Are Your Systems Safe?

The insurance industry was one of the last to open its private gates to the Internet. Apprehension about exposing confidential customer information and other proprietary data to the outside world prevented insurance companies from jumping too quickly on the e-business bandwagon.

But in the past 12 months, several major carriers, including State Farm Mutual Automobile Insurance Co., Allstate Insurance Co. and Safeco Corp., began selling policies online. Some carriers also provide Internet support for submitting and checking the status of claims. And, as insurers move into broader financial services, they're making plans to enable customers to access investment information online and via handheld wireless devices.

As insurers bare their wares, their initial suspicion of the Internet has transformed into fully justified, high-priority information-security vigilance. "Insurance companies and all financial institutions store huge amounts of confidential information, and they are among the largest users of technology," says Tracey Vistoli, cyber solutions manager at Warren, N.J.-based Chubb & Son, which sells cyber insurance to financial institutions. "Mix confidential information with technology and what do you have? You've got an area of exposure that is so vast and so great that they've not seen anything like it before."

The area of exposure is indeed great, and criminals and other interlopers are homing in on it. Cyber crimes and information security breaches are widespread and diverse, according to the San Francisco-based Computer Security Institute (CSI), which conducts an annual survey of computer security practitioners in U.S. corporations and government agencies.

In its fifth survey, conducted with the FBI's San Francisco Computer Intrusion Squad, CSI found:

* 90% of those surveyed had detected computer security breaches over the past year.

* 74% acknowledged financial losses.

* 25% detected penetration from outside their company.

* 85% detected computer viruses.

E-business poses several types of risk to companies, including insurers, says Ken Tyminski, vice president and chief information security officer, The Prudential Insurance Company of America, Newark, N.J. The risks include compromises to data integrity and confidentiality, as well as to the availability of the company's systems.

Private guard is gone

A company may not be able to prevent, detect or react to unauthorized access, he explains. For example, "you may not even know that someone is getting in who shouldn't get in, or worse than that, you may know somebody is getting in and you can't identify who they are or where they're coming from."

Who are these cyber criminals? They could be transnational crime organizations, "script kiddies," or freelance or mercenary-type hackers who want to crack into a system just for the thrill of it, says Tyminski.

In addition, there are disgruntled former employees who want to make a statement or "ethically flexible" current employees who know they shouldn't be accessing certain areas of the company's system but rationalize that it's okay, explains Neil Cooper, senior manager of the security practice at New York-based PricewaterhouseCoopers.

"Insurance companies have been living in a private subdivision with a private guard in front, in terms of the data they had," says Sajay Rai, Americas security and technology solutions group leader and partner at New York-based Ernst & Young.

With this e-enabled economy, however, a lot of information is available either through business-to-business exchanges or marketplaces or companies' own Web sites, Rai says. "It's almost like they've gotten rid of the private guard in front and now people are just coming into the subdivision and they can roam around 24 by 7."

Knock-knock, Who's there?

As carriers begin processing transactions with customers over the Internet, authentication becomes a key issue. "When we interact with people in the old model, one-on-one, face-to-face, you usually have a pretty good idea that you know the person you're interacting with," Tyminski says. In the new model, "we need to make sure that we can authenticate that the person at the other end is really who they purport to be," he says.

The importance of authentication to e-commerce is evident in the marketplace. Worldwide revenues for authentication, authorization and administration software grew 41% in 1999 and were projected to grow 33% more in 2000, according to IDC, a Framingham, Mass.-based technology research and consulting firm. At $2.1 billion in 1999, this was the largest segment of the security software market analyzed by IDC (which also included firewall, encryption and anti-virus software).

Perhaps the most common form of Internet authentication is a user ID and password. Prudential uses two-factor authentication for people who come into the network remotely, which involves a randomly generated token that is valid only for a short duration, entered along with a PIN to log in.
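The remote-login scheme described above (a short-lived token plus a PIN) is easy to get subtly wrong: the token must expire, must not be accepted twice, and a failed login should not reveal which of the two factors was bad. The following is an added example, not Prudential's code or any vendor's product; it implements the token as an HMAC-based one-time code over a 60-second time window (the window length, the one-step clock skew, the six-digit length and the PBKDF2 PIN hash are assumptions, since the article says only "short duration" and "PIN").

```python
"""Two-factor remote login: a short-lived one-time token plus a PIN (added example)."""
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 60   # assumption: each token is valid for one 60-second window
SKEW = 1            # accept one neighbouring window on each side for clock drift
DIGITS = 6          # assumption: six-digit display on the token device


def token_for(secret: bytes, counter: int) -> str:
    """One-time code for a window counter: HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def current_token(secret: bytes, now=None) -> str:
    """What the user's token device shows at wall-clock time `now` (seconds)."""
    now = time.time() if now is None else now
    return token_for(secret, int(now // STEP_SECONDS))


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # The PIN is never stored in clear; only a salted, slow hash of it.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class RemoteAccessGateway:
    """Server side of the login. Both factors are always checked before answering."""

    def __init__(self):
        self._users = {}   # user -> (token secret, PIN salt, PIN hash)
        self._used = {}    # user -> window counters whose token was already redeemed

    def enroll(self, user: str, pin: str) -> bytes:
        secret = secrets.token_bytes(20)
        salt = secrets.token_bytes(16)
        self._users[user] = (secret, salt, _pin_hash(pin, salt))
        self._used[user] = set()
        return secret   # provisioned onto the user's token device

    def login(self, user: str, pin: str, token: str, now=None) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        secret, salt, pin_hash = record
        now = time.time() if now is None else now
        counter = int(now // STEP_SECONDS)

        # Factor 1: the PIN, compared in constant time against the stored hash.
        pin_ok = hmac.compare_digest(pin_hash, _pin_hash(pin, salt))

        # Factor 2: the token must match the current window or a neighbour,
        # and a window whose token was already redeemed is never accepted again.
        matched = None
        for c in range(counter - SKEW, counter + SKEW + 1):
            if c in self._used[user]:
                continue
            if hmac.compare_digest(token_for(secret, c).encode(), token.encode()):
                matched = c

        # Decide only after evaluating both factors, so the reply does not say which failed.
        if not (pin_ok and matched is not None):
            return False
        self._used[user].add(matched)   # burn the token so a captured one cannot be replayed
        return True


if __name__ == "__main__":
    gw = RemoteAccessGateway()
    device_secret = gw.enroll("agent42", "4821")
    code = current_token(device_secret)
    print("first login:", gw.login("agent42", "4821", code))    # True
    print("replay:", gw.login("agent42", "4821", code))         # False
```

Note what the replay set buys: a token sniffed from one session is useless a second time even inside its validity window. Without the PIN factor the secret on a stolen token device would be enough, which is exactly the point made about unprotected private keys later in the article.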

Biometric technology that identifies a person by fingerprint, retina or voice is also advancing and holds promise in authenticating customers, as does public key infrastructure (PKI), says Gerald Giesler, senior vice president, information technology, Chubb & Son.

PKI, which provides a method of obtaining a digital certificate issued by a trusted third party, can be effective for certain applications, such as business-to-business exchanges, according to security experts. But the technology has several shortcomings: it's expensive, difficult to implement and not yet standardized.

"If I register with VeriSign (a third-party certificate authority) and the vendor I'm doing business with is registered with IVANS, then that vendor can't check my digital certificate," Giesler notes.

In addition, digital certificates could actually lessen security if not used carefully or in conjunction with another authentication procedure.

"Imagine that you have a bunch of private keys and these algorithms are stored on your laptop computer, but you haven't protected your laptop and it's stolen," Tyminski says. "Somebody gets on it, and they can just access the private key. They can send things and purport to be you. In that case, user ID and password may have been better."

The proactive approach

Because security threats are constantly changing, insurers that have not installed the most recent security technologies may be in for a rude awakening.

"We're in a different world now and some of the security products that worked a few years ago aren't as effective now," says Dave Kroll, director of marketing and security research at Finjan Software Inc., a San Jose, Calif.-based company that provides code behavior-monitoring technology.

For example, antivirus software architecture was built in the 1980s, when viruses traveled very slowly on floppy disks. Then the Web arrived, and the "I love you" worm traveled the world in minutes and within hours caused billions of dollars in damages, Kroll says. "A lot of companies are looking for a more proactive approach."

Security professionals are realizing that instead of testing their networks once a year for holes where hackers can get in, they now have to monitor their networks dynamically. This is necessary, Chubb's Giesler says, because "nanoseconds after we find a hole, chances are a hacker just found a hole."

Vulnerability assessments, penetration tests, intrusion detection, and adequate logging and monitoring are vital to safeguarding information accessible via an insurer's network, Prudential's Tyminski says. "These are things you need to do on an ongoing basis."

The security industry has come a long way in the area of intrusion detection and monitoring, according to Ernst & Young's Rai. "Fifteen or 20 years ago, when I first delved into this topic, nothing was available. Now, we're not far from predictive neural solutions where-based on the data and patterns-we can predict when the next attack is going to occur or when the server is going to go down."

The enemy within

Intrusion detection and monitoring are effective methods of dealing with outside intruders breaking into a system, but they don't address the problem of employees who access confidential information without authorization. And it is a problem.

In 1997, 40% of respondents to the CSI survey reported unauthorized access to their systems by insiders; while in 2000, that number had risen to 71%.

As a result, companies are beginning to rethink the use of role-based security, says PWC's Cooper. With role-based security, employees only have access to the information they need to perform their job function. "That's a way of protecting customer information and a lot of companies are taking that path," he says.

Similarly, carriers are beginning to consider the issue of entitlement. For example, what transactions will they allow under what conditions?

"You may have a trader who works for you, and you may allow him to conduct high-volume, high-worth transactions when he's in the office, but do you want him conducting those transactions when he's on the road?" Prudential's Tyminski asks.

"With entitlements you can say, he can only do that transaction when he's at this location."

An insurance company might decide that a customer can move money around in a variable life insurance policy only four times a year. "The customer is authorized to move the data, but they're entitled to do it only four times a year," he says.
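The two ideas in this section fit together as one decision function: role-based access decides whether a person may perform a transaction at all, and entitlements decide under which conditions (where from, how large, how often) a permitted transaction may go ahead. The following is an added example, not code from PricewaterhouseCoopers, Prudential or any product; it encodes the two scenarios above (the trader whose high-value trades are allowed only from the office, and the policyholder limited to four reallocations a year). The role names, resource names, the $1,000,000 threshold and the "office" location are assumptions made for the illustration.

```python
"""Role-based access plus entitlement conditions (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Request:
    subject: str      # who is asking
    action: str       # e.g. "trade", "reallocate"
    resource: str     # e.g. "equities", "variable-life"
    location: str     # where the request originates
    when: date
    amount: float = 0.0


def make_request(subject, action, resource, location, when_iso, amount=0.0) -> Request:
    """Convenience constructor taking the date as an ISO string."""
    return Request(subject, action, resource, location, date.fromisoformat(when_iso), amount)


# --- entitlement rules: each returns (allowed, reason) for a request and the subject's history ---
def high_value_only_from(threshold, *locations):
    """Transactions at or above `threshold` may only be made from the listed locations."""
    def rule(req, history):
        if req.amount < threshold or req.location in locations:
            return True, "ok"
        return False, (f"amount {req.amount:.0f} >= {threshold:.0f} requires location "
                       f"in {locations}, got {req.location!r}")
    return rule


def at_most_per_year(limit):
    """The subject may perform this transaction at most `limit` times per calendar year."""
    def rule(req, history):
        used = sum(1 for d in history if d.year == req.when.year)
        if used < limit:
            return True, "ok"
        return False, f"{limit}-per-year limit already used in {req.when.year}"
    return rule


class Authorizer:
    def __init__(self):
        self.role_grants = defaultdict(set)    # role -> {(action, resource)}
        self.memberships = defaultdict(set)    # subject -> {role}
        self.entitlements = defaultdict(list)  # (action, resource) -> [rule]
        self.history = defaultdict(list)       # (subject, action, resource) -> [date]

    def grant(self, role, action, resource):
        self.role_grants[role].add((action, resource))

    def assign(self, subject, role):
        self.memberships[subject].add(role)

    def entitle(self, action, resource, rule):
        self.entitlements[(action, resource)].append(rule)

    def authorize(self, req: Request):
        """Returns (allowed, reason). Default deny; records the transaction only when allowed."""
        # Step 1: role-based access. Does any of the subject's roles grant this action on this resource?
        roles = self.memberships.get(req.subject, set())
        if not any((req.action, req.resource) in self.role_grants[r] for r in roles):
            return False, f"no role of {req.subject!r} grants {req.action} on {req.resource}"
        # Step 2: entitlements. Every condition attached to the transaction must hold.
        key = (req.subject, req.action, req.resource)
        for rule in self.entitlements[(req.action, req.resource)]:
            ok, reason = rule(req, self.history[key])
            if not ok:
                return False, reason
        self.history[key].append(req.when)
        return True, "ok"


def build_demo_authorizer() -> Authorizer:
    """The article's two scenarios, encoded as policy (names and figures are assumptions)."""
    az = Authorizer()
    az.grant("trader", "trade", "equities")
    az.assign("alice", "trader")
    az.entitle("trade", "equities", high_value_only_from(1_000_000, "office"))
    az.grant("policyholder", "reallocate", "variable-life")
    az.assign("carol", "policyholder")
    az.entitle("reallocate", "variable-life", at_most_per_year(4))
    return az


if __name__ == "__main__":
    az = build_demo_authorizer()
    print(az.authorize(make_request("alice", "trade", "equities", "office", "2001-03-05", 5_000_000)))
    print(az.authorize(make_request("alice", "trade", "equities", "hotel", "2001-03-06", 5_000_000)))
    for m in range(1, 6):
        print(az.authorize(make_request("carol", "reallocate", "variable-life", "web", f"2001-0{m}-01")))
```

The separation matters operationally: the role table changes rarely and is owned by HR-style provisioning, while entitlement rules are business policy that can be tuned (a new threshold, a new annual limit) without touching who holds which role. Keeping the decision default-deny means a subject with no role, or a transaction with no grant, is refused before any entitlement is even consulted.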

A matter of trust

Not only do employees present a potential threat to the security of customer data, but so do contractors and business partners.

"When you had a closed network, you knew who was coming to you and you knew where your perimeter was," Tyminski says. As insurers begin connecting with independent brokers, dealers, general agencies and other contractors via the Internet, they have to be aware of the trust relationship that exists, he says.

"If I've authorized you to come in and I have good standards in place, but you're allowing people into your site without the same level of standards, I'm only as protected as your standards protect you."

That trust relationship extends to application service providers (ASPs). If an ASP exposes an insurer's critical assets to the outside world, that insurer would have to impose the same level of due diligence on the ASP's security as it would on its own security, Chubb's Giesler says.

On the other hand, he says, "if there's an application that I'm trying to get out there really fast, and I want to do it in a secure way, one advantage of using an ASP is they may already have security protection in place that I don't have."

Securing customer data from being altered or stolen is a continual effort for insurance companies.

"We deal with alerts we get from security organizations telling us to watch out for this or that virus, and alerts we get from our virus-scan software vendor saying update your software, as well as with actual situations that arise when a virus gets through all our defenses," Chubb's Giesler says.

Indeed, all the security in the world can't stop a determined hacker from breaking into a system, experts say. "When you enter the security space, you have to do so with the humility of saying, 'We can't protect against everything. That is a fact of life,'" Giesler says.

What is it worth?

Therefore, companies have to determine what their key assets are and what they have to do to protect those key assets, he adds.

"You don't want to put a $100 lock on something that's only worth $5," Prudential's Tyminski says.

Chubb's IT security group is now conducting systematic reviews with business units to determine what data requires the most protection, what threats exist against those assets, and what safeguards need to be in place that are not already there.

"The issue is: What is the business mandate for security, as opposed to what are all the things we can do technologically to be secure, which are infinite," Giesler says.

"They're also very expensive if you try to do all of them-prohibitively expensive."

MORE FROM DIGITAL INSURANCE