What can Blinky the 3-eyed fish teach company directors about protecting consumer data in the new world?
The Simpsons S22E12 "Homer the Father" (2011)

In the Simpsons episode “Two Cars in Every Garage and Three Eyes on Every Fish” (S2E4) we see a satirical story of ineffective environmental regulation, with a particular focus on 'Blinky' the fish that Bart catches from the plutonium-infused river downstream of Springfield Nuclear Plant.

This episode explores the interesting tension between shareholder returns (for Mr Burns) and a risk that impacts wider society. Mr Burns proclaims the fish as being evolutionary progress, but then appears a reluctant diner when he ends up being served Blinky for dinner by Marge.

Today we're seeing similar tensions play out around consumer data, where digital strategies have driven the capture and aggregation of consumer data in many places, yet when it goes catastrophically wrong the 'blast radius' of an incident goes well beyond the company shareholders in the same way an environmental spill does.

Going forward we need to treat and manage consumer data in a similar manner to plutonium - inherently high value, but something which needs to be kept in as few places as possible, and well secured.

Consumer data (and insight) has driven shareholder value

The US$300bln market capitalisation of Facebook's parent (Meta Platforms Inc) demonstrates the attraction of building large datasets of consumer data and the way in which consumer insights and the free consumption model can be leveraged for targeted marketing.

This link between market capitalisation and consumer insight has created a 'rational incentive' for companies to collect and consolidate as much consumer information as possible, and to own the consumer relationship itself rather than be disintermediated.

Unsurprisingly, a wide range of companies have collected and harvested consumer data. This hasn't all been negative: it has supported benefits such as personalised services, a better understanding of customer needs and clearly altruistic outcomes such as the forward prediction of some types of illness. However, in some cases consumers face compulsory enrolment and 'personalisation', which means that surrendering some personal information is a condition of access to a service which could otherwise be provided anonymously.

But consumer data is also becoming a toxic liability...

As cyber breaches now occupy the news on a regular basis, regulation is strengthening (e.g. GDPR), setting high expectations for protection and bringing material penalties (e.g. >$100m) for breaches. In Australia, it's clear from the Prime Minister's comments in September 2022 that we face a dramatic hardening of the rules within this term of parliament.

These reforms will mean unambiguous expectations that organisations can effectively govern the risk around information, but also a realisation for boards that, whilst consumer data can be an asset from which value can be derived, it is also becoming a potential toxic liability if the organisation holds the information insecurely.

Cyber insurers are also 'handing the risk back'

For the last 5 or so years, many organisations have used cyber insurance as a means of risk transfer for the potential costs of a cyber incident. However, in my recent conversations with ASX100 clients, the rapid rise in incidents means they're seeing premiums rise up to 80% a year and cover reduce - to the extent that cyber insurance as a proposition may well already be in a 'death spiral' as the value diminishes. I've also argued for some time that risk transfer using insurance isn't a really good outcome (beyond shareholder interests) if there's a huge societal impact from the incident.

In August 2022 a further development was the Lloyd's of London insurance syndicate issuing a Market Bulletin to narrow cyber insurance policy wording to exclude some types of cyber attack linked to nation states. This is an interesting move given the aggression of some countries in using intelligence services to actively compromise and acquire personal data of foreign citizens through quite sophisticated channels, such as compromising the source code of software, or accessing cloud platforms through administrator accounts.

This change is also largely untested legally. As many learned cyber commentators have already pointed out, attribution of the origin of an attack is particularly tricky, and in some countries such as Russia, the boundaries of government and criminality are particularly blurry.

What these cyber insurance changes are effectively doing is handing the liability back to companies.

Organisations have become complex, which makes cyber risk management hard and expensive

The pursuit of growth has driven consumer focused organisations to innovate, expand into new markets, or make acquisitions. However, this hasn't been accompanied by a corresponding simplification of the data landscape. The high complexity of consumer information holdings and flows has become a root cause of why many companies struggle to manage risk effectively, or even to understand their exposure.

As a consultant I’ve seen many examples of high complexity that make the problem of securing consumer data incredibly hard and expensive:

  • An organisation with more than 1,000 information systems, of which more than 300 held customer information.
  • A multinational that has more than 25 active brands in the market with their own websites, marketing competitions and customer portals (which creates a large ‘attack surface’ to protect).
  • An analytics ‘data lake’ for consumer insight that was fed by more than 50 different source systems and data brokers, which had lost the traceability back to the individual consumer collection interfaces.
  • A new cloud based customer billing platform with 25 external interfaces (APIs) to other organisations.
  • A client with more than 10 different customer relationship management (CRM) systems.
  • A client with more than 15,000 suppliers, including more than 100 different cloud vendors, of which more than half had been directly engaged by business stakeholders without a governance process.

In most of these scenarios it is enormously time-consuming (and expensive) to map out and understand all the storage locations, interfaces and flows of consumer information, before even applying some level of risk governance to ongoing change through projects and innovation.

Moreover, companies with this sort of complexity often end up with risk acceptance that is driven by available budget (rather than the board's risk appetite). A classic symptom is where old legacy platforms with identified critical security vulnerabilities remain in place long-term, without a documented decision (by a named executive) on risk acceptance or mitigation. By contrast, if this were leaking drums at a chemical plant, most people would find it unacceptable.

This problem, and the growing liability of holding consumer data, is ultimately going to challenge company strategies that seek to acquire consumer data without good 'plumbing'.

An era of simpler, better engineered data processes is ahead

A new era of higher cyber risks (and regulation) increases the minimum viable scale of most information products and processes, because the upfront and recurring costs of robust and effective cyber controls have to be covered. For consumer data propositions, simple, well engineered designs with minimised data holdings will generally matter more than flashy, feature-rich propositions that are messy and held together with sticky tape under the bonnet.

“Complexity is the worst enemy of security, and our systems are getting more complex all the time.” Bruce Schneier

This is likely to force a stronger link between corporate strategy and the underlying consumer information risks associated with a given business activity. Moving forward, companies will increasingly need to look at their portfolio, ask which propositions they really want to focus on, and then build robust information processes with effective cyber security controls. Areas of innovation will often need greater risk management to ensure that skunk-works, experiments and 'fail fast' projects don't 'play' with real customer data until the quality and security are there.

Questions for boards and leaders

Boards need to ask increasingly strategic questions around the benefit of consumer data activities versus the growing liability they create for stakeholders. Some key questions are:

  1. Do we have a sustainable inventory of all consumer (and employee) data, including its ownership, and a complete footprint of where it is collected, processed, used and passed to third parties?
  2. Have we defined the cyber ‘non-negotiables’ that apply to any situation involving consumer data?
  3. Do we have a sustainable process for risk management and assurance that helps us understand our risks and how these non-negotiables apply to our portfolio of systems, processes and suppliers, and any major risks?
  4. Do we have situations of implicit risk acceptance, where 'no decision' is being made around known risks and vulnerabilities to core systems involving consumer data? Does an executive sign off on material risk acceptances?
  5. For every consumer proposition, do the benefits outweigh the risks and the likely cost of mitigating known vulnerabilities?
  6. Should we simplify our business to reduce the risk? Are there any products or services we should exit because they introduce excessive information risk or control costs relative to the benefits?
  7. Are there examples where we're collecting unnecessary consumer information in the first place, or we're keeping it beyond justification?
  8. Do we have some form of Attack Surface Management to understand all of our external websites, APIs, customer portals and data collection points?
  9. Does a potential M&A business case include the costs of fully integrating the acquisition so we don’t build new technology debt and consumer data liability?
  10. Do we have strong and effective data governance, particularly around consumer data analytics and innovation? Do we have a realistic set of dummy test data which avoids experimentation on real customer data?

Peter Coroneos

Founder – Cybermindz.org • It’s time to defend our defenders with scalable, evidence based, easy-to-apply mental health interventions to prevent and address burnout.

1y

Nice analysis David. Imposing some form of CPS234 liability on a broader spread of boards now seems an inevitability. With mandatory breach reporting now 4 years in, we’re getting closer to where we need to be. Should we also give the CISO a direct voice on the board?

Shelley Langan-Newton

CEO @ SQR | Digital Forum Chair

1y

Very detailed article, with some very interesting key takeaways. Thanks David

Nick Savvides

Field CTO & Head Of Strategic Business, APAC at Forcepoint.

1y

David Owen how many of the non-negotiables are actually negotiable? Too many times these are set in theory but in practice they are actually very negotiable. There is something to be said about data half life as well. We should have better governance over the life cycle of the data.

Spencer Lai

Principal of Information Security and Risk at CITIC Pacific Mining

1y

Thanks Dave! A good challenge for organizations to revisit the need to collect and store personal data.
