ThinkAdvisor


Data Security Doesn't Happen With The Flip Of A Switch


When was the last time you heard someone say that something had “slipped through the cracks?”

It’s a common enough euphemism. We generally use it when we’re negligent in some way–forgetting to do something important, missing a salient detail, or making a small mistake that may have large consequences.

It also implies that while we made a good effort to lock everything up tightly, we couldn’t achieve a perfect, airtight seal, so–improbably–something got by, and “oh well, stuff happens.” It’s more of an excuse, really, almost an attitude. And most of us seem content to let transgressors who offer the “cracks” explanation slide.

I wonder if we would be so blasé and charitable, however, if what slipped through the cracks brought our agencies or companies to their proverbial knees. If a carrier’s CIO says, “Whoops (chuckle, chuckle), looks like I forgot to turn on the firewall after I rebooted the systems and our entire network is compromised with malware, shutting us down for the next 18 hours,” are we going to be OK with the explanation that something “slipped through the cracks?” Probably not.

Yet, our industry seems disturbingly comfortable with tolerating the “cracks” when it comes to the security of the huge volumes of personal, sensitive data we handle daily.

At an industry conference panel earlier this year, I brought up the very real problem of ensuring data security in the insurance industry. Another panelist–a respected analyst–dismissed the entire subject, asserting that data security is “a lights-on issue.” In other words, as long as we flip the switch and turn on the “lights” of our security systems, all should be fine. Why even discuss something that can be so easily dealt with?

Presumably, then, any security breach that does occur happens because “something slipped through the cracks” of our defenses–either technological or personal. It’s regrettable, but what can one do?

The problem with blithely dismissing the issue of data security, however, is that while it provides a convenient excuse for inaction, it also smacks of negligence. First, “switching on” security systems that are inadequate accomplishes little, except for possibly fostering a false sense of safety. Second, many security breaches take place because laptops or other devices are stolen or lost–no switch to be flicked there. Yet, data security is clearly not at the top of insurers’ priority list.

A September 2006 study of “IT As A Business Enabler,” co-sponsored by IASA and the Robert E. Nolan company, confirms my worst fears about the industry’s lack of urgency on this matter. The survey of IASA member companies found that improving efficiency and productivity was the most important return sought from technology investment. Incredibly, decreasing risk was rated as the least important benefit.

Meanwhile, according to the InformationWeek 2006 Global Security Survey, 57% of U.S. companies were hit by viruses in the past year, and 18% were hit by denial of service attacks. In the insurance industry alone, says online data breach watchdog privacyrights.org, more than a million customers have been affected by data breaches since the beginning of this year. I guess we should just tell them that “something slipped through the cracks.”

Perhaps you find it unbelievable that an industry as risk-averse as ours would take such chances, especially in the current restrictive regulatory environment. Undeniably, however, the insurance industry has a history of keeping its head planted firmly in the sand when it comes to technological advancement. In another column, I praised the industry’s conservative approach to buying and using technology, but the praise ends when penury–or just plain laziness–allows data breaches that could lead to identity theft and financial brokenness for customers and negligence lawsuits and federal charges for carriers.

Why isn’t data security a front-burner issue for the insurance industry? The simple answer is that no one has been seriously burned–yet. There have been no multimillion dollar lawsuits or federal indictments–yet. There have been no Spitzer-style investigations of the industry’s data protection failures–yet. Still, the number and seriousness of data breaches are increasing every year, and there are no easy solutions.

No, you can’t just flick a switch and expect to be protected from criminals whose insidious expertise is such that they can crack a system, steal everything, and be gone–covering their tracks–within 20 minutes. Data is the lifeblood of the insurance industry, and data protection must become a business priority. If that doesn’t happen, it may be the industry’s lifeblood that begins “slipping through the cracks.”