Almost without exception, life insurers view security related to
electronic interaction between themselves and customers as a cost
centre required to meet compliance demands. However, if applied
appropriately security can be a profitable source of competitive
advantage, believes Computer Science Corporation.

A study on digital security in the life insurance market concludes
that companies have the potential for significant value creation
through more strategic emphasis on security initiatives.

The 18-month study, undertaken jointly by technology vendor
Computer Science Corporation (CSC) with the American Council of
Life Insurers (ACLI), explores how carriers can better target their
security investments to support growth and efficiency initiatives
while also meeting compliance requirements.

The study builds on research CSC conducted in 2008 to examine the
impact of what it calls “digital trust,” which refers to the trust
information technology fosters by improving the security and
reliability of electronic transactions. Organisations that create
digital trust position themselves for market gain through enhanced
customer confidence, repeat business and referrals, CSC argues,
citing a growing body of data.

In the current study, CSC and ACLI asked how insurers who have
historically invested mightily in compliance better leverage that
investment in ways that contribute to greater data security.
Indeed, the research asks if it is possible for security to improve
the efficiency, effectiveness and attractiveness of the insurer,
and answers in the positive.

Through a series of interviews with attendees at the 2008 ACLI
Executive Round Table the researchers gained access to perform a
digital trust analysis on a sample of insurer security systems,
which ranged widely and contained a broad variety of components,
including portals, standalone sites, event reminders and online
aids for product examination and comparison.

The researchers generally expressed encouragement at the findings.
Under the examination of a digital trust projection, many insurers
employed practices designed to increase security that have the
potential to capture value currently untapped.

Capturing that value requires changes in security organisation,
security team composition, IT risk governance and security project
definition, in addition to the ways in which security requirements,
features, functions and technologies are chosen. The researchers
said that two concrete steps could be made by life insurers to seek
payoffs from existing systems or in the design process.

First, insurers should alter the IT risk governance model to
include enterprise value creation as an objective. This means
changing the traditional role of security as “gatekeeper” to one of
“value creator.” That is a huge change for security teams, which
now must address the business needs of the enterprise and start
setting operational goals that look at more than “simply repeating
the same functional or operational objectives for security,
independent of the underlying business objectives.”

Second, the researchers urge insurers to take steps immediately to
apply digital trust projection to deployed systems, concentrating
first on “value creation avenues” that have already proven
successful in other industries. The report identifies seven such
areas, including the distribution force, customer service and
portal systems supporting producers.

For example, the study analyses a number of electronic agent
platforms in support of customer service and distribution
management, where ACLI member insurers report cost reductions in
the millions and even greater reductions in field office staff
time. Using an approach that would also incorporate consideration
of generating products faster than the competition and improving
the ratio of sales conversions, the insurer could embrace digital
trust concepts such as secure electronic signature and interactive
customer support, and achieve greater value and greater

Another area cited by the report is the System for Electronic Rate
and Form Filing, which allows insurers to meet the patchwork quilt
of state regulatory approvals required for each new product

Bringing all of the component parts of a life insurance decision
online, in systems that can support everything from needs analysis
and comparison to contract signing and payment collection, can
ensure secure transactions in a way that greatly reduces upfront
processing costs.

“Anytime the enterprise can speed the sales transaction, increase
policy processing productivity, shorten the underwriting timeline
and reduce back office underwriting and underwriting support staff
by as much as 30 percent, then real business is being created,” the
report said.

Despite the obvious payoffs being achieved by these system
deployments, it does not appear that digital trust strategies were
at work in any of them, the researchers found. The role of security
in these systems is still that of gatekeeper, and while the study
found that all were acceptable in the sense of providing for
identification and authentication, encryption and storage, there
were no recorded cases of security teams bringing additional
enterprise value to the system.

Most of the security effort was applied during the latter stages of
development, and in every case, changes were needed later to
include new capabilities and conditions for compliance. Security
teams had neither obligation nor opportunity to introduce security
technology and features that would add further value to the system.
Thus, compliance was all that was achieved – and that is where the
researchers see an opportunity to bring value to the process.

Digital trust strategy would involve the security team much earlier
and more comprehensively in system development and product
creation, causing the generation of an entirely different security
architecture, one that would encompass captive agents as well as
independent agents, for example, thus broadening the sales

In conclusion, the report finds that in the life industry, security
and compliance are looked to exclusively as “constraints” rather
than as opportunities for realising business objectives.
Achievement of compliance and certification are seen as the only
measure of good security, with no connections from the security
teams to the business requirements underpinning system development
and deployment.

Without that connection, the report says, translating business
requirements, rather than merely compliance requirements, cannot