Case Study: Meeting Customer Demand for Secure Statements

Rather than navigating a Web site to see their data, customers at New York Life Investment Management Retirement Services enter only a username and password to see statements in an HTML e-mail attachment.

Sending encrypted e-mails—“secure messaging”—used to mean massive public key infrastructure (PKI) projects to integrate different companies’ e-mail servers. Alternatively, individual users might install personal PKI software and swap public keys with 10 friends. Neither approach scaled easily, and for general consumption, two-way encrypted e-mail still hasn’t reached mass adoption.

More recently, however, with increasing consumer data-privacy concerns, firms have begun giving sensitive information the secure treatment.

Take New York Life Investment Management (NYLIM) Retirement Services, which administers over 1,500 plans, has 1,400 employees, and manages $169 billion in assets. In response to customer requests, NYLIM began encrypting all customer statements sent via e-mail. That’s impressive in an industry where most companies just send links, and users have to visit a Web site to see anything. “Our focus, doing this, is to not require the user to check on information by coming out to the Web site,” says Tod Bryant, vice president of Information Systems at NYLIM.

That philosophy has dominated since NYLIM first offered Internet services in 1996. In 1999, the site gave customers the ability to subscribe to weekly, monthly, or quarterly statements. “So, for example, if a subscriber subscribed to a balance summary, we’d build a Web page on Saturday for the week, attach it to e-mail, then send it out to them. We were actually pushing information out to participants,” says Bryant. Now NYLIM sends about 15,000 weekly statements, and roughly 24,000 monthly ones; quarterlies are less popular.

Since 1999, privacy concerns have grown, and NYLIM eventually reconsidered sending plain-text data to customers. “In late 2002, a lot of our clients began to approach us and say, ‘We love this e-mail subscription service, but now there’s a heightened awareness around privacy and protections, so we want you to look into sending the e-mail subscriptions by encrypting them,’” says Bryant.

NYLIM had two requirements. The solution had to be easy for participants to use, and it had to add little or no hardware or software management work for staff. After investigating various secure messaging options—Bryant declined to discuss the other products evaluated—NYLIM chose Secure Statements from Sigaba.

Here’s how it works: At NYLIM, a system process builds e-mails every Saturday morning—for weekly statements—and verifies them. Another process then pushes them to a Sigaba Secure E-mail Gateway server, which encrypts the messages and forwards them to the mail server. “That’s a nice thing about it; it’s really hands off,” says Bryant.

When users receive the e-mail, they click on the HTML attachment to get their statement. That opens their Web browser, with a catch—the page content is encrypted. Users must enter their NYLIM username and password. That triggers an authentication exchange with the Sigaba Authentication Server, which—if the credentials check out—returns the decryption key over SSL, and the user can read the HTML document containing their statement.

Such an approach means users don’t need special plug-ins for their brand of browser; they just enter a username and password. “That was key to us, because we have a wide variety of users, and a wide variety of backgrounds. We have people on the latest version of Internet Explorer, and we have users on AOL version 3,” says Bryant.

NYLIM is an early adopter of secure messaging. Bryant notes that few, if any, other companies in his market have the ability to e-mail encrypted statements to customers. Most require end users to click a link, go to a Web site, enter a username and password, then click to view statements online. “We’re trying to be much more proactive in helping people manage their accounts,” he says, by eliminating barriers to getting the information.

Bryant says the rollout went smoothly, though having policies and procedures already in place was helpful. “The process is no different than before, when we generated [the e-mails] without encryption.”

Customer education, he says, was crucial for making secure messaging work, though it’s an ongoing battle. Change one thing, and consumers can flood the help desk. So NYLIM paved the way, sending an e-mail 10 days before the early November 2003 changeover. “If more people had actually read that communication, it would have been even better,” Bryant notes. NYLIM also pre-registered existing users, so they’d only need their existing username and password to decrypt the e-mail attachment. “I think [that] cut down the learning curve tremendously,” he says, as well as forestalled more customer calls to the help desk.

NYLIM initially opted to have Sigaba host the authentication server. In the near future, Bryant plans to bring the Sigaba e-mail infrastructure in house. “From an end-user standpoint, it won’t make any difference,” he notes, but he prefers to manage all technology in house.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.