
5 Safety Keys for COVID-Era Building

Construction crews need continual training in the best of times, and the evolving challenges of COVID-19 heighten the need.

In a year of COVID-19, contractors and crews need to stay vigilant and celebrate successes during Construction Safety Week.

Construction Safety Week was created six years ago by more than 40 companies in recognition that construction crews face countless risks of injury every day on job sites. COVID-19 has added risks and uncertainties. 

That’s one reason Zurich, a supporter from the start, remains a committed sponsor of Safety Week in 2020. Zurich Risk Engineers have been working to help protect construction workers in many cities and states where building has continued in exceptionally challenging times. Safety Week is an opportunity to heighten awareness of practices that can help manage those challenges to protect workers’ lives and livelihoods. 

Construction has always been a high-risk occupation. However, this Safety Week is like no other due to the additional risks crews are facing from COVID-19. Zurich has sponsored Safety Week since 2014, and we will continue encouraging practices that can help mitigate both the perennial risks and the unprecedented ones.

Here are five points that are top of mind for this year’s Safety Week, which consists of both virtual and live events across the country Sept. 14-18.

1. Continual training and communication

Crews need continual training and communication in the best of times, but the evolving challenges of COVID-19 heighten that need. Socially distanced huddle meetings at the start of a shift can offer a preview of the risks anticipated during the shift and prescribe actions to prevent injuries or accidents. Refresher training on how to wear a fall-protection harness, for example, can be especially crucial for workers who might have been out of work for weeks during the height of the pandemic, as well as for subcontractors who may lack the training resources that general contractors have. 

“Contractors should have a communications plan in place for their crews and subs, and there should be regular meetings where they’re communicating how they expect work to be performed to get everyone home safely at the end of each shift,” said Rick Zellen, construction senior risk engineering consultant for Zurich North America. 

2. Personal responsibility

Contractors and workers need to be vigilant about monitoring and adhering to state and county requirements related to COVID-19. This is complicated by the fact that mandates are evolving as COVID cases rise and fall in different areas. 

“Key points to know are requirements for wearing face coverings, temperature taking and social distancing,” Zellen said. “One of the biggest things for workers is, if you feel sick, don’t come to work.” 

Furthermore, workers need to protect themselves even when they’re not at work, which is part of looking out for each other’s well-being, too. 

3. The fundamentals

COVID concerns have at times overshadowed the Focus Four Hazards that the Occupational Safety and Health Administration talks about with construction. Workers still need to maintain situational awareness and safety practices related to the Focus Four Hazards, which include falls, electrocution, being caught in or between, or struck by, objects.

“Some contractors have us come in, and they want information about cutting-edge technology,” said Robert Labbe, another construction senior risk engineering consultant at Zurich. “I say, ‘First, let’s talk about the basics. If you don’t have people who are tying off, or something is missing in the training, let’s talk about that before we talk about the cutting-edge tech.’ Fall protection and safety glasses still have to be an integral part of safety training from the first day a worker comes to a site.”  


4. Mental health

Construction is an occupation with one of the highest rates of male suicide, according to the Centers for Disease Control and Prevention, and misuse of opioids is also higher in construction than in many occupations. Social isolation and new stressors, such as providing care for children who can’t return to school because of COVID-19, can take a toll. 

Superintendents, foremen and others on a construction job site need to be attuned to subtle signs that another crew member may be suffering, get to know people on a first-name basis and take the time to pull up a five-gallon bucket to listen and talk, albeit while wearing a face covering and maintaining physical distance, if required. 

“Mental health issues in the past were swept under the rug,” Zellen said. “Our people need to be aware of the issues and know how to recognize signs and symptoms of serious distress.”

5. The power of “thank you”

In a time when contractors and crews may be rushing to make up for time lost to the pandemic shutdown, it’s easy for supervisors to forget to thank their crews for their efforts to work safely — including when they report near-misses. Many jobs have close calls, which can shed light on what action prevented a potential tragedy or what action could be improved to reduce the risk next time. 

“A lot goes into making jobs a success,” Zellen said. “On a daily basis, there are a lot of people who do good-quality, safe work; who plan, inform, protect and prevent accidents. Especially today when people are dealing with so many issues, Safety Week is a good opportunity to recognize people and celebrate the successes.”


Jon Tate


Jon Tate, vice president of construction-risk engineering at Zurich Services Corporation, provides leadership to all aspects of construction risk engineering and supports the development and delivery of Risk Engineering strategy.

Six Things Newsletter | September 15, 2020

In this week's Six Things, 'Fake News' reaches risk management. Plus, creating the future of distribution; how to evaluate AI solutions; you can still have personal interactions; what my $18,289 medical bill says; and more.

 
 
 


 

SIX THINGS

Creating the Future of Distribution
by Denise Garth

Having partnerships and an ecosystem becomes very strategic as insurers expand their reach and presence to where their customers will be.

For Agents, COVID Means Digital or Bust
by Bill Suneson

Survival in the era of COVID-19 will be determined by the independent agent’s ability to implement digitization.

How to Evaluate AI Solutions
by Amber Sutherland

There are five main concerns when implementing regulatory technology, especially AI technology, in the financial sector.

You Can Still Have Personal Interactions
by Priya Merchant

The challenge in these socially distant times is how to create real relationships with customers despite so much of the exchange being digital.

Navigating Security in the Remote Paradigm
by Jarrod Lynn

While companies have been improving during the work-from-home phase, bad guys have been busy, too--and deep fakes are getting scary.

What My $18,289 Medical Bill Says
by Kate Terry

Systemic problems don’t sound catchy, don’t boil down to one sentence and take time to implement -- but we need systemic solutions.

 


Insurance Thought Leadership


Insurance Thought Leadership (ITL) delivers engaging, informative articles from our global network of thought leaders and decision makers. Their insights are transforming the insurance and risk management marketplace through knowledge sharing, big ideas on a wide variety of topics, and lessons learned through real-life applications of innovative technology.

We also connect our network of authors and readers in ways that help them uncover opportunities and that lead to innovation and strategic advantage.

Digital Future of Insurance Emerges

Patterns are emerging out of the fog of this pandemic and paint a clear view of the future of insurance, leaving only the timing uncertain.

I regularly communicate with a very large and diverse cross-section of the broad insurance ecosystem, and almost everyone expresses the same professional anxieties and frustrations. With regard to the business of insurance, very few have a clear view of the future, and for obvious and good reasons. However, I believe that several discernible patterns are emerging out of the fog of this pandemic and together they provide a fairly well-defined view of the future of insurance, leaving only the timing uncertain.

Digital Evolution

It’s a good bet that you are reading this article on digital media and that it was published in digital format. As overused and abused as the word "digital" may be, it is mission-critical to every aspect of our industry. And, although the migration from analog to digital was already well underway in 2019, the arrival of COVID-19 acted like gasoline on a fire and accelerated the trend. Data by its very nature demands to be digitized to be useful, and no industry has more data than insurance. Technologies such as mobility, connectivity, imaging and artificial intelligence in all of its manifestations are useless in an analog environment. Paper is the enemy of efficiency, information and cost management.

Claims Is a Major Beneficiary of Digital

No single area of insurance has benefited more than claims from the digital revolution. The “claim is the moment of truth” mantra is tiresome but truer than ever. As insurance fell victim to commoditization, and as advertising budgets became bloated, insurers turned to claim service to differentiate and promote their brands. But true claims excellence is only attainable through end-to-end claims process digitization. From first notice of loss automatically transmitted by connected sensors and devices all the way to claim payments made instantly and digitally, and for every step in between, digital solutions are being adopted and integrated into digital claims platforms at breakneck speed.

Digitization and Innovation 

If, as is often said, “data is the new oil,” then digitization is the refinery, storage facility, pipeline and the distribution network. Innovation essentially means connecting the dots, particularly the ones that others have missed and those that were previously unconnectable. Digitization enables the connection of “dots” – individual bits of information from myriad sources all strung together in an electronic chain to arrive at a critical outcome. That could be an insurance quote, an estimate of repair costs, the identification of a likely fraud and thousands of others, all of which are required to make, build, operate and maintain an insurance enterprise and partner ecosystem. And digital, next-generation technologies enhance an insurer’s ability to easily build a partner ecosystem, embed insurance offerings and enable an innovation culture.


Digitization has enabled mobility and connected vehicle telematics, which in turn has spawned exciting cross-industry partnership products and services linking auto makers, insurers, information and service providers as well as drivers. The resulting rewards and benefits include hyper-personalized auto insurance products, services and rates for drivers, deeper engagement with vehicle owners and greater certainty of safe and proper accident repairs for OEMs, faster and better claims service for insurers and safer roadways for all of us.  

Similarly, digitization has enabled property insurers to develop and market new risk avoidance and claims services for connected homes, factories and businesses. Life, health and accident insurers are leveraging wearables and telehealth to drive meaningful customer engagement and potentially significant new revenue. 

Digital Communications and Customer Experience

A new universe of digital messaging platforms, chatbots, business texting, voice assistants and more has emerged and is in widespread and general use in commerce today, and the insurance industry has taken notice and is quickly playing catch-up. During a recent virtual insurance industry event, an SMA (Strategy Meets Action) survey of participating insurers asked about their interest in and objectives for digital communications and found that 83% consider it a vital part of the overall digital transformation strategy; 75% expect digital communications will help to improve the customer experience (CX). And who among us is not routinely conducting business through videocast – the ultimate digital/human interface?

Accenture says that “CX is the new battleground for brands.” 72% of businesses say improving customer experience is their top priority, according to Forrester. And no wonder – Forrester found that each single point increase in CX can translate into tens of millions to hundreds of millions in annual revenue.  

In its “Digital Transformation: Powering the Great Reset” of July 2020, the World Economic Forum (WEF) states that as the world moves even more online due to the coronavirus pandemic – which has driven a 50% to 70% increase in global internet usage – the ability to serve customers on the digital channels they choose is no longer an option, creating what the WEF calls a “watershed moment for the digital transformation of business.”

Digital Disruption

The insurance industry has been a laggard in digital transformation, yet a new class of venture-backed startups has disrupted and refocused incumbents and exploited their weaknesses by leveraging new digital technologies. 

Specific legacy vulnerabilities and areas of opportunity for these well-funded startups have included new cyber risk and gig economy protection products, underwriting, administration and claims management. 

Applying many types of artificial intelligence (AI), including machine learning (ML), natural language processing (NLP) and imaging technology to fraud prevention addresses one of the industry’s most enduring pain points. 

Another intensely painful area is the claims process, which has long been a protracted, labor-intensive, inefficient and costly process and has hurt customer satisfaction, loyalty and retention. New technology offerings have come to market that streamline and compress the end-to-end claims process using AI and digital imaging to augment damage appraisals, track and report repair status, automate disbursements to policyholders and vendors and better engage with policyholders. 


Insurance claim payments have always been slow and complicated, involving multiple parties such as other insurers, attorneys, healthcare providers, auto and property repairers and contractors. New digital claims payments systems have come to market to solve those challenges, and the rush to touchless and virtual claims processes, boosted by pandemic-driven consumer preferences for safer contactless transactions, is driving adoption of these systems.

None of these advances would have been possible without digitization. The future of insurance is starting to come into focus, and it is filled with exciting new digitally enabled opportunities for everyone involved.  

This theme will be explored in depth with industry CEOs and C-level speakers during The Future of Insurance USA from Reuters Insurance Events online, Nov. 16–18, 2020.


Stephen Applebaum


Stephen Applebaum, managing partner, Insurance Solutions Group, is a subject matter expert and thought leader providing consulting, advisory, research and strategic M&A services to participants across the entire North American property/casualty insurance ecosystem.

'Fake News' Reaches Risk Management

The "fake news" complicating the response to wildfires will surely appear, in far greater fashion, when a vaccine for the coronavirus becomes available.

With all the legitimate concerns about the wildfires in the West, I was dismayed to see that people in Oregon were declining to evacuate because they were convinced that antifa would loot their homes. To try to catch members of antifa, vigilantes even set up roadblocks and demanded that those trying to leave present ID.

Authorities have said that, despite the rumors, there is no evidence of any involvement by antifa in setting fires, and there have been no reports of looting. But such "fake news," amplified on social media, is complicating crisis management in Oregon. I'm afraid the pernicious effects of "fake news" will only grow -- and massively -- for risk managers.

What's happening with wildfires will surely happen, in exponentially greater fashion, when a vaccine for the coronavirus becomes available, likely within the next several months. We'll head into a stretch where "fake news" about a vaccine could easily overwhelm real news and real science, given the environment of fear about the virus and suspicion about political motivations. Rumors, and even deliberately faked "news," could determine millions of decisions about whether to take the vaccine, whether to fully reopen businesses and schools and whether individuals will try to resume their normal lives.

In a thoroughly rational world, risk managers could make thoroughly rational decisions about how a vaccine would be rolled out. Then risk managers could advise on how quickly offices, factories and small businesses could safely reopen and on the myriad other issues that will face companies as we try to feel our way back toward the pre-COVID economy.

But we don't live in a thoroughly rational world. We live in what some call a "post-truth" world, where likes and shares on Facebook matter more than veracity, where the debunked "Plandemic" conspiracy video carries more weight for many than public health authorities do. We vote on truth these days, certainly when deciding what journalism to believe but even when choosing what science to accept. So, anyone who wants to predict what risks will look like over the next six months to a year, as the vaccine rolls out, will need to channel his or her inner Nate Silver.

Even in the best of circumstances, the next six months to a year would be tough for risk managers to plan for. The FDA will approve a vaccine as long as it's 50% effective (once it's determined to be safe), which leaves a lot of room for indecision. Those in vulnerable groups will still be cautious if told a vaccine is only 50% or 60% likely to protect them. At some point, through vaccines and through immunity achieved the hard way, by getting sick and recovering, enough people will become protected that we will achieve herd immunity -- but at what level does that happen? I've seen estimates ranging from 20% to 80% as the level of immunity that needs to occur in a population to render us generally safe. There's a lot of room for uncertainty between those numbers. And it's not clear how long immunity will last -- it could be as little as several months. Until people know how safe it is to venture out again, and start acting predictably, all planning will be iffy.

Now consider our actual circumstances and all the misinformation -- and even disinformation -- that will be tossed into the mix.

The Trump administration has pushed a political agenda that has often run roughshod over the science on issues related to the pandemic (hydroxychloroquine, masks, convalescent plasma, etc.). At times, the administration even contradicts itself, with the president saying one thing while public health authorities may say something very different. So, even if the president declares victory on a vaccine, many people might see that claim as "fake news."

Those ignoring or disputing the president could, in turn, spark a reaction from his supporters, which could produce the kind of political divide that occurred over wearing masks and create the sort of angry environment that fosters misinformation and disinformation. Michael Caputo, a spokesman for the Department of Health and Human Services, may have given us a taste of what lies ahead when he bizarrely claimed over the weekend that there is a "resistance unit" within the Centers for Disease Control where officials are willing to commit "sedition" to undercut the president and that "they're going to have to kill me." [Note: After this article was published, Caputo apologized for his remarks, then announced that he is taking a 60-day leave of absence.]

The anti-vaxxers will have their say, too. So may the Russians and any other foreign actors interested in stirring up confusion and rancor in the U.S.

"Fake news" is going to have its way with us, complicating every decision that we make as individuals, as families and as leaders of our organizations as we try to determine the pandemic's risk over the next six months to a year. Pity the poor risk managers who have to predict how all those individual decisions will play out, so they can spot the key risks and help all of us mitigate them.

Fasten your seatbelts, then check your airbags. Okay, maybe put on a helmet and some body armor, too.

This will be a bumpy ride.

Stay safe.

Paul

P.S. On a personal level, I ask that we all be the place where rumors go to die. Having spent too much time on Twitter, I'd say the most dangerous words known to man are, "Interesting, if true" -- which almost always introduces some article that has a 0.0% chance of being true. I think we'll all be better off if we only share information that we've personally vetted and would be prepared to defend on a witness stand.

P.P.S. Here are the six articles I'd like to highlight from the past week:

Creating the Future of Distribution

Having partnerships and an ecosystem becomes very strategic as insurers expand their reach and presence to where their customers will be.

For Agents, COVID Means Digital or Bust

Survival in the era of COVID-19 will be determined by the independent agent’s ability to implement digitization.

How to Evaluate AI Solutions

There are five main concerns when implementing regulatory technology, especially AI technology, in the financial sector.

You Can Still Have Personal Interactions

The challenge in these socially distant times is how to create real relationships with customers despite so much of the exchange being digital.

Navigating Security in the Remote Paradigm

While companies have been improving during the work-from-home phase, bad guys have been busy, too--and deep fakes are getting scary.

What My $18,289 Medical Bill Says

Systemic problems don’t sound catchy, don’t boil down to one sentence and take time to implement -- but we need systemic solutions.


Paul Carroll


Paul Carroll is the editor-in-chief of Insurance Thought Leadership.

He is also co-author of A Brief History of a Perfect Future: Inventing the Future We Can Proudly Leave Our Kids by 2050 and Billion Dollar Lessons: What You Can Learn From the Most Inexcusable Business Failures of the Last 25 Years and the author of a best-seller on IBM, published in 1993.

Carroll spent 17 years at the Wall Street Journal as an editor and reporter; he was nominated twice for the Pulitzer Prize. He later was a finalist for a National Magazine Award.

Navigating Security in the Remote Paradigm

While companies have been improving during the work-from-home phase, bad guys have been busy, too--and deep fakes are getting scary.

Summary 

The current remote work situation has brought to light a three-part problem around security. First, it has created challenges in defending against traditional threats – both physical and information security. Second, emerging technologies promise new threats that will be all the more difficult to counter in remote settings. Third, the body of regulations mandating security measures vis-à-vis personal data is growing. Liability for breaches does not abate due to the current circumstances. The inherent vulnerabilities of the remote situation paired with likely advances in adversary tactics and threats from emerging technologies will challenge organizations to meet their regulatory security obligations. In this article, I will give an overview of these problems in isolation and discuss how they might combine. Finally, I will suggest some measures to take to begin to deal with this predicament. 

Introduction

At its core, a security program’s goals are the protection of life and the maintenance of the confidentiality, integrity and availability of information. 

The recent widespread shift to off-premises work has two primary distinguishing features from a security perspective: It expands or eliminates the organization’s physical perimeter and necessitates remote access to corporate networks as well as a far higher degree of dependence on information systems for communication between employees. These factors upend an entity’s normal process of security assessments and controls and create fertile ground for both traditional and emerging threats. With unsupervised personnel and data dispersed to uncontrolled locations, using various means to access organizational networks, numerous varieties of threats abound.

Categories of vulnerabilities and threats for which there were standard controls and processes in the traditional setting require rethinking in this new reality. Likewise, emerging technologies pose novel threats. We can expect adversaries to continue to adapt to changing conditions of work by capitalizing on physical vulnerabilities and developing increasingly sophisticated and clever implementations of both existing and new technologies. 

At the same time, targeted organizations and individuals continue to bear the costs and liabilities of adversary actions. Victim entities may suffer direct losses from attacks. In addition, cybersecurity requirements related to privacy and penalties for failure to comply grow with each new law without regard to the remote work situation. This creates a difficult bind for defenders and all types of enterprises and individuals who control the data of others. 

There are, however, steps that can be taken to address these concerns. Now, more than ever, defenders will see the advantage of relying on skilled security personnel and cross-disciplinary leaders and teams as well as adopting an approach to security that recognizes that cyber and physical security are intertwined.  

While the long-term status of the recent shift to work-from-home remains unclear, inherent vulnerabilities of the remote paradigm combined with threats based on new technologies present an opportunity for reflection on the status of future contingency plans and demand the attention of executives, counsel, security professionals and insurance providers now. 

How the Remote Paradigm Interacts With Security for Traditional Threats  

Effective security programs apply technical, physical and administrative controls or countermeasures to assessed vulnerabilities, threats and risks. While not always uniformly or well-applied, and noting that threats are continually evolving, standards are generally well-developed in the context of traditional workplaces and often in the case of small groups of workers who require remote access, such as members of sales teams and business travelers. 

The remote paradigm expands or eliminates the physical perimeter and forces remote access and communication, with significant consequences for security controls.

In very general terms, an expanded perimeter leads to: 

  1. Less physical control over information systems and data
  2. Technical/physical vulnerabilities (e.g., potential adversary access to residential Wi-Fi) 
  3. Less physical security over personnel (e.g., threats to their physical safety) 
  4. Less supervision over staff 
    1. complicating application of administrative controls such as job rotation 
    2. greater potential for problems from insider threats – both witting and unwitting 

In equally general terms, remote access and communication means: 

  1. Inherent technical vulnerabilities to data – both at rest and in transit 
  2. Proliferation of endpoints and lack of control over these 
  3. Reliance on communication between remote users and the need for out-of-band communication
  4. Communications involving proprietary data (e.g., trade secrets) and sensitive activities (e.g., engineers working on live systems) that normally occur in controlled settings and may now be conducted remotely
  5. Increased reliance on, and accelerated migration to, the cloud 

Organizations have established processes for addressing traditional threats in the context of the status quo. The remote paradigm entails significant changes to the security process. Categories of vulnerabilities, threats and risks that are relatively well-managed in an on-site setting must be reconsidered when the whole enterprise is operating remotely. Adversaries are left to their imagination in ways to overcome whatever security measures may (or may not) be in place in the many home offices from which employees operate. 

Beyond considerations around configuration management, security professionals must be aware of the potential presence of Internet of Things devices such as smart appliances and smart speakers that may have implications from both a technical and physical security perspective.

In addition, two newly established threats can have significant potential ramifications in a remote environment. In “Zoom bombing,” someone who is not supposed to be involved in a meeting can disrupt it, eavesdrop or alter the message. In other words, the person can interfere with the confidentiality, integrity or availability of information. Secondly, a well-made deep fake can be very damaging to an organization if, for example, it falsely portrays an employee acting in a way that runs counter to the entity’s interests. These threats are particularly problematic in remote settings because communication and public messaging are complicated and potentially subject to interference.


Emerging Threats 

At the same time as the remote paradigm complicates existing threats, new threats are on the horizon with emerging technologies. As with traditional threats, emerging threats will pose more of a problem in the remote environment. Here, we will consider some potential malevolent applications of quantum computing, artificial intelligence/machine learning (AI/ML) and real-time deep fakes. 

Both quantum computing and AI/ML are broad new technologies with myriad potential beneficial implementations as well as malevolent uses by adversaries. 

Practical applications of quantum computing are not yet reported to be in use outside of a laboratory setting. However, there is a quantum arms race underway due in large part to the fact that quantum computing will revolutionize cybersecurity. Quantum computing is predicted to make child’s play of current encryption. Remarkably, it may be possible to apply quantum decryption of current protocols retrospectively. That is, traffic might be recorded today and replayed through future quantum decryption tools to decrypt it later. This could have dramatic implications for organizations to the extent that they rely on current encryption to safeguard sensitive communications that will remain sensitive. The current predicted timeframe for widespread use of quantum technology varies; however, three recent developments suggest it may be accelerating. First, processor power has been improving exponentially. Second, the U.S. Department of Energy recently unveiled a blueprint report to develop a national quantum internet. Third, given the threat of quantum computing to current cryptography, the National Institute of Standards and Technology (NIST) aims to develop a post-quantum cryptography standard by 2022. 

Moving to AI/ML, adversaries are already using the beneficial features of AI/ML in numerous malicious ways. For example, AI/ML can obfuscate an attacker’s location and identity and augment traditional attacks, providing additional power and scale. Malevolent uses will continue to evolve to enable far more sophisticated attacks. Recent developments involving photon-based chips have moved us closer to AI/ML that learns independently at the speed of light.   

Judging anecdotally from the preponderance of articles and developments in both AI and quantum, we may be at a tipping point for both.

Although enabled by AI/ML, deep fakes are a sufficiently rare use case as to merit their own mention. Separate from the pre-recorded deep fakes discussed above, it is now possible to create a deep fake in real time. The primary concern with real-time deep fakes is that an adversary could appropriate the likeness of an employee, infiltrate an internal or external video teleconference, convince an audience of the veracity of the messages and influence outcomes. It is also possible to imagine that a real-time deep fake could falsely portray an individual engaging in some sort of behavior that is damaging to the organization.

Whether in a traditional setting or operating at a distance, these emerging threats are problematic. However, the remote environment continues to provide adversaries with more opportunity due to the expansion or elimination of the physical perimeter and the necessity of remote access and communication. 

Some Scenarios

Having looked at the inherent problems of the remote paradigm and some of the emerging technologies, consider some edge cases. Each of these is presented in its starkest form and capitalizes on weaknesses in a generic remote model. 

The first scenario stems from advanced persistent threats (APTs). APTs are insidious in that they tend to burrow into an information system and lie in wait or operate undetected, frequently exacting a heavy toll. They can benefit from emerging technologies of AI and ML as well as the security shortcomings and potential chaos around the current remote work situation. 

The next general category of threats has to do with physical violence against employees operating away from corporate offices or in settings that are not within a security perimeter managed by the organization. This could range from a kidnapping to a home invasion and assault or murder. Likewise, as in a remote bank robbery, an employee could be forced to take actions against an organization’s interests under duress. 

Next is the new category of real-time deep fakes. The real danger to organizations with this technology is the prospect of a real-time deep fake during an internal or external communication. At a minimum, this could interfere with the confidentiality, integrity and availability of information. At worst, such a tactic could be used as a ruse to outright direct the actions of employees or outside interlocutors. 

Finally, a very serious and dramatic threat is that an adversary could take advantage of the various attack vectors available combined with the weaknesses in the remote paradigm to completely divert the organization’s resources to his or her uses for a time. Far more damaging than ransomware, this could constitute a total takeover. This might involve a mix of physical force and real-time deep fakes as well as other technical weaknesses inherent in remote communications. Further, the attacker could rely on an entity’s lack of out-of-band communication or other successful means of authentication to ensure that he or she is able to carry out the plan. This is admittedly an extreme, worst-case scenario. A far more nuanced possibility would involve an attacker subtly manipulating corporate resources using scaled-down versions of the same tactics. 

Considering these scenarios, readers might be tempted to ask who would do these things and why. 

The potential cast of bad actors and motives is the same as always. It ranges from opportunistic “script kiddies” to activists to common thieves and organized criminals to nation-states. What is different here is that the how becomes easier. Further, bad actors may be emboldened by the lack of traditional security controls and barriers. Simply, someone not otherwise inclined to physically access a system or commit violence in the service of what could be a relatively white-collar crime might make a calculated decision that the risks involved are not prohibitive relative to the rewards. In a traditional environment, corporate security and access control measures would ordinarily discourage the mere consideration.  

Potential Consequences 

These threats can cause a variety of harms – physical harm to people, exposure of private data, financial loss to shareholders and damage to the organization through lost profits, regulatory trouble and reputational harm. 

Regardless of other priorities, any entity’s first concern must be mitigating increased risk to remote employees stemming from their employment. Should harm come to pass, there could possibly be civil liability, but safety is the first priority.   

The next area for concern is data privacy. Nearly all entities hold personally identifiable information (PII) of some sort, even if it is little more than the data of their own employees. If a breach exposes that data, liability to data holders (customers, employees, vendors) or shareholders may ensue. Likewise, chances are that a given entity is bound by at least one of the ever-growing number of industry- or regional-specific regulations addressing cyber security and privacy.

In the U.S. alone, there are multiple regulatory regimes and regulators that address PII and security – the California Consumer Privacy Act (CCPA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry-Data Security Standard (PCI-DSS), as well as those falling under the jurisdiction of the New York State Division of Financial Services (NYSDFS), the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) – and the list is growing. Meanwhile, the GDPR has major implications for organizations whose operations have a connection to Europe.

In some cases, the obligations are clear, while in others, what exactly a business is required to do vis-à-vis PII is opaque. For instance, both the FTC and CCPA refer to a requirement to implement “reasonable” data security, without providing much clarity on what constitutes "reasonable." The sum and substance of these requirements is that even when, or precisely when, they are the victim of an attack, organizations remain obligated to provide a given measure of security over PII. 

Although beyond the scope of this article, organizations might consider potential downstream effects should their systems be used as a launching point for attacks on third parties, as well as impacts on the performance of contracts. 

Finally, the takeover or even meddling with a given entity’s operations is clearly likely to have severe direct consequences to the enterprise itself. For a business, this could include loss of revenue during down time, siphoning of productivity and damage to reputation, among other potential consequences. 

What Organizations Can Do

I hope it is clear that there are some immediate problems that merit attention. In this situation, one of the worst things to do would be to deny the problem and do nothing. 

Moving forward, organizations should start by asking whether the remote situation is temporary or permanent. For any entity that has plans to return to full on-site operations in the very near term, some of these considerations may be less pressing. 

For all other entities, the first concern is how to improve security in the remote situation. The best thing any organization can do is to hire, fund and take the advice of a competent chief security officer, chief information security officer and counsel, who should work together on issues of physical security, information security and administrative controls. Preferably, the CSO and CISO will take a holistic view of security favoring a convergence approach, where appropriate. If an organization does not currently have the benefit of competent or sufficient in-house security personnel, a firm specializing in security may be a viable option in the short term.  

Developing and adjusting security controls to the remote paradigm is a challenge, but it is not insurmountable. What follows is a non-comprehensive list of recommendations that can be taken related to certain key steps. 

From an information and technology security perspective, this starts with knowing the enterprise’s network, what machines are connected to it and the identity and location of the organization’s crown jewels. Organizations must decide whether the risks of allowing certain business functions that may have only historically occurred in dedicated spaces and via hardline connections (such as discussions of trade secrets and access to live/production systems for engineers) should occur remotely. Likewise, organizations must make decisions related to approved devices, means of accessing corporate networks and standardized security procedures (e.g., securing Wi-Fi). Organizations should also decide on remote identity and access management, to include the use of two-factor authentication. Organizations should consider engaging outside security firms to assist with these assessments as necessary, to audit physical and cyber security through penetration testing and, potentially, to conduct employee training. 

Administrative controls are more difficult. Given the variety of harms that can arise directly from human behavior, leaders need to find a way to encourage and maintain a culture of security despite the lack of physical proximity. Witting and unwitting insiders have much more room to cause damage away from supervision and peers. Organizations need to find ways to implement controls such as those related to access management and job rotation, among others. Education and training, particularly around topics such as spear phishing and authorized uses of corporate networks, should be designed with an emphasis on the remote setting. Employees should be given incentives to comply with security. Security managers need to stay abreast of trends in employee malfeasance around remote work as well as emerging best practices in this new area. 

Physical security will also prove challenging. Organizations should consult with counsel to determine their obligations to employees and tailor programs to meet these needs. Just as enterprises assess the sensitivity of their data systems, they should also assess the exposure of their personnel. For certain high-risk employees, it may be wise to consider implementing off-premises physical security measures or, at the very least, training. 

For all types of enterprises, whether they plan to return to on-site operations now or not, there are some common considerations. First, they should consider the possibility that clever and determined adversaries may have taken advantage of this period during which their guard has been down to some degree to access systems and plant malware or establish an unauthorized presence on the organization’s systems. With this in mind, organizations should carefully examine their networks for indicators of compromise. Likewise, they should consider that this has been a period in which insiders have had an opportunity to grow bolder. Security departments should step up their efforts to detect insider threats. 

In the longer term, all organizations can take certain additional measures. This period has proven fortuitous in a number of ways. First, it can be treated as a practical drill. All entities should conduct an after-action review. Leadership at all levels from individual teams to the C-suite and boards should sit down and discuss what went right and wrong. Where business continuity plans and other policies and procedures did not match with reality, they should be rewritten. We’ve been handed a real-world opportunity to improve upon our posture. 

One specific step every entity should take is to ensure that it has reliable out-of-band communication and authentication. This is absolutely essential. In the event of a form of takeover such as the doomsday scenario proposed above, an organization needs a reliable and immediate way of verifying information, authenticating its source and enacting contingency plans should it become necessary.

The various regulatory obligations to provide measures of security over PII imply a responsibility to keep up to date on shifting threats and vulnerabilities that stem from changing environments and emerging technologies. Organizations are on notice that they must begin to find ways to ensure they are meeting their obligations to develop measures to provide security against these threats. The fact that NIST has a public target date for its first quantum security standard provides some saliency around this. Some companies have already taken action along these lines.

It does not appear as though exceptions will be made for shortcomings in security in the current situation, for example under NYSDFS rules and the CCPA. However, the rules of the road for the remote paradigm are being written as we speak. Organizations should use this opportunity to help write them. They should also develop relationships with law enforcement and regulators. They should join industry ISACs and other relevant security groups. Groups such as the IAPP and SANS also offer a wealth of information for professionals interested in working to improve their processes. In consultation with counsel and security professionals, all enterprises need to consider what constitutes acceptable security measures in the current situation and with awareness of emerging technologies. 

Of course, organizations should consider which forms of insurance are best-suited to the purposes of the scenarios laid out above. Cyber insurance and kidnapping and ransom may apply.

Conclusion 

We are facing three simultaneous game-changers – the remote paradigm, emerging technologies and increasingly prescriptive privacy regimes. At the same time, adversaries are taking advantage of this time to invest in research and development. Victim enterprises continue to bear many of the costs. 

The current remote work situation may continue, we may return to normal or we may find ourselves somewhere in the middle. Regardless, this time presents an opportunity to look at our approach to remote situations. By extension, it should be a time to examine and adjust business continuity plans, many of which may have been found lacking in this experience. Moving away from the remote setting, this experience highlights many aspects of traditional security that can benefit from fresh work. Again, it calls for a recognition of the increasing interdependence of physical and information security. Further, overall, this period should demonstrate the need for competent security officers and cross-disciplinary teams dealing with security at the highest levels of the organization as well as the need to invest in comprehensive security and exercise plans meaningfully.

Disclaimer: This article is intended as general educational information, not as security guidance with respect to any specific situation or as legal advice. If the reader needs legal advice, the reader should consult with an attorney.


Jarrod Lynn

Jarrod Lynn is a certified information systems security professional (CISSP), certified information privacy professional/Europe (CIPP/E) and attorney. He recently earned an MS from NYU in cybersecurity risk and strategy.

'3D Underwriting' in Life Insurance

Market and growth opportunities await for those who accelerate the move to dynamic underwriting and pricing with new data sources.

After 9/11, a revolution happened in airline travel. Airline security tightened far beyond what we had previously known. In addition to new carry-on guidelines, travelers were subjected to more frequent individual screenings. More items had to be removed from our bags and examined. Electronics had to be turned on. Our shoes started coming off. The TSA needed to know us personally before we were allowed to fly.

The revolution, of course, created lines. We had to get up earlier to get to the airport to account for two hours in security. Shorter flights were no longer worth it. “I can drive there in less time.”

So, in 2019, the TSA, doing anything it could to improve the line situation, began using computed tomography (CT) scans in many busy airports. CT scans would change 2D baggage scans into 3D scans, allowing the operator to look at an item in greater detail without tagging a bag to be opened and checked by hand. The ability to “see” the hidden information would shorten lines and streamline the travel experience.

When COVID hit, lines evaporated. Air travel hit rock bottom. Lines are mostly not an issue right now, but public safety is now an even greater issue. In China, for example, large scanners are being used to check human temperatures on anyone traveling. Those with high temperatures are tagged and removed for further screening.

This concept bears a close look for all insurers, and especially for life insurers. In what ways can we use technology to know applicants and policyholders instantly, using that information to protect them and our level of risk in the process? Can we build flexible frameworks for accelerated and fluidless underwriting that will allow us to tackle new issues as they arise and capitalize on new data as it becomes available? Life insurers, group providers and voluntary benefits carriers are entering new regions of opportunity through new doors of data capability.

In Majesco’s latest thought-leadership report, Rethinking Life Insurance: From a Transaction to a Life, Health, Wealth and Wellness Customer Experience, we examine the nature of the purchase experience. Our recent survey across all age groups, segmented into two groups – a younger generation (millennial and Gen Z) and an older generation (Gen X and Boomer) – painted a picture of a population that is growing in its desire to buy, growing in its goals to stay healthy and wanting the purchase to happen.

Every experience holds data

Today, nearly every aspect of the B2B, B2B2C and B2C customer experience has a level of intelligence that has created a wealth of data about customer activity, behavior and preference. From smart speakers to smart watches, phones, appliances, outlets and more — sensors and signals are everywhere. And, with customers' permission, sensors are measuring nearly every aspect of their lives. The result is that we now have the data to capture the instantaneous 3D view instead of the 2D view. But insurers must strategically invest in ways to capture and master this data to transform customer experiences in an age of instant digital engagement, delivery and satisfaction. 

The use of data for life insurance is crucially important. Interestingly, the insurance industry has been capturing behavioral insights from customer interactions—offline—for many decades, before technology simplified managing customer relationships. Companies unfortunately didn’t know how to optimize their use of the data before now. That must change if insurers are to survive.

Can data improve the experience?

To meet the needs and expectations of today’s customers, insurers must create a radically different insurance experience, moving from a reactive approach to using real-time data, artificial intelligence (AI), machine learning (ML) and behavioral science to make processes and transactions simple, convenient, transparent and fast, like in other businesses. Encouragingly, our research found that the younger generation is ready and willing to use and share most new data sources for buying and rating life insurance. This willingness will be a key to unlocking sales. 

Adding to this market opportunity, Majesco’s survey data showed that even those Gen Z/Millennials who currently DON’T have life insurance are open to these new data sources being used, nearly the same as their peers who DO have life insurance.

Insurers that are not actively planning and building capabilities to use new sources of data will be rapidly left behind. 

MIB’s February 2020 activity report highlighted that pandemic-related demand for life policies pushed application activity to its highest level for the period since 2015. As noted previously, online, “fluidless” life insurance has dramatically increased during the first three months of 2020.

To accomplish this major experience transformation and bring the decision and the purchase into the same moment, insurers are moving from an underwriter-centric view to a digital, data-driven, accelerated and sometimes fluidless underwriting process. Accelerated underwriting is becoming widespread for term insurance. As shown in Figure 1, the interest in products that use dynamic underwriting and pricing is over two times higher in the younger generations – a significant difference that many insurers are unable to react to today. Once again, our data showed the younger generations who DO NOT currently have life insurance are even more interested in this option than their peers who DO have life insurance (41% vs 35%). Market and growth opportunities await for those who accelerate the move to dynamic underwriting and pricing with new data sources.

Figure 1: Interest in products that use dynamic underwriting and pricing

With the proper use of data, we don’t stop people at the checkout counter

In the traditional underwriting model, we ask people to come to the checkout counter for a price check, then send them home until we verify their ability to buy by gathering lots of medical and personal data. Companies are surprised by their level of not-taken policies. But if you put yourself in the customer’s shoes, why would you want to go through the extra hassle and time, particularly when other options are emerging? Using this picture, we can correctly assume that accelerated underwriting is a modern-day non-negotiable capability that will fit the desire for instant gratification at the point of need.

As a start, some insurers are reducing attending physician statements (APS) and paramedical exams (providing bodily fluids) and using more third-party data and predictive analytics-based models to automate and enhance the underwriting process.

Others are bringing in behavioral data from fitness and wellness programs, social media and new sources with AI and machine learning algorithms to create “smart, automated underwriting” that is continuously learning and adapting. All of this is redefining the process and cycle time and is creating a completely different customer experience.

The right ingredients in the right place at the moment of opportunity

Here is where technology acts as the enabler. For life insurers to fit their products into lifestyles and experiences instead of traditional transactions, several components must be in place.

Cloud Use for Digital Enablement: The point of sale (and marketing) must be well-integrated into current life processes. Often, this means partnerships or channel expansion that will require digital integration using application programming interfaces (APIs) and a cloud-based environment.

Data Integration (and AI / ML) for Accelerated and Fluidless Underwriting: Insurers need to create ways to go fluidless and physician-less so they can automate decisions in real time.

Ecosystem Philosophy: Insurers need to ramp up quickly. They can do this by partnering with ecosystem developers that can give them access to the data sources, channels and technology opportunities that will contribute to quick transformation.

Innovate for the Future: Innovate. Replicate. Reach. Learning the lessons from the past, that good data doesn’t necessarily get used effectively, insurers need to place themselves on a course for optimal data usage across the enterprise. They need to innovate how they use data to get a 3D picture for accelerated underwriting. They need to replicate greenfield and startup methodologies that transform data accessibility into improved experiences. And they need to reach growing and untapped markets with products that sell at the point of life experiences, instead of relying on traditional sales tactics.

Industry status quo is no longer an option. Your customers, particularly the younger generation who will be your dominant buyers, are expecting all of this and more. They want a customer relationship with a broader value to make their lives better across life, health, wealth and lifestyle needs.

How do your strategies align to what customers want? What plans are you making to improve your odds of success?

Are you ready? Your customers are.

For more insights on how you can end transactional thinking and begin capitalizing on customer life experiences, be sure to download Rethinking Life Insurance: From a Transaction to a Life, Health, Wealth and Wellness Customer Experience.


Denise Garth

Denise Garth is senior vice president, strategic marketing, responsible for leading marketing, industry relations and innovation in support of Majesco's client-centric strategy.

What My $18,289 Medical Bill Says

Systemic problems don’t sound catchy, don’t boil down to one sentence and take time to implement -- but we need systemic solutions.

Warning: While this is not quite as disturbing as the poor woman with a spider in her ear on Twitter, I’m still sleeping with one eye open.

Also, TLDR: Prices play a key role in free markets, right? They help set supply and demand and indicate value. My guess is that the vast majority of healthcare and by extension health insurance in the U.S. is a badly functioning market in part because prices are nearly irrelevant.

The story, in which I bravely warn my family of danger.

Not long ago, I went to bed early and was woken up by what sounded like a very loud fly knocking against the inside of our bedroom window. I turned on the light to see a bat weaving and darting just overhead. (We have low ceilings – the bat was way closer to me than any bat should be.)

I’m happy to report that I bravely warned the rest of my family by shrieking (repetitively) at the top of my lungs; the bat got a broom-to-the-rear-end assist out the bedroom window.

Really, there was no dignity to be had for anyone that night.

But, I had a bigger problem. I had two little marks on my arm that Dr. Google suggested could be a bat bite; my primary care physician’s office told me to go to the emergency room. 

Turns out, showing up as bat woman at a suburban ER late on a Monday night makes you an absolute rock star.

I ended up getting the rabies vaccine and a shot of human rabies immunoglobulin, which was absolutely the largest shot I have ever seen in my life. Follow up was three more doses of vaccine over a three-week period.

And that’s why I received an $18,289 bill: $1,120 for the ER visit, which didn’t shock me, and $17,169 for the shots, which did.

Pic, or it didn't happen:

I looked at the bill, nearly fell over and fortunately made it as far as the “You owe” box. My share, luckily, is $300; my insurance company paid $3,986.

Then I started thinking.

Why do we pay people to make up prices for healthcare, and what does it feel like to do that job?

Is $17,169 even a real price? Does anyone actually pay that?

I’m guessing no, if my health insurance company can get the hospital to knock 74% off the tab. And, given the way health insurance works in the U.S., I’d assume that every other insurance plan has negotiated some similar discount.

So, how does it feel to sit in a room with Excel open, presumably, and figure out what the rack rate is for care? What are the numbers even based on, if anything? And how does it feel to know that the only people who may get charged that are the people who are uninsured? (More on that later.)

The Centers for Disease Control and Prevention’s page on the cost of rabies prevention (published June 2019) pegs the expense for the immunoglobulin plus the four vaccine doses at $1,200 to $6,500, for the medications alone, not the hospital charge. So, how do you get to north of $17,000? And, according to First Databank, a company that monitors drug prices, the price of the drugs I received has increased 388% in the last decade, for no obvious reason, as best I can tell. Think the CDC missed that.

What is it like to be on the opposite side of this pricing, to be negotiating on behalf of the health insurer? Does someone go back to the boss to say, “Hey, I negotiated us a 74% discount!”? Doesn’t that just strike everyone involved as laughably bizarre?

Why do we ask people to do useless work? What does that do to them, and what are we failing to grow or build or improve by asking them to focus on this nonsense?

Was it cost-effective to treat me?

This bill got me metaphorically scribbling on the back of an envelope.

Is $17,169 a fair price? Well, maybe that’s a silly question, because that’s not what my insurer and I paid together.

Let’s just assume that the fair price is about $4,000, which is roughly what we paid for the shots.

Rabies is a nearly completely fatal disease, and the onset of symptoms to death is about seven days. Let’s say the resulting hospitalization and treatment costs $100,000 (source: wild guess). Soullessly assigning no economic value whatsoever to my life (which I, by the way, value greatly), we should be willing to pay for 25 courses of rabies shots to prevent one case, or whenever the risk of catching rabies is 4% or higher.

What was my risk of catching rabies? The estimates I saw suggested that anywhere from .1% to 10% of bats are infected with rabies, depending heavily on local conditions. It is easily transmissible, apparently, especially with a confirmed bite, so let’s assume that, if my bat friend had rabies, I would get it.

So we’re within a wide margin of error based on avoiding costs. What if we ghoulishly try to value a life? There are lots of papers on this topic. I’m no expert, but I’m going to pick $100,000 per remaining high-quality year of life left, which seems roughly reasonable based on the literature. Let’s assume I have 40 high-quality years left, or $4 million of value.

Treating a known bat bite definitely makes sense.

Maybe the cost makes sense from that perspective? But would you need to consider it as part of all of the healthcare I will receive from this point on in my lifetime? Or just at this moment, with this choice?

I don’t know, but I’m pleased that I was able to make a rational economic decision on the fly.

Ha.


How did we end up in a place where life-saving, cost-effective treatment is most ruinously expensive for the people least able to afford it?

If I had been uninsured and gone to the hospital, I’m going to assume I would have been treated, at least with the first set of shots, though I don’t know for sure. If I had gotten the full series of shots, how much would I have been billed? The full rack rate? The worst negotiated rate with an insurance company? Something different?

(My $300 ER copay alone represents a significant burden for many families, including those affected by joblessness or reduced working hours because of COVID.)

I did some research – it turns out the major manufacturers of rabies treatments have programs to pick up the cost for those who can’t afford it. I’m sure this is an enormous relief for those who qualify, which I desperately hope is everyone who can’t pay the price. I also hope it’s easy to apply.

But, systemically, how does this make sense?

We set fake prices that are beyond crushing for most families. Then we don’t charge them to people who are insured. We save the worst prices for people who don’t have health insurance, who are likely even less able to pay ruinous prices than those who do have insurance. So then the manufacturers have programs (complete with separate paperwork!) to waive or minimize the cost for the uninsured, at least those who apply.

And since the manufacturers still need to make a profit, those waived costs actually get funneled back into the pricing the insurance companies negotiate with the healthcare systems.

Again, what information is in the pricing for these drugs? And in what ways are the healthcare and health insurance markets dysregulated as a result of the lack of clear pricing information?

As both the consumer of our healthcare insurance and the employer paying for it, how am I supposed to assess this situation?

My co-founder and I picked out our health insurance plan. While there seemed to be a whole lot of choice for a business of our size, the plans were really all the same… $2,000 deductible with $50 copays? $2,005 deductible with $49.75 copays? And so on.

I’m exaggerating, but not by much.

The service our healthcare plan provides is fine, and the cost seems reasonable, but how do I assess whether the plan is as efficient as it could be? The costs paid to healthcare providers get passed back to us (all of us insureds) through pricing. If the plan pays too little, it isn't fairly compensating the medical providers, which will eventually refuse to work with our health insurance or go out of business, meaning we have an availability problem. If the plan pays too much, we pay for it.

Am I supposed to be really pleased that our health insurer negotiated a $14,000 discount? Or should I be mad it didn’t negotiate a $15,000 discount? How would I know? How could I make a more rational decision?

The answer is…I can’t. There’s so little information in the pricing, and so much opaqueness, that we’ll have to make another decision next year based on price and service when we renew our health insurance. 

Why do we tolerate the healthcare and health insurance mess we have in the U.S.?

I’m willing to believe that all of these ridiculous pricing mechanics exist for a reason, but do the reasons still make sense?

There are so many distortions here…

  • Even when I am both the buyer and user of employer-sponsored health insurance, I don’t have the information I need to make any kind of a rational decision except what makes the most sense for us for the next year.
  • There’s no easy way to understand how much healthcare will cost before treatment, especially in emergency situations.
  • The list prices are no more than sky high caps on medical procedure prices.

I’m no expert in health insurance, but I see that same underlying issue here that I do in my own familiar property and casualty space – massive systemic complexity.

In the P&C space, I’d argue that most of the complexity derives from old court cases that created boundaries between lines of insurance. This led to technology solutions for each line and specialized staff and culture to handle input into, maintenance of and output from these ossified systems. The market need for those silos has blurred or disappeared, but thus far they’ve been indelible marks in the insurance landscape.

The same is probably true of health insurance. I’ll add the root of employer-sponsored health insurance (which usually separates the buyer from the end user), which stemmed from wage controls during World War II.

There’s an interesting historical summary in National Bureau of Economic Research Working Paper 14839. In short, fringe benefits were excluded from WWII wage controls, which caused employers to add more benefits to attract and retain workers. Health insurance existed in a fragmented way before this, but really came into its own and was firmly established as an employer benefit in the period. And now, 55% of Americans get their health insurance through their jobs, according to the Census Bureau. This has to be a piece of the complexity.

The issue is that systemic problems require systemic solutions. Systemic solutions are so much less attractive than quick fixes – they don’t sound catchy, they don’t boil down to one sentence, they take time to implement.

Yet, as a people, our failure to fight for systemic solutions is surely catching up with us.


Public Service Announcement: Rabies is really nasty. Nearly always fatal, and really, really nasty – it kills tens of thousands of people worldwide each year, mostly in places where rabid dogs are common. It’s also not specifically spread by animal bites; it’s spread in the saliva of ill animals, so a scratch or a lick to a mucous membrane can also spread it. If you may have been exposed (including if you wake up in a room with a bat -- bat bites don’t necessarily hurt and can be nearly invisible), you really need to talk to a medical professional.

Postscript: I had a long conversation about CEO pay at pharmaceutical companies with someone regarding this whole situation. CEO pay can be grotesque, especially at companies that do not pay their workers living wages and don’t provide decent benefits. However, cutting CEO pay is largely an issue of equity, not much of a solution to this cost issue. I looked up the 2019 salary of the immediate past CEO of Sanofi Pasteur, which manufactured the shots I was given. If he had worked totally for free, applying the savings evenly over their revenue, my bill would have been $4 lower.


Kate Terry


Kate Terry is co-founder and CEO at Surround Insurance.

She held senior roles in insurance product management before turning to the insurtech space, most recently as a senior vice president, commercial product management at Liberty Mutual.

How to Think Better

Although Edward de Bono's Six Thinking Hats technique has fallen out of use, it's worth another look at what can be a powerful tool for creativity.

Continuing our series of helping leaders listen and think better, in this post I share why I recommend Edward de Bono’s thinking hats.

Over 20 years ago, when I was learning my trade as a leader, most management training programs included his technique. However, in recent years, I find that it’s fallen off the radar. Many analysts and leaders have never heard of de Bono or his hats.

So, I will use this post to help reintroduce this technique and explain how I’ve seen it help analysts and leaders.

Introducing Edward de Bono and his hats

Edward Charles Francis Publius de Bono (phew, what a name) was born in 1933 in Malta. He has numerous degrees and has published 85 books, mostly focused on thinking and use of language. Indeed, he is the originator of the term "lateral thinking."

One of his most popular techniques for lateral thinking (solving problems by an indirect and creative approach) is called Six Thinking Hats, or 6TH. The technique is based on the idea that there are six imaginary hats. Each hat is a different color and represents a different type of thinking.

When you "put a hat on," you operate exclusively in that mode of thinking. When you change from one hat to another, you change thinking modes. Importantly, everyone thinks the same way at the same time – to avoid conflict.

Why and how 6TH?

De Bono developed the technique having noticed that when critical or contentious decisions need to be made, teams can find themselves in deadlock, stuck in a rut. They end up simply recycling the same ideas or variations on the same.

De Bono chose six hats to cover the different approaches to thinking he’d identified, and he gave them different colors to allow easy association and visualization. Each colored hat represents a particular type of thinking, each with its own rules about that type of thinking.

By requiring everyone to use the same hat – the same way of thinking – at the same time, 6TH ensures both that everyone has the opportunity to air his or her views and that every angle of the issue is properly explored. So, you should get a full and open discussion with everyone working together.

Introducing those 6 different Thinking Hats

So, in a 6 hats workshop, a facilitator guides each participant to put on, in order, the following hats:

White Hat (Facts and Information)

With this hat on, you must think about any and all relevant facts, the data you can observe or have already captured. You look at what is already known and any information gaps you identify -- a great place to start for data and analytics teams. The workshop works best if robust data has been filtered and curated beforehand so you know you are on firm foundations. This hat is white because of the association with white paper for printed facts.

Red Hat (Feelings and Intuition)

This hat is about feelings, insights and intuition. So, you feel free to share your emotions and impressions. You focus, through discussion, on what people feel about the issue – including gut instincts. Importantly, there is no need to rationalize or explain your evidence for this stage. Red is associated with strong emotions, which are captured on flip-chart/Post-It notes/digital whiteboard.

Yellow Hat (Benefits and Advantages)

With this hat on, you all focus on being optimistic. What could go right? What’s the best that could happen? Together, you capture possible advantages, benefits or opportunities. This can be really fun for the more positive extroverts in the group. Yellow is used because of its association with sunshine and positivity.

Black Hat (Caution and Problems)

Like a yin to the above yang, this hat is all about being a pessimist or at least a risk manager. What could go wrong? Why wouldn’t that other idea work? As a group, you focus on the problems, risks and challenges that you can imagine. Black is not used to be associated with evil or depression, but rather the formality of lawyers' robes. Wearing this hat is like conducting a cross-examination.

Green Hat (Creativity and Solutions)

With this hat on, it’s like the green-fingered getting to work in a new garden. What can you germinate? The team is asked to consider new ideas or build on ones already identified. This stage is most akin to brainstorming or mind mapping in other creative workshops, but with the help of prompts from work done already. Green represents new growth.

Blue Hat (Managing Your Thinking)

Unlike the other hats, this one is worn by just the facilitator, who wears it throughout the exercise to ensure that people understand and follow the process. At the final stage, the facilitator reviews and summarizes the thinking so far and prompts the team to spot themes, draw conclusions and decide on next steps. The color blue is used because of its association with the sky, to represent oversight.

De Bono suggested that these hats could be used in different orders for different needs/challenges. However, the order above is the sequence that I’ve found most often helps data and analytics teams generate useful new thinking.


How does 6TH help data and analytics teams?

While this exercise may seem to lend itself to marketing or management types, I have seen (and led) sessions where this approach can help analysts, data teams and their leaders break through what have been intractable problems.

You may recall that I have shared before how structured thinking techniques can really help with generating customer insights from analytics. I’ve also stressed the importance of domain knowledge and working with others in your business to improve the quality of your analysis and interpretation.

When working on using data or analytics to tackle an issue for your business or create an opportunity – the technical work alone is rarely enough. A deeper understanding of your business, processes, market and customers is often needed. Following robust analysis or model building, it’s important to take time to think well about what it means for your business and next best steps (the Sign-Off step in my 9-step model).

How will you use 6 Thinking Hats?

For all those situations, I recommend trying this approach. You may well be surprised how well it works in getting the most out of the collective intelligence of your team.


Paul Laughlin


Paul Laughlin is the founder of Laughlin Consultancy, which helps companies generate sustainable value from their customer insight. This includes growing their bottom line, improving customer retention and demonstrating to regulators that they treat customers fairly.

You Can Still Have Personal Interactions

The challenge in these socially distant times is how to create real relationships with customers despite so much of the exchange being digital.

Consumers do not generally enjoy shopping for insurance. This is not surprising, as they are spending money on something that may be required by law but that they hope never to use. Making an insurance claim means something bad has happened: A tree has fallen on a house, a piece of jewelry was stolen or someone has been in an accident. If something bad happens, the insurance is welcome; if nothing bad happens, customers may feel as if their money is being wasted -- like a black hole swallowing their money.

In these socially distant days, an increasing number of insurance purchases are occurring online, which can make a complicated transaction feel even more foreign for consumers. They only purchase once a year and may feel unease as they have to weigh options such as deductibles and whether to purchase coverage for particular perils. These sorts of decisions are easier when a human is with them; in fact, the personal relationship with an agent or broker can be the biggest factor in client retention.

The challenge for insurance industry players is to find ways to create real relationships with customers despite so much of the exchange being digital. Here are some suggestions:

Core Insurance Services Should Be Straightforward

If you are selling and servicing insurance policies, your platform has to make this easy. As consumers use many different systems -- they may start a search on their phone and later move to a laptop or tablet -- your platform has to be flexible technologically. So, the first challenge is very basic: You have to make everything work.

It should go without saying that you have to address the insurance issues. This means designing your website so that everything -- from purchasing insurance to making claims, when necessary -- can be done easily. Let customers know, in advance, what information they'll need to supply, such as a driver's license. You should also design your website to ask them a series of questions so that they can make the best decision. For example, if their car already has a few dings and dents, they may want to skip the collision coverage. Also, encourage them as they go through the different pages with phrases such as, "Just a few more questions, and you're done!"

When people have entered the data, you need to respond quickly. These days, consumers are accustomed to instant gratification; they may expect a quote or a settlement within minutes. When their needs are straightforward, a quote can be generated automatically. However, that isn't always possible; sometimes an application and certainly a claim will require additional review.

If instant gratification isn't possible, make sure you send an email or a text telling the person you have received the submission. Let people know the time frame in which they can expect a response. If there is some delay -- it happens; insurance employees are people, too -- let them know.

When you are ready to complete the transaction, remind customers of anything they may need to do to fulfill legal requirements, such as keeping proof of insurance with them while driving.

All of the above is just a description of the basics. Your company cannot survive without performing these tasks. However, the world is full of competitors, and you can expect others to master these basics, too. To improve customer satisfaction, the type of satisfaction that leads to retention, you need positive, personal interactions, even if those interactions must be socially distanced.

Positive, Personal but Virtual Interactions

Give customers reassurance. First, people buy insurance either because it's required, such as for a mortgage or car, or because they are concerned they may need it. Not only do you need to make sure they have fulfilled these requirements, but you have to give them the assurance that your company will be able to take care of them if it becomes necessary. A message such as, "Welcome to the XYZ Insurance Family, rated A+ by A.M. Best," is a good one to send.

Offer rewards for good behavior. If your customers make changes to reduce their exposure or simply don't file claims, give them rebates. This encourages safer behavior. However, don't just reduce premiums. Let people know you have reduced their premium by sending an email or a letter when it first happens. Congratulate them on being a better driver or a more responsible homeowner. Remind them, too, when they renew and whenever they visit your website. 

Remember important dates. People like their birthdays -- as well as other important events -- to be remembered. If you have the data, and it is not against company policy to make use of it, send a card or an email on significant anniversaries.

Send swag. If you have to use snail mail to reach people anyway, consider sending along some swag with your company logo. Perhaps you can send them a flashlight that they can store in their glove compartment. Perhaps you can send a mask with your logo discreetly placed on it. Perhaps you can send a magnet with useful information in addition to your logo. And, everyone can always use a good-quality pen!

Deliver news they can use. If your customers buy car insurance from you, send tips on driving and car ownership. For example, when do brakes need to be replaced? When are tires safe, and when are they worn out? How often should people check tire pressure? What should they have in their cars in case of an accident? These things are all useful and can increase their safety -- and they’ll appreciate your looking out for them. 

If they’re homeowners, they might want to know what they can do to reduce the risk of fire. Has the family practiced a quick evacuation in case of an emergency? How can people protect themselves from problems such as radon, mold and termites?


You can send people information that will help them save money on their insurance by informing them of any new offers and programs you introduce (e.g., only pay for what you need).

A regular email newsletter, with practical tips -- and those tips then stored on the website -- can give customers the sense that they matter and that you are concerned for their safety and wellbeing. A newsletter can also encourage them to take steps to reduce the risks in their lives, which the insurance industry always appreciates.

Conclusion

Your customer touchpoints and interactions are the face of your business -- more so now than ever before -- and the race is on to engage meaningfully via a slew of digital channels. The only way you can effectively cut through the noise of all the COVID-related content? You will need to be relevant and useful to your clients’ situations. Personalized experiences, offers and services will be important. 

Actual employees can be expensive to deploy, but they should still be used, as they can deepen a customer's relationship with your company and improve retention rates. However, the methods of reaching out to customers and personalization mentioned here will help give them the sense that your insurance company is not just there to take their money but is actually there to make their world safer every day. Use them to keep your customers feeling cared for -- even during the pandemic.


Priya Merchant


Priya Merchant is a digital transformation and innovation expert with nearly two decades of experience in financial services and insurance with top global organizations across the U.S., U.K., Canada, India and Latam.

How to Evaluate AI Solutions

There are five main concerns when implementing regulatory technology, especially AI technology, in the financial sector.

After almost a decade working in a large, global bank, I can speak to the challenges faced by all three lines of defense in trying to combat financial crime. I can also attest to the effect these processes had on our clients. As a front-line corporate relationship manager, I frequently had to navigate the know your customer (KYC), remediation and payment screening process for my clients. 

Not only was this an incredibly time-consuming and frustrating process on an organizational level, but more painful was the deleterious effect it had on our clients and their business: Crucial payments to vendors were delayed unnecessarily; accounts took months to open and required incessant back and forth among multiple parties; and account fundings/transactions always came down to the wire because of basic due diligence, regardless of how much work you tried to do ahead of time.

Much of the process that required our intervention seemed mundane, repetitive and inefficient, which compounded everyone’s frustration. 

Sound familiar?

These types of repetitive, mundane tasks are ideally suited to be outsourced to artificial intelligence, which the industry seems to now realize. 

Artificial intelligence can be an incredibly valuable tool, in that it can offload mundane tasks, provide insight into customer and employee behavior, create more standardization and help reduce or manage costs.

But as technology becomes increasingly sophisticated, there are many factors to weigh in the decision-making process. 

After countless conversations with stakeholders and decision makers in the industry, I have learned that there are five main concerns when implementing regulatory technology, especially AI technology, in the financial sector: 

  1. How transparent is the AI? 
  2. What if the AI learns the wrong behaviors, such as bias?  
  3. Does it have more than one purpose? What is the road map?
  4. Is it better than what I have now? More accurate, faster, more standardized, more cost effective? Can "better" be tested quantifiably?
  5. What are the redundancies? How will this technology affect my operational resiliency?

Let’s look at each point in order.

1. How transparent is the AI? 

While this seems like a straightforward question, “transparent” really encompasses three separate factors:  

  • Will my team and our stakeholders be able to understand how it works? 
  • Will I be able to easily demonstrate to audit, the board and regulators that it’s doing what it’s supposed to do?
  • Can I get a snapshot of what is happening at any given moment? 


All of the major regulators have stipulated that artificial intelligence solutions be explainable and demonstrable. Both of these concepts are rather self-explanatory but still worth exploring.

Explainability 

It’s not sufficient for your compliance team to understand how the AI makes decisions. They also need to be comfortable explaining the process to key stakeholders, whether they are board members, the internal model committee, audit or the regulators. 

If your technical team can’t understand the technology or how decisions are made, or if the vendor claims confidentiality to protect its IP, this is a cause for concern.

Demonstrability

Like transparency, demonstrability captures a few components - it means you have to be able to demonstrate:

  • What decisions the AI has made; 
  • What changes you’ve made to how the AI makes decisions; and
  • Who made the changes.

This is where an audit trail comes into play. First of all, is there one? If so, is it immutable, and does it capture all actions in the AI or just some of them? Is it exportable in report format, and, if so, is the report readable and can it be easily understood?
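One way to make these audit-trail questions testable, as an added example that is not from the article or from any vendor: a hash-chained log of AI decisions and configuration changes, with a verifier and a readable export. The class, field names, alert IDs and the user `j.doe` are constructed for illustration, and the chain is only tamper-evident if the latest hash is also kept somewhere the log's operators cannot rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry
FIELDS = ("seq", "timestamp", "actor", "kind", "detail")
KINDS = ("decision", "config_change")


def digest(prev_hash, body):
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log: what was decided, what was changed, and by whom."""

    def __init__(self):
        self._entries = []

    def append(self, timestamp, actor, kind, detail):
        if kind not in KINDS:
            raise ValueError(f"unknown entry kind: {kind}")
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "timestamp": timestamp,
                "actor": actor, "kind": kind, "detail": detail}
        self._entries.append(dict(body, prev_hash=prev, hash=digest(prev, body)))
        return self._entries[-1]["hash"]  # head hash, to be anchored externally

    def export(self):
        """Deep copy of all entries, so callers cannot mutate the trail."""
        return json.loads(json.dumps(self._entries))


def verify(entries, expected_head=None):
    """Return None if the chain is intact, otherwise a description of the fault.

    Without expected_head, a party able to rewrite the whole log can recompute
    every hash, or drop the newest entries, and still pass this check.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        try:
            body = {k: entry[k] for k in FIELDS}
            stored_prev, stored_hash = entry["prev_hash"], entry["hash"]
        except KeyError as missing:
            return f"entry {i}: missing field {missing}"
        if entry["seq"] != i or stored_prev != prev:
            return f"entry {i}: chain link broken"
        if stored_hash != digest(prev, body):
            return f"entry {i}: hash mismatch"
        prev = stored_hash
    if expected_head is not None and prev != expected_head:
        return "head mismatch"
    return None


def report(entries):
    """One readable line per entry, for audit, the board or a regulator."""
    lines = []
    for e in entries:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(e["detail"].items()))
        lines.append(f'{e["seq"]:>3}  {e["timestamp"]}  {e["actor"]:<8} '
                     f'{e["kind"]:<14} {detail}')
    return "\n".join(lines)


def build_sample_trail():
    """Constructed sample data: two model decisions and one threshold change."""
    trail = AuditTrail()
    trail.append("2020-09-14T09:00:00Z", "model", "decision",
                 {"alert": "ALERT-0001", "outcome": "false_positive"})
    trail.append("2020-09-14T09:05:00Z", "j.doe", "config_change",
                 {"setting": "match_threshold", "old": 0.80, "new": 0.85})
    trail.append("2020-09-14T09:10:00Z", "model", "decision",
                 {"alert": "ALERT-0002", "outcome": "true_positive"})
    return trail


if __name__ == "__main__":
    entries = build_sample_trail().export()
    print(report(entries))
    print("verification:", verify(entries, expected_head=entries[-1]["hash"]))
```

When evaluating a vendor, the equivalent questions are whether its export can be re-verified independently like this, and where the head hash (or its equivalent) is stored.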

Compliance is a data-driven world, and the risk associated with being deemed non-compliant is substantial. Being able to capture and export changes to, and decisions made within, your AI is crucial to your relationships with your stakeholders.

As personal liability expands in the corporate world, board members and committees increasingly require an understanding of not only how compliance risk is being mitigated, but also clear evidence that it’s being done, how and by whom.

2. What if the AI learns the wrong behaviors, such as bias?

The underlying questions here, without detracting from the very serious concern about embedding existing unconscious bias into your AI, are:

  • If the AI is wrong, or my requirements change, can I fix it? How easily? 
  • What impact will tweaking the AI have on everything it’s already learned?

An industry journalist recently asked me if I thought bias was a problem with AI. My answer to her, and to all of you, is that AI simply learns what’s already happening within your organization. As a result, unconscious bias is one of the things that AI can learn, but it doesn’t have to be a problem. 

While you can’t really prevent AI from learning from past decisions (that’s kind of the point), good technology should enable you to identify when it’s learned something wrong, and to tweak it easily to prevent bad decision-making from becoming embedded into your AI’s decision making.

This ties in to the need for transparency and reporting. It’s not only necessary to see how decisions are made; you also need to be able to prevent poor decisions or bias from being part of the AI’s education. And all of these things need to be documented.

When testing new vendors, once the AI engine has been trained initially for your proof of concept, you should be able to clearly understand the findings and be able to make changes at that time (and thereafter). You will very likely be surprised by some of the ways decisions are currently being made within your organization. 

For example, at Silent Eight, our technology investigates and solves name and transaction alerts for banks. This work is typically done by teams of analysts, who investigate these alerts, and close them as either a true positive (there is risk here) or false positive (there is no risk). True positive alerts require substantially more time to investigate and close than alerts deemed to be false positives. 

Analysts typically have KPIs around the number of alerts they’re expected to investigate and close each week. 

By late Friday, the analysts are doing everything they can to make sure they meet this quota. As a result, it’s not unusual during the AI training process that the AI learns that 4pm on Fridays is a great reason to close out pending alerts as false positives. 

Obviously this is a good example of AI learning the wrong behavior and needing to be tweaked. It’s also a good example of mistaking correlation for causation, which is a topic worthy of its own examination on another day.

Today, as regulations are introduced and amended, you’re continually updating your policies to reflect these changes. It’s no different with artificial intelligence. It’s imperative that your AI engine is correspondingly easy to tweak, and that, when you tweak it, you don’t lose everything it has already learned. 

Thoughtful, well-designed technology should be built in a manner that makes it easy to update or amend part of the AI engine, without affecting the rest of the learnings. This is something you should both ask about, and test.

3. Does the AI have more than one purpose? What is the road map?

Many financial institutions have the dueling mandates to be both innovative and transform digitally, but also to rationalize vendors. So, when considering artificial intelligence solutions, which are often niche, it’s worthwhile finding out:

  • How the vendors decide to build out features;
  • Whether they are willing to customize their offering for you;
  • How reliably they’ve delivered on features in the past; and
  • Whether what’s on their road map adds value for you.

This way you can ensure that the decision you’re making is one that is future-proofed and set up for longevity.


4. Is it better than what you have now? 

Better can mean different things to different organizations and individuals. It’s typically tied to the problems you’re experiencing now and to your organization’s strategic focus and priorities. When I ask clients and prospects what they mean by "better," the answers I hear most commonly are:

  • Is it more accurate?
  • Is it faster?
  • Will it give me greater standardization?
  • Will it enable me to identify more risk?
  • Will it enable me to federate by jurisdiction?
  • Will it lead to greater efficiencies?
  • Is it more cost-effective?
  • Does it increase my visibility? I.e., is it transparent?

Once you’ve defined what "better" means to you and your organization, you need to find out from your prospective vendors if and how "better" can be tested quantifiably. 

5. What are the third-party dependencies? How will this technology affect my operational resiliency?

Operational resiliency and third-party due diligence have become a significant focus in the industry and can be a barrier to doing business.  Many regulators, including the EBA and the FCA, have issued guidelines on the topic, and continue to revisit it.

It’s vital to understand if a vendor is reliant on any other vendors in its tech stack, if it's using open source code, what the deployment is (on premise, in the cloud, in a private cloud) and what security standards the vendor adheres to.

Take back the things you can control 

Right now, the financial services industry is beset by many challenges that are outside of its control, including low interest rates, working remotely, bad debt provisions and the increased new accounts and suspicious activity resulting from COVID. 

Your compliance costs and processes are a piece of the puzzle you can control. Good artificial intelligence technology will enable you to offload some of your mundane, repetitive tasks, freeing you and your team to focus on more complex risks and higher value projects. 

I recognize that artificial intelligence can be a bit daunting, and that it has a mixed reputation in the industry. However, if you’re armed with a dose of skepticism, have the right questions to ask and approach it with an open mind, you’ll be amazed by what it can do.


Amber Sutherland


Amber Sutherland is senior vice president of business development, EMEA at Silent Eight. She is a regtech and market strategy leader helping financial institutions combat financial crime with technology.