
Technology Trends

Insurers Make Progress On Data Security, But IT System Defenses Still Incomplete

Regulatory compliance, legacy systems, mobile technology all pose challenges

In an industry that makes its money by assessing and avoiding risk, one would think that ensuring data security is a slam dunk. But while the insurance industry has made gains in this area, substantial challenges remain, several analysts contend.

“While carriers have made significant progress, in part to avoid other carriers' missteps (for example, stolen laptops) and [to establish] a rigid regulatory process (such as compliance officers, legal departments, etc.), carriers are only [one] piece of the puzzle,” according to Chad Hersh, a principal at New York-based analyst firm Novarica.

“While they can control their infrastructure and that of their employees and captive agents, other important pieces of the puzzle are out of their control,” he noted.

“For example, independent agents' laptops—which contain important client data (potentially including [private] health data), underwriting guidelines, etc.—could easily be susceptible to everything from programs that log keystrokes in order to allow a hacker to compromise a secure carrier Web site, to physical theft without adequate security measures in place, such as encrypted files, encrypted hard drives, passwords, etc.”

He emphasized that “while third-party administrators and vendors can offer promises and indemnity, security flaws still remain outside a carrier's control.”

According to Mr. Hersh, there are several daunting security challenges facing the insurance industry today. 

Aside from the lack of control over critical portions of the value chain, “compliance remains challenging” when it comes to meeting the standards set under the Health Insurance Portability and Accountability Act of 1996. He added that compliance with SAS 70 (accounting standards for audits of service firms) and the Sarbanes-Oxley Act (involving corporate governance) is also a “constant struggle.”

“One of the biggest challenges, though, is simply the huge number of disparate systems, legacy and otherwise, at most carriers,” he said. While these systems might be individually secure and compliant, every significant change that affects all systems (Y2K, regulatory changes, etc.) presents another opportunity for a problem across the information technology board, he noted.

He also pointed out that older systems may not always have the ability to support modern security protocols, causing carriers to make them secure simply by not providing outside access to them.

In response, he said changes need to be made, such as legacy system replacements, while warning that addressing third-party security is a big problem.

“Until carriers decide they are willing to risk upsetting independent agents [by forcing] better security provisions and more severe penalties into contracts with vendors, TPAs, etc., or until regulators treat agents the way they treat carriers, no truly effective solution may exist,” he concluded.
