The promise behind every insurance brand is to protect the financial well being of the policyholders in the case of unexpected loss. This promise is explicitly made in every insurance policy. However, it didn't take long before insurers found themselves required to meet an implied promise - that of protecting people and their information assets.

The challenge insurers face today is to secure their clients' information, their own business information and intellectual property, comply with privacy laws and meet increasing regulatory requirements. These challenges become increasingly difficult with pervasive technologies such as mobile devices, laptops, cloud computing, etc.

Global privacy laws, the focus on enterprise risk management (ERM), and the continuing changes to governance, risk and compliance (GRC) requirements have elevated privacy and security to the boardroom as a core business function. Information security breaches can cause financial loss, reputational damage, and legal action from policyholders, affiliates and other parties.

Insurers will need to add security as a critical dimension in each of the layers that comprise enterprise architecture.


Accountability. Identifying who has overall accountability for establishing the information security policies and efficiently coordinating compliance requirements for the entire company.

Responsibility. Identifying who is responsible for the business processes in the insurance value chain, the workflows, and the performance of each task in the various departments and distribution channels.

Access. Identifying who can establish the appropriate level of access to technology services, corporate and client information (e.g., agents can only access his/her customers' details).

Privileges. Defining the amount of information that can be shared by insurers with their affiliates and subsidiaries, and what information access privileges will each type of user be granted.

Access Points. Defining the channels through which information/services can be accessed.

Monitoring. Establish effective monitoring to enable timely reaction to security risks and clear event details with forensically capable evidence.


Data Warehouses and Data Marts. Establishing standards and practices to minimize the risk associated with data proliferation, set security policies and procedures that define the type of information and data that will be stored in data warehouses and data marts, and who has what level of access.

Databases. Establishing access control and monitoring procedures to safeguard enterprise and client information, as well as procedures to protect data from corruption, theft, and unauthorized copying and distribution.

Information Flows. Creating information diagrams that map the flow of each information set from its origin, through storage and distribution. This includes defining for each department how information is created, stored, utilized, distributed and disposed.

Business Reports. Defining the security procedures for all mission critical reports utilized by the organization.

Records Management. Defining the records management/retention policies and procedures for all company records across all media.


Coding. Institutionalizing secure coding practices to address application vulnerabilities such as SQL injection and cross-site scripting.

Application. Designing role-based access control and fine-grained authorization to enforce data and application restrictions and comply with regulations.

Integration. Connecting various applications (e.g. connecting agent's application with carrier's back-end systems using SOA architecture).

Data Creation. Controlling the types of data that can be created using application systems (e.g. systems that can be used to create new customer identification numbers that tie them to social security numbers; encryption of sensitive data such as credit card numbers, passwords and identity card numbers).


Telecommunications and Networking. Ensuring data encryption across networks, and establishing security policies with respect to information in mobile devices.

Mainframes and Servers. Continuing the security procedures established for computers in most insurance companies today, but paying close attention to the security controls third-party service providers utilize when processing on behalf of the insurers.

Operating Systems. This is especially so during revisions and upgrades.

To protect the privacy of their clients, secure their client's information and protect their company's business information and intellectual property, insurers will have to understand the risks associated with the new technologies they are adopting.

Best practices include establishing privacy and security polices and procedures at the enterprise-level to protect all information assets of the enterprise, adding "security" as a dimension to both ERM and enterprise architecture, and adopting security tools and solutions aimed at increasing cost-effective information security.

Samuel Medina is head of Insurance Strategy & Growth and Brian Cummings is director of Information Risk Management Advisory Services, Global Consulting Practice, TCS North America, New York.


(c) 2009 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.

Register or login for access to this item and much more

All Digital Insurance content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access