Q: Why is identity management so important, and what are the biggest challenges insurers face in that area?
A: Kirk Herath, Nationwide: Identity management is the key to the most important aspect of information security: access controls. Only authorized parties are permitted to have access to information. So permitting unauthorized parties access to information is a breach of security that now, under 23 different state laws, requires you to notify your customers.
A: Craig Shumard, CIGNA: One of the largest challenges is ensuring employees only have access to the information needed to do their jobs -- and nothing else. Both customers and key regulations such as HIPAA mandate this "minimum necessary" principle. At CIGNA, we have implemented Role Based Access Control (RBAC). RBAC has improved access controls by basing rights on predefined job roles, which not only increases consumer confidence and ensures regulatory compliance, but also has reduced security administrative costs.
Another challenge is implementing "federated identity" capabilities, so that customers can use their existing authentication and authorization credentials from their own networks to gain access to their information stored in their insurers' networks. Increasingly, customers are requesting this feature. Federated identity is further complicated because tools in this arena still are developing from competing identity management standards groups.
A: Elliott Zember, FoxT Technologies: Sarbanes-Oxley has increased the emphasis on the automation and transparency of financial and IT controls. Too, the recent mandates for disclosure of security breaches and loss of consumer data expand the scope of HIPAA and Gramm-Leach-Bliley Act (GLBA) mandates. These trends have increased corporate awareness of the need for more-robust identity and access management policies, procedures and IT controls.
Q: How are insurers working to secure customer data and rebuild consumer confidence?
A: Herath, Nationwide: Under federal and state law, we're required to secure customer nonpublic personal information. Therefore, over the past six years, all financial services companies have developed detailed information security and privacy policies and procedures. Most companies also have initiated employee training programs to make employees aware of these policies and procedures as well as their responsibilities under them.
A: Mark Ford, Deloitte & Touche: Laws such as Sarbanes-Oxley, HIPAA and GLBA, as well as other regulations, have come to fruition due to a clear and present demand from the public to hold companies accountable for their actions, which include the use and protection of personal information. These regulations are driving a change in the way corporate America is responding to the application, maintenance and monitoring of control and security throughout the enterprise. From a process and technology point of view, identity management has emerged as a key support structure for building a controlled and secure enterprise. Again, identity management is a complex enterprise solution that can help to solve these types of issues; however, you must first understand the key business drivers for implementing an identity management solution and make sure that your identity management strategy will meet your business goals, one of which may be to provide protection to private information.
A: Zember, FoxT: While a company's network security may have state-of-the-art external authentication and access controls, the different technology platforms and operating systems may not. Public company or not, each insurer must consider internal application access controls, user roles and authentication, segregation of duties, and a very robust network architecture that monitors and reports on internal access violations and attempts to penetrate security, and reports to management both the good news and the bad news. The only way to ensure customer confidence and increase the level of trust is to install the necessary controls and then report on the results of those controls to consumers.