IM Reaches Mainstream, But Insurers Play It Safe

The evolution of real-time text communications technology, in which messages can be sent, received and viewed immediately, a.k.a. instant messaging (IM), is a welcome one for most companies. As IM moves from being a novelty for teens and college students to a viable communications vehicle for business, many organizations realize its potential: to improve collaboration and productivity.

But although analysts predict IM will soon be as commonplace as e-mail, its popularity among insurance companies is tempered with considerable caution.

Their concern revolves around security and compliance issues. Risk management is a hefty consideration, and carriers conducting an IM cost/benefit analysis have much to consider: reliability testing, the training involved, where and how IM will be used, whether formal directives are required to maintain control, and whether the software's security and archival functionality is strong enough to comply with SOX and other regulations.

For Arrowhead Group, a San Diego, Calif., managing general agency, the decision whether to implement IM has its roots in regulatory compliance.

"At this time we are blocking IM within the organization," notes Steve Boyd, Arrowhead vice president. "Sarbanes Oxley-related regulations are a major reason for this."

As part of a larger initiative that includes a move to a new location, however, Arrowhead is considering IM for the future, especially if the company splits its IS group across three buildings in the San Diego area, as planned.

"We are spending a great deal of time focusing on our internal development process and are concerned about the potential for disconnect between project team members at remote locations," Boyd says. "We feel IM can be a very useful and productive tool for our development teams, so we've begun an evaluation of different IM products to see which ones can meet our needs while at the same time provide us with some kind of auditing function."

Internal comfort zone

As agents and carriers evaluate the potential benefits of IM, many are seeing obvious advantages for internal implementation, but few are venturing beyond the firewalls of their own systems to use it to communicate to the outside world.

Boyd confirms that his company "more or less agreed" that an IM implementation would only be used internally.

Encompass Insurance, a Barrington, Ill., P&C subsidiary of Allstate, uses instant messaging on a very limited basis, and only within the Allstate network, says Neil Nelson, senior manager of business relationship management, protection technology service, at Encompass.

"IMs cannot cross the firewall, so we do not use them to communicate with our agents," says Nelson.

For both carriers and agents, interest in the new technology is clouded with concern about security.

"While we are huge believers in leveraging the latest proven technologies and tools to make our business processes more efficient and to speed communication and decision-making, we have decided that for the foreseeable future, we will not allow the use of IM," says Kieran Sweeney, president and CEO of Align General Insurance Agency Inc., San Diego. "Significant security concerns were the driving force behind this decision," he says.

Sweeney points to the industry's highly regulated environment as another concern. "We routinely receive and store consumers' personal information," he says. "As a result, we need to emphasize security in at least equal measure with functionality when choosing our business tools."

Best case, IM can foster potentially poor and unmanageable communication habits within the business environment, he says. Worst case, it could place the enterprise systems at greater risk to external penetration. "We see no compelling reason at this time to facilitate the use of IM," he adds.

LifeCare Assurance, a Woodland Hills, Calif., long-term care reinsurer, has its own instant messaging system, restricted to employees within the organization.

With both regulatory requirements and security in focus, the company has a clear mandate. "Any outside contacts must be through e-mail," confirms Anna Abrams, director of financial reporting at LifeCare.

The awareness that IM security threats rival those of e-mail technology, however, is cause for yet more concern.

As IM and peer-to-peer (P2P) networking become increasingly popular, hackers are finding it easier to break in through IM buddy lists, say analysts.

In a study conducted last year by Cupertino, Calif.-based security software firm Symantec Corp., 19 of the 50 top viruses and worms used IM and P2P applications. This represents an increase of almost 400% in only one year, reports Symantec.

IMlogic, a Waltham, Mass., provider of IM enterprise software, is warning customers that the Tixanbot Trojan and Guapim worm are using instant messaging to spread.

The Guapim worm uses MSN Messenger and another leading public IM network, as well as other P2P file-sharing networks, to distribute links to download a variant of the Spybot worm.

Due diligence quandary

Along with the threats mentioned above, the IMlogic Threat Center had detected more than 140 new threats in the two-week period before press time.

Regardless of whether the consideration is security or compliance, carriers that decide to implement IM for internal or external use face the same quandary: due diligence.

To stay on top of the potential downsides of IM implementation, the IT department must monitor IM systems daily, train employees, and enforce a formal policy for its use and misuse, according to two groups that recently studied the phenomenon.

According to a study of organizations' use of electronic communications tools, risk management issues and compliance failures exist because "there is a gap between the implementation of new technologies (such as IM) and organizations' management of them through formal directives and training."

The "Electronic Communication Policies and Procedures" study, conducted by AIIM, a Silver Spring, Md., enterprise content management association, and Kahn Consulting Inc., a Highland Park, Ill., compliance and records management consulting firm, queried companies on the tools they use.

Formal policies needed

Nearly half of the 1,000 organizations surveyed (19% of which are in the insurance industry) allow employees to use instant messaging, nearly 20% more than 18 months ago.

Since the organizations' first study in 2003, 33% more respondents reported they had implemented formal policies for electronic communication. Yet, that figure still only represents 28% of the total that provide formal directives regarding its use.

Similar to LifeCare, Encompass, and Arrowhead, Align has evaluated the merits of formal policies that spell out usage requirements.

"Align's e-mail usage policy is well understood by our staff and allows us to achieve a speed of business that differentiates the company without creating new and unnecessary downside risks and exposures," says Align's Sweeney.

Sweeney says his agency does not plan to use IM until it can ensure that no one can bypass the corporate authentication systems, that it can safeguard and track the flow of confidential information, and that it can document its corporate communications.
