The perils of taking cloud into regulated sectors: a CIO’s tale

Kenny MacIver, September 23, 2014
Ian Cohen, CIO of global insurance group JLT, explores why highly regulated industries still face major barriers to cloud adoption — and calls on suppliers to play a greater role in demolishing those.

There’s a torture scene in the 1970s classic movie Marathon Man that reminds Ian Cohen, CIO at global insurance group Jardine Lloyd Thomson (JLT), of the challenges of trying to embrace cloud services in a highly regulated industry.

In the gruesome sequence, Laurence Olivier, as a former Nazi concentration camp ‘dentist,’ probes and drills the bare cavities of a PhD student and fanatical runner, played by Dustin Hoffman, repeating a single question to his bound, innocent victim: “Is it safe?” Unable to comprehend the question, Hoffman’s character is subjected to repeated rounds of unanesthetized drilling. Eventually, he is in so much pain he blurts out, “Yes it’s safe, it’s absolutely safe,” even though he is completely unaware of the stolen Nazi diamond collection that the dentist is trying to retrieve without the scrutiny of the US authorities.

The ‘Is it safe?’ scene is one that often plays in Cohen’s head when he’s in cloud discussions with regulators, and it shows just how far the cloud has yet to go in some highly regulated industries. As Cohen outlines:

When an auditor comes to you and asks, ‘Where’s the data?’ you can point out they are actually asking the wrong question and carefully explain: ‘You see, we put it in the cloud; the cloud is this kind of virtual space; it’s not actually in our data center but at a supplier’s. The data doesn’t live in any one place: in fact it might be rapidly assembled and re-assembled at different points. But it enables all this great stuff for the business.’ And they come back with, ‘Where’s the data?’ And you expand again: ‘It really is not the question, because not only does cloud deliver greater flexibility but by having data in a number of different places we get resilience and disaster recovery.’ And they say, ‘This is all very interesting, but where’s the data?’

Eventually, you tell them what they want to hear, says Cohen.

From actuarial to actual

Like many other companies in rapidly digitizing industries, London-based JLT, which had revenues of £979 million ($1.6bn) in 2013, is going through fundamental change — and the cloud model is seen as critical to supporting that. The change not only applies to the way JLT engages with its clients and its insurance industry partners, but to the way it manages and makes use of data. As Cohen explains:

The speed at which data can now be analyzed is fundamentally changing the way the insurance industry operates. Our world used to be actuarial — we used to have teams of actuaries whose job it was to dig deep [into probability] and ultimately end up with a view on risk. That has changed: Our world has moved from actuarial to actual. The data is now real-time, available and ready to be manipulated immediately. And that fundamentally changes how we approach information.

And companies who find themselves in that position are running up against major obstacles. They would like to be agile and responsive with their data, says Cohen. They would like to be able to rapidly assemble it and reassemble it, to be able to store their client data in the most suitable place and to move it geographically without restrictions. But in exploring the cloud options that would enable that, they are constantly being dragged back to the base question of data residency.

And it’s a question that’s asked in multiple accents and languages, as Cohen highlights.

If you’re in Australia and you’re managing government data, they will demand to know the nature of your CRM service and where its data is based. [JLT uses which has Asia-Pacific data centers in Japan and Singapore.] In Asia, seven of the 11 countries in which we operate will not allow us to take customer data beyond their borders. In Germany, nobody will let you even touch cloud services [involving customer data] if the data has anything vaguely to do with being domiciled in the US.

As he points out, the world is becoming much more open in terms of the opportunities to work with vast volumes of data and on-demand services, yet at the same time it is becoming an incredibly closed place in terms of cross-border regulation and privacy laws that thwart the technology and business opportunity.

But regulators’ concerns are not just about data residency. Another big question that they want to ask, says Cohen, is ‘Why did you collect so much data?’

Regulators come to you and ask about something called ‘big data’ because they read about it in some in-flight magazine. We are a regulated business in a regulated industry, but the people who regulate us do not understand our vocabulary.

Shifting the burden

There is no obvious solution, but Cohen wants to turn at least some of that big challenge over to his colleagues on the supply side. He feels suppliers need to play a much greater role in demolishing barriers to cloud.

Let’s say I want to buy services executed by a third-party who does something that I am not particularly good at. But if a regulator comes to me and says, ‘How do you manage your client’s data,’ it’s no good me saying, ‘I don’t know, I give it to IBM.’ That would be a relatively short conversation. So if you can’t outsource, what you can do is use your leverage with the vendor community to influence it.

He feels vendors should be taking it on themselves to educate both customers and regulators on the realities of global cloud services. And part of that is dialing down the hype surrounding cloud and big data.

It would be really helpful if the supplier community were actually telling us more about how we can manage information, how we can handle the residency of information, how we can move data around to make it useful in regions with tough data regimes, as opposed to some of the marketing hype around big data and talk of serendipitous analysis of Facebook or Twitter which actually doesn’t derive much dollar value in my book.

And that involves suppliers building a much closer working relationship with regulators and compliance authorities, teaching them about the techniques, the tools and the capabilities of cloud. It would be great if some key suppliers were recognized as trusted agents in global data management, for instance, he says, and if there was a recognized certification of cloud services that made suppliers more culpable and therefore more acceptable agents to regulators.

That needs to happen soon, given the pressures on companies like JLT. As Cohen says:

There are things that we have to do in order to meet the demands and requirements of our clients but there are things that we are execrably challenged about when working in a regulated industry. With so many suppliers, making so many promises, it feels a bit like the Wild West — with too many snake oil salesmen and the challenge of finding genuine trusted partners for the journey.
