Global Reinsurance, in association with SAP and Deloitte Consulting, recently hosted a roundtable discussion on systems and risk.
The participants were:
David Wilson: Welcome everybody to this Roundtable, which has been organised by Global Reinsurance magazine. The topic is '21st Century Systems and Risk'.
So, perhaps I might start by asking each of you to introduce yourselves and give us an idea of your responsibilities within your company. Perhaps I could start with you John?
John O'Neill: I'm the commercial products director of Cunningham Lindsey. We're a worldwide firm of loss adjusters with offices throughout the globe. What we're seeing now is that more and more claims that we're dealing with feature technology in some shape or form. So I look at how digital risk is affecting the work we do, and I'm here to contribute on that side from the claims aspect.
Rex Parry: I'm a partner from Eversheds. My specialist area is IT and e-commerce. I advise businesses of all sizes and types in a huge range of sectors on issues relating to IT and e-commerce.
Harry Croydon: I'm the CEO of SafeOnline. SafeOnline was set up specifically to address risk insurance issues. We deal with products covering digital risks and we sell them principally in the US, but numbers are growing in the UK and now in Spain as well.
Lloyd O'Keefe: I'm from SAP and I'm the business development manager for our sales unit. My responsibility is for promoting firstly the solutions that we are developing specifically for the banking sector commissions for core space and core banking, and secondly the insurance sector, where we are developing solutions specifically around supporting policy administration and claims processing.
Susan Savage: I work with Acord here in London. My responsibility is member relationships and encouraging not only membership participation in Acord but also the development and implementation of standards. We have approximately 250-300 members around the world, insurance and reinsurance companies, as well as a close working relationship with a number of software companies.
Colin Brown: I work for AON. For those of you who don't know, AON is a very large insurance broker and research company. At present, we are in 130 countries and have about 50,000 people. I am a director in AON Special Risks with a focus on price establishment. Specifically we deal with things like sabotage and terrorism, corporate distortion and digital risks.
My specific remits are twofold: I look at cyberrisks, or digital risks, for AON in the UK and secondly it's my responsibility to make sure that we can communicate effectively through a large network in many, many countries to ensure that we're providing clients with advisory services on the whole issue of crisis management, digital risk being one.
John Hodge: I'm the chief information officer at XL Capital. XL Capital has representation in about 60 countries. My job is to try and pull together the various initiatives that are going on around the world, into the type of initiative that you would expect to support a truly global organisation, which is what we have become in the last few years.
David Wilson: What I'd like to do is start with John. Perhaps we could have your view of the last five years or so - the end of the 20th century, if you will, and the beginning of the 21st - where the successes and failures have been, in terms of technology, with regards to insurance. Also, could you contrast what has and hasn't worked, and how you think those factors might lead us forward?
John O'Neill: Well, I think over the last ten years or more we've seen a lot of very exciting technological developments. I think the challenge for businesses has always been to make use of technology in a productive way, where it's actually going to reduce costs or enhance the bottom line. I think what we've seen is a lot of technologies that have come about that either haven't fulfilled that potential or have been made to live up to that potential in a way that has been expensive to implement. That is something that I think we're continuing to see. I think when we look at systems we need to ask ourselves what we define as a system. Are we talking about just technology here or are we talking about the people and the processes that also go into making that technology work? From our point of view as loss adjusters, what we often see is that when something goes wrong, it's not only the technology that might be going wrong, but it's actually how that technology is used by the people who have to work with it. Very often we find people working with technologies that they're not, perhaps, fully familiar with, and that can be for any one of a number of reasons. But they need to understand it so that when it goes wrong they know how to deal with it so they can implement their contingency plan.
David Wilson: So you see the challenge as really the interface between people and technology?
John O'Neill: Oh very much so. If you focus purely on what the IT press has to say, it's all about technology removing the roles of people and how things are going to become more efficient, because of the computer that's going to do all the work for us. Whereas, in reality, in the back office there is a small army of people that make those processes work and that's often not realised. I think as we go forward, we're going to see more of a need for focus on training, to make sure people can get the most out of the technologies that have been developed and implemented. And we need to see processes being mapped out, not only within an organisation but across organisations where trading starts to take place using internet technologies. There needs to be an understanding as to who does what and when and how within that chain, so that if any one element of that chain - or perhaps more properly we should describe it as a web - if something goes wrong, we need to understand why it has gone wrong and what we can do to fix it quickly.
David Wilson: Thanks John. Perhaps we'll come back to some of those interface issues because it's an interesting topic. Rex, perhaps we could have your thoughts?
Rex Parry: Yes. To echo some of what John has said, systems have become all pervasive and the critical attributes of a huge number of systems have increased massively. Business now depends on systems to a very large extent. I think in the insurance sector there's been rather more reticence than in some other sectors to go full steam ahead but I'm not sure that isn't actually of benefit in some cases, having seen some of the dot.bomb disasters that have taken place over the last 18 months or so. One of the things that really does concern me, going forward, again echoes what John was saying. It's really about the level of awareness, particularly at the boardroom level, around risks: what risks businesses actually run now and where those risks really are. Until people have an understanding of those aspects, they're not going to be able to insure their risks appropriately.
David Wilson: It's an interesting observation that boards of insurance companies don't understand their risks.
Rex Parry: Not necessarily boards of insurance companies but companies generally. Actually, it would be quite interesting to have a conversation with board members about some of their technology and where the risks lie.
David Wilson: Yes, I think so. Harry, you've been very much involved in the changes that have taken place.
Harry Croydon: Yes. My background is not just insurance, it's technology as well. I've worked for many technology companies and what's been striking over the last few years is the poor project implementation to poor business sign-offs. It would be interesting to know if the insurance companies do understand their risks beyond the adage of 'the car mechanic's car never works'. I think it's probably true of lots of businesses around the world. The nature of technology, I feel, over the last few years, is that people have just become much more reliant on it without actually thinking about it. A few years ago, not getting your post on a Monday would have been a bit of a problem. Now, not having your email up would be a critical business failure - not having it there for an hour, or even ten minutes could make businesses fail. So I think people have generally adopted lots of these technologies without necessarily looking at what the impacts are internally or externally. People blindly - in some respects - outsource businesses and business processes without actually passing on a lot of the risk management. Where they do some things internally, they have fantastic security and then ... out it goes. They outsource a part of the business over which they have their biggest security hold. So risk management has become much more important than actually looking at all the processes.
David Wilson: So again, we're talking about boundaries. Where the responsibility lies within the businesses.
Harry Croydon: Yes, and I think the word `web' actually conjures up the word `strength'. If you chop a little bit out of a web nothing much happens but I'm not sure that is actually true.
David Wilson: Lloyd, perhaps we could have your view now?
Lloyd O'Keefe: Just to pick up on one of the views that was expressed, and that is some of these institutions' ability to really optimise their investment in technology. I think a lot of institutions have underestimated the impact that business process change and changes in controls, roles and responsibilities and working practices of introducing technology have actually had on their business. Hence, they haven't really been able to optimise what they've got in place. And, to be slightly controversial, a lot of insurance companies also have this home-grown or in-house technology capability in terms of developing solutions. But if you look at other sectors, whether retail or high-tech, in terms of implementing solutions, many have embraced standard software to enable them to drive efficiencies and return on investment, rather than rely on huge in-house capabilities to develop solutions. So maybe that's an area that the insurance sector needs to consider, in terms of moving forward and embracing new technology.
David Wilson: Do you see this beginning to happen or are we still effectively using skills that are internal skills rather than knowledge-based skills?
Lloyd O'Keefe: Well, I think you've seen it in the front office, in terms of all the customer interaction-type processes. But in the back office, there seems to be a high tendency of using in-house capability and in some respects, I suppose, there is almost a 'do nothing' type tendency and attempts to enhance and modify what is in place.
David Wilson: Susan?
Susan Savage: Your question about where have the successes been in technology in the past five years and where have the failures been. In Acord, we've noticed a subtle shift, where the successful use of technology has actually been because it's business driven. The company itself has allowed the culture to change and adapt in order to get the most out of the system solution that has been provided. So, it's business driven as opposed to expecting the software solution to be the 'panacea', to be the 'cure-all' for what really means - you touched on it, Lloyd - business process reengineering. As opposed to expecting a software solution to plug in and solve all their problems. So, where we have seen companies successfully, for example, implement some of the Acord standards, it's been because they have brought their people along with them. They've encouraged a change in the culture and how business is being done and they've seen the systems being implemented as a tool as opposed to being the solution itself.
David Wilson: Thank you Susan. That's quite interesting. I could see a number of those things from my experience and perhaps we'll come back and pick up on what everyone has said towards the end. Colin, if you could give us your view of where we are and what changes you've seen within AON, in terms of their attitude towards technology?
Colin Brown: First of all, I would say the thing that struck me over the last five years is the rate of change in the way that technology is used, both within the insurance industry, with the internal projects that we run, and the way that we interface with our underwriters. And also, perhaps more importantly, with the clients that we work with. Now, the reason for this acceleration in the rate of change is seeking some sort of competitive advantage. Now, whether that's trying to seek an advantage in the way we process internally - it could affect any business in the way that it interacts with its key partners or stakeholders - or whether it's externally - in the way that we provide our services or products to our clients - the reality is, we're trying to gain advantage over our competition. Clearly we're trying to reduce our own costs, increase margin and increase revenue.
The concern I have is that in my experience, that rate of change in the way that technology and business is adapting is not matched by the way that many businesses understand their potential exposure, and I mean this in the absolute widest sense of emerging risks. Those risks may well be their own business interruption, it could be perhaps protection of proprietary information or it could be liability issues or exposure to employers' and officers' type liability. But the reality at the moment is that there seems to be a disconnect between technology adoption for good business reasons and the way that this risk is managed. Now, if we look at the next layer down within organisations, there are a number of areas that we can explore. One might well be, 'Are organisations structured in a way that enables them to effectively deal with this type of risk?' Do we have adequate coordination mechanisms in companies that tie together the different silos in many of the business units that we come across?
How do those companies start to promote best practice across the entire network of business associates they deal with? We've already heard Harry talk about outsourced services, that's one component of it. So, I think these are the areas that we need to address - that from a business point of view, the successes are the fact that we are using technology to gain advantage, to improve the service that we provide to our customers and, internally, to provide us with an edge over the competition. However, that comes at a cost and I don't think we fully understand what that cost might be yet.
David Wilson: I would like to come back to that because I think that there are some interesting things to come out of that in terms of the perception of risk in IT and whether it's a measured perception. I have some challenge to that. John, what's your view? The last five years and the next few?
John Hodge: I think, let's start negatively, as far as the failures are concerned. I should think today we still rank up there as one of the most inefficient industries and thus we've got problems. We can't blame that fully on technology. We have technology that is available to us, but as Sue was saying, there are a lot of initiatives that are going on to try and make us more efficient and we really haven't taken advantage of that as an industry. I think the driving force - where there has been a little bit more success and where there has certainly been a lot of activity - has been us becoming more global in our outlook. I think that's across all industries, but no less than with the reinsurance industry, and as we've become global, there has been a change of attitude, a change of culture and a change of information need. XL is a part of a number of research organisations and one of them has really been exploring the impact of globalisation. I was sitting there with one of my industry peers, who I've always thought of as a major, global player, and what I found fascinating was the sudden realisation that being international doesn't mean to say that you're global. His particular organisation was trying to put together a program, that had only been active for about a year or 18 months, to try and become a global organisation, even though the perception in the marketplace was that they were probably already there.
That has been very important I think to XL. XL has grown through acquisition. If you go back about five years, we were about five companies with just a few hundred people. Now we're sort of a hundred companies, of which 40 or so are true operating companies, and we manage global accounts. That puts a lot of pressure on being able to build a relationship. We're in a relationship business and we believe very strongly in the old adage of 'thinking global and acting local'. But you can't be parochial when you're acting local because you're part of the global scheme. So it's very important for us to have in place systems that support the ability to talk about a total relationship. If we're going to have a meeting in London to talk about our relationship with AON in Singapore, before that meeting we need to be able to identify that in Singapore, perhaps AON doesn't seem to be producing as much business as we would expect. Well, if that's the case, we need very quickly to find out whether, in fact, AON is doing a wonderful job in presenting us with any number of submissions and we're just not able to underwrite it. We may not be thinking about the global impact of some of those accounts, or whether, in fact, AON is actually presenting us with this sort of business. Well, if you are going to have a partnership or a relationship, you've got to understand the relationship. There's a tremendous need, I think, for support and information systems there.
And that really ties together with the aggregation of risk. The events of September 11 clearly brought home to us all that we were in a global business and we weren't necessarily dealing with the global aggregation of risk as well as we should have been. I think that is a big change for us. So I think the inefficiency of the industry and the move towards globalisation are two big drivers for us as we go forward in the new century.
David Wilson: I think that's a very interesting outlook - the globalisation knowledge requirement. To pick up on one of the things I got out of this, I found it quite interesting that John (O'Neill) started with the words - which I find quite unique to this industry - `back office'. There does seem to be still a huge division between the front and the back, which you don't see in other businesses, so maybe we should have a look at that.
We see the insurance industry as a poor adopter and the senior management perhaps as not having a full understanding of how their business operates at technology level, which is again part of this 'front office/back office' issue.
We've got poor implementation practices and I think we've all seen evidence of poor value for money on technology. Businesses don't really understand the boundaries and the responsibilities and the systems used. Do we all agree that there's been relatively poor value for money in our experience?
Harry Croydon: I don't think that has necessarily held just for the insurance industry. I think there is massive poor value for money. I think, across the globe, something like 80% of IT projects don't get finished. I don't think it is just the insurance industry, although this 'front office/back office' thing is a tough thing.
David Wilson: I think what we heard from Colin was the importance of gaining competitive advantage, and that technology is there to give a commercial advantage. Perhaps we could come back and discuss whether or not the industry has actually co-operated, because there does seem to be a highly competitive motivation. If we look at other industries, banking has created back settlement systems and a number of cooperative enablers, which have allowed them to compete on a platform.
Lloyd O'Keefe: SAP has had a major focus in terms of developing solutions specifically for the retail banking sector, but we've also developed solutions for other areas of banking - predominantly around back office business support processes, which are typically cross-industry based anyway. So, it's been quite an easy transition to take all those types of solutions and adapt them for an insurance business. A lot of the banking expertise that is helping us in the insurance sector is around aggregated accounts and the integrated banking concept of the one account. We're developing building blocks to support multiple products but we're also developing technology to actually bring all those products together in a way that gives a single customer view. That type of capability is helping us, for example, in the life and pensions sector at the moment, where we're developing the capability to deliver wrap products. This gives those organisations the chance to gain competitive advantage through actually wrapping investment products together and delivering them via their sales channels to their customers.
John Hodge: If I can make just one comment on the difference between the insurance industry and some of the other industries? When we take a view that perhaps the insurance industry hasn't taken advantage of technology, there are probably many in the industry that don't adapt well to change, but you can't just put it down to that. It's quite an interesting industry in that if you look at the industries where there has been significant change, there are a few dominant players. We don't have dominant players in this industry that can drive through change. That makes it much more difficult to see change take place because you have to have a consensus. It's a challenge for our particular industry because we don't have those few dominant players that can actually force the change. So, if you look at General Motors, for example, they can put in place a value chain through all their suppliers because they're so large and those suppliers are very dependent on them. That's not true necessarily within the insurance industry. You don't see that same dominance.
David Wilson: In the insurance industry, we have some global leaders in the broking community. Are you suggesting that the brokers could have a role in setting these operational standards?
John Hodge: Absolutely. I think the brokers are very, very much in the driving seat. They themselves have clients, and those clients are in the insurance companies and there are a lot of insurance companies that they do business with. So they have their own difficulties in trying to work out how to do that but they can go far. The dominant players have to be at the client level for these types of changes to take place.
Colin Brown: And this is happening now in my division. There are a number of initiatives going on about one of the things you mentioned earlier, which is front office/back office. If you look at that from a traditional broking point of view, we're talking about the guys that wholesale insurance into the various markets, or those that deal on a day-to-day basis with the clients, in a client management role.
What we are in the process of doing is actually tying together a chain that includes the insurance markets that we use, through the wholesale and straight through to the client. Because the reality is, particularly post-September 11 in the areas that we deal with, the placing of insurance for clients is incredibly difficult. If you come to me and say, 'I would like you to view this risk and provide me with options and I need an answer in the next two weeks,' we've found that it's been difficult to achieve that. On occasions, it's taken us three or four weeks. When you look at digital risks, then the underwriting process can be incredibly tortuous for clients. This is driving initiatives - not just within AON, but I suspect within Marsh and Willis and other organisations too - which are increasingly about how we can provide a service to our clients. From a commercial point of view, we want to get away from the point where we are an intermediary supplying a commodity. If you're supplying a commodity it becomes very easy for a client to move to Marsh or Willis, etc. I expect that the initiatives that we have in place, which focus on how we service clients, are probably being replicated in the other major broking houses.
David Wilson: Susan, what's your feeling on this?
Susan Savage: I think first, I'd like to touch briefly on what we were saying before about the front office versus the back office. If we speak specifically about the London market, as opposed to the US market or other parts of the world, if you look at how the London market operates, there's always been this great division. Some of it has been about the broker, where you have the front-end, the glamorous part about the client interface: doing the deal, wining and dining the underwriter, walking around with the slip-case and being seen to be the money maker. So, that was always the fun side of it to be in. And then you have the back room, which was actually removed from some companies.
Back offices were put in Ipswich and they were put in Romford and they were put in Southend and there was a sense of, 'can't have any of that coming anywhere near us because that's all the boring stuff'. You know, that's all the coding, the accounting, the settlement, all that kind of thing. Until, I would say, about six or seven years ago, when they realised just how expensive some of these risks were to actually place and service. At the end of the day, you're as good as the claim that you pay on behalf of the client.
But people were spending the money they were making as commission within the first one or two years, so that when run-offs, for example, started to become an issue and there were no funds left, it started to focus people's minds that back office and front office should not be that far removed. You have to look at it collectively, and as John was pointing out, it's one thing to believe that you're a global player but there has to be an even stronger communication between the underwriter, the broker doing the deal and the backroom that's coping with all the information and, unfortunately, the claims that come about.
So, at Acord, our philosophy if you like, has been really quite strongly addressing back office operations. Things like closing and accounting settlement. Even acknowledgement, so that if you send me a message, for example, we've actually worked it out so that a message comes back saying, 'I've had the message.' This means you're closing the loop so far as, 'Did you really get that electronically? I better call,' which defeats the whole purpose of trying to get things streamlined. We're trying to drive down the costs to free organisations, like AON and Willis and Marsh, to be more competitive in what they do best, which is looking after their clients and finding the best underwriter for an exposure. And from the underwriting and the reinsurance point of view, being allowed to do what they do best, which is underwriting. So, we're saying a lot of awareness, from the business people in these organisations, and not just the IT, has changed everything. We're saying we have to become more efficient. Implementing some of these standards does not jeopardise any kind of commercial sensitivity.
In fact it helps because if AON uses XML standards to correspond with John (Hodge) and to correspond with my colleague at the end, who is a loss adjuster, and who's a very important part of this loop, that's just great, because he can loss adjust to the best of his ability, which helps everyone perform. So, we're seeing a lot more co-operation and communication, in particular, in this market. The events of 9/11 really focused people's minds because they were not aware of, in some respects, how much it was costing them to do business and where that business was.
I do want to make it clear that Acord doesn't sit in isolation and decide, 'I know, we need a new standard.' We actually have a pool of members. We have over 400 volunteers from all of our membership - the insurance and reinsurance side as well as software vendors - that work with us in creating those standards. And we don't create the standard unless we have a pilot. That was another point I wanted to make: there is this massive cooperation, where you have industry leaders sitting with their competitors working out the best way forward.
John Hodge: I think the industry hope for Acord is that they take it back a little bit further down the chain, because a lot of the industry initiatives have been taking place within the brokers and the reinsurers, and there is obviously variation through geographic territory. If you take the US for instance, XL receives about 1,000 EDI transactions a month - accounting and primary accounting transactions from all our brokers. They all send us EDI messages. We then print them out and we sit there and we wait for the bordereaux to come from the insurance companies, because we believe that we've got to have an accurate breakdown by line of business and territory. Well, you only get that from the insurance companies. Today the broker doesn't actually have the information that the reinsurer needs to be able to honour its statutory obligations. So, it really is complicated and we rely very heavily on brokers. But then, how is a broker to get the client to do the things that we need them to do as an industry? That's one of the challenges that we hope Acord can help us with, because they're so strong within the insurance carriers' space.
David Wilson: Just switching back to something else that was said: people don't understand their IT risks - they seem to be transparent or invisible risks. There was a saying, and I can't remember the exact percentage, but any company that has a major fire has a 20% - 30% chance of survival. Perhaps there's a great deal of secrecy about IT issues? Do companies actually go bust when the IT fails? Do we know of companies that have ceased to exist?
John O'Neill: Oh we have an example, that Harry probably knows better than me, but an internet service provider that was actually hacked to death through denial-of-service attacks that were mounted upon it. Was it Cloud Nine?
Harry Croydon: Yes, Cloud Nine.
John O'Neill: Cloud Nine. Too many enquiries electronically, they couldn't cope with it. They had to sell out their business.
David Wilson: Was that malicious?
John O'Neill: It was malicious, yes. That's an extreme example, though. What we typically see is that the companies that don't have adequate disaster recovery plans in place are more prone to corporate failure in the ensuing 18 months. Now that can be because of IT failures, it can be because of, more typically, a serious fire or a flood, or a fire or flood affecting one of their key suppliers.
David Wilson: Yes. But the incidence of the IT equivalent of arson ruining businesses? The example we've got is Cloud Nine, where they were particularly vulnerable.
Rex Parry: It's quite interesting. People did some research last year. They spoke to 1,000 companies. Forty-four percent had had some sort of security issue in the previous twelve months. The average cost of that was £30,000 per company. So the issues are there and they're real and they're not well understood. It's quite interesting the direction that this conversation has gone because it's looking at the risk of external people coming in. But 86% of the attacks on systems come from employees and contractors you've got on the site. People need to start focusing on the processes they have in place to minimise those risks.
David Wilson: Are we looking there at malice or simply carelessness or indifference?
John O'Neill: It can be both. Very often we think that, to use our hacking example, it can happen from the outside. More typically, fraud takes place from inside an organisation. We've dealt with a number of claims where it's been an insider who's actually been involved in perpetrating whatever it is that's gone wrong. And that has actually been very costly to the employing organisation.
Harry Croydon: It's also a lot easier now, I think. That's the issue. How long would it take me to write a thousand letters on company-headed notepaper, put the addresses on the front, stick them in the out-tray and get them out? That's a malicious attack on all your customers. Now, I can quickly write an e-mail, copy down the database, and send it. Same thing: company-headed paper. People just treat them differently. That takes two seconds after somebody is made redundant.
Rex Parry: We also had a client who had a problem with someone they'd made redundant. The person concerned e-mailed the marketing list to themselves at home so they could go and compete the next day. The only reason they found out was that it was such a big attachment that it crashed the system. There was no process in that company to prevent that person taking those steps.
David Wilson: I'm not being a Luddite in this but, in the days before technology, people would laboriously alter book-keeping systems and steal ledger cards - if you remember the old ledger cards. I mean, there were similar techniques available. They were harder work perhaps, but ...
Colin Brown: It's hard to walk out with a filing cabinet. It's easier if you put it on a disk or send it directly to another account. But I think we need to understand that with digital content, it doesn't matter if it's intellectual property for a software company or whether it's a marketing list for a business development unit. The reality is, it has value. It has value in terms of providing it to a third party - you gain revenue from that - and it has value in terms of causing damage to an organisation. Now, irrespective of whether you're an internet-based company or a bricks and mortar company, right the way across the board we're relying on technology and the internet to communicate. We've found one factor that's common to our clients in different industry groups of different sizes and different levels of complexity, and that is reputation. It's no good just looking internally at how you protect a critical network or how you protect really valuable information. You also need to understand how, when something goes wrong, it's communicated externally. Often, a very small incident that has only a tiny impact on the bottom line can quite significantly change the way that our customers and our investors perceive us as an efficient organisation.
Rex Parry: Well the (UK) Inland Revenue is a great example there. If the problems they had with electronic tax returns had happened to someone in industry, you can imagine the effect it would have had on that business. It would have been devastating. And if you look at some of the things that people out there are doing, one of the great things in financial services is account aggregation. Citibank, for example, holds a very large number of people's bank details for on-line banking, including their passwords, on a server. OK, it's encrypted, but that's going to be a very attractive target, isn't it? Just think of the value of the information on there.
Harry Croydon: Coming back to the theft issue and the filing cabinet, and the old way that you actually had to steal it. You took it out and it was missing, typically. Whereas now I can steal your database and you wouldn't even know it was gone.
John O'Neill: What we have seen examples of in the very recent past, is contractors and employees who have left the employment of an organisation but their passwords haven't been revoked by the IT department. So, for several weeks or even months, there is a direct link in from the outside world, from anybody's bedroom, to get straight through to the database that Harry's talking about - to go and get that marketing list, in a very surreptitious way, and start using it discreetly.
David Wilson: But I mean that's the same as not getting the keys back when you fire the chambermaid, isn't it?
John O'Neill: That's right. Except that we're more likely to remember to get the keys than to remember to get the password revoked.
Harry Croydon: I think the issue that we're probably struggling with is that there aren't any claims on those things today, or that the policies haven't necessarily been sold to cover them yet. Take the Code Red Virus - $8trn or whatever it cost. These numbers are so huge that people sometimes ignore them. They say, `They don't affect me,' but these costs are built in and they do have an effect. So, it's about trying to identify the real cost, the real loss, the cost to the IP. Just how much is that disk worth then? Two pence or thousands of dollars?
David Wilson: Just touching on another area, I find it very interesting that large companies get attacked in quite an open and public way through nearly-the-same-name internet sites. People create those sites because they're dissatisfied with that company's service. It becomes quite a focus. Is that something which can be prevented by companies?
Rex Parry: There's quite a lot of case law, particularly in the US, around this sort of activity and there are things you can do about it. But it's very difficult to control what is going on across the web as a whole. There is a real cost benefit to be done in terms of, `Is it worth taking steps?'
Harry Croydon: And the web developed like that, didn't it? The web has grown up to get this sort of public sympathy towards some of these things. You've got a much more public space now.
John Hodge: There are things you can do about it. We have a group of people who are focused on trying to make quite sure that that doesn't happen and, yes, it's a pain, but then we will go out there and register domains that we think would be an embarrassment. Will we get them all? No. It's about risk mitigation. There are certain things you can do and I think it is not wise for us to sit back and say, `Well that's the nature of the web and that's life.' We've got to learn how to operate in that world.
Harry Croydon: I agree, I absolutely agree with that. People use this word `hackers'. It sounds like a highway robber or a Robin Hood sort of character. It's a great romantic word - you can sit in your bedroom and do this stuff. Whereas, calling them a `vandal' or a `thief' would bring them back down to earth. I think that's what we need to do with these things: make them real crimes, get some real punishment behind them and gain acceptance for that. Because, at the moment `hacker' is quite a good job to have. In reality, these people are just as bad as people who break into banks and take all your money.
Colin Brown: There can also be a positive side to this. People are using the internet to say they've got a whole load of disgruntled customers. In the real world, if that appeared in the newspapers, or we had demonstrators outside the office, someone would say, `Let's check that we're doing this correctly.' If we agree that the internet is a fantastic mechanism for communication, that it's got positive and negative sides, then we need to understand the positive side of this.
We've worked with one client - in the travel industry in the past, where groups of disabled customers have come together on the internet saying what a bloody awful time they'd had. Now if I was that company, I'd very much like to hear about that; perhaps review the service that's being given to these guys in hotels and deal with it in a positive way. I don't think it's all doom and gloom. And that's why, going back to the need to understand, if we're using digital technology, it's not just about the negative side or about keeping these horrible perpetrators out there away from our information. It's also about how we can use the internet and technology in a positive way.
John Hodge: Yes, I think it's very much, `How do we adapt to change?' And managing risk is a key part of it. I was talking earlier about the importance for XL of putting together a single network that was absolutely critical to our information systems and how we manage our relationships. And, guess what? We've suddenly got a much bigger risk. When we started out, we acquired companies that we wanted to run as self-sufficient units. Our risk was limited very much to what went into each of those organisations. Well, then we decided that that didn't make any sense - that we couldn't provide a service for our global clients by having these pockets of operations. Now we have one network and we have a very different type of risk. And it takes a great deal more effort to actually manage and mitigate the risks that go along with it. So, absolutely, we've got to take advantage of the tools that are there. Absolutely, we've got to understand that there are going to be different risks but we've got to manage better and it's not easy.
Rex Parry: I think it's coming back to where we started, though. We have demonstrated that the board of directors doesn't have the knowledge. I think a few months ago there was a survey done, in the City of London, of local area networks that were on a wireless basis. Seventy-one percent of them weren't secured in any way.
David Wilson: Yes, this is apparently a great game, isn't it? You drive up outside and log on.
Rex Parry: There needs to be an education of the importance of these issues, otherwise, as people begin to write insurance, and as people begin to trade in these things, there will be significant problems.
David Wilson: I'm not an expert in these things, but I think the issue of identities is very important. There's a great anonymity about the internet as it is now. There's never any positive proof of identity is there? If somebody logs on, if they have a password they are who they say they are. Wasn't there some sort of passport proposition coming out?
Harry Croydon: There is. Microsoft Passport have that.
David Wilson: And that's a clear proof of ID then?
Harry Croydon: Well probably not a clear proof but it goes some way. And there is other technology, other ways of doing it. More and more, you're going to need a digital identity. I had a discussion with somebody who does all the dot.com names the other day - someone who actually registers them - and they said, `Ah, you want harrycroydon.com.' And I thought, `Well, why would I want that?' There are possibly lots of people called Harry Croydon out there, so what gives me the right to have that one? And why do I want anybody to be able to type in harrycroydon.com and find me? I don't want that. So, when you're transacting on the web in the future, you will want people to know that you are who you say you are.
Rex Parry: There is an embryonic industry developing around digital certificates and digital signatures. One of the issues is, when the certification process is done, who actually checks that Rex Parry is Rex Parry? What do the certificate issuers actually do to check this? Because at the moment they do very, very little. I know the notaries public are putting together their own certification authority and they're actually requiring people to turn up in person, with two pieces of identification, before they're issued with a digital certificate. But you've got to first understand how it all works to realise the value of what you're being shown.
David Wilson: Susan, is this something which the insurance industry should do? I mean, how do you prove the identity of the counterparties?
Susan Savage: This is something that was looked at a number of years ago with the WISE Trusted Trading offering, which is now, I understand, part of Xchanging Insure. Where they are with digital certificates, I don't know, but part of the concern was that the certificate may not be the solution because the certificate actually sat on the laptop. It wasn't something that you carried around. Now, when you're hot-desking, you can have an issue where you're working together, and I go off to have an appointment and someone can sit down at your computer - because it's all teamwork and friendly and all business-driven - and send something and sign it with your signature. But you didn't actually send it.
From an identification point of view, there's a lot of discussion going on now about appropriate referencing. We've been talking to people about what would be the best way to go. I think we're just taking tiny little steps now with the client register but we're working quite closely with the LMP people on that. It's something that Marsh is pushing quite hard and giving a lot of time and support to. But I don't think it's going to be possible for any one market to actually maintain it. That's asking too much of anyone.
David Wilson: An authority?
Susan Savage: Yes, an independent authority. Whether it be Acord or not, I don't know, but I'd like to think that it would be an independent organisation. Discussions are ongoing with other entities that are looking at that, but you could end up with ownership issues and that always puts the brakes on.
John Hodge: About five years ago, I did a Silicon Valley tour and one of the things we looked at was smart-cards. We were shown a system where there was a keyhole that you entered your smart-card, but then you also had to put in your finger prints so that you could verify who you were. That smart-card would have all the certificates that would allow you access to whatever you needed access to. But you also needed a verification. Having that card didn't do it. It's easy to steal a card and it's easy to steal a password - usually it's on a stick-it note sitting on top of the card so you don't forget it. So, you had to have some other form of ID. It's bound to happen, I mean there is no question that we have to have much more certainty as to who we're dealing with.
David Wilson: Lloyd, I know you have an interest in the banking industry. Clearly this is absolutely critical, although it's probably no more critical than for the insurance industry, but it is recognised. How are the banks managing these identities and verification?
Lloyd O'Keefe: Although banks have a checkered history about managing risk and having the appropriate controls in place, many of them, especially the clearers, tend to be control freaks in terms of how they actually manage their business. Also, they usually have pretty effective internal audit teams actually managing the controls in the business. And a lot of the major external audit firms are very accountable and actually help to advise in terms of the appropriate controls. This enables the banks to mitigate and manage risk in their businesses, although some examples recently in the US were perhaps not quite as successful as we would have hoped.
David Wilson: This is a small Irish bank that you're talking about?
Lloyd O'Keefe: That's one of them. And of course, even beyond the financial services community, some major corporates in the US have had some horrible experiences recently. But generally, I think in the UK there are some pretty stringent controls in place. In some respects, these controls actually hamstring businesses because they are so over the top, but I'm talking really from a retail banking perspective.
David Wilson: So, if we went round the table and were trying to advise the insurance industry on what they should do, where have we got to now on what the risks are? Where do these risks lie? How do you do the risk analysis? Where's the start? Do you just pick up the wreckage?
John O'Neill: It's such a wide field that we need cross-industry discussion, involving various parties or working groups, to see what the trends are. I think we can tell a lot from the trends but I don't think we're looking at those trends across the industry. I know some firms are looking at them from their own internal viewpoints but I think we need a sharing of that information. I'd come back to what John (Hodge) was saying about General Motors.
David Wilson: So what you're saying is that there should be some sort of register or private forum at which people can be open.
John O'Neill: I think we need to share that information. And I'm thinking of the way that General Motors and Ford worked with their suppliers and how they got a lot of benefit from that. Ford, in the run up to Y2K, went to all of their suppliers and the suppliers of those suppliers and the suppliers of the suppliers of the suppliers. So they understood their supply chain in quite some detail over three years ago. They were able to capitalise on that by making sure that they were dealing with those parties in the way that they wanted to deal, and then they took it a stage further. They said, `We've got competitive advantage but we want to share that and develop it further.'
So they got together with General Motors and Daimler Chrysler and they formed a marketplace. And now they do a lot of their purchasing through it. Although the statistics are very secretive as to the savings, I think there are lessons in that for the insurance industry. That if we were able to share things and collaborate in that way, then we really could be breaking through.
David Wilson: Rex, what would be on your checklist of must do things? We've talked about identity, we've talked about secure communications. What are the things that a company needs to protect in the intellectual property area?
Rex Parry: For me, it's actually about the insurance industry understanding the risks in the wider marketplace that they share. I think there's a trend towards not covering a lot of the risks we've discussed today. Actually, business needs to either understand that those risks are not covered - because a lot of businesses don't understand that - or they need to have some way of putting appropriate cover in place. But it's a much more complex area than most people have assumed. And people need to spend time talking about it openly.
David Wilson: Do you think companies, the insureds and effectively the insurers, are going to see premium income of a significant scale from technology risk? I mean, given that, at the moment, people aren't covered and swallow the exposure.
Rex Parry: I think you'll see increasing willingness to invest in that sort of protection. There are a huge number of new issues that are big issues for business.
David Wilson: Harry, what's your view on how a current reinsurance company should start? I mean where do you start?
Harry Croydon: The thing which we should try and promote inside our business, and obviously outside it too, is general awareness. For the first time, many of these new risks are cross-company rather than just being vertical. So where I would start with any business is to put together a cross-company team to actually think about the risk. It could be a big list of things that you now have to look at.
David Wilson: So John, who handles this responsibility in your business? Is this in internal audit or is it in IT?
John Hodge: Well, I think we're talking about a lot of different areas of security which makes it complex. I think the key is around organisational structure. I think, as you're hinting at, the ownership problem is a start, because at a lot of organisations you can't see what that ownership is. If it is with the chief information officer, God help you, because the issues are a little bit broader than just the IT side. For instance, within XL, we have a chief compliance officer. Now, as you know, you've got to be able to identify who the chief compliance officer is, because of the Patriot Act in the US. So when we're talking about risk, it's a very broad risk and there's different regulatory risk in each area. We then, as we put together our network of organisations, for the first time, found the need for an IT security officer.
David Wilson: Do you actually have that in place, an IT security officer?
John Hodge: Absolutely. That IT security officer has the responsibility of setting the standards for the whole of XL - no matter what operating company - and also having a matrix of security officers. Every operating company has to have a declared security representative who will be the focal point for any security officers and any security issue, whether it's virus or whether it's standardisation of approach to application development - whatever it is. In addition to that, we began to move into the area of privacy. In many cases, privacy has been given over to IT. In our opinion, that's a mistake. So, we've appointed a chief privacy officer, who is from the legal side. He has a responsibility for monitoring the standard of privacy regulations around the world, because all these issues are interlinked. Then there is a steering committee that drives our privacy issues. That's made up of IT, internal audit, human resources and legal. The chief compliance officer is on that particular board and that group tries to work out what pro-active initiatives we can take to try and protect ourselves, protect our employees and protect our client relationships. So there is a lot you can do organisationally.
David Wilson: That is very detailed. Colin, does AON rely on an IT security officer?
Colin Brown: We've put in place a structure that looks at the issue of security. And we've considered the various aspects of security, from a bomb-related terrorist threat to a digitally-related threat. We've also put in place training regimes and what we call information security ambassadors in each of the individual business units. What we're trying to put in place at every level within the organisation is a culture of awareness, a culture of training and also a culture of having someone you can go to, to ask a question - many of the issues that we come across with our clients are based on a lack of understanding. So yes, we have made progress. But I pick up on the point about organisational structure. If we accept that there has been significant adoption of technology to aid business process and, to be honest, to make money, in the last five or six years, I haven't seen, with the majority of clients that I have worked with, a change in structure, a change in who holds responsibility or a change in whether they coordinate their activities. If we accept again that this use of technology and digital media spreads across all bounds of the business, irrespective of whether it's HR or finance or security, then the reality is we need a mechanism for communicating and often that is missing.
David Wilson: What about activity, though? Do you build in the ability to monitor activity? Is this wired into any system, does it say, `We will look at any e-mail over 4 miles long,' or anything like that?
Harry Croydon: A funny example: I e-mailed a contract to a friend of mine the other day and when I checked to see that he had received it, he said, no. So, I e-mailed again - did he get it - no. Eventually I faxed the thing to him and I said, `I can't understand why you didn't get this.' What it was, is that I had put at the bottom, where you sign, xxxxxx. Their IT guys had decided that `x' was to do with sex, and had banned anything that had xxxxx in.
David Wilson: So you don't put sexxxxx!
Harry Croydon: Well, they have to get a bit more sophisticated than that, but there are systems which you can put profiles in to pick things up. And they are getting smarter and smarter. This technology is relatively new - I think that's the key thing to understand. Most security procedures take years to come through. How long did it take to get seat belts in cars? From day one, it was probably obvious you had to have them, but it takes ages to get some of these securities and best practices installed.
Rex Parry: This is quite interesting because it relates to the issue of Data Protection legislation. The Information Commissioner is in the process of rolling out a series of guidances on what you can and cannot monitor in respect of your employees, to stop you from just sitting there and watching what your employees are doing. You shouldn't be looking at personal e-mails.
David Wilson: Does this roll into the category that they shouldn't be making them?
Rex Parry: Well, if you have that sort of policy, but many organisations don't.
Harry Croydon: The issue there is that people work damn hard in organisations and they deserve to be able to send personal e-mails. But in adopting technology, you should be able to give them a private account and then you could make one letter-headed and one their own.
David Wilson: This is like the payphone in the canteen?
John Hodge: I think there's even danger there. I think you would find that if you gave an individual a private account, sponsored by the company, and they used that private account for some form of harassment, you would find yourself very much at risk. So I can't conceive of our doing that. I think the only protection that organisations have is the strictest, which basically says, `These are company facilities, don't abuse them.' It's exactly the same as the telephone. We all know that people make telephone calls, but if they make harassment calls, then that's in breach of their employment agreement.
Rex Parry: I think you need a very clear policy. We had an interesting occurrence last summer where one of our clients had sacked someone for poor timekeeping. The evidence they'd used to justify the dismissal was that person logging in and out of the building through the security pass. The individual concerned said, `Well hang on, I thought that system was only being used for security purposes not for logging when I was or wasn't coming into the building.' And they were very successful with that. The Information Commissioner got extremely upset with our client for not following the law, so there are a lot of hidden dangers in terms of relying on the systems we use in business to help us.
David Wilson: That's an interesting observation, but presumably had the statement to employees been, `We are putting in this system which will have dual purpose,' then I suppose ...
Rex Parry: If they had gone through the appropriate steps. The difficulty again is the disjointed nature of an organisation, because there was probably some guy in operations thinking, `We need a security system, right we'll put that in', and someone else thinking it would be a good idea to use that information in personnel when they needed to discipline someone. And neither of them had thought to talk to the data protection officer.
John Hodge: I think that it's not just policy that we as corporations have to worry about. It's really policy and education. And I think any compliance programme should have education as the key part of it. I think that's one of the things that has changed over the last couple of years. An example I can give you is that as we began to centrally control the network, we became much more aware about what was going on. Recently we noticed that one particular subsidiary seemed to be using an awful lot of internet time. Well, two years ago we would have bought additional bandwidth to make sure everything was OK. In this particular instance, we said, `That's a little unusual, let's find out.' And what we found was that there were two individuals that seemed to be spending rather a lot of their day on sites that we preferred that they didn't go to. Once we stopped them doing that, we actually had more than enough capacity on that particular link.
Colin Brown: Maybe there is a lot that organisations can do to pre-empt this type of activity. I'd like to pick up on a point that we made before about what we do in the real world about fraud - the reality is that many companies are not particularly good at identifying fraud. Now if we consider that any business, irrespective of the technology that's enabling that business, involves people, then maybe we should start to look in a little bit more detail at the people that have access to the most critical information - whether that's in our own organisations or in third party contractors or technology providers. At least this way we can try to pre-empt some of the problems that are arising from misuse of e-mail, such as malicious activity launched from one's own premises, or theft of proprietary information.
But time and time again, when I ask contacts what measures they have in place to ensure that - if they're using a managed service provider - the individuals managing their critical infrastructure and their critical information have gone through a decent vetting process, they don't have any. With your IT contractors, how do you know what measures your partner is taking in ensuring that those IT contractors are credible individuals? Generally, they've checked some references. I would always encourage clients to investigate specifically what they're paying an awful lot of money for, to recruitment agencies and third party providers. Because in reality, for most organisations this is the Achilles heel. You can put all the technologies in place, you can have all the policies and processes and awareness programmes in place, but if you're not certain who the individuals are who are working inside your company, then you have a major problem.
Rex Parry: It's amazing that most organisations have only one vetting procedure and not a range of vetting procedures that depend on the significance of the information that a new employee will have access to.
David Wilson: This is the airport cleaner's story, isn't it? We spend four hours being searched electromagnetically, and checked and re-checked, and they drift through having been employed only that morning.
Susan Savage: I think it comes down to clear communication on what you expect from your colleagues and employees. I think there has to be a degree of trust that there won't be abuse. It comes down to good housekeeping, making sure you have the right things in place and commonsense, keeping your wits about you. I don't think we'll ever completely eradicate fraud. But I think that trust and sensible communication are important, so that they know when they are allowed to send an e-mail to a friend versus abusing the privilege of having e-mail. I think sometimes we seem to let it get out of control because it's all electronic.
David Wilson: Because it's IT, it's somehow magically different. What about durability of data? I mean, we've still got a copy of the Domesday Book in Winchester Cathedral, which was written a thousand plus years ago. But some of the data that Equitas was working with - when I was with them - was three years old but you couldn't understand it because the formats had changed. How is the industry going to manage data durability? What formats should be used? Electronic media has a very short lifespan, not because it physically dies but because the technology to read it is going.
Susan Savage: This question has come up quite a lot in the London market recently. Especially around the exciting new development of repositories - these file cabinets in the sky that everyone can access. An issue for the liability insurance market is the fact that many of these records have to be held for 80 years. Now, some people might say, `Well that's okay by me because I won't be here and I won't need to read it.' But we've seen how asbestosis claims have been hampered by either the fact that paper data was no longer in any readable form or the fact that there had been inadvertent destruction of records. Acord has been asked to do a lot of work on the repository issue. We are actually looking at how to best handle unstructured data, as opposed to trying to come up with the best format to keep anything in. We're looking more at re-usable technology that's already in