Andrew Rigby says insurance companies need to have strict security policies for outsourcing business

Alarm bells sounded throughout the financial services and outsourcing communities last summer when a tabloid newspaper claimed it had purchased the financial details of customers of several UK banks from an outsourcing supplier in Delhi.

This breach in security involved some of the biggest names in financial services.

It naturally sparked concern about data management in outsourcing and caused customers and companies alike to question how safe their data was.

The real issue was not that the call centre was offshore. There is nothing to suggest that Indian call centre workers are any less moral than UK ones.

But it does go to show that security is a complex equation particularly in an outsourcing or offshoring environment.

Many factors need to be taken into consideration including IT, people issues and the type of information that is protected.

As more and more insurance companies turn to outsourcing to reduce overheads and increase business agility, the security issue is becoming key.

Companies such as Norwich Union recognise the cost efficiency of outsourcing. But in outsourcing the focus can all too often be on the attempt to drive down overheads and boost profit margins, occasionally to the sacrifice of other factors within outsourcing, such as security.

Security issues resonate through every aspect of outsourcing, from insurance claims process outsourcing to customer service call centres and IT.

Security policies need to be robust and thoroughly considered in any outsourcing scenario.

In the insurance sector this is crucial. Highly confidential and financial data has to be made secure. Any breaches could have catastrophic repercussions.

Security breaches take many forms. They can come in the shape of internal risk, such as data being stolen or misused by an employee.

External risk comes from, say, a hacker, and IT risk may be a threat posed by a computer virus.

All these factors need to be considered and integrated into a security plan in order to safeguard data effectively.

When an insurance company is outsourcing part of its business to a supplier, caution needs to be taken.

The insurance company is entrusting its reputation, customers' data and, in some cases, even its staff into the hands of the supplier.

This is true in the case of a Transfer of Undertakings (Protection of Employment) or 'Tupe' agreement, where employees are transferred to the supplier company, such as in Pearl Group's recent deal with Tata Consulting.

Great care needs to be taken and the right security procedures need to be in place.

Woolliness around the division of responsibility for security protocol is often the reason behind security lapses.

When working with a supplier, the issue of responsibility is always a potential problem. Contracts are meant to clarify this and clearly define responsibility.

This can often be exacerbated by an 'out of sight out of mind' attitude that too many companies have with outsourcing. This is not an approach that insurance companies can afford to take, particularly with security.

Letting a supplier act independently of a company is risky. If the operation is not closely integrated, there is a danger that the left hand won't know what the right hand is doing. This may result in misaligned security objectives and achievements.

Additionally, a close eye needs to be kept on a supplier to ensure they are maintaining security standards.

So how can this be prevented?

As the problems behind security issues in outsourcing are often contractual, there can be a power struggle between the end user and the supplier over who leads the security policy and who implements the operational aspects.

In particular, companies need to pay close attention to pre-contractual due diligence. For example, who is responsible for the firewall, who applies patches and who is responsible for penetration testing must be spelled out and an "owner" allocated for each.

There are often tussles over which party drives the strategy. Although there is no hard and fast rule, the insurance company (that is, the customer) should primarily take responsibility for the security strategy and typically the supplier will be responsible for the whole implementation of this strategy.

If no one knows who is responsible for what, then there is a good chance that there will be flaws in the process.

Insurance companies must ensure they have a consistent security policy.

The companies must specify rules that outsourcing suppliers must comply with, such as setting passwords and access codes.

Every company has a different way of working, and ensuring that the supplier works in the same style and adheres to the insurance company's processes is paramount in making the security seamless.

It is also important to impose a greater level of control - put the obligation on to the supplier.

It's one thing having it in the contract but if the supplier is aware the insurance company is keeping a close eye on them they'll be far more likely to ensure they meet the required security standards.

So what if they don't meet those standards?

Impose as much of the burden as possible on suppliers in terms of indemnity.

Putting all the risk on the head of the supplier pressures them to get it right. They'll know that if they don't (and particularly if there is any breach in security as a result) then there will be severe consequences.

Risks are always changing and, in turn, so must the security policy. Security policies should be audited on an ongoing basis and continuously updated and amended in light of the proliferation of viruses. Whether in-house or outsourced, this is a security must. If outsourced, the end user needs to ensure that the supplier is up to the job.

Choosing a supplier that already provides security services to a range of clients may help, as it will generally be more aware of the market and of changing risks.

Also it's good to look for a supplier that has an exemplary record in terms of providing security.

What if the worst happens? For those extreme and unforeseen circumstances, a meticulous security crisis management plan should be in place. So if the unthinkable happens the insurance company and the supplier know how to handle it quickly and efficiently to minimise and contain any damage.

An outsourcing project, like any other business environment, can never be 100 per cent secure.

However, with forethought and insight, insurance companies and their outsourcing suppliers can do their best to protect themselves.

Thorough preparation can, in almost all situations, counter any security attack, be it from an internal or external source.

Andrew Rigby is a partner in the technology and outsourcing group at Addleshaw Goddard