By category, the top IT security concerns for U.S. insurers are network technology vulnerabilities, application/database security and user access issues, according to “IT Security Issues Update,” a report from Novarica, an insurance technology consulting company. Configuration issues and “other,” rounded out the top five.
According to the survey, most insurers will increase IT security spending in 2014, and nearly all plan to keep spending at least level, Novarica said. External threats, such as network technology vulnerabilities and mobile device issues, were considered higher priorities than internal controls, such as network configuration.
Among L/H/A carriers, almost two-third plan to increase spending, Novarica said. L/H/A carriers tend to lag P&C insurers on technology, Novarica said, so the larger number of carriers with plans to increase spending may reflect plans for technology spending along with increased deployment of new systems and mobile devices.
While annual IT security audits are considered best practice and are the norm, Novarica said, more than 10 percent had not done an external audit in the past year. About 20 percent of P&C and 30 percent of L/H/A carriers conduct audits more than once per year, according to the survey; 12 percent said they had not conducted an external IT security audit in the past year, including 25 percent of midsized P&C carriers, those ranging from $100 million to $1 billion. They instead may have conducted internal audits or have justifiable reasons for deferring an external security audit, but an annual audit by an external firm should be considered as a minimum for due diligence Novarica said.
The rapid growth of mobile has added to insurers’ IT security concerns, Novarica said. Most carriers have policies and technology measures in place to manage the security of company-owned devices, but fewer have them for employee-owned devices, and even fewer still have them for devices owned by agents and other non-employees, according to the survey results.
Policies and security measures in place for mobile devices:
Category | Policy | Technology |
Company-owned mobile phones | 88 | 74 |
Company-owned tablets | 82 | 67 |
Employee-owned (BYOD) mobile phones | 73 | 61 |
Employee-owned (BYOD) tablets | 67 | 51 |
Devices owned by non-employee agents, etc. | 44 | 29 |
The results are based on responses from a survey of 95 insurer CIO members of the Novarica Insurance Technology Research Council. Participants in the snap poll included 10 large and 9 midsize life/annuity insurers and 21 large and 55 midsize P&C insurers.
