Don’t Blame it on the Cloud

Back when I was young, there was a very popular pop group that had three huge hits. Their last hit from their first album was a song called, “Blame it on the rain.” It was about someone who had lost love, and was trying find a reason. Its lyrics included, “Gotta blame it on something … Blame it on the rain ... Whatever you do, don’t put the blame on you.” The group became superstars for a while, even winning a Grammy award for Best New Artist in 1990.

I thought of the group and those lyrics during a recent security breach. The breach first was blamed on the cloud, then on consumers who might have inadvertently provided hackers with access to their data in the cloud, then on a combination of user error and security that was not as tight as it could have been.

The truth is, the why probably doesn’t matter much to consumers. If there’s a data hack, we can blame it on the rain, the cloud, the residual radiation from the Big Bang … whatever we will, and it won’t matter. All the consumer will care about is that his or her data has been exposed, and the big, bad insurance company that should have known better and done a better job will be to blame.

That’s the likely outcome even if it’s the consumer who provides the key to that information lock, whether by responding to a phishing e-mail or downloading malware. The Grammy-winning group accurately noted the human propensity to avoid blame, but its greatest lesson may have been in its downfall.

It turned out the group, Milli Vanilli, did not sing the songs for which they had received a Grammy. Looking back, it may be surprising that the deception was not immediately uncovered, but that was a time of change in the music industry with the rise of music television. Times of change tend to allow for the threat landscape to mutate and for unforeseen threats to appear.

To a certain degree, that is where the insurance industry now stands with regard to cyber risk. We know the threat landscape is changing, with different rules, routes and actors, but not every insurer’s Board of Directors yet has a full understanding of how great the danger can be.

The two singers in the group tried to put out a new album after they had been exposed. It didn’t sell. Whatever their talent level, their musical credibility had been lost. More than most industries, insurance depends on credibility and trust in order to sell its product. While the cost of continually preparing to handle new cyber threats may be reflected in higher IT spends, the opportunity cost of not doing so is too high to contemplate.

The famous, if apocryphal quote by Willie Sutton on why he robbed banks applies to insurance companies: “That’s where the money is.” In our era, information is money, and where better than insurance companies to come steal that.

Unlike banks, people tend not to interact with insurers frequently, and thus are less likely to notice issues. Like all financial institutions, insurers have increasingly migrated to digital channels to enhance customer relationships and meet their demands, introducing new cyber risks and attack vectors.

All this matters because insurance companies are the mother lode of personally identifiable information. Date of birth, Social Security number, credit card number, phone number, street address — all are likely to be available in an insurer’s files.

This can make insurers a tempting target, regardless of size. Most currently known attacks have been characterized as short term, but persistent, ongoing attacks may be growing. In addition to significant reputational risk, successful attacks could result in substantial tangible damages, such as fines, legal fees, lawsuits and fraud monitoring costs.

That’s why Boards at insurance companies should embrace New York Department of Financial Services Superintendent Ben Lawsky’s recent call to focus on cyber security.

Reuters quotes Lawsky as saying at a recent forum, “I worry that we're going to have some major cyber event in the financial system that's going to cause us all to shudder … It's a bargain if we harden our systems now and protect against something more catastrophic. It is a great deal in my view. Once there is a major event, everyone suffers. We're going to pay for it either now or then.”

Lawsky is right, and CIOs and CTOs should make sure their Boards get the message come budget time. Because if a major cyber event happens, blaming it on the rain is probably not the strategy you want to be stuck with.

Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.

Readers are encouraged to respond to Howard using the “Add Your Comments” box below.

The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

For reprint and licensing requests for this article, click here.
Analytics Policy adminstration Data security Security risk
MORE FROM DIGITAL INSURANCE