Juneen Belknap, Principal, Financial Services-Insurance for PwC Advisory Services, talks with ITL COO Paul Winston about how PwC is working to provide solutions and shape how people think about the integration of modern new technology, including insurtech, with legacy systems to drive change and innovation in insurance. Among the insurtech companies PwC is working with to reimagine insurance processes are Terrene Labs, Snapsheet and InvestCloud, among others.

---

View more Innovation Executive videos Learn more about Innovator's Edge

Robin Roberson, President and Co-Founder of Goose & Gander, talks with ITL CEO Wayne Allen about the creation of the boutique consulting company and how it is working to help insurance incumbents and startups overcome obstacles to adoption.

---

View more Innovation Executive videos Learn more about Innovator's Edge

Alex Pezold, CEO and Co-Founder of TokenEx, talks with ITL Editor in Chief Paul Carroll about how the 10-year old company, which has been active in providing a cyber solution to the banking and payments industries, is now exploring ways to bring its data protection solution to the insurance industry. TokenEx assigns a token for sensitive data, such as a customer’s personally identifiable information, so that a company is not storing actual consumer information that is at risk in a data breach. Learn more about TokenEx.

---

View more Innovation Executive videos Learn more about Innovator's Edge

Kobi Bendelak, CEO of InsurTech Israel, speaks with Paul Winston, COO of ITL, about the company’s mission to invest in insurtech startups based in Israel and to provide advisory services not only to Israeli startups looking to enhance their strategy to gain adoption in insurance, but also to global insurance companies that want to access the extensive technology innovation in Israel. Kobi also shares his views on what makes Israel such a hub of tech innovation and entrepreneurism.

---

View more Innovation Executive videos Learn more about Innovator's Edge

Lee Poskanzer, CEO and Founder of Directive Communication Systems, talks with ITL CEO Wayne Allen about the growth of digital assets and why access to these are at risk of being lost in estate planning without specific legally compliant steps to protect them for heirs. DCS, he says, aims to make this process easier for individuals to decide which assets—from social media, cloud storage, bank accounts and more—should be passed on and to whom..before it's too late.

---

View more Innovation Executive videos Learn more about Innovator's Edge

Steve Bernardez, Partner with Avanta Ventures, talks with ITL Chief Innovation Officer Guy Fraker, about how Avanta—a unit of CSAA Insurance Group—evaluates startups and opportunities through the lens of several key themes, including insurtech, mobility, and products that are ancillary to certain insurance products, such as cyber.

---

View more Innovation Executive videos Learn more about Innovator's Edge

Sanjiv Parikh, Managing Partner of Avanta Ventures, speaks with ITL Chief Innovation Officer Guy Fraker about the company’s mission, which includes not only investments, but also an accelerator/incubator to nurture early stage companies, and identifying and promoting the opportunities of innovation to drive growth for its parent, CSAA Insurance Group.

---

View more Innovation Executive videos Learn more about Innovator's Edge

More than 200 million people and two-thirds of the 48 contiguous states are at risk from flooding, according to Edward Clark, director of the U.S. National Water Center. This demonstrates the major threat that flooding poses to the reinsurance industry in the U.S. In light of this hazard, the U.S. private insurance market is growing, with 2017 reporting $600 million in premiums, an increase of $217 million over 2016. But why isn’t this figure higher? And, why do approximately 85% of U.S. homeowners lack flood insurance policies? One of the key reasons, among many, for low private insurance penetration stems from the inadequacy of current flood data, such as FEMA's, to fully assess this hazard. Changes in landscape Many parts of the U.S. have experienced extensive redevelopment since the creation of the industry-standard FEMA flood maps, and these redevelopment changes haven’t been adequately captured in flood maps—until now. To illustrate this, take Sherwood Park in Palm Shores, Florida, which has seen rapid and major development since the 1980s. Areas that were once rural wetlands have been re-landscaped and developed into desirable real estate. See also: How Non-Standard Became the Standard   Figure 1 shows a historical map of the Palm Shores development in 1981. Palm Shores as an urban area was then confined to the southern part of the area shown, with areas to the north and west entirely rural with several lakes and ponds. This is contrasted with Figure 2, which shows aerial imagery of the Palm Shores development in 2016—an entirely different, more urbanized, landscape today. Figure 1: Historical map of Palm Shores development in 1981.  Figure 2: Aerial imagery of Palm Shores development in 2016. This shows an entirely different, more urbanized, landscape today. Basemap: U.S Geological Survey Historical Topographic Map Collection, 1983 ed., accessed via topoView. Flood maps from the 1980s To fully and accurately represent today’s flood hazard in these changing areas, it’s vital for insurers to use the most recent flood maps available, which use contemporary, best-available elevation data. Figure 3 shows FEMA’s flood hazard zones for the Palm Shores area, showing some patches of Zone A flood zones in red, largely restricted to the west. The housing development in the bottom center is Sherwood Park, classified by FEMA as being in a Zone X area of minimal flood hazard. Figure 3: FEMA flood hazard zones for the Sherwood Park housing development, Palm Shores, FL.  Figure 4, on the other hand, shows JBA’s 1-in-100-year flood map, the equivalent of a FEMA Zone A map, which shows a very different picture. The areas of flood hazard are distributed across more of the overall area, with the Sherwood Park area now being represented as flood-prone. Figure 4: JBA’S 1-in-100-year flood map, showing areas of flood hazard in Sherwood Park (dark orange indicates more severe flooding). Contains Microsoft® Bing™ Maps, © 2010-2017 Pirmin Kalberer & Mathias Walker, Sourcepole AG. This disparity in flood hazard mapping can be better understood in the context of the altered landscape. It can be seen that FEMA’s mapping for this area largely corresponds to the landscape of the 1980s rather than the landscape of today. If insurers rely on mapping using this outdated data, they may easily over- or underestimate flood hazard in areas that have experienced redevelopment since the map’s creation. See also: Hurricane Harvey: An Insurtech Case Study   The need for high-resolution data This urbanization in areas across the U.S. also highlights the need for high-resolution data, especially when we consider that more than 20% of all NFIP flood claims relate to properties outside FEMA-designated high-risk flood hazard areas. Figure 5 shows downtown Miami when mapped at 30m resolution (left) and when mapped at 5m resolution (right). The 5m resolution illustrates the flow of water down narrow features such as walkways and roads much more effectively, whereas the 30m mapping can result in under- or overestimation of the hazard. Figure 5: 30m flood map (left) vs JBA 5m flood map (right). Basemap data ©Mapbox ©OpenStreetMap. In light of these changes in landscape, it’s vital that insurers use the right tools for today’s world. JBA's flood maps include the most up-to-date elevation data and can be used within SpatialKey to help insurers better understand risk in the context of their portfolios for more informed and confident underwriting.

Virtually every company owns, licenses or maintains personal information and other sensitive data. Until recently, companies were not legally required to implement cybersecurity policies, procedures or controls specifically designed to protect personal and other sensitive information. Some companies might even have decided not to comply because of perceived high implementation costs and complex operational changes. However, recent expansions in a number of laws have changed this dynamic. Across the U.S., state regulations are being promulgated that require companies to implement and maintain a reasonable level of cybersecurity controls. Some of these laws provide for significant penalties in cases of non-compliance. As companies begin to take steps toward compliance with these regulations, one significant source of assistance is the cyber insurance market. New Privacy and Cybersecurity Regulations As of the writing of this article, at least 25 state laws impose obligations on their corporate citizens to have reasonable data and information security practices to protect sensitive data from unauthorized disclosure. Some laws go even further and prescribe specific standards that corporate citizens must follow to protect the privacy rights of those states’ residents. Two of the most stringent regulations currently in effect are in New York and Massachusetts, while a third, which may very well be the most stringent regulation, becomes effective in California on Jan. 1, 2020. New York state’s recently passed, “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, applies to businesses that maintain private information of New York residents, regardless of whether such entities actually conduct business within New York. SHIELD requires covered entities to implement “reasonable safeguards,” taking into account administrative, technical and physical safeguards such as training, risk assessments, regular testing of key controls and procedures and the disposal of private information within a reasonable time after it is no longer needed. Similar requirements exist in Massachusetts, Ohio, Oregon and Vermont. See also: Hidden Dangers for Cybersecurity   SHIELD also allows for possible fines for violations of the notification requirements up to $250,000. Notably, the imposition of the “reasonable safeguards” requirements brings the new law closer to New York’s 2017 Department of Financial Services’ Cybersecurity Regulation, which prescribes holistic security measures applicable to a broad swath of financial services companies operating under New York’s banking, insurance and financial services laws. In addition, many of New York’s small and medium-sized businesses in industries unaccustomed to the regulations applicable to the financial sector will now be required to address their security measures and implement controls, including risk assessments, to protect sensitive information and systems from unauthorized use or access. Massachusetts’ current regulation, 201 CMR 17.00, et seq., establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The regulations apply to all persons who own or license personal information about a resident. 201 CMR 17.03 and 17.04 impose obligations on covered entities to implement prescribed safeguards, including (this is a small sample from the list set forth in the statute):

• A comprehensive, written information security program that contains administrative, technical and physical safeguards.
• Designation of one or more employees to maintain the information security program.
• Identification and assessment of reasonably foreseeable internal and external risks, and evaluation of the effectiveness of current safeguards for limiting such risks.
• Continuing employee education and training.
• Measures to oversee third-party service providers, including requiring such vendors by contract to implement and maintain appropriate security measures for personal information.
• Password management and controls.

California’s much discussed California Consumer Privacy Act, see oag.ca.gov/privacy/ccpa, Assembly Bill 375 (CCPA) becomes effective on Jan. 1, 2020. The CCPA is a significant expansion of privacy rights granted to consumers and shifts the burden of compliance regarding consent and the collection, use, storage and destruction of personal data to businesses. The CCPA’s expansive requirements placed on businesses relative to the collection and use of personal data bring California much closer in line with the privacy culture of the European Union and its GDPR. While California, Massachusetts and New York have been at the forefront of imposing affirmative obligations on businesses requiring implementation of comprehensive cybersecurity policies and protocols, more than 25 states in total have laws that address data security practices of private-sector entities. Most of these data security laws require businesses that own, license or maintain personal information concerning a resident of that state (in several cases, including even entities who maintain such personal information but who are not doing business in the state) to implement and maintain “reasonable security procedures and practices,” taking into account the size and resources of the entity and the nature of the information it holds. Accordingly, businesses with personal information in their systems – for example, unencrypted combinations of names with Social Security numbers, driver’s license numbers, account numbers, PINs, biometrics, etc. – are required, by law, to adopt, implement, maintain and regularly update their information security programs. The conjunction of new obligations imposed by states like Massachusetts and New York, with the expansion in privacy rights granted to California residents in the CCPA, leaves companies with little choice but to take cyber security and corporate privacy with the utmost seriousness and spend time and resources in advance of any type of occurrence. The Role of Cyber Insurers It is clear now that instituting and managing cybersecurity protections are no longer merely options for companies in all industry sectors. One key resource for any business in developing and deploying a cybersecurity program is its cyber insurer. In today’s environment, businesses of all sizes should purchase cyber insurance. Cyber insurance is designed to cover numerous risks associated with both privacy and technology. Moreover, cyber insurance is there to respond after an incident occurs. See also: It’s Time for the Cyber 101 Discussion   Most traditional insurance policies do not cover measures like those contemplated by the various regulations. However, a few cyber insurers provide value-added risk control services along with free or reduced-cost access to cyber security vendors that can help an insured through this process. These services are available to the policyholder upon binding coverage with the insurer in advance of any actual cyber occurrence. CNA, for example, recently launched a suite of cyber security services. CNA CyberPrep is a program of cyber risk services designed to aid cyber policyholders in cyber threat identification, mitigation and response.

• Identifying cybersecurity posture is a critical beginning. Services include detailed analyses from a network of free or reduced-cost cybersecurity experts, reports that provide a snapshot of policyholder security posture and numerous recommendations for improvement.
• Working in collaboration with their broker, CNA Risk Control, and Cyber Underwriting, policyholders execute the cybersecurity experts’ recommendations to mitigate their cyber risks and improve their cybersecurity posture.
• CNA CyberPrep continues to benefit policyholders. In the event of a cyber breach, CNA’s panel of experienced incident response vendors provide guidance and strategies to help expedite recovery and minimize loss.

Offering these types of services is in the best interests of both insurers and policyholders, as an ounce of prevention is worth a pound of cure. Also, given the regulatory developments across the U.S., companies should, more than ever, take advantage of their cyber insurer’s ability to help facilitate this process. Simply put, companies can no longer fail to implement cybersecurity policies, procedures and controls. Failure to comply with the state and federal laws and regulations can easily result in substantial fines and mandated corrective action. Some states also permit individuals to sue when failures result in loss of their personal information, potentially resulting in treble damages under unfair competition laws. Given the staggering costs of non-compliance, businesses must implement appropriate cybersecurity policies and procedures, keep them current, train their employees and use the latest technical protections. When selecting your cyber insurer, look for one that can help supply the requisite resources for a comprehensive – and compliant – cybersecurity program.

When I wrote two weeks ago about the possibility of combining workers comp with health insurance to produce a sort of let's-just-keep-people-healthy approach, many of you wrote to tell me that I'm nuts. (You were as kind as possible; thanks for that.)

One wrote that the obstacles to a combination are "nearly insurmountable." She added:

"Workers comp is a legal system, whereas health insurance is a purchased benefit. Moreover, the legal system governing workers comp is federal law interpreted by each state, thereby making it 52 different legal systems counting Washington, D.C., and Puerto Rico. That’s the basis from which you need to start. Good luck!!"

I love the "Good luck!!" But I don't give up easily. I still believe in Stein's Law, which, paraphrased, says: "Trends that can't continue, won't."

The trends in our intertwined healthcare and insurance worlds simply can't continue. As a result, I think silos will break down, eliminating all sorts of traditional barriers, whether between workers comp and health insurance or between other parts of our healthcare system.

The urgent need for change was driven home by the recent report that the cost of family health coverage now tops $20,000 a year. That cost isn't sustainable. Indeed, many people are dropping coverage because they can't afford it.

The need also hit home in a more personal way. A woman I know, a CFO, reacted horribly to a cleaning solution used in her office and is largely incapacitated. She just wants to feel better and get back to work, but the lawyers have to sort this out first. Does she have a workers comp claim? A health claim? Is there a liability claim against the cleaning service? 

In all, the American healthcare system spends 8% of the total on administration, compared with 1% to 3% in other developed countries. 

But there are also signs of progress, of people trying to change the rules. In particular, businesses are starting to intervene to serve their employers better, beyond just paying for insurance. Amazon is following a move taken by many other large employers and setting up health clinics for employees, with an idea to rolling them out more broadly. Walmart is helping employees find doctors, schedule appointments and generally navigate the health system, also with the idea that the company might offer the service to others. Many companies are providing telemedicine services to help employees get faster, more effective treatment, supplementing the care provided through health insurance. 

Even health insurers, the bogeyman for many, are moving more directly into care. That may or may not turn out to be a good thing, but certainly represents a blurring of traditional lines.

One of my favorite dicta from my days in Silicon Valley is: "Never confuse a clear view with a short distance," so I realize that my (reasonably) clear view of healthcare won't necessarily happen soon. In fact, I'd say it's highly unlikely to happen soon. But it will happen, and we might as well get started, if not on workers comp and health insurance then on any number of the other possibilities.

Cheers,

Paul Carroll
Editor-in-Chief