GROWTH STRATEGY REVIEW


SECURITY AND RISK ASSESSMENT

The role and opportunity for insurance agents

By G. Edward Kalbaugh


Insurance agents, as trusted advisors and insurance experts, are in an excellent position to help clients with security issues.

Author's Note: This article makes no attempt to address security issues related to the tragedy of September 11, 2001, which affected us all in a personal way. The article's focus is on security issues related to increased commercial dependence on the Internet by businesses.

Few would deny that security is now a major part of our lives and a priority focus of commercial clients for 2002 and beyond.

But as companies assess potential vulnerabilities and determine how best to protect their assets, what role and opportunity is there for insurance agents in this process?

First, let's examine security issues and put them in perspective. Before the Internet, the primary concern of businesses was protection of physical assets. Now, with increased dependence on the Internet, protection of information assets requires equal--or more--diligence. According to the Gartner Group, by 2004, business-to-business e-commerce will generate $7.3 trillion in transactions. This is not "dot.com" fluff, but real business transactions. This e-business takes place in several online environments:

* Intranets that enable organizations to apply Web-based technology to their internal networks to facilitate existing and new processes

* Extranets that extend intranets and allow selected partners and customers access to corporate information

* Online Sales to extend product/service distribution and channel efficiencies

* E-marketplaces to create online exchanges where organizations can buy and sell, access new markets, reduce cost and inventory and increase speed to market

* Supply-Chain Integration where business partners can collaborate and integrate critical processes

* Common Online Applications such as e-mail and its attachments, personal digital appliances and cellular devices where people interact with one another on personal as well as business levels.

As these environments rapidly expand into all parts of the world, due to the global nature of the Internet, the security threats will increase and become more severe. For example, the FBI recently reported that the number of "cyber crimes" has doubled and that the issues are becoming more difficult to manage. Underscoring this is the fact that one virus is reported to have cost businesses $6.7 billion in repairs and lost productivity. In addition, the American Society for Industrial Security recently reported that Fortune 1000 companies lost $45 billion to theft of information.

While security attacks can come from the inside, most come from outside of a company. These attacks usually involve theft of information, fraud, and disruptions due to viruses, denial of service and system penetration of various degrees. These security attacks impact companies in four major ways:

Company Valuations--Companies suffer indirect as well as direct losses due to security attacks. Adverse publicity can be a nightmare that erodes vendor, customer and investor confidence, and quickly drives stock values down.

Legal Liabilities--Complex interrelationships created by e-business set the stage for even more complex legal ramifications following security breaches, even if a company is involved only indirectly.

Impairment of Relationships--Companies depend heavily on relationships with customers, vendors, partners and others in the conduct of business. Disruption of these relationships can severely impact the ability of companies to conduct business.

Theft of Proprietary Information--According to security experts, theft of proprietary information causes most of the direct financial losses suffered by businesses. For most companies, proprietary information represents a significant portion of overall assets, so these security attacks represent a real direct threat. For example, information about strategies, sales plans, products, or customers that is stolen by insiders or competitors can cause serious financial loss that is extremely difficult to recover, even with aggressive and competent litigation. This is especially true when privacy is violated.

What can insurance agents do?

As trusted advisors and insurance experts, insurance agents are in an excellent position to help clients with security issues. This help can come in the form of what is commonly referred to as ERM or "Enterprise Risk Management."

ERM is essentially a holistic view of the business from the perspective of risk assessment, avoidance, mitigation, and continuity/recovery. These four functions of ERM include a combination of technology and human processes that examine every facet of the business to determine how to best protect assets. ERM can be complex and involve a fairly diverse set of skills and expertise. Accordingly, insurance agents will have to partner with experts in order to deliver a full ERM service capability. For example, Allegent brings in a strategic partner, eCommSecurity, to perform the online security audit portion of the ERM assessment function. eCommSecurity personnel are recognized experts in centrally managed online security services and products that address high availability, distributed data and automatic disaster recovery capabilities.

Some of the major phases of an ERM project include the following:

1. Perform an Initial Assessment to determine risk factors, potential exposure, and what mechanisms are in place--or needed--to address any issues or concerns. This is essentially a data collection and synthesis process that is made more difficult and time-consuming by the size and complexity of the business, even with automated tools that facilitate the tasks involved.

2. Develop Policies and Goals that match security needs with business realities, such as availability of financial, human and other resources. Policies and goals should be published, actively supported by management and reinforced periodically in order to ensure buy-in.

3. Develop Security Standards that complement policies and goals and that take into account all assets and the systems and technology within the enterprise.

4. Develop and Implement Risk Management Programs that address risk avoidance, mitigation, and continuity/recovery. For example, risk avoidance and mitigation may include protective measures combined with insurance to transfer some of the risk. Continuity/recovery might include implementation of a product such as eCommSecurity's "Automatic Disaster Recovery" platform, a smart networking technology that provides real time automatic disaster recovery.

5. Continuously Educate and Train personnel regarding all aspects of phases 1 through 4 of the ERM program.

6. Continuously Perform Compliance Audits to ensure that all facets of the ERM program are working and up to date.

In summary, by further understanding ERM and by partnering with experts, insurance agents may be able to offer the same services to their clients as the large national brokers and consulting firms. This added capability has the potential to generate fee revenue for insurance agents, to surface additional insurance coverage areas, to protect agents from potential liability issues, and to enhance client relationships and interdependency.

The author

G. Edward Kalbaugh is a partner of Allegent Growth Strategies, a full-service consulting firm specializing in services to the insurance industry.
He can be contacted by e-mail at info@allegentgsi.com or by phone at (516) 364-7034.