Insurance companies are following in some banking organizations' footsteps to build a secure transaction infrastructure for the Internet-but the insurers may finish the job first.
While bankers continue to puzzle over a dizzying array of data security options and how they may fit into existing business lines and practices, a major technology supplier to the property/casualty insurance industry is trying to cut out the complexity and cut right to the chase.
IVANS Inc. of Greenwich, Conn., which since 1983 has provided technology and networking support principally to the property/casualty segment, has taken on the task of ushering its 500 members and their business partners into the realm of secure electronic commerce.
It has placed "high urgency" on the project, said chairman, president, and chief executive officer Dan R. Carmichael. Given the rapid spread of personal computers, Internet connectivity, and consumer interest in on-line brokerage and banking, he said, it is only a matter of time before insurance takes to the World Wide Web.
"We want to be ready," he said.
IVANS wants to do for insurance what ABAecom, a for-profit spinoff of the American Bankers Association, has proposed for its membership. But any hurdles IVANS faces seem less daunting because of its unique "utility" status.
Like ABAecom, it wants to promote adoption of a public key infrastructure, a data-encryption-based hierarchy for the issuance of digital certificates. Those are credentials that banks or other financial service providers might issue to authenticate parties in e-commerce transactions.
ABAecom supports the notion that the role of certificate authority, the entity that issues and manages the digital credentials, is a natural extension of the trusted-agent role that is the banks' historical legacy. ABAecom has also brought outside trade groups, such as the Investment Company Institute and American Council of Life Insurance, into its advisory board, in hopes of creating a broad-based financial industry framework.
But the ABA venture is battling for attention and commitment against other priorities, such as year-2000 remediation, and must rise above the noise level of a fragmented industry composed of thousands of institutions of vastly varying sizes and degrees of openness to new ideas.
Property/casualty insurance may not be the embodiment of simplicity, with its 40,000 independent agencies dealing with numerous insurance companies and a multitude of necessary outside connections to banks, health care providers, automobile data sources, and the like.
But in IVANS the industry has what is essentially a communications utility with an 80% share of the technology services market as it has defined it.
"Our property/casualty business has been slower to get onto the Net than banking and some others," Mr. Carmichael said. "People are just not anxious to rush out there. But it's going to happen," he said, citing consumer surveys by Opinion Research Corp. commissioned by IVANS that indicate half of consumers are already interested in submitting insurance claims on-line.
IVANS' goal is to create a shared information security infrastructure with sufficient mutual benefit that all parties would buy in.
For a company with 80% market share and with many of the characteristics of an association, because it is owned by several trade groups and enjoys considerable support in the rank and file, industry fragmentation is not a problem.
IVANS is in the business of providing "core technologies," Mr. Carmichael said, often in collaboration with International Business Machines Corp. He defined the security framework as "a core technology."
"This is not about competitive advantage, it's a utility function," Chip Lawson, IVANS' senior Internet strategist, said of its proposed approach to a public key infrastructure, or PKI.
"The devil is going to be in the details of this," Mr. Lawson added. "We have to get into certificate formats, the issuing and revocation of certificates, how to deal with directories. Now we are getting the initiative and discussion going."
"We have a captive audience that is asking us to step up," said Mr. Lawson, who is based in Tampa.
IVANS, which is heavily involved in the automated documentation exchanges traditionally defined as EDI, or electronic data interchange, is initially focused on business-to-business commerce. "One reason is that consumers haven't warmed up to buying insurance on-line," Mr. Lawson said in an interview.
But some of the bigger and more aggressive insurance companies, feeling the e-commerce train bearing down on their operations, went so far as to set up their own PKIs. Mr. Lawson said that in their proactive eagerness, they learned hard lessons, such as "just defining the (data) fields in a certificate is very difficult."
"They came away saying, 'We don't want to play this game,'" Mr. Lawson said. "They came to us as the obvious solution provider."
Last week, IVANS formally launched its effort, circulating a "Proposal for an Insurance Industry Security Framework." It is asking for comments on it by the end of May, with an eye toward beginning pilots of a system built on data encryption technology and digital certificates by the fall.
"We want to see if the level of commitment is there that we think is there," Mr. Carmichael said. "We have every reason to believe that it is."
The IVANS document said, "Once a company decides to link to the Internet or even intranets and extranets, it becomes visible to a very large audience and vulnerable to the potential problems and hazards associated with such vast exposure."
"This brings about a new dependency on security," which the report described as "no longer just a protector," but rather "an e-business enabler."
The ultimate vision is an Internet-based network over which insurance carriers, agents and brokers, information and service providers, and customers would all feel confident about the security and privacy of document transmissions and transaction details.
IVANS' paper warned against "industry participants' (choosing) to adopt proprietary technologies" and relying on multiple vendors with nonstandard systems. "Without an integrated insurance industry approach to security, there will be significantly increased complexity and potential interoperability issues," leading to confusion and higher costs that "an industry standard security solution" would avert.
Technology executives from CGU Insurance, Chubb & Son, Travelers Property Casualty Co., and Dawson Cos., a Cleveland-based agency, all argued in favor of these standards principles-and IVANS' central operational role-at a security forum that IVANS sponsored in New York last week.
"If every carrier took a different tack with different security packages, it might not matter to an agent that deals exclusively with Chubb," said Don Garvey, an assistant vice president with that company. "What happens when they deal with other carriers?"
"If we went out with our own security solution, we would get a lot of push-back from our agents," said James D. Oleksiw, telecommunications director of Citigroup's Travelers subsidiary. "It makes sense to have an interoperable solution. It would be a nightmare for agents to have to sign on to 160 different insurance companies 160 different ways."
Mr. Oleksiw said the benefits of IVANS' proposal would include a sharing of the cost burden across the industry, considerable research-and- development savings for his own company, improved relationships with agents, and lower training costs.
"Different systems providing security in different ways could spell trouble for the industry," said Braden Polansky, Dawson Companies' director of information technology. He even warned that this could seriously damage the agency distribution system. "We need to keep the solution simple," he said.
Christopher Owens, director of GTE Internetworking, which is assisting IVANS' PKI research, said the contrasts between banking and insurance point up a reality that vendors and strategists in the security field must face: Different industries have different needs and will proceed at different paces.
"Everyone will need this eventually," he said. "But every segment has a different set of priorities."
Thomas Greco, President of ABAecom, said he was surprised that the IVAN effort, as ambitious as it is, just came to his attention last week.
He said that may be because the project has been better known in technology circles, rather than the senior managements that will foot the bill. But ha said he is pleased that the topic gaining wider attention.
"One of the nice things about banking is that it has a natural hierarchical structure" into which a certificate hierarchy can neatly fit, Mr. Owens said. But bankers do not yet seem to be clamoring the way IVANS' customers are.
GTE Cybertrust said it has entered into an exclusive agreement to provide digital certificate technology for a recently announced Sun Microsystems Inc. initiative.
The data encryption unit within GTE Corp.'s GTE Internetworking group said it will be the sole provider of public key infrastructure equipment to Sun's ServiceProvider.com program, for management of digital certificates in extranets.
Extranets are the Internet-based networks that admit remote employees and customers, as authorized, into corporate computer systems. Sun's program is designed for Internet service providers and application service providers, known as ISPs and ASPs, markets that GTE Cybertrust is entering for the first time.
"The key benefit of a secure extranet is that sensitive data is available only to designated people within your organization and to approved outside business partners," said Paul Paget, vice president of marketing at Needham, Mass.-based Cybertrust. The Sun-Cybertrust link will assure that "your extranet can only be access by someone who has a valid digital certificate."
The ISP-ASP market is "a natural extension of our business model," said Cybertrust president Peter Hussey. "Service providers that use Sun systems are building extensive extranets to carry out business-critical on-line collaboration and exchanges."
