Insurance companies and their customers have made great strides over the past few years toward interacting seamlessly through all sorts of new channels -- most notably mobile. But the executives in charge of information security and privacy at financial services companies see things differently than the average consumer does.
"Any company has to look upon a consumer-grade device as an untrusted device, whether it's used by employees or by customers," insists Roy Post, chief information security officer for New York-based AXA Equitable (nearly $169 billion in assets). "But for my personal life, I embrace all form factors for transactions."
For other insurance executives, however, conducting financial services transactions on the latest smartphone or tablet isn't exactly a no-brainer. "I would never bank on a mobile device to save my life," asserts Kirk Herath, chief privacy officer for Nationwide ($274 million in Q1 2012 net operating income). "I would not link a mobile device even to check balances. They just aren't secure."
Herath concedes that he is overly cautious by nature -- he is so acutely aware of the risks posed by malware that he won't use online banking even from a desktop computer unless he is securely behind Columbus, Ohio-based Nationwide's firewall. Still, he contends that although mobile access to insurance policies and bank accounts has become table stakes for companies, smartphones -- especially the open platform of Google's Android operating system -- pose a threat that consumers must be aware of.
"The amount of malware out there [for Android] is astounding, and these devices are inherently insecure," Herath asserts. "The reason they're cheap and scalable is because they're insecure. A lot of people didn't like the BlackBerry because they couldn't download a ton of games and apps. But that's because it's a closed system, and it's 100 percent secure."
And therein lies the trade-off: convenience versus security. But insurers have to learn to live with the risks, because customers increasingly will expect mobile access. Policyholders demand capabilities such as mobile policy management and mobile bill payment. In P&C, claims reporting also is a popular mobile feature. For life insurance, balance checks are valued. And in the health sector, doctor finders are among the most popular mobile offerings. So what can insurers do to ensure that their customers aren't putting their personal information in danger when they access these mobile capabilities? Here are five keys to helping policyholders safely enjoy mobile convenience.
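Post's opening rule, that a consumer-grade device is an untrusted device, has a concrete consequence on the server side of a mobile feature such as bill payment: nothing the phone sends is taken at face value. The following Python handler is an added illustration and is not code from AXA, Nationwide or any other company named here; the session store, policy records, field names and the per-transaction ceiling are all constructed assumptions. It shows the checks an insurer's back end would apply regardless of how the app on the phone behaves.

```python
"""Server-side handling of a mobile bill-payment request that treats the
device as untrusted. Added illustration; the data below is constructed and
the field names and limits are assumptions, not any insurer's real system."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed sample state: one authenticated session and two policies.
SESSIONS = {"sess-abc": {"customer_id": "C100"}}
POLICIES = {
    "P-1": {"owner": "C100", "balance_due": Decimal("120.00")},
    "P-2": {"owner": "C200", "balance_due": Decimal("80.00")},
}
MAX_PAYMENT = Decimal("5000.00")  # assumed per-transaction ceiling


@dataclass
class Outcome:
    ok: bool
    reason: str


def pay_bill(session_token, body):
    """Validate a payment request whose every field came from the phone.

    `session_token` is what the app presented; `body` is the parsed JSON
    object it sent. Identity, ownership and the amount owed are all taken
    from server-side records, never from the body.
    """
    # 1. Who the caller is comes from the server-side session, not the body.
    session = SESSIONS.get(session_token)
    if session is None:
        return Outcome(False, "unauthenticated")
    customer_id = session["customer_id"]

    # 2. A client-supplied customer_id is at best redundant; if it disagrees
    #    with the session, reject rather than trust it.
    if body.get("customer_id") not in (None, customer_id):
        return Outcome(False, "identity mismatch")

    # 3. The policy must exist and belong to the authenticated customer.
    policy = POLICIES.get(str(body.get("policy_id", "")))
    if policy is None or policy["owner"] != customer_id:
        return Outcome(False, "unknown or unowned policy")

    # 4. Parse the amount strictly as a decimal string: no floats, and NaN,
    #    infinity, negatives, zero and oversized values are all rejected.
    try:
        amount = Decimal(str(body.get("amount", "")))
    except InvalidOperation:
        return Outcome(False, "malformed amount")
    if not amount.is_finite() or amount <= 0 or amount > MAX_PAYMENT:
        return Outcome(False, "amount out of range")
    if amount.as_tuple().exponent < -2:
        return Outcome(False, "sub-cent precision")

    # 5. The balance owed is the server's figure; any "balance_due" the app
    #    included in the request is simply ignored.
    if amount > policy["balance_due"]:
        return Outcome(False, "exceeds balance due")
    policy["balance_due"] -= amount
    return Outcome(True, "accepted")


if __name__ == "__main__":
    # Constructed requests: a tampered identity, then a legitimate payment.
    print(pay_bill("sess-abc", {"customer_id": "C200", "policy_id": "P-1",
                                "amount": "20"}))
    print(pay_bill("sess-abc", {"policy_id": "P-1", "amount": "20",
                                "balance_due": "0.01"}))
```

The point of the design is that the phone can be fully compromised and the worst it can do is submit a well-formed payment against a policy its user already owns, for no more than that policy's actual balance. Each rejection reason is a distinct string so the server can log which check fired, which is also the signal a fraud or detection team would want to see counted per device.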
1. Bring Information Security to the Table Early
In the nearly 10 years that Post has been in charge of information security at AXA, he says he's seen the relationship between information security and other areas of the business reach an inflection point. Now information security is considered at the beginning of development of new customer-facing initiatives, instead of being tacked on as an afterthought toward the end of the line.
"I'm definitely seeing things going the right way when I talk to our architects," Post says. "As a mature organization, we have processes in place so that when business units and IT or business units and outside service providers are developing applications, security is brought to the table at a very early stage."
Nationwide's Herath, who has been dealing with privacy issues at Nationwide since 1999, says it's important for CISOs and other security executives to learn how to integrate themselves into the business so their input is valued and sought out instead of avoided or, worse, ignored. "I see from most of my peers -- when you start a program at any company, you start out unplugged, then you learn to plug yourself in," he explains. "If you're a complete wet blanket, they'll figure out ways of working around you. Then it's the worst of both worlds -- you can't get your job done, and they've introduced tons of operational risk into your business that will eventually come to roost in some sort of financial loss."
2. Establish a Threshold for Acceptable Risk
As insurers try to strike a balance between the optimal user experience for their apps and a secure, trustworthy experience, Herath says, they have to accept that, inevitably, there will be issues. "Mobile devices aren't architected for security -- they're architected for ease of use," he insists. "There's a constant balance we go through between ease of use and security. We understand if we locked everything down tight as a drum, we'd be totally secure, but we'd have no customers."
3. Consider App-Wrapping Technologies
AXA's Post says that as the firm looks to offer more functionalities to its customers via mobile applications, he's explored ways to keep the company's app segregated from potential dangers lurking elsewhere on the phone. These "app-wrapping" technologies, he suggests, offer a heightened sense of security. "What we've been doing on the client front has been very conservative, but I think these are a central part of the solution" to securely offer more capabilities, Post says.
The proliferation of mobile has led to an equal proliferation of operating systems, Post adds, and information security officers are therefore required to be aware of the many different kinds of risks. "With Windows we had a monoculture. Some were concerned that a supervirus would come out and attack all Windows machines anywhere, but that never happened," he says. "And now that we have iOS and Android and Mac in addition to Windows, what that now means is that we have to have deep expertise in not just one OS, but five."
An ancillary benefit of "app-wrapping" offerings, Post notes, is the ability to make the app portable among several mobile platforms.