challenging," he points out, citing the standards set under HIPAA. Compliance with SAS 70 (the auditing standard for controls at service organizations) and the Sarbanes-Oxley Act is a "constant struggle," he adds.
"One of the biggest challenges, though, is simply the huge number of disparate systems, legacy and otherwise, at most carriers," he says. While these systems might be individually secure and compliant, every significant change that touches all of them is another opportunity for something to break somewhere across the IT estate, he cautions. Making matters worse, he continues, older systems often cannot support modern security protocols, so carriers end up securing them simply by cutting off outside access to them.
In response, Hersh advises that changes such as legacy system replacements need to be made, but warns that third-party security is the harder problem. "Until carriers decide they are willing to risk upsetting independent agents [by forcing] better security provisions and more severe penalties into contracts with vendors, TPAs, etc., or until regulators treat agents the way they treat carriers, no truly effective solution may exist," he states.
"Carriers have made good progress on securing their systems, and the more they consolidate systems, the easier this task becomes," says Hersh.
Donald Light, senior analyst with Boston-based Celent, believes insurance companies, "except for possibly the very smallest ones, have made significant strides in improving data security in terms of keeping unauthorized users away from data and also physically protecting the locations of the data."
Agents and TPAs, however, "are much more of a mixed picture," he indicates. "Basic firewall protection and anti-phishing software [often] are in place, but a more sophisticated hacker trying to get into those organizations is going to have less of a difficult time than with an insurance company."
The protection of physical assets remains a security challenge for many insurance organizations, asserts Light. "Smart phones are another source of vulnerability, because by definition they are becoming more able to interact with e-mail and other forms of data that are available within the firewall," he observes. "A smart phone's ability to attack systems is going to be seen as a softer point of entry for the bad guys."
Yet another threat is internal, in the form of disgruntled current or recently departed employees, "especially when they are within IT and have higher levels of network access," he reports. "There have been a few court cases in which [such employees] have planted disruptive devices or data bombs to get information they should not have access to."
Will technology eventually solve the industry's problems?
"Like in so many other things, technology is one of the three legs of the stool," maintains Light. "People and processes are the other legs. Everyone with a smart phone or everyone who takes a notebook outside the company's walls has to understand his or her security vulnerability. Technology can solve some issues but only in conjunction with security policies and processes. Staff members must understand this is part of their job."
The future of security in insurance depends on external events, suggests Light. "Certainly this is a ripe area for legislation," he says. Events such as the loss of data and data attacks "will help [the industry] become more security-conscious and spend the money and carry out the steps." However, he adds, "if things get quiet for a year or two . . . the total progress will be less. IT departments and management as a whole have dozens of priorities they have to address. Data security is one of those priorities. But is it in the top five? The top 10? The top 100?" This is a critical question, he notes, warning the level of priority placed on data security will determine how successful future security measures will be.
© 2024 ALM Global, LLC, All Rights Reserved.