Why to Customize Employee Healthcare Plans

Custom health plans allow employers to competitively shop the vendors inside their health plan, such as their pharmacy benefit manager, claims manager and reinsurer.

Employer-sponsored healthcare remains one of the most sought-after employee benefits across America. Unfortunately, rising premiums have made it difficult for many plan participants to continue coverage. According to Willis Towers Watson, employers can expect health coverage costs to jump at least 5% to 9% over the next year. Randa Deaton of Purchaser Business Group on Health predicts a 10% to 12% increase.

Why does this larger-than-usual jump matter? According to Axios, this latest ballooning cost is expected to be passed down to nearly half of Americans who currently receive coverage through their employer. Rising costs of employer-sponsored healthcare premiums have forced many companies to reduce benefits, lower contributions or eliminate health plans altogether. 

Much uncertainty remains concerning how much more and for how long premiums will rise. In the meantime, it is important for employers to understand the severity of these increases and what they can do to reduce costs while maintaining quality benefits.

Rising Premiums - Why?

According to Mercer’s 2021 National Survey of Employer-Sponsored Health Plans, the average per-employee cost of employer-sponsored health insurance increased 6.3% in 2021. 

Many employers have chosen to pass on these costs to their workers, resulting in a high degree of scrutiny. Employers struggle to maintain an affordable healthcare plan that is accessible to everyone while facing rising cost pressures. Finding a solution to these rising costs is critical to retaining talent, reducing turnover and maintaining morale. 

Healthcare costs in the U.S. have risen dramatically over the past several decades. In fact, a study by the Kaiser Family Foundation (KFF) and the Peterson Center on Healthcare found that, when adjusted for inflation, healthcare spending increased nearly $1 trillion from 2009 to 2019. The study showed that healthcare spending in 2019 was nearly $3.8 trillion, or approximately $11,582 per person. These costs are expected to reach $6.2 trillion, or around $18,000 per person, by 2028.

What exactly is causing this rapid rise in employer-sponsored healthcare costs? A combination of factors is at play. Inflation is a leading cause. Health spending and medical care costs typically outpace growth in the rest of the economy. Moreover, healthcare expenses represent a large share of gross domestic product, and many families are feeling the pressure as the cost of health services and premiums start to grow at a rate that surpasses their wages.

Increased provider expenses may also be to blame. Currently, hospitals and healthcare providers are well-positioned to demand higher prices. A recent report by the Center for Studying Health System Change found partnerships and mergers between insurers and medical providers to be one of the most prominent trends in the country’s healthcare system. Lower individual market competition has put insurers and providers in a position where, without opposition, they can drive up healthcare service prices. 

The COVID-19 pandemic has also played a critical role in rising premiums. Throughout much of 2020 and into 2021, many states were shut down to prevent the spread of the coronavirus, preventing many individuals from receiving the care they would normally receive otherwise. Now that the country is open again, consumers’ use of healthcare services continues to rise as more people schedule the care that they deferred during the pandemic. 

Customized Healthcare Plan Solutions

As healthcare premiums continue to rise, many employers are left unsure of how to keep coverage expenses manageable. Most businesses do their best to avoid passing on increased costs to employees but may feel compelled to cut back on benefits or reduce contributions to make up for rising premiums. Many employers are turning to customized healthcare solutions to maintain quality benefits for their workforce while finding opportunities to increase insurance premium savings. 

Custom health plans allow employers to competitively shop the vendors inside their health plan, such as their pharmacy benefit manager, claims manager and reinsurer. This results in cost savings compared with typical off-the-shelf health plans from insurance carriers while maintaining the same quality of coverage.

As an example, prescription spending accounts for 27% of a plan’s overall claims on average, according to Milliman. Bringing in a more efficient pharmacy benefit manager often results in a 50% reduction in overall Rx spending without restricting access to pharmacies or prescriptions for members. These savings are substantial for businesses looking for ways to reduce healthcare costs and improve benefits.

Another major benefit of custom plans is that they can be built onto all the major national networks: Blues, United, Cigna, Aetna and Humana. As a result, employees and their dependents do not sacrifice access to doctors or facilities. With flat monthly premiums, these plans also have the same cash-flow predictability as off-the-shelf retail health plans.

By enrolling in a customized healthcare solution, businesses can gain more control over the selection of their healthcare plan and can choose a policy that better fits their employees’ unique needs. Customized healthcare plan designs can also result in significant savings for employers without the need to reduce employee benefits or employer contributions. This type of solution can be a win-win for both employers and employees in the long term.


Eric Calciano

Eric Calciano is a partner at New City Insurance.

He specializes in building custom health plans to reduce costs for employers while improving benefits for employees and their families.

The Soaring Cost of Insurance Fraud

Fraud exceeds $300 billion a year in the U.S., nearly four times the previous official estimate, in 1995, partly because the internet allows new forms of cheating. 

While we all know that insurance fraud is a massive problem, we now know just how massive: more than $300 billion-a-year massive, just in the U.S.

That figure comes from the Coalition Against Insurance Fraud, whose estimate would mean that fraud costs each person in the U.S. some $930 a year and the average family some $3,750. The estimate is nearly four times as high as the group's previous estimate, in 1995, of $80 billion of fraud a year in the U.S. -- largely because of inflation and because the coalition looked at more types of fraud this time around, but also because the internet has allowed for new forms of cheating. 

“We updated our study because regulators of insurance need to know this information, as do legislators in Washington, DC, and in our state capitals all across America,” said Matthew Smith, the coalition’s executive director. He said the goal is to put a target on fraud, so that, the next time the group produces an estimate, the number will have fallen. “There’s no reason it shouldn’t,” he said. 

Life insurance registered the most fraud, at roughly $75 billion a year. Next was Medicare/Medicaid, at nearly $70 billion, followed by property/casualty ($45 billion) and healthcare and workers' comp (about $34 billion each). The report says that roughly $25 billion of the workers' comp fraud occurs via false claims, while some $9 billion is because of falsification that leads to underpayment of premiums. Auto theft -- which was not included in P&C -- totaled $7.4 billion a year. 

The coalition singled out the internet as a significant enabler of fraud since it last did a comprehensive estimate of industrywide fraud. 

“In 1995, that little thing we call the internet was only about four years old,” Smith said. “We all know the internet has revolutionized every aspect of life, but it also opened new areas and avenues for insurance fraud.”

The internet, and a host of related technology advances, should also, in my view, make it easier to spot fraud. We've all seen how people making fraudulent claims against workers' comp have been caught through posts on social media showing them playing golf, skiing or doing something else that shouldn't have been possible, given the extent of their "injury." Big data and the ability to analyze it have made it easier to spot doctors generating such high volumes of "treatments" that they likely are in league with fraudsters. Sensors in cars will increasingly tell us what happened in an accident -- and what didn't happen. And so on.

Fraud will always be a cat-and-mouse game. Yes, the bad guys have gained an advantage because the internet has expanded their reach. But technological advances, including the internet, give the good guys a lot of new tools, too -- if we use them.

Here's hoping the next report by the coalition does, in fact, show that the good guys have managed to fight back powerfully.

Cheers,

Paul

P.S. I'm drawing my numbers for the report from two news articles, here and here. I'd obviously use the report itself, but as of Monday evening, as I write this, the page on the coalition website where the report is supposed to be returns an error message when I click on it. Here is the link to that page, on the assumption that the coalition will soon fix the error.  

Is Blockchain Still on Track?

With B3i declaring bankruptcy, will blockchain/DLT (distributed ledger technologies) ever reach the point of disrupting the industry for the better?

Setting aside the details of the B3i bankruptcy, why is uptake in the industry so slow, and is there a real return on investment for many of the current blockchain/DLT industry initiatives?

The short answer is that there are many impediments that need to be resolved for a faster uptake. While it is disconcerting to see a leading innovator, B3i, leave the arena, the killer applications of blockchain/DLT are still evolving and need a push from advances in the technology, broader education on the benefits of a business network-based solution to the industry's inefficiencies, concrete business cases with measurable near-term ROI and executive-level support. The one application where the industry could see immediate benefit is an area where the industry may be too conservative to get into: cryptocurrencies.

The Impediments to Adoption

The impediments to adoption can be broadly classified as business and technical. Many of these impediments are being addressed.

Business Impediments

  • Collaboration as opposed to competition

Blockchain/DLT is effective when entities come together and form a business network. Forming a business network requires insurance entities to collaborate with a competitor. While the notion is that this will be for the betterment of the overall industry, for any business capability it is not easily accepted, especially when many businesses are doing relatively well despite all the inefficiencies. The push to collaborate will materialize only when insurtechs truly start disrupting the business processes of the industry. Also missing in the industrywide discussions is that insurance entities can still compete on their own terms while collaborating with their competition. The technology to enable this concept exists.

  • Regulatory framework

Regulators are reviewing blockchain/DLT technologies. Many of them attend conferences that have specific tracks on this topic. However, there is a need for a comprehensive, industrywide framework that is fine-grained enough to the level of a sector and business capability.

  • Compliance with regulations

While the regulatory framework is a work in progress, it is not clear if the compliance posture is satisfactory to regulators as business networks between insurance entities come into existence.

  • Operational risk

The operational risk introduced by new technologies, especially solutions that are distributed across multiple entities of a business network, may be too opaque for insurance entities to jump in headlong.

  • Legal

The legal aspects of some of the features of blockchain/DLT technologies are still being addressed. For example, smart contracts are considered legal contracts in some countries, where they are enforceable. However, there is no clarity on the legality of these in many other countries, so it is not easy to implement these in some cross-border transactions. Even in a jurisdiction that recognizes smart contracts as legal contracts, there is not enough critical mass of use yet for legal aspects to be clarified and precedents established.

  • Insurance for use of blockchain/DLT

There have been many well-publicized, high-profile hacks of smart contracts in production in the public blockchain/DLT arena. While the context of enterprise use is mostly around private and permissioned blockchain/DLT implementations, the issue of hacking smart contracts is still something to be cognizant of, as the business network spans multiple entities and their varied security implementations. Hence there is a need for insurance that covers the risk of using smart contracts. This is an area that is still evolving and needs to mature for entities to be comfortable using blockchain/DLT technologies.

  • Cultural 

The cultural acceptance of blockchain/DLT technologies and the concomitant implications for an insurance entity is one of the most important impediments for adoption. This barrier to adoption can be bridged with appropriate executive support. But, for this to happen, the real ROI and the benefits of a business network capability must be articulated well. Effective tools for quantitative measures of these benefits are yet to be developed.

  • Business network operating model

Who creates the business network, and who runs and governs it? Should I join an effort that my competitor started? Or can I start my own network for some business capabilities and expect my competition to join, provided I am willing to join the networks they initiate? The answers to these questions are critical for increased uptake in the adoption of blockchain/DLT in insurance. There are some initiatives that industry membership groups have started, but how many can an insurance entity join? Is joining many networks, depending on business capability, scalable from an IT and operations perspective? The answer could be for an entity to create and be part of one network and let technical capabilities around interoperability help the entity participate seamlessly in many other business networks. This capability is still not mature.

  • Public vs private blockchains

This is a topic that needs further discussion in the industry. In the early stages of discussion around the enterprise use of Bitcoin and Ethereum public networks, it became clear that private and permissioned blockchain/DLT technology is the only option for enterprise use cases. This is because of limitations of public networks regarding performance, speed and privacy. Public networks have started addressing these issues, but the extent to which the industry will accept the use of public networks for insurance transactions is up for discussion.

Technical impediments

  • Interoperability

The technical solution for blockchain/DLT transactions to seamlessly transcend the different underlying technology implementations is critical to the increased adoption in the insurance industry. The good news is that these technologies are maturing and that there is increased impetus behind making transactions interoperable between networks for multiple industries.

  • Performance

In the recent past, as private and permissioned blockchain/DLT technologies were increasingly being evaluated for enterprise use cases, slow performance caused many implementers to pause their efforts. While many of the early platforms have fixed and improved their performance measures, some of the newer platforms still have technical limitations. Also, because there is an increasing focus on the use of public blockchain networks like Ethereum for enterprise use cases, the recent initiative to move Ethereum from a proof-of-work consensus mechanism to proof-of-stake should alleviate performance concerns about this well-known public network.

  • Scalability

Scalability of private and permissioned blockchain/DLT networks to a large number of participants and their operational base is an issue that is still being ironed out. However, public networks are better suited, and, with Ethereum changing to proof-of-stake very soon, this problem may be alleviated for some enterprise use cases that can be deployed on such public networks.

  • Security and privacy

Blockchain/DLT networks span multiple enterprise boundaries. While the underlying technology is meant to allow secure transactions between inherently untrusted parties, the crossing of enterprise boundaries brings into focus the security posture of the weakest entity in the network. If entities in the network follow guidelines and implement continuous monitoring of adherence to these guidelines, the network could be considered secure. 

Privacy of data and insurance transactions in blockchain/DLT networks could be a concern in two scenarios. In the private business network scenario, insurance entities may deem certain data and transactions to be private and keep them away from the competition. Technology for private data and transactions does exist and is maturing. The other scenario is that of transactions on public networks. Technology for increased privacy of the data is evolving, and a clear strategy by an insurance entity to limit public network transactions to those that its privacy policies allow will go a long way toward acceptance of such networks.

  • Governance

The technology for neutral governance of the business network based on blockchain/DLT technologies is maturing. There is increasing need for discussion around a more decentralized way to govern such networks. The rapidly developing technology around DAOs (decentralized autonomous organizations) may be of help. Tools for such a solution need to be developed.

Crypto use cases for the industry

While the industry discussion is focused on use cases that improve the efficiency of insurance transactions across the value chain, there are two applications of blockchain/DLT that the insurance industry should take a deep dive into.

  • The case for an internal coin/token

There is a lot of development and maturity in the realm of coins/tokens. How are these applicable for an insurance entity? One way to test these out is to create an internal coin. Such a coin could be for inter-entity transfer of value. This is especially useful for multi-country insurance entities that transact in inter-entity, multi-national currencies. There is a clear business case and ROI in such a scenario as currency exchanges could be minimized to avoid fees paid to banks.

  • The investment scenario

Insurance entities should also consider investing premium dollars in crypto assets. While these are risky investments, insurance entities invest in risky assets today. Investing in crypto assets can help the insurance entity learn and accept blockchain/DLT technology.

Conclusion

True disruption of the insurance industry by blockchain/DLT technology will take a long time. Resolution of many of the impediments and cultural acceptance via increased use of crypto assets will slowly improve adoption. Upstart and smaller insurtechs cannot make an immediate impact on the adoption of blockchain/DLT technologies, as it is a team sport and will require a large number of insurance entities willing to participate beyond proofs of concept and pilots and to enable production implementations of business capabilities.


Chak Kolli

Chak Kolli is the global chief technology officer for insurance at DXC Technology.

Kolli is responsible for DXC’s global insurance software product and services strategy and vision. He is also responsible for working with DXC’s insurance software clients as they use new and emerging technologies to transform their business. 

Prior to DXC Technology, Kolli led large global initiatives as a senior leader at TCS and AIG.

He has a Ph.D. in computer science from George Washington University.

How Low-Code Can Benefit Life Insurers

Off-the-shelf technology packages rarely produce exactly what an organization needs; with low-code, they can configure solutions to their unique needs.

Improving customer experience is the greatest challenge facing the life insurance industry. Social media, the pandemic, technological innovations and e-commerce giants have pushed what it means to deliver fast and customized services that match consumer needs. Life insurers are working to meet these expectations and compete with new market entrants, but legacy technologies create barriers to innovation—including system incompatibilities that slow time-to-market. 

To address these issues, many life insurance companies are implementing low-code applications.

Low-code is an approach to software development that allows any employee to put together software applications to fulfill business needs. It requires a minimal amount of coding knowledge, which makes it easier for non-IT staff to solve business issues and create better experiences.

Key reasons life insurers are embracing the low-code approach

  1. They don’t have to rely on the vendor for changes

Low-code enables an insurer to configure the solution rapidly to bring products to market without the vendor having to change the underlying source code. This approach requires fewer resources, while increasing flexibility and responsiveness to changing conditions because new apps can be brought to market faster. 

  2. Many pre-packaged, static applications from outside vendors can’t be customized to meet organizational needs

Life insurers often rely on third-party vendors to address issues, given the limited bandwidth of internal IT departments. While these vendors might have a solution, they don’t always have one that solves the business problem in the exact way the company requires.

This issue is particularly acute in the insurance industry, because most companies have a host of specific business processes that are unique to their organization. Generic vendor solutions are also often difficult to configure or customize in response to changing business requirements. Low-code applications give a life insurer greater flexibility and make them more responsive to changing regulations, market conditions or competitive pressures. 

  3. Low-code enables life insurers to more easily implement improvements to core systems after initial procurement

It is no secret that the insurance industry is hampered by a proliferation of tedious and repetitive manual processes carried out on idiosyncratic, company-specific systems. This makes insurers a rich source of low-code use cases. 

For example, no two insurers record and store information in the same way. Often, generalized vendor solutions need to create patches or workarounds in order for business processes to work. These types of jury-rigged solutions introduce the risk that data needed for important functions like underwriting decisions or audits could be lost. With a low-code platform, life insurers can easily customize, collect and store crucial information in the correct format without risk.

Wrap-up

Off-the-shelf technology packages rarely produce exactly what an organization needs; with low-code, businesses can more easily configure solutions to their unique needs. Low-code extends the life of core IT technology by enabling easier modification of components to enhance user experience and streamline processes. 


Olivier Lafontaine

Olivier Lafontaine is the chief product officer at Equisoft.

He has worked in virtually every role in the insurance technology industry, from software developer to product owner, to implementation consultant or program manager. He has experience developing commercial front-end and core insurance software and a proven track record consulting and managing large transformation projects for insurance companies.

Key Innovations for Agricultural Insurance

Insurers can lower operational costs, improve underwriting performance, offer appropriate insurance quotes and more effectively track the facts on the ground.

The daily work of the world's farmers -- from a smallholder's one or two acres/hectares to major agribusinesses -- sustains us all. However, they face myriad challenges, not the least of which is access to agricultural insurance, due to constraints placed on insurance products and the complexity of assessing agricultural risks. Now, thanks to technological innovations, including better methods of crop data collection and agricultural intelligence (AgI) analyses, insurance companies can lower operational costs, improve underwriting performance, offer appropriate insurance quotes and more effectively track the facts on the ground.

Here are just a few ways digitization and other technologies can boost agricultural insurance:

Upgrade data collection

Digital, on-field data collection - with data points including time, location and user stamps - provides insights for effective underwriting and claims management while reducing operational costs.

Technology minimizes human errors and allows complex output, such as damage calculations based on the estimated value of the crops when a damaging event occurs, to be automated and flow seamlessly from the field to the decision-makers' desks, in real time.

These real-time insights improve the efficiency of insurance operations, while creating a structured database of on-field events, making it easier to spot patterns or irregularities that could focus in-person field inspections later.

Streamline quotation

Forget multiple forms and interminable waiting. Digitization at the point of sale smooths the application and quotation process and enhances user buy-in. AgI can be used to create risk models including more accurate quotations in the fields. This can lower premium costs as automation slashes administrative and operational expenses.

Facilitate underwriting

Digitized field data makes it easier to analyze multiple geospatial data sets. Factor in altitude, soil type, climate history, claims history, etc., for a more complete picture of risk patterns. Moreover, the data sets can be used to determine individual risk -- by examining, for example, specific farms and comparing them with equivalent farms in the same region cultivating the same crops. Is one farm employing a different farming method that results in better harvests than the other farm? What are the other variables? These insights can help insurers select "good" risks, the key to achieving a profitable business line.

Optimize monitoring and claims management

By tracking real-time data from remote sources, such as vegetation indices from satellite and weather stations, insurers get the critical insights they need to determine immediate and longer-term risk and know where to concentrate their resources. A remote field inspection based on the comparison of data from several insured farms may reveal that one is having issues others aren't experiencing. The insurer can then send someone for an in-person inspection to identify the key variables, whether it's a pest infestation, improper irrigation practices or any impediments to the farmer's success. Answers to these questions and more form the data that will prevent losses for all parties.

Enable farmer education

The farming community's lack of understanding of the nitty-gritty of agricultural insurance is one reason for its inability to access the benefits. For example, parametric insurance, in which payouts to the insured are based on outward or visible guidelines (e.g., level of rainfall) instead of measured and verified damages, may be a hard-to-digest concept for some farmers. Technology can go far in providing insurance education. Imagine a tool that can mimic payout situations to help farmers understand how to apply the parametric insurance concept to their real lives. This will be necessary to win over farmers and increase agricultural insurance's market penetration.

A focus on innovation at the farm and insurance levels can bring significant changes to the state of global agriculture, adding levels of stability to farming that were previously impossible. The more stable the agricultural environment, the easier it will be to maintain stronger supply chains focused on ensuring the world's growing population has enough to eat during these times of extreme climate change.


Arsira Thumaprudti

Arsira Thumaprudti is the head of business development at Agritask, focusing on applying precision agriculture technologies in the smallholder context. She leads Agritask's business expansion in the public sector across the globe, including governments, multilateral organizations, and NGOs, with keen interest in value chain development and sustainability promotion. 

Thumaprudti has nearly 12 years of experience in finance, strategy and governance, having worked with investment management and advisory services in London and Bangkok. 

She has an MBA from the Wharton School at the University of Pennsylvania and a BA in economics from Harvard University.

Is Cyber Insurance on Brink of Collapse?

An industry that is too important to fail suffered claims of almost $7 billion in 2021 and now looks to take the lead in reducing client risk.

The cyber insurance industry, battered by a seemingly unending onslaught of claims, is reaching a breaking point. According to the FBI’s latest Internet Crime Report, cyber-related complaints have increased by more than 180% over the last five years, resulting in $18.7 billion in losses. Last year, some carriers ended up paying out more in claims than they received from premiums. As a result, the industry is now demanding that customers reduce their exposure or face steep price increases or quite possibly cancellations. 

To shore up the industry, some insurance providers are taking a more hands-on approach to reducing their clients’ risk. At the forefront is an attempt to mitigate human error, the crux of the problem. According to a 2021 Data Breach Investigations Report from Verizon, accidental clicks or other mistakes make up 85% of successful hacks. This has led insurers to search for cybersecurity training programs that have been independently verified to actually change human behavior.

No longer optional 

Survival of the cyber insurance industry is paramount. According to the National Cyber Security Alliance, 60% of small to medium-sized businesses (SMBs) fold within six months of a cyberattack. Yet, while SMBs cannot afford to go without cyber insurance, many soon won’t be able to afford the insurance itself.

Business owners and CEOs are feeling the seriousness of the situation when their renewal letters arrive. Premiums – which increased by as much as 300% in 2021, according to a report by Risk Placement Services – are expected to escalate at an even more dramatic pace. At the same time, insurers are adding exclusions and limiting coverage, and some are even exiting the market.   

“For some underwriters, the risk in offering cybersecurity coverage is simply too great at this point,” said Mark Weir, who has spent over 30 years in the insurance industry and is now managing director of LCM Solutions, a Canadian consulting firm. “In spite of the fact that taking risks is their business, insurance is an industry that doesn’t like uncertainty.” 

In the early days of cyber insurance, the one thing guaranteed was hefty profits. Insurance companies were eager to get into the market because demand was high and the perceived risk was low. 

“Initially, companies were offering cyber insurance thinking they would never actually have a claim,” explains Jeremy Harris, CEO of Mindshare IT, a managed service provider offering both IT and cybersecurity services. “Now they find themselves in a sticky situation and are looking for solutions.” 

In the past, almost all incidents were covered regardless of fault. Today, if a company fails to properly train employees or demonstrates poor security hygiene and gets hacked, its claim may be denied, and future access to coverage could be in jeopardy.

Dramatic rise in attacks

The cyber insurance industry may have become a victim of its own success. As insurers began to offer more coverage, businesses may not have felt the need to be as vigilant in their defenses. Often, they would quickly pay ransomware, assuming they would be reimbursed. As a result, cybercriminals had incentives to target companies with cyber insurance policies in place.

Now, with escalating attacks and shrinking coverage, insurers are trying to motivate companies to be more vigorous in reducing risk, including by pushing for more stringent employee education on cybersecurity issues.

Many experts feel training is crucial to slow successful phishing breaches, which account for an overwhelming majority of attacks. Phishing, along with vishing (over the phone), smishing (via text) and pharming (visiting fraudulent websites), often leads to the deployment of malicious software, such as ransomware. 

A growing number of new regulations now require a number of industries to add education to their security programs, but some top executives question whether these generic training programs work as advertised.   

“Our view is training that does not impact risky behaviors is a waste of time and money for our clients,” says Kirsten Bay, CEO of Cysurance, which writes policies to protect against privacy breaches, identity theft, system damage and other cybercrimes.

Bay says Cysurance was looking for a training platform that took into account how different personality types perceive and respond to risks, such as an email with a link or attachment. The platform would then target those specific people with consistent, continuing training materials that would evoke a change in actions.  

“For us, the goal is to find proven ways to detect and prevent harm, which then lowers the risk of both a security event for our clients and also a future claim,” Bay explains. 

“I think what you're seeing with the better security training companies out there is that they really focus on the individual’s personality and train them accordingly,” Harris says. “Those that have metrics proving a reduction in potential breaches are rising to the top.”

Personalized behavioral training

Some personalized training programs have demonstrated they greatly reduce the rate of phishing failures. For example, at cyberconIQ, we have found we can cut failures from a national average rate of 15% to 18%, to less than 2% after just 30 days. We use a 40-question assessment, akin to a Myers-Briggs personality test, to assess the susceptibility of each employee. Then, we use machine learning to develop a customized approach for each, to correct key motivating factors that drive underlying online behavior and measurably lower their vulnerability to fraud.  

“What we look for is to develop a ‘culture of compliance,’” Weir remarked. “However, what helps one person may not be helpful to another. So, this idea of first evaluating the psychology of the individual and then educating that person based on their natural propensity is a game-changer. I think it is going to be what keeps the cyber insurance industry afloat.”

By partnering with a cyber training company that provides verified proof of reducing claims, insurance companies can greatly minimize their risks and therefore reduce the costs of their coverages. 

“I give a lot of credit to those insurance companies who are smart enough to realize they have to help their clients mitigate risk,” Harris concludes. “It’s for the good of these small companies as well as the overall health of the cyber insurance industry.”


James Norrie

Dr. James Norrie is the founder and CEO of cyberconIQ.

Norrie has more than 30 years of experience in business management, psychology and the cybersecurity industry.

He was the founding dean of the Graham School of Business at York College of Pennsylvania and is currently a tenured faculty member at the school.

Regulatory Interest in Big Data

California warns that it is watching and that "bias and discrimination in any form will be investigated and will not be tolerated."

The California insurance commissioner and the California Department of Insurance (CDI) issued a bulletin regarding industry bias and discrimination. The bulletin acknowledged allegations of bias and discrimination in the industry and gave notice to insurance players that the CDI is watching and that "bias and discrimination in any form will be investigated and will not be tolerated."

The bulletin is addressed to "All Admitted and Non-Admitted Insurance Companies, Licensees and Other Interested Parties" - clearly intending to cause awareness and attention beyond the carrier ecosystem.

So, what does this mean? California has been a leader in following Europe regarding consumer protection laws. The state previously followed the E.U.'s lead when it came to GDPR and implemented the California Consumer Protection Act (CCPA). Recent news from California indicates a similar pattern when it comes to AI regulation; the largest state in the U.S. - and the sixth-largest economy in the world - is likely on a faster path to follow the lead of recent regulations in the E.U.

For example, the CDI bulletin follows recent developments regarding the regulation of AI in recruiting and hiring practices in California.

There are already laws in place that can be enforced when it comes to the misuse of AI, especially in cases of bias and discrimination. The bulletin cites these as "laws prohibiting discrimination with regard to insurance ratemaking, laws prohibiting discrimination in claims handling practices, laws prohibiting discrimination when accepting insurance applications and laws prohibiting discrimination when canceling or nonrenewing insurance policies."

This latest bulletin comes amid a growing area of concern and topic of discussion in the U.S. and around the world: responsible and ethical AI practices. One key challenge for the insurance industry, along with other sectors, is missing (currently protected) data. Legally, insurers can't collect certain protected data, such as race. Without this data, how can companies institute corrective measures against bias and discrimination?

Another trend is that, while the adoption of AI technology continues to expand, governance best practices have been lagging.

The CDI bulletin addresses that issue directly by stating, "The department reserves the right to audit and examine all insurer business practices including an insurer's marketing, rating, claim and underwriting criteria, programs, algorithms and models."

The wording around "business practices" signals an expectation that industry players enact life cycle governance and risk management controls. Companies without strong policies and documentation will find themselves in a very awkward position should CDI choose to exercise this right.

There have been additional developments in AI regulations, as well. Movement in AI-related regulation has been growing significantly and consistently for the past couple of years. We can expect there will be more pressure to come from governing bodies in relation to AI technology use in business as well as its impact on society as a whole.

While the California letter takes a very concerned tone regarding big data, algorithms and AI, there is still immense potential for these technologies to improve our everyday lives. The potential to provide better pricing, new products, improved customer experiences and more availability and competition stand out for the insurance business, in particular. The challenge is how to implement this innovation responsibly and ethically.

Insurance is built on decades of historical data, so we should expect and plan for that data to reflect societal inequities and injustices. If we want to disrupt insurance with innovative data and technologies, we need our leading corporations and executives to "own the history" and create more robust governance, reviews and policies across their advanced technologies. We need insurers and their partners to go beyond good intentions to build a better future.


Anthony Habayeb

Anthony Habayeb is founding CEO of Monitaur, an AI governance software company that serves highly regulated enterprises like flagship customer Progressive Insurance.

September ITL Focus: AI and ML

ITL FOCUS is a monthly initiative featuring topics related to innovation in risk management and insurance.

This month, we're focusing on Artificial Intelligence & Machine Learning

 


From the Editor: The Boundless Future for AI

When I think of the potential for artificial intelligence, I hark back to my days at the Wall Street Journal, taking notes in my home-brewed shorthand in one of those long, skinny notebooks you may have seen reporters carrying around in their suitcoat pockets. I still break out in a sweat when I recall interviewing the president of Mexico in the mid-'90s, in Spanish. I only knew how to take notes in English, so I had to translate on the fly, while still thinking about my line of questioning—and concentrating furiously so I would quote him so accurately that I wouldn't cause an international incident. 
While AI would have been zero help back then, today it's remarkable. I just record an interview on my phone, and AI transcribes the conversation in real time with remarkable accuracy. That's true even when I'm talking to someone with a heavy, non-American accent.
Even if I somehow resurrected my long-lost Spanish or French and conducted an interview in a foreign language today, the AI would transcribe it, and I could have Google Translate produce an English version in no time. Sure, there'd be issues to iron out, but that always happens in an interview anyway, and the AI links the text to the relevant spot in the recording, so I can easily decide for myself what was said.
No sweat required.
So, if you want to think about where AI can go from here, you can look back 25-plus years and see that the difference between then and now is, well, like magic, and then start to think about 10, 15 or 25 years from now.
Cheers, Paul

 
"When you ask for several years of claims data so you can train the AI, you find you're dealing with all kinds of messy issues. Unfortunately, nobody with decision authority thought about the kind of data you’d need in the future for AI...and it may be a while before they do."
Tom Warden, CLARA Analytics
 

Role of NLP in Claims Management

Natural language processing can transform a burdensome process, freeing claims professionals to apply their expertise where it makes the biggest difference.

Elon Musk Is Wrong About Artificial Intelligence

In painting a rosy and likely unrealistic picture of what AI can and can't do, Elon Musk has, in our view, misled the public about how far we still have to go.

'Intelligent Decision-Making' Is the Future

An increase in digitization, the rise of AI and better value-tracking methodologies have paved the way for more advanced technology like "intelligent decision-making."

The Risks of AI and Machine Learning

If the proper guardrails and governance are not put into place early, insurers could face legal, regulatory, reputational, operational and strategic consequences down the road.

How AI Can Solve Prior Authorization

Physicians spend nearly two full business days per week on prior authorization requests as part of an antiquated, manual process.

The Way to Address Climate Change

Climate change is one of the most pressing issues in the insurance industry today, but forward-thinking insurers have found the way to combat it: AI.

 
 


Insurance Thought Leadership

Insurance Thought Leadership (ITL) delivers engaging, informative articles from our global network of thought leaders and decision makers. Their insights are transforming the insurance and risk management marketplace through knowledge sharing, big ideas on a wide variety of topics, and lessons learned through real-life applications of innovative technology.

We also connect our network of authors and readers in ways that help them uncover opportunities and that lead to innovation and strategic advantage.

My Change Management Maturity Model

When I recently needed a change management maturity model, I discovered that there isn't much out there, so I came up with my own. 

Early in the year, I was working on an assignment and needed a change management maturity model. I was surprised that, with the exception of one from Prosci and another from the Change Management Institute (CMI) (slide 9 of the presentation here), there didn’t seem to be much out there.

Neither of the big-name versions quite hit the spot for me. For me, the Prosci version has some good content in the accompanying article, but not so much in the model itself. And I personally don’t find the CMI’s three dimensions of Driving, Receiving and Implementing very helpful for telling me how to improve an organization’s change management capabilities.

It was a short assignment, and time was pressing, so I made do with what I had. But for the past few months I’ve been waiting for a chance to have a go myself. And now that chance has come.

Here, then, is my own change management maturity model:

Change management maturity model.

As a dyed-in-the-wool management consultant, I couldn’t help but start with the three old stalwarts of People, Process and Technology. Though for change management, I felt that useful Tools and Templates, in whatever formats, should be the focus rather than technology in the IT sense. That’s not to say that technology is ignored – it just comes in at an advanced level of Tools and Templates maturity.

Process and People are, as you would expect, covering the “how” of change management and the extent to which people have the skills and expertise to drive it.

However, I did feel it important that the Process dimension reflect both:

  • The importance of having proper project management in place before trying to add change management; and
  • The need to support non-waterfall delivery approaches such as agile, and to be able to accommodate those from a change management perspective.

At this point, I shared my thinking with my friend Katherine Rozakis of Toptal, and she persuaded me that:

  • Where People, Process and Technology are found, Strategy and Governance are likely to be needed, too; and
  • Communication and Engagement are such critical components of change management that they demand a dimension of their own.

So I added those as my fourth and fifth dimensions.

From my many years seeing the change management aspects of projects and programs being de-scoped, de-funded or just downright ignored, I also believe that an organization’s Culture, specifically in relation to its understanding and acceptance of the need for professional change management, is often the critical missing piece. So I made Culture my sixth, and final, dimension.


Alan Walker

Alan Walker is an international thought leader, strategist and implementer, currently based in the U.S., on insurance digital transformation.

A New Approach to Cyber Resilience

Today, most security systems are implemented on top of information systems and can leave gaps. An approach called Security by Design holds promise.

Today, most means of protection are “mounted.” This means that information systems are designed separately from security systems. Protection is implemented on top of the infrastructure, like a network. But this approach does not always work, especially in post-COVID times, when the number of phishing threats has increased by 600%. Every day, mass media report on leaks, hacks, blackmail and other cyber incidents. Standard protection is proving insufficient, so organizations have turned to a new and promising trend in cyber resilience – Security by Design (SbD). What is its essence and how does it help businesses?

How has COVID-19 affected cyber resilience?

A cyber-resilient organization can withstand cyber-attacks and recover quickly, without significant damage. Whereas cybersecurity combines tools and technologies that keep attackers away, cyber resilience focuses on addressing the business impact of attacks.

To implement cyber resilience, it is necessary to perform four important operations:

  • protection
  • detection
  • response
  • recovery

Cyber resilience shapes long-term thinking. An organization creates a fault-tolerant system that ensures business continuity.

The number of cyberattacks has been growing together with the increasing number of applications, IoT devices and Internet users, but a real cyber boom occurred in 2020. Attackers took advantage of the situation with COVID-19 and began to send out emails everywhere allegedly on behalf of the World Health Organization (WHO), tricking people into clicking on a link that would ostensibly provide recommendations on combating coronavirus or list statistics for a particular region.

The next situation that created a stir among criminals was the transition of employees to remote work. Incidents rained down on organizations that had not prepared their virtual private network (VPN) servers for possible attacks. Corporate denial-of-service (DoS) attacks became commonplace. The attackers used corporate emails to send purportedly updated workplace policies concerning COVID-19 to remote employees.

For organizations, these risks can cost $3.9 million to cope with blackmail, $20 million in GDPR fines, financial losses due to downtime and loss of reputation. That is why organizations should rethink their “cyber defense after incident” approach and move toward an embedded solution: Security by Design.

Infographic 1: https://www.amdhservicesltd.com/wp-content/uploads/2021/12/CyberResiliencyInfographic-scaled.jpg

Security by Design: What defines this approach to cyber resilience?

Security by Design refers to how organizations think about cybersecurity at the start of a project. Developers design an application so as to reduce the number of vulnerabilities that can compromise the company's security.

The security lifecycle is the same as the software development life cycle (SDLC) of a product: it starts with an idea and ends with delivery and support. During software creation, specialists constantly monitor possible cybersecurity risks and eliminate them.

Security by Design includes the following processes and practices:

Checkpoints

Checkpoints are temporary points in the software life cycle. At each point, the security of the system is assessed, and the decision is made to continue or terminate the project.

Actions

These are the procedures that keep a system secure. For example, the same technical tasks that test the stability of the system are performed alongside software development.

Plan

A plan defines the steps that need to be taken when creating software to achieve the goal of Security by Design.

With the Security by Design approach, developers implement security early in the SDLC. System or application security is planned as part of the architecture from the start.

Security specifications are encoded in templates and ensure that the desired configuration is present. At the same time, if the infrastructure changes, it is not necessary to do an audit. An in-depth security assessment is also not required if infrastructure patterns change significantly. With Security by Design, there is less repetitive work to be done and more attention is paid to real problems.

Infographic 2: https://personalinteractor.eu/wp-content/uploads/2015/11/secure-by-design.jpg

Principles of Security by Design

For Security by Design to function, you need to keep to its three principles.

Principle 1. Minimum attack surface area.

An attack surface includes all external points of entry and communication of the system. The attack surface can be associated with:

  • software (OS, libraries, read/write access);
  • a network (open ports, active IP address, network flows, protocols);
  • a human (phishing, social engineering).

A defense system with a wide attack surface is more vulnerable to cyber threats because it is more difficult to set up. When all entry points are defined, it is worth involving proven monitoring and protection tools. A very complex and vulnerable security system should be constantly assessed for reliability.

To reduce the attack surface, it's important to strengthen defense and close underused services and ports. This will limit the likelihood of remote interaction with this system.

Principle 2. Least privilege.

The administrator should only have access to certain administrative zones. Tasks, roles and rights should be distributed among employees who interact with a corporate network. When the environment is partitioned, it is more difficult to compromise it. Even if an attack occurs, it will have limited consequences.
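
A lifecycle checkpoint that applies Principles 1 and 2 can be written as a check of a deployment inventory against a security template. The Python below is an added example, not code from the article or from any product it mentions; the template keys, the inventory format and every service and role name are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed security template (assumption): the desired configuration as data.
TEMPLATE = {
    "allowed_ports": {22, 443, 5432},   # only these ports may listen
    "max_idle_days": 30,                # unused for longer counts as underused
    "max_admin_zones": 1,               # a role administers at most one zone
}

# Constructed deployment inventory (assumption), not taken from a real system.
DEPLOYMENT = {
    "services": [
        {"name": "web", "port": 443, "idle_days": 0},
        {"name": "ssh", "port": 22, "idle_days": 2},
        {"name": "reports-db", "port": 5432, "idle_days": 95},
        {"name": "telnet", "port": 23, "idle_days": 210},
    ],
    "roles": [
        {"name": "db-admin", "admin_zones": ["database"]},
        {"name": "ops-admin", "admin_zones": ["database", "network", "identity"]},
        {"name": "helpdesk", "admin_zones": []},
    ],
}


@dataclass(frozen=True)
class Finding:
    rule: str       # which principle was violated
    subject: str    # service or role name
    severity: str   # "block" stops the checkpoint, "warn" is reported only
    detail: str


def check_attack_surface(deployment, template):
    """Principle 1: flag listeners outside the allow-list and underused services."""
    findings = []
    for svc in deployment["services"]:
        if svc["port"] not in template["allowed_ports"]:
            findings.append(Finding("attack-surface", svc["name"], "block",
                                    f"port {svc['port']} is not in the allow-list"))
        if svc["idle_days"] > template["max_idle_days"]:
            findings.append(Finding("attack-surface", svc["name"], "warn",
                                    f"no use for {svc['idle_days']} days; candidate to close"))
    return findings


def check_least_privilege(deployment, template):
    """Principle 2: flag roles whose admin rights span more zones than allowed."""
    findings = []
    for role in deployment["roles"]:
        zones = sorted(set(role["admin_zones"]))
        if len(zones) > template["max_admin_zones"]:
            findings.append(Finding("least-privilege", role["name"], "block",
                                    f"admin in {len(zones)} zones: {', '.join(zones)}"))
    return findings


def checkpoint(deployment, template):
    """Return ("continue" | "terminate", findings) for one lifecycle checkpoint."""
    findings = (check_attack_surface(deployment, template)
                + check_least_privilege(deployment, template))
    blocked = any(f.severity == "block" for f in findings)
    return ("terminate" if blocked else "continue"), findings


if __name__ == "__main__":
    decision, findings = checkpoint(DEPLOYMENT, TEMPLATE)
    for f in findings:
        print(f"[{f.severity}] {f.rule}: {f.subject}: {f.detail}")
    print("checkpoint decision:", decision)
```

Running the same check in every pipeline stage gives each checkpoint a repeatable continue-or-terminate decision instead of a one-off audit.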

Principle 3. Defense in depth.

Defense in depth means that a combination of security methods or tools is used to prevent hacks. To set up such a defense, you should take the following steps:

  • set security goals
  • create a system architecture to define control and evaluation points
  • develop a defense policy
  • regularly monitor the protection against attacks

Infographic 3: https://blogs.sap.com/wp-content/uploads/2021/11/2sec.jpg 

Why is Security by Design important for companies?

Security by Design is important for the following reasons:

Security is harder to implement in an evolving system

It may take time and additional funds to correct the problems that have arisen in the reliability of a system. In a competitive environment where time to market can make or break a business, leaders are looking to accelerate product development. Therefore, the development and testing of cybersecurity are often ignored, because leaders consider them unnecessary work.

But such a rush will result in security problems and even greater costs in the future. Experts say that addressing protection issues at an early stage costs one one-hundredth as much as at a later stage. Companies that provide cybersecurity resilience services can help you avoid this waste.

Popular IoT devices are not always reliable

Users are buying IoT devices for their homes more often and trust them with personal information. But this trust is not always justified.

Hackers exploit the weak security and 24/7 connectivity of consumer devices (toasters, washing machines or webcams). Even though IoT devices have limited power and memory, they can be gathered into botnets, forming a huge army of robots. Compromised devices are used to hack into equipment on the same network, steal personal data or perform other illegal activities.

The number of cyberattacks is growing

There are at least 20 types of cyber attacks in the world, and this list is regularly updated with new advanced types. Approximately 300,000 items of malware are generated daily by cybercriminals, and a hacker attack occurs every 39 seconds. Moreover, both small and large organizations suffer from such incidents.

This statistic suggests that Security by Design will soon be no longer a recommendation but a vital part of the cybersecurity resilience of companies of all levels and sizes.

Conclusion

The pandemic has forced businesses to go online and embrace digital business practices. As business models become dependent on technology, companies should pay more attention to cybersecurity and increase investment in tools for reducing cyber risks.

One-size-fits-all cybersecurity solutions are rarely appropriate for specific organizations with different IT infrastructures. Therefore, it will be better to have a reliable cyber security partner – an IT company that will conduct cyber resilience assessment and create a custom solution to protect company assets.


Alexandr Khomich

Alexandr Khomich is CEO at Andersen Lab. 

He collects and works with data in a diverse set of interests across machine learning, finance and technology.