It’s no wonder that the cyber risk sessions at April’s Risk and Insurance Management Society Annual Conference were standing room only. We’ve just learned that as many as four million people’s information has been breached on government computers. This comes on the heels of an IRS admission that 100,000 taxpayers may have had data from past tax returns stolen. These instances prove that even our government is far from immune to the dangers and failures that have plagued the likes of private sector giants Target, Home Depot, and Anthem Health.
I don’t have a particular statistic to cite, but my fear is that we are seeing only the tip of the “data insecurity” iceberg. How many small breaches of far less secure databases are occurring for each one of these high-profile, high-stakes breaches? Even if there are not a multitude of smaller breaches occurring, the aforementioned highly visible breaches cast a pretty wide net. I have no indication that I or my family have been caught up in the federal government’s latest data breaches, but between my wife and me, we are receiving complimentary identity protection services as a result of links to all three of the aforementioned private sector hacks: Target, Home Depot, and Anthem.
Perhaps the larger question should be (spoken with utter exasperation), “What in blazes is going on?!”
The explosion of the internet in the 1990s ushered in an era of exponential connectivity and information sharing, which is generally a good thing. Unfortunately, it seems apparent that the rapid expansion of connectivity has outpaced our ability to protect the valuable data that naturally results from all of this connectivity. In our rush to automate and connect everything (and to benefit from the incredible productivity and wealth growth that results), have we put the proverbial cart before the horse? Or is it just a fact of our new digital life that our vast connectivity of devices and databases means that data is going to be at risk to some extent no matter what we do?
No matter how these questions are answered, risk management and insurance are both going to play integral roles in the cyber risk world. It looks to me like we’re in the midst of a “Wild West” sort of era – and my concern is that there is likely to be a shoot-first-ask-questions-later approach to our data systems and our risk management processes. That tends to produce considerable collateral damage.