By Tom Murray, Head of Product Strategy, Exaxe.
Once he activated the switch, the malware was stopped in its tracks. The world was also lucky that the malware was not specifically aimed at critical infrastructure such as major dams or nuclear power plants.
However, it must give all of us in the life and pensions industry pause for thought as we are among the industries with the most sensitive data. Not just payment data but a mountain of personal information, including confidential health data, is held on life and pension systems across the globe. The duty to protect this data lies with the firms involved and it is not a duty to be taken lightly.
The seriousness with which this responsibility is taken is shown to a great extent by the reluctance of the industry to get involved in early adopter phases of new technology. This is a cautious but admirable approach, but as the WannaCry ransomware showed, there is almost as much danger in staying on old, unsupported technology as there is in moving forward to cutting-edge, untested technology.
A significant issue is the fast-moving pace of technology. Technology in and of itself is not a primary competence of a life and pension company. There is a huge overhead in keeping pace with technological advances and ensuring that technology risks to customer and corporate data are minimised.
One of the easiest ways for companies to keep up is to outsource the processing to other firms, essentially using Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or even Software as a Service (SaaS), thereby getting rid of all the technological problems and allowing themselves to focus on the products and services that they are delivering.
But whilst doing this may bring big benefits, as it moves the responsibility for keeping up with technological and security advances to companies whose core competence it actually is, it is important to bear in mind that the life and pension company still retains full responsibility for the security of its customers’ data. This remains firmly with the life and pension company that holds the contract with the customer.
So when designing contracts for the use of these other systems, a huge amount of effort must be put into ensuring that the data security approach of the outsourced firm is up to the standards required. This means ensuring that the supplier is fully compliant with all the data protection obligations that are regulated for the industry, as well as ensuring that their general technical security processes and procedures are completely up to the best-practice standards within the industry.
So whilst it is important that the outsourcing company can deliver the services required and that the business areas are involved to ensure that the outsourced systems support their business goals, it is actually even more important to ensure that both IT security and the Compliance departments are heavily involved. Otherwise, the company is at risk of having to take responsibility for regulatory breaches for operations that are outside their control. Whilst not delivering a good service could lead to slower company growth, fines and damages that have to be paid for data mishaps could potentially ruin the company; the danger from not protecting existing information could be far greater than the danger of not providing the service efficiently in the first place.
The use of IaaS, PaaS and SaaS is a good way to ensure that life and pension companies have access to the benefits of the latest technologies, both in terms of newer hardware and software advances, and to move the responsibility for humdrum but essential tasks such as software patching, data backups and resilience provision to companies that have the expertise, setup and scale to deliver it properly. For most life and pension companies it is a clever move, and it means that their boards do not have to spend huge amounts of time trying to take the kind of decisions about the long-term direction of technology that most of them do not have the expertise to take.
However, it does mean that due diligence on suppliers, and on any third-party suppliers they use, must be extensive if the company is to have the confidence that it is doing all it can to protect customer data from being lost or compromised, whether that be by targeted ransomware attacks, poor data management or just old-fashioned abuse of access by a disaffected employee. To take a short cut when the contract is being drawn up could turn out to be a very expensive mistake.