GROWTH STRATEGY REVIEW

By G. Edward Kalbaugh

INFORMATION SECURITY IS CRITICAL TO RISK MANAGEMENT

Network security technology combats potential problems

Much of the malicious activity is conducted in stealth mode ... [which is] largely hidden except to highly trained network security experts using sophisticated detection methods and devices.

The letter received by my son from his bank was typically bureaucratic in tone. "We are sorry to inform you that the CJ's Wholesale Club¹ database was compromised and a number of credit card numbers stolen. However, we are pleased to inform you that we have enclosed your new credit card." Immediately thereafter he learned that someone in the Dominican Republic was living like Donald Trump on his credit card. He'll probably stay with the bank, but I'll let you guess if he is still a member of CJ's.

Is the public generally aware that this type of privacy breach is taking place more frequently and with increasing impact on the financial health of companies? Probably not before the deadlines imposed by the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), or the Gramm-Leach-Bliley Act (GLBA), when most companies preferred to keep hidden any indication of vulnerability or exploitation of their information assets and breaches of customer privacy.

However, now that the acts referred to above are in effect, those same companies operate under glass. They must self-assess and certify the risks for business processes that affect consumer privacy and company financial reporting. In many ways, insurance agents will become partners with their clients in monitoring and controlling these information security risks. See the box on page 97, "Guidelines For Achieving Security of Information Assets."

The real financial impact from information security breaches is not in direct costs. It is in the form of indirect costs, such as lost sales, weakened customer and trading partner relations, and legal liabilities. These indirect costs, while hard to measure, can be substantial. For example, a company with a $1 billion market cap that suffers a 5% drop in market valuation will have lost $50 million.

In the case of public companies, as illustrated above, the costs of information security breaches are relatively easy to measure, thanks to free market trading. In fact, recent research conducted by Martin Loeb, professor at the University of Maryland's Smith School of Business and a member of the team preparing the 2004 CSI/FBI Cybercrime Study, indicates that information security breaches in which confidentiality is violated reduce the affected company's stock market value by a measurable amount: slightly more than 5% of its market valuation. In the case of private companies, we have no reliable way to measure the indirect impact on value caused by information security breaches.

For both public and private companies, insurance carriers have not yet perfected actuarial metrics sufficient to underwrite the major indirect costs of information security breaches. And if insurance companies were to perfect their actuarial and underwriting requirements, would their policyholders be willing to pay the resulting premium? Remember the $50 million loss in the example above? At reasonable multiples, the company's market cap equates to about $200 million in revenue. Accordingly, the insurance premium could represent around 10% of revenue, a number no CEO could ever afford to authorize.

So what can be done?

Before exploring the answer to that question, it is important to understand that almost all information, and the processes and controls related to that information, flow through and are implemented in network infrastructures that span cyberspace. And cyberspace is comparable to a war zone.

While the impact of high-profile attacks such as SQL Slammer and SoBig gains attention, much of the malicious activity is conducted in stealth mode by hostile nations and individuals constantly probing our critical infrastructure networks for vulnerabilities to be exploited at some opportune time. This stealth activity remains largely hidden except to highly trained network security experts using sophisticated detection methods and devices.

These experts understand that most companies are ill-equipped to defend against any coordinated attack on information assets. This is because, in most companies, network defenses are built around isolated devices providing single specific functions independent of other devices. These single solutions, or "point" solutions as they are sometimes called, cannot defend against coordinated attacks that exploit multiple vulnerabilities.

Information security industry experts are beginning to recognize this weakness and are urging security companies to respond with better systems for protecting information assets. As a result, the larger network security companies are attempting to stitch their individual products together into an integrated solution. However, these stitched-together attempts do not achieve the desired solution, which is to provide a platform that unifies and automates the security monitoring and management of all devices on the network, and that provides active and continuous threat avoidance.

Such a solution would enable insurance companies to reliably assess and certify the information security preparedness of their commercial policyholders as part of the underwriting process.

An illustration of how this process would be accomplished can be provided by describing a typical implementation of SolventView™, an information security platform from Allegent Technology Group. SolventView integrates with all network devices and provides central command-and-control management of network security across the enterprise.

When SolventView is installed on a network, it automatically discovers all the devices on the network and records their specific configurations in a database called a Configuration Library. It then automatically performs a vulnerability assessment of those devices and records that information in the Configuration Library as well.

SolventView then automatically fixes some of the vulnerabilities by reconfiguring the devices or installing software such as patches. For those it cannot automatically fix, it notifies network security personnel, who administer the corrective action.

These actions take place within the guidelines of information security best practices and company policies, which are recorded in a policy database.

From that point forward, SolventView automatically and proactively monitors and manages the security of all devices and assets on the network, including business applications and databases. For example, if an authorized user were to attempt deletion of a medical record, a HIPAA policy would be invoked to prevent the deletion. In another example, if an unauthorized device attempted connection to the network, it would be denied access under best practice security rules or corporate security policy.
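The preceding paragraphs describe a loop: discover devices into a Configuration Library, assess them against a policy database, fix automatically what can be fixed, hand the rest to an administrator, and then enforce policy continuously (blocking a medical-record deletion, refusing an unknown device). The following Python sketch is an added example written for this page to make that loop concrete; it is not SolventView or any Allegent code, and every device, rule identifier, configuration value and policy name in it is constructed for the illustration.

```python
"""Toy model of the discover -> assess -> remediate -> enforce loop described above.

Constructed example, not SolventView or any Allegent code. Device records, policy
rules, identifiers and the record store are all made up for the illustration.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Configuration Library: what "discovery" recorded about each device (constructed).
CONFIG_LIBRARY: Dict[str, dict] = {
    "fw-edge-01":  {"mac": "00:11:22:33:44:01", "telnet_enabled": True,  "patch_level": 3, "snmp_community": "public"},
    "db-hipaa-01": {"mac": "00:11:22:33:44:02", "telnet_enabled": False, "patch_level": 5, "snmp_community": "r0Xq8"},
    "ws-hr-17":    {"mac": "00:11:22:33:44:03", "telnet_enabled": False, "patch_level": 2, "snmp_community": None},
}
CURRENT_PATCH_LEVEL = 5  # constructed: the vendor's newest release in this toy world


@dataclass
class Rule:
    rule_id: str
    description: str
    violated: Callable[[dict], bool]            # True when the configuration breaks policy
    auto_fix: Optional[Callable[[dict], None]]  # None means a human must act


def _disable_telnet(cfg: dict) -> None:
    cfg["telnet_enabled"] = False


def _apply_patches(cfg: dict) -> None:
    cfg["patch_level"] = CURRENT_PATCH_LEVEL


# Policy database: best practice plus corporate policy expressed as rules (constructed ids).
POLICY_DB: List[Rule] = [
    Rule("BP-01", "Clear-text management (telnet) must be disabled",
         lambda c: c["telnet_enabled"], _disable_telnet),
    Rule("BP-02", "Device must run the current patch level",
         lambda c: c["patch_level"] < CURRENT_PATCH_LEVEL, _apply_patches),
    Rule("BP-03", "Default SNMP community strings are forbidden",
         lambda c: c["snmp_community"] in ("public", "private"), None),  # no safe auto-fix
]


def assess(library: Dict[str, dict], policies: List[Rule]) -> Dict[str, List[str]]:
    """Compliance assessment: the rule ids each device violates."""
    return {host: [r.rule_id for r in policies if r.violated(cfg)] for host, cfg in library.items()}


def remediate(library: Dict[str, dict], policies: List[Rule]) -> List[Tuple[str, str, str]]:
    """Apply every available auto-fix in place; return tickets for what needs an administrator."""
    tickets = []
    for host, cfg in library.items():
        for r in policies:
            if not r.violated(cfg):
                continue
            if r.auto_fix is not None:
                r.auto_fix(cfg)
            else:
                tickets.append((host, r.rule_id, r.description))
    return tickets


def run_cycle(library: Optional[Dict[str, dict]] = None, policies: List[Rule] = POLICY_DB):
    """One assess -> remediate -> re-assess pass on a copy, so the inventory is not mutated."""
    lib = copy.deepcopy(CONFIG_LIBRARY if library is None else library)
    before = assess(lib, policies)
    tickets = remediate(lib, policies)
    after = assess(lib, policies)
    return before, tickets, after


def admit_device(mac: str, library: Dict[str, dict]) -> bool:
    """Network admission: only devices already in the Configuration Library may connect."""
    return any(cfg["mac"] == mac for cfg in library.values())


@dataclass
class RecordStore:
    """Application-level enforcement modelled on the medical-record example in the text."""
    records: Dict[str, dict]
    audit: List[str] = field(default_factory=list)

    def delete(self, record_id: str, user: str) -> bool:
        rec = self.records.get(record_id)
        if rec is None:
            return False
        if rec.get("category") == "medical":  # constructed retention rule stands in for the HIPAA policy
            self.audit.append(f"DENY delete {record_id} by {user}: retention policy")
            return False
        del self.records[record_id]
        self.audit.append(f"ALLOW delete {record_id} by {user}")
        return True


if __name__ == "__main__":
    before, tickets, after = run_cycle()
    print("before:", before)
    print("tickets for administrators:", tickets)
    print("after auto-fix:", after)
    print("unknown device admitted?", admit_device("de:ad:be:ef:00:01", CONFIG_LIBRARY))
```

The point the split between `auto_fix` and a ticket makes is the one the text makes: reconfiguration that is safe to automate (turning off a clear-text service, applying patches) is done by the platform, while a change that needs judgement (choosing a new SNMP community string and updating every poller that uses it) is routed to a person, and the re-assessment shows exactly what remains open.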

The implications for the insurance industry of such an information security system are immense. Companies that implement a system such as SolventView would significantly reduce exposure to risk and significantly improve mitigation should any breach occur. Just as important, insurance underwriters would have a reliable, comprehensive view of the information processing infrastructure and how it is protected. This transparency is essential to improving the underwriting and coverage of information security risks.

Insurance agents should make their best efforts to ensure that their clients with significant information assets and processing exposure have adequate network security systems in place. However, such technology is only one weapon for businesses to use in combating information security breaches. To do a complete job, agents will need to utilize strategies involving broad risk management practices and insurance protection.

The author

G. Edward Kalbaugh is a partner with Allegent Growth Strategies, a financial and management advisory firm that helps agencies grow organically and through merger and acquisition. Allegent's offices are located at 100 Crossways Park Drive West, Suite 104, Woodbury, NY 11797. Ed can be reached at (516) 364-7034.

____________________________________

¹ This is a real example, but the name is changed to maintain the company's privacy, something they failed to do.

GUIDELINES FOR ACHIEVING SECURITY OF INFORMATION ASSETS

Technology plays a major role in helping achieve security of information assets. But ultimately, the protection of assets rests primarily with the people involved, especially since the majority of malicious events are the result of internal activity. Accordingly, we offer the following guidelines for agents to assist their clients.

1. Security policies must be documented and enforced.

2. Mission-critical data must be regularly backed up and safely stored.

3. Passwords must exceed 10 characters and be changed often.

4. Physical and electronic authentication should be enforced.

5. Mission-critical data should be properly encrypted.

6. All network security devices should be monitored, preferably on a 24/7 basis.

7. An information security risk assessment and a policy compliance audit should be conducted at least once per quarter.