The False Dichotomy That Holds Us Back

Our chief innovation officer, Guy Fraker, told me the other day of being in an innovation strategy meeting where the CFO of a workers comp carrier talked of needing to "protect our losses."

The pushback was fast and strong: Insurers increasingly can help clients predict and prevent losses and must do so, even though lower premiums will eventually result. But we can empathize with the CFO, right? His job is to squeeze the last drop of profit out of the business, and that gets harder if premiums shrink because clients' losses are declining.

His comment points to a false dichotomy that is accepted throughout the insurance industry even in these modernizing times and that we need to move past. Left unaddressed, a belief in the dichotomy could both lead us away from our mission of protecting clients and cause strategic blindness that could endanger our businesses in the long term.

The issue is that we want to help clients, including by preventing losses, but we also need to generate as much profit as possible. Trying to maximize both goals simultaneously can seem to be somewhere between hard and impossible, depending on your role in the industry.

If we just bounce between the two goals (what might be called a thesis and an antithesis, if you’ll allow me to dip back into my vague memories from college of the Hegelian dialectic), we miss the chance for a novel solution (what Hegel called synthesis). And one is available—but only if we take a new view of what clients want and of what our sources of profits should be.

New ways of thinking have always been hard, no matter the industry. Businesses begin with some sort of novel approach, but, as they grow, become much more about developing that approach to the fullest and optimizing the business built around it rather than about developing new insights. Even worse, over time, executives often come to think that customers are as wedded to the industry structure as the executives are.

Kodak's fundamental failure was that it thought customers loved physical prints as much as Kodak loved selling the film, paper and chemicals used to produce prints. Executives, since about 1980, saw clearly how digital technology would develop but simply couldn't imagine a world where images were shared solely digitally and were slow to react to that new world.

In insurance, we have the inertia problem in spades. We think of ourselves as selling policies. Even our language locks us into thinking of ourselves as being in the product business—I've heard some talk of setting up "factories" and "manufacturing" policies. But customers don't long for policies, and they are becoming increasingly stern about letting us know their preferences.

Customers want peace of mind, and they want help managing and reducing their losses. They’ll tolerate insurance policies if that's the only way to achieve their goals—and detailed legal contracts are certainly required in many, even most, instances—but customers aren't wedded to traditional policies like we are.  

We fit the description of the classic Harvard Business School article that said companies often think they're in the business of selling quarter-inch drills, when what customers want are quarter-inch holes.

If we can free ourselves from the historic emphasis on pushing product, we can see our way to providing an array of services that provide customers with the insurance equivalent of quarter-inch holes. That workers comp CFO, for instance, could sell services that would help clients identify potential problems and head off workplace injuries, based on the growing capabilities of sensors, better data analytics and other developments that the insurtech movement is providing.

The shift to services does require, of course, a willingness to look beyond today's profit streams and will require creativity. Even Kodak, belatedly, looked to digital cameras and printers (remember executives' belief about the absolute need for prints) as new revenue streams, but there just wasn't enough there to replace the billions of dollars of revenue that film, paper and chemicals had generated. The new revenue streams turned out to be rather far afield, in facilitating digital sharing of images and helping customers build stories around images, so all the value from digital photography went to Facebook, Instagram and other such platforms.

It's always tempting to think that customers don't have a choice, and inertia certainly provides some protection here for insurers. But commercial buyers' willingness to self-insure and broker dominance in captive management services sends a strong message that clients are going to get what they want, with or without insurers. And just because an insurer doesn't want to switch from a product to a service focus, lest profits be endangered, doesn't mean someone won't offer that quarter-inch-hole service. (We know a thing or two about this approach because our IE Advisory team has helped companies innovate into services.)

So, let's get beyond the false dichotomy of either helping clients OR maximizing products. Let’s turn thesis-antithesis into synthesis. Let's get beyond policies and premium, addressing customers' actual needs and finding ways to make them happy about paying us for our assistance. Hegel would be proud, and the industry will thrive.

Cheers,

Paul Carroll
Editor-in-Chief


Paul Carroll is the editor-in-chief of Insurance Thought Leadership.

He is also co-author of A Brief History of a Perfect Future: Inventing the Future We Can Proudly Leave Our Kids by 2050 and Billion Dollar Lessons: What You Can Learn From the Most Inexcusable Business Failures of the Last 25 Years and the author of a best-seller on IBM, published in 1993.

Carroll spent 17 years at the Wall Street Journal as an editor and reporter; he was nominated twice for the Pulitzer Prize. He later was a finalist for a National Magazine Award.

Why Cyber Must Be a Focus for SMEs

The days of hackers focusing on major businesses have given way to a new era for cybersecurity. Small businesses are the new target.

Small business cybersecurity must be taken seriously. The days of hackers focusing on major businesses have given way to a new era. Small businesses are the new target.

The Verizon 2019 Data Breach Investigations Report found that 43% of data breaches hit small businesses. The next most common industry for breaches - the public sector - was hit by just 16% of security events. Small businesses are a high-priority target for attackers, and a Ponemon Institute study found that 67% of small businesses were hit by a cyber attack in the year prior to its study, which was released in late 2018.

These are tough statistics for small business owners. The problem doesn't stop here. Small businesses aren't just targets; they are also less likely to be able to handle the costs of a data breach. A study from IBM Security and the Ponemon Institute found the average total cost of a data breach was $3.9 million in 2018. That figure has been rising over the past few years.

Small business cybersecurity is a mission-critical situation. It's something that poses real challenges for small business owners who lack the resources to invest in robust IT systems.

Understanding the Scope of the Cybersecurity Threat

The high costs of a data breach are influenced by major security incidents affecting large corporations. You may not think you have almost $4 million to lose in a cyberattack because you simply don't have that kind of money in the first place. But that's the problem.

You may not be hit by a hacker trying to steal highly regulated data, leading to the kinds of fines that cause huge costs. But how much cash do you have lying around? If you're hit by a ransomware attack - a security event in which a hacker uses malware to encrypt your data so you can't access it and demands a ransom - do you have the funds to respond? Even a $50,000 ransom can have a huge impact on a small business.

Dealing with the Costs of Attacks

The costs that come with a data breach stem from a variety of sources. If you're lucky, you won't lose any information, or have it stolen. For example, two types of common attacks don't steal data; they just kill productivity.

The first of those is ransomware. The cost here comes from lost productivity while data is inaccessible, and the price of paying the ransom to recover your data. The second is distributed denial of service (DDoS), an attack in which servers are overloaded by constant attempts to access your website. This makes it impossible for legitimate customers to interact with you.

When data is stolen, the costs escalate, particularly if customer information is lost. In this case, you often have to:
  • Cover the costs of credit tracking for those affected by the breach.
  • Deal with regulatory fines if it's found that you weren't in compliance with an industry standard.
  • Face lost trust from customers, something that often hurts the bottom line.
  • Scramble to deal with the source of the attack and fix any IT problems that existed.
Whether you're hit by something like ransomware or face a full data breach, the costs can escalate quickly, to the point that a single security event can put you out of business. Investing in small business cybersecurity is critical in dealing with these situations.

Looking at Common Attack Types

Cyber criminals are constantly shifting their methods as they identify vulnerabilities. They're also aware that many small business cybersecurity efforts are lacking. This has made small businesses targets for a wide range of attack types, including:
  • Phishing schemes that use legit-looking emails to trick users into downloading malware.
  • Account takeovers in which criminals use stolen login details to access user accounts and steal private data.
  • Social engineering efforts that allow hackers to pose as an account-holder to gain access to sensitive data.
None of these attack types is technically demanding. They are cheap for hackers to act on. As such, criminals can easily attack small businesses in multiple ways. The hackers just sit back hoping that one method will get through.

The Verizon study found that almost 40% of all cyber attacks stemmed from organized crime groups. Hackers are working in smarter, more efficient ways. Small business cybersecurity tactics need to shift as a result.

Exploring Why Small Businesses Are Targets

Imagine you're a hacker. You're looking for a target that will give you valuable data you can sell to third parties. Just about every business today is based heavily on digital resources. Why would you target highly defended large corporations when small businesses often have valuable data, but fewer defenses?

This logic is shaping the modern small business cybersecurity sector. Small businesses typically lack strong security measures to identify threats and safeguard data from intruders. Hackers can send phishing emails to thousands of business email addresses at minimal cost. All they need is to have a few people fall for the scam, and hackers have access to company data and systems.

Overcoming the Resource Crunch

With hackers today, a single data breach could be expensive enough to put you out of business. With this in mind, think about making some IT updates, training staff and using similar strategies to bolster your defenses.

Whether you tweak your budget to create space for cybersecurity spending or seek funding to boost your capabilities, it's time to start rethinking your defenses. Take action before your business becomes the next target.

Ben Gold

Ben Gold is president of QuickBridge, a privately held financial services firm providing “small business loans” and short-term working capital funding solutions for small to medium-sized businesses nationwide.

Avoiding the Pitfalls in Catastrophe Claims

Managing catastrophe reinsurance claims is a big challenge for carriers. In particular, dealing with the “hours clause” can be baffling.

Managing catastrophe reinsurance claims is a big challenge for carriers. In particular, dealing with the “hours clause” can be baffling. But taking the best strategy can make a big difference in how much reinsurance a carrier will collect.

As climate change accelerates and the weather becomes more violent, catastrophe reinsurance has become increasingly complex, making modern technology a necessity for carriers to get the most value from their premiums. Ceded reinsurance has been one of the industry’s most technology-resistant areas, but that has begun to change over the last several years.

Tracking reinsurance claims in general is challenging; managing catastrophe claims is especially challenging. One problem is claims leakage. This occurs when the insurer fails to file a claim with the reinsurer because no one at the company realizes that a claim should have been filed. That might seem unlikely, but it’s not an uncommon occurrence.

Unfortunately, many insurers still use a spreadsheet to track policies and claims instead of a dedicated ceded system. Insurers that use spreadsheets must rely on staff combing through multiple spreadsheets to identify claims. Legitimate claims can fall between the cracks.

Dealing with the “hours clause” in catastrophe claims is another complex challenge. With catastrophe reinsurance, defining the event, or catastrophe, is crucial. Under the “hours clause,” the duration of any one loss occurrence is usually limited to 72 hours. If a catastrophe’s duration exceeds the hours limit, the insurer may divide the catastrophe into two or more loss occurrences.

Consider a catastrophe that lasts 290 hours. Because it’s possible to have up to four loss occurrences for such a catastrophe, grouping individual claims becomes a complex exercise. For instance, you can have four 72-hour losses that start at hour 1 and omit all claims for hours 289 and 290. Or you can start with hour 2 and skip claims for hour 1 and hour 290.

That only hints at the complexity of the challenge facing insurance companies needing to optimize reinsurance recoverables. A ceded reinsurance system with an algorithm designed to optimize for such claims can remove much of the guesswork.

How can you achieve the best solution? Reinsurance software is not a core system, but its usefulness largely depends on how tightly it is integrated with core policy administration (PAS) and claims systems. To ensure that, you’ll need to make a preliminary study before installing the software.

The study should include a detailed description of the company’s reinsurance management processes and identify potential gaps between those processes and the proposed solution. The study should also identify the contracts and financial data needed, establish interface specifications, define the data-conversion and migration strategy and gather all reporting requirements.

Besides connecting the data in the upstream PAS to the reinsurance management system, you will need to integrate ceded reinsurance data to other applications such as the general ledger, the claims system and business-intelligence tools.

These are important details. But always remember the ultimate goal: giving the people who manage reinsurance the technology they need to do the job efficiently and effectively, especially when managing high-stakes catastrophe claims.

Radical Prediction on Future Tech Leaders

In five years, the premier insurance technology providers will be Aon, Marsh, Munich Re, Swiss Re and Allianz.

In five years, the premier insurance technology providers will be Aon, Marsh, Munich Re, Swiss Re and Allianz. This is a fairly radical statement to make, but it is not made without evidence and support. The following five announcements lead me to this conclusion:
  • Aon announced it has agreed to acquire insurtech startup CoverWallet in a bid to boost its presence in the growing digital insurance market for small and medium-sized business customers.
  • Marsh launched workers' comp analytics platform Blue[i] Claims, which leverages advanced, anonymized benchmarking capabilities to allow clients to do such things as craft targeted safety programs, identify complex claims early, expedite the closeout of legacy claims to reduce balance sheet liabilities and improve collaboration with claims administrators.
  • Munich Re’s data analytics initiative Aqualytix combines an insurer’s portfolio data with external sources to analyze water-main damage. Using machine learning, experts can identify the risk drivers for individual buildings and predict the losses for the coming year.
  • Swiss Re Corporate Solutions’ Innovative Risk Solutions team has launched a digital parametric natural catastrophe platform in the U.S. for the small and medium-sized enterprise (SME) market, called Parametric Online Platform (POP) Storm.
  • Allianz SE and its subsidiary Syncier partnered with Microsoft to offer ABS Enterprise Edition to insurance providers as a service. This insurance platform will benefit customers by reducing costs and centralizing their insurance portfolio management.
Obviously, one announcement does not make these companies into premier technology solution providers. But a quick web search of the organizations will reveal other announcements and offerings, so this is not a one-time thing.

What makes a premier insurance technology provider? It includes a focus on delivering business value, a keen understanding of what customers will need over the coming years and a quick time to decision to deliver solutions. So, the above companies appear to have the makings!

This past July, I wrote a blog titled The Reinsurers Are Coming – And It Might Not Be How You Expected. The blog cautioned primary insurers against being complacent about who their competitors are. This blog is taking the same stance with traditional technology providers that have kept their eyes focused on the same set of competitors they have had for eons, believing that, once you have established a beachhead, your customers will always keep you there. So, tech providers, be alert! The future may not be what you expected, either!

Isn’t this a wondrous time to be in the insurance industry? It has been said that, in the digital age, every company is a technology company. These insurance leaders are taking that notion to the next level by becoming providers of technology solutions to others in the industry.

Bold organizations are not letting traditional definitions of where they fit into the insurance ecosystem hold them back from delivering business value in new ways. Insurers and technology providers that are holding onto traditional roles are putting themselves at risk of falling far behind in a market looking for differentiation.

Karen Pauli

Karen Pauli is a former principal at SMA. She has comprehensive knowledge about how technology can drive improved results, innovation and transformation. She has worked with insurers and technology providers to reimagine processes and procedures to change business outcomes and support evolving business models.

Advice for Aspiring Leaders in Insurtech

Leaders must fearlessly create and live by tenable, actionable values--then talk about them to recruits, in interviews and in All Hands meetings.

Starting a company has been likened to jumping off a cliff and building an airplane as you fall through the air. Risky stuff. I mean, really risky stuff. Living in Silicon Valley and around people who do this all the time as though it were normal, you can begin to think it is. Or maybe my brain has always been wired that way.

At least four times now, I have boldly proclaimed to my wife of 21 years, “I have this idea, and I am going to do X.” And “Oh, by the way, we probably won’t be getting paid for a couple of years. And…well, there’s a high degree of risk involved, which means it is highly likely we won’t get paid...at...all.”

In starting our current company, Limelight Health, four of us had an idea, iterated, worked hard and took no salary for over two years. We now employ 120 people all over the globe and have raised roughly $44 million in venture capital.

The journey from a chief executive of four founders haggling over how to get started and what to do, to CEO of a venture-backed company with lots of employees, has been nothing short of amazing. It has required me to do one thing, placing it above all else: exercise the willingness to let go of who I am and embrace constant change. Not in a theoretical way, but in a real, difficult, deep down-in-the-gut and character-changing, emotionally taxing way.

At any company, you have to spend a lot of time talking about values. Who are you as a company? How are you going to treat employees, each other, customers and partners? It’s fun to talk about, yet much more difficult to execute.

To that end, the best advice for an aspiring leader in the insurtech space would be to fearlessly create and live by tenable, actionable values. Talk about them with new recruits, talk about them in interviews, talk about them in All Hands meetings. Be sure to recognize employees who espouse them and call each other out when you’re not living up to the values.

Below are some values that hold strong when leading a new company in this industry.

Humility and Awareness. Leading a startup, it's easy to think you are right or that your way is the best way. Typically, leaders don’t enjoy being wrong. It’s easy to become angry when someone doesn’t behave in a way that is consistent with your view of how the work environment should be. You want to surround yourself with people and direct reports who will point out problems. When you are challenged and coached, you become humbled. From there, you can grow. All that is required is the humility to listen and the awareness that sometimes things need to change to set the tone for and build a great culture. If you aspire to lead in the insurtech space, find some humility. One way or another, when you innovate and disrupt, humility will meet you at your doorstep.

Kaizen. A Japanese word for “continual improvement,” kaizen refers in business to activities that continually improve all functions and involve all employees from the CEO to the “assembly line workers.” Sometimes you have to climb into a cocoon, die and come out something altogether different. When you make a mistake, it’s important to jointly work hard to focus not on blame or how badly someone performed but rather on conducting a retrospective to discover how you can improve. If you are aspiring to lead, you have to do just that, and I can guarantee that you will be the one who changes more than anyone else.

Grit. “Grit is passion and perseverance for long-term and meaningful goals. It is the ability to persist in something you feel passionate about and persevere when you face obstacles.” You will invariably face obstacles: Everything will take longer, cost more and be more difficult than you can possibly imagine. Simply put, you will need some grit to push through.

It is an incredibly exciting time to be in the insurtech space. There are innumerable problems, but with those problems come rich opportunities.

Jason Andrew

Jason Andrew co-founded Limelight Health in 2013 to deliver better data integration and sales efficiency for insurance carriers, PEOs, brokers and others in the employee benefits sales ecosystem.

Breakthroughs Finally Appearing in Claims

Many claims folks have been stuck because of regulatory constraints, inflexible legacy systems and a perpetual cycle of reduced budgets. Until now.

According to Grammarist.com, the phrase “caught between a rock and a hard place” came about in the early 1900s in Bisbee, AZ, where miners who were seeking better working conditions pushed the mine owners for improvements. The owners were totally against making any changes – leaving the miners with a very hard decision. Either work in deplorable conditions or be unemployed: a rock and a hard place. So, what does this have to do with insurance?

Over my insurance career, I have had several assignments in claims operations. A number of times, the “rock and a hard place” phrase has struck me as appropriate. I have met only a handful of claims people who lacked the fundamental desire to help people – it is usually part of the DNA of claims workers. Without it, claims is an almost impossible job to do! But, despite the desire to help, many claims folks have been stuck between the rocks and hard places of regulatory constraints, inflexible legacy systems, compliance requirements, and a seemingly perpetual cycle of reduced budgets. Until now.

Technology can soften up both the rock and the hard place. That is an easy sentence to write, but a hard one to implement. In a recently released SMA research report, AI and Customer Experience: New Lenses for Claims Transformation, one of the key takeaways is to flip the lens so that claims procedures and business outcomes are viewed, not discretely from the internal, operational perspective, but rather from the outside/in perspective, which is the customer view. Opportunities to reduce cycle time, create transparency and personalization, and generate a better over-all claims experience can then emerge.

Technology is here today that can be part of customer-driven claims transformation. Not only are there solutions in the market from incumbent technology providers, but some insurtechs have targeted claims processes to deliver AI-driven capabilities such as:
  • Automated damage assessment: These can be anything from photos and videos supplied by the claimant to images taken by drones. Applying AI then drives the assessment.
  • Claimant interactions: Utilizing chatbots, FNOL/FROI can speed along, and routine questions can be answered.
  • CAT planning and response: Aerial images, both pre- and post-catastrophe, can assist CAT teams with resource allocation and customer communications.
  • Fraud detection: On the surface, this may appear to be an internal response. But from a customer experience perspective, identifying potential fraudsters lets those not in that category go more quickly through the settlement process, perhaps even with straight through processing, while the “bad guys” get the special treatment.
These are but a few of the solution areas where claims organizations can utilize AI-powered technology to improve customer experience, as identified in the SMA claims research report. The important thing to recognize is that all of these applications also improve internal operations, not the least of which is taking routine tasks off claims personnel desks so they can focus on using their skills on complex claims, and situations where the customer wants – and needs – a human to help them.

Claims organizations are innovating and using technology to change business processes and outcomes. But keeping the dual lens of outside/in and inside/out in alignment is critical. For me, this conjures up an image of rocks of decreasing sizes, interlaced with paths and roadways that customers can intuitively travel. Even in Bisbee, AZ.

Karen Pauli


Power of Accelerated Underwriting

The industry has yet to tap the true potential of accelerated underwriting because the automation component has been missing.

The use of accelerated underwriting processes has come a long way in the last five years. Although it was an innovative idea not long ago, most insurers now engage in accelerated underwriting to some degree and are increasingly looking for novel ways to remove inconvenience, delay and cost from the new business process. However, as impressive as its uptake has been, the industry has yet to begin tapping the true – and transformative – potential of accelerated underwriting. This is because most of the time it has lacked the automation component. Automation has the potential to benefit insurers across their entire business, but this is especially true of accelerated underwriting, which at its heart is about streamlining and speeding policy issuance for simpler, lower-risk cases. It’s here that automation can really shine. Take for instance a case where an accelerated underwriting process removes the need for an in-person examination. Without automation, that review by an underwriter will still take 24-48 hours to be completed, even though the relevant information is instantly available in seconds. With automation, the entire application and underwriting process can be reduced to a matter of minutes. This is precisely what new technology platforms are enabling. Advances in AI and machine-learning have come to the point whereby technology can consistently and efficiently underwrite a large proportion of cases. Technology can respond intelligently to input, in real-time, determining what additional information is needed, and then make an underwriting decision and issue insurance coverage. What’s more, when appropriately linked with and integrated into the rest of the business, it can feed information back for better risk modelling in the future. See also: 3 Ways to Optimize Predictive Analytics   When you add in a layer of predictive analytics to the automation, things start to get really interesting. 
Predictive analytics can add value to the risk selection process and our understanding of the risk in a number of ways. The first, mentioned above, is a ‘bottom-up’ benefit – i.e. cases where the analytics engine can spot relationships in the underlying data that are then brought to the attention of underwriters, who can then investigate whether and how that pattern relates to real-world factors. Another way predictive analytics can add value runs in the other direction - top-down. It means business managers and underwriters have access to a vast pool of analyzable data that they can use to help answer questions and test hypotheses or ideas. Having this ability can remove a lot of unnecessary trial-and-error, and can give all levels of the business a better view of information that is vital to long-term success. A third and very significant value-add from predictive analytics is that it can help with the systemic stratification of ‘grey areas’ within the underwriting process– that is, the cases in the middle that aren’t either extremely healthy, or obviously high-risk. Segmenting this grey area and formulating better approaches to these cases is crucial for any insurer looking to reduce “RTUs” (Refer to Underwriter) and gain a market edge, and a sophisticated analytics engine can make the process a lot more efficient and smarter. It is these elements – automation combined with predictive analytics – that could turn accelerated underwriting from a useful cost and time saver into something that could truly revolutionize the insurance business model as a whole. So far, insurers have predominantly used accelerated underwriting to target the same customers they’ve historically targeted. What automated underwriting and predictive analytics can unlock is the ability to actually grow the pie – to target new or previously untapped markets, and create a wider variety of more specialized products focused on particular customer niches. 
The time and cost savings associated with using this technology could enable different business models for distribution and make it more attractive to target markets that were previously viewed as uneconomical. This process is particularly well-suited to digital distribution, and to making headway into the underserved middle market.

Connected to this – and under-utilized at present – is the way in which automated systems are able to integrate new data sets quickly and holistically. Data has always been, in one way or another, the lifeblood of insurance. But in the modern digital age with its corresponding explosion in the amount of data available, a lot of potentially relevant data sets go untapped by the industry. The ability to access this data and integrate it into risk selection processes will be a big determiner of success for insurers in the near future – those that don’t succeed could get left behind.

Of course, opportunity and challenge are two sides of the same coin. The addition of automation and analytics to accelerated underwriting holds tremendous potential, but also poses a big challenge. Insurance isn’t renowned for being a particularly tech-savvy industry. Yet, to make full use of these new capabilities, firms are going to have to embrace technology and data science.

Most companies will need to work with partners to help the transition. They will need not just a software vendor to access the technology itself but also the necessary expertise in both the technology and the insurance sector as a whole in order to facilitate a business process revamp. Collaboration will be key in supporting the integration effort needed to fully realize new technology’s potential within a business.

But automation does not mean a total overhaul of existing business structures and processes – because this too is likely to incur more risk than opportunity.
Firms should take a modular and flexible approach, using systems that can sit within a variety of existing infrastructures with minimal disruption.

The shift to automation and analytics is coming fast. And when it does, the implications for insurance business models – what’s possible and what’s not – could be just as profound as e-commerce was for the retail sector. For those that get ahead, the rewards could be just as great.

Sean Conrad


Sean Conrad is a pricing actuary at Hannover Re. He is responsible for pricing and client consultative activities related to various life markets with a focus on alternative underwriting opportunities, including predictive modeling and accelerated underwriting.

How Climate Change Distorts Risk Prediction

sixthings

Back in the days when Johnny Carson was host of "The Tonight Show," he joked about what he saw as the four seasons in southern California: earthquake, wildfire, rain and mudslide. Now that the first big rain of the season is set to hit California over the next few days, I found myself thinking about what may come next—and into the breach stepped my friend and frequent co-author Chunka Mui with a challenging column both on the fundamental problems that climate change poses and on how insurance needs to step up to the challenge. (That's where you all come in.)

The core issue is timing, as Chunka explains in his Forbes column. Even in areas such as Florida, where rising sea levels are a known problem, 30-year contracts are being written for municipal bonds and mortgages, based on historical data. But past isn't prologue where climate change is concerned, and a timing disconnect arises because insurance on those 30-year contracts is arranged annually.

What happens in 15 years if sea levels rise so fast that a property that can, today, be insured for a modest amount is seen as being at far greater risk? In 20 or 25 years, could many municipal projects and considerable real estate carry such high insurance premiums that they lose enormous value or even become worthless, while municipalities and property owners must continue to meet their payment commitments?

The Florida economy depends on its real estate values, and we don't have to go far into the past to find perilous analogies, where banks made long-term commitments based on short-term borrowing, only to see short-term rates soar. 

The answer would seem to be two-fold. First, those making the commitments to repay the bonds and mortgages will want insurance innovators to set premiums that bridge the one-year versus 30-year disparity, ideally offering a 30-year insurance contract. Easier said than done, right? So, second, innovators will need to become far, far better at predicting climate change so that rates can be based on projections, not irrelevant historical data, and so that municipalities, builders and prospective property owners can get economic signals about projects they should avoid.

In reality, the best result, at least initially, will probably be a hybrid. Longer-term insurance contracts (or commitments in capital markets) may be offered based on sharper projections, but with some ability to raise premiums if sea levels rise much faster than expected.

A look at our Innovator's Edge database on insurtechs finds that there are plenty of companies on the case. Nearly 90 identify themselves as focused on climate change, and we'd say that a portfolio of about a dozen have good prospects for making a dent, on issues ranging from analytics and artificial intelligence to sensors and smart homes.

Chunka has seeded a lively discussion on the topic at LinkedIn, and I'd encourage you to join in if you have any interest. Comments would also obviously be welcome here. How to price climate change risk is a hard, hard problem—one that deserves the full attention of the insurance community and that I'm sure we can tackle, if not solve outright.

Have a great Thanksgiving.

Paul Carroll
Editor-in-Chief



Paul Carroll is the editor-in-chief of Insurance Thought Leadership.

He is also co-author of A Brief History of a Perfect Future: Inventing the Future We Can Proudly Leave Our Kids by 2050 and Billion Dollar Lessons: What You Can Learn From the Most Inexcusable Business Failures of the Last 25 Years and the author of a best-seller on IBM, published in 1993.

Carroll spent 17 years at the Wall Street Journal as an editor and reporter; he was nominated twice for the Pulitzer Prize. He later was a finalist for a National Magazine Award.

Attacks on Email Systems Are Rising

Many companies implement cloud-based email without knowing how attackers are getting in and what safeguards help prevent an attack.

Companies have increasingly turned to the cloud for their email solution. Cybercriminals have watched this trend and are finding ways to access email hosted in the cloud, an attack known in the security community as a Business Email Compromise (BEC). Unfortunately, many companies are implementing cloud-based email without an understanding of how attackers are getting in and what safeguards help prevent an attack.

The vectors for email compromise are the same as those for many other types of system or network incidents. The most common attack vectors are phishing or spear phishing emails, which carry either an attachment containing malware or a malicious link that brings the user to a legitimate-looking website and prompts the user for credentials. When the email recipient clicks on the link and provides credentials or opens the attachment from a phishing email, the attacker is able to get a foot in the “door” of the company, so to speak. The security community refers to this as gaining a foothold, and this is the first step in a cyberattack.

Credential stuffing is another frequently used attack vector; it involves using stolen credentials, typically obtained from successful data breaches, to access the cloud-based email environment. Attackers find that credential stuffing works well because many people use the same usernames and passwords for multiple accounts across the internet. The technique relies on the automated entry of stolen credentials into online accounts in an attempt to gain access to accounts or systems. Sites such as haveibeenpwned.com allow users to determine whether an account tied to their email address has been compromised in discoverable past breaches.

Once an attacker has access to the cloud-based email environment, it is easy to view email within the account to identify any information of value.
Additionally, the attacker may try to gain access to other systems in the environment or launch other phishing attacks using the compromised account to make the phishing emails look legitimate. If the attacker has or gains administrative access to the cloud-based email environment, the attacker may even modify rules within the system to forward emails to an external email account or even create her/his own email account on the system.

The goal of the attacker is typically monetary gain. Attackers use several methods, many of them very creative, to obtain money from the company. The first involves fraudulent wire transfers, where the attackers attempt to impersonate an executive in the office via email, instructing someone in finance to wire money to a particular account, usually for the alleged reason of paying an invoice. The second method often used (if sufficient anti-fraud procedures are in place to prevent the wire transfer) is to obtain invoices that have not yet been issued and modify them with payment instructions redirecting the funds to an account the cybercriminal has set up. The attacker then issues the modified invoice to a client of the company from the company’s cloud-based email, thus making the invoice look legitimate. Here, the attacker relies on the client paying the invoice without verifying the modified bank information.

Unfortunately, these attacks are often successful despite security practices in place to prevent them. For example, most users do not have administrative rights to the cloud-based email environment. Restricting rights is one of the basic components of security, called the principle of least privilege (POLP). But attackers have ways of escalating privileges by searching for cached credentials, using key loggers that track users’ keystrokes, and a variety of other means.
Once the administrative credentials are located, the attacker can escalate their compromised accounts to higher levels and set rules that are not obvious to the average user. This allows the attacker to move throughout the email environment without being noticed and helps the attacker to cover her/his trail.

Now that the attacker has the proverbial “keys to the kingdom,” the attacker will typically modify rules so that she/he can monitor the organization’s email content and traffic. Oftentimes, this includes having email of key personnel, such as the CEO, CFO or HR personnel, forwarded to the attacker. At present, most attacks involve locating banking credentials and information to help attempt wire fraud, but as companies get better at prevention, attackers will likely morph their methods for other financial gain. For example, email communications may provide attackers with information to attempt to extort an organization or an employee.

Most organizations discover an attacker’s presence only after the attacker has executed some fraudulent activity; however, there are times when perceptive IT personnel may see evidence of the attack such as modified rules or the addition of email accounts.

Once an attack is detected, the company should start an investigation. While investigating, it is important to make sure the attacker is no longer in the environment; then the focus can turn to what information may have been compromised. As a first step, the company should change passwords and enable two-factor authentication. Additionally, the settings, including whether any forwarding rules are in place, should be reviewed.

Unfortunately, even if the attacker was unsuccessful in achieving financial gain, the company’s information, potentially including personally identifiable information (PII) or protected health information (PHI), may have been exposed. Reporting requirements for exposed PII vary among states.
In some, access to PII may be reportable even if there is no evidence the information was acquired. So, it is important to involve outside counsel to determine whether there are reporting requirements. Use of forensic experts can also prove beneficial in understanding how the attacker got in, whether the attacker is still in the environment and what information was accessed or acquired while the attacker was there.

As Ben Franklin said, “An ounce of prevention is worth a pound of cure.” This holds true when it comes to cyber security. It is difficult to build a house that is impenetrable, because people need to get in and out and commerce needs to continue. However, there are some actions that should be considered by IT security, including:
  1. Using dual-factor or two-factor authentication (2FA);
  2. Reviewing email security settings to ensure adequate controls;
  3. Monitoring traffic for unusual activity – consider using an email gateway to help monitor traffic;
  4. Keeping email authentication and trace logs for as long as possible;
  5. Training employees to recognize phishing attacks.
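
The review and monitoring steps above (checking for forwarding rules, keeping authentication logs, watching for unusual activity) can be scripted. The following Python is an added example, not part of the original article; the record fields, domains, addresses and log layout are constructed assumptions, not any email provider's export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Field names, domains and the log layout are
# assumptions for illustration, not any email provider's export format.
INTERNAL_DOMAINS = {"example.com"}
KEY_MAILBOXES = {"ceo@example.com", "cfo@example.com", "hr@example.com"}

RULES = [
    {"mailbox": "cfo@example.com", "name": ".", "delete_after": True,
     "forward_to": ["cfo.archive@mail.example.net"]},
    {"mailbox": "sales@example.com", "name": "To assistant", "delete_after": False,
     "forward_to": ["assistant@example.com"]},
    {"mailbox": "it@example.com", "name": "Vendor alerts", "delete_after": False,
     "forward_to": ["noc@partner.example.org"]},
]

AUTH_LOG = """\
2024-03-02T03:01:10 198.51.100.7 alice@example.com FAIL
2024-03-02T03:01:12 198.51.100.7 bob@example.com FAIL
2024-03-02T03:01:15 198.51.100.7 carol@example.com FAIL
2024-03-02T03:01:19 198.51.100.7 dave@example.com FAIL
2024-03-02T03:01:24 198.51.100.7 cfo@example.com OK
2024-03-02T09:15:02 203.0.113.20 bob@example.com FAIL
2024-03-02T09:15:20 203.0.113.20 bob@example.com FAIL
2024-03-02T09:15:41 203.0.113.20 bob@example.com OK
"""


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding_rules(rules, internal_domains, key_mailboxes):
    """Return (severity, mailbox, rule name, external targets) for every
    rule that sends mail to an address outside the organization."""
    findings = []
    for rule in rules:
        external = [a for a in rule["forward_to"]
                    if domain_of(a) not in internal_domains]
        if not external:
            continue
        # Key personnel, or forward-then-delete (which hides the rule's
        # effect from the mailbox owner), are escalated for immediate review.
        high = rule["mailbox"].lower() in key_mailboxes or rule["delete_after"]
        findings.append(("HIGH" if high else "REVIEW",
                         rule["mailbox"], rule["name"], external))
    return findings


def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the review
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result))
    return sorted(events)


def find_credential_stuffing(events, min_accounts=4,
                             window=timedelta(minutes=10)):
    """Map each source IP that failed logins against at least min_accounts
    distinct accounts inside the window to the accounts it then logged
    into successfully; those accounts need a reset and a rule review."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event[1]].append(event)
    findings = {}
    for ip, ip_events in by_ip.items():
        fails = [(ts, user) for ts, _, user, res in ip_events if res == "FAIL"]
        flagged_at = None
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                flagged_at = start
                break
        if flagged_at is not None:
            findings[ip] = sorted({user for ts, _, user, res in ip_events
                                   if res == "OK" and ts >= flagged_at})
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding_rules(RULES, INTERNAL_DOMAINS, KEY_MAILBOXES):
        print("forwarding rule:", finding)
    for ip, accounts in find_credential_stuffing(parse_auth_log(AUTH_LOG)).items():
        print("credential stuffing from", ip, "-> accounts to reset:", accounts)
```

The second source address in the sample, one user mistyping a password before succeeding, is deliberately not flagged; the threshold and window are tuning assumptions to adjust against real log volume.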
As companies continue to migrate to the cloud, cybercriminals will continue to target the cloud as a gateway to commit crimes. Prior to migration, companies should consider these risks and make sure the security measures in place are as strong as possible. Doing so will help make the cloud a less lucrative target and can help reduce the volume of attacks. Until then, the Rolling Stones song “Get Off of My Cloud” seems to be a fitting warning to cybercriminals: “Hey, you, get off of my cloud.”

Judith Branham


Judith Branham is a managing director of Aon’s Cyber Solutions (formerly Stroz Friedberg) based in Minneapolis, where she directs digital forensic investigations, assists clients in responding to cybercrime and data breach incidents and manages a portfolio of end-to-end eDiscovery engagements.

Insurers Must Collaborate on Cyber

Threat actors learn from each other as they create the next unstoppable attack. It is high time for insurers to pool their resources, too.

We are living in the accumulated aftermath of the countless cyber breaches that, since the turn of the century, have cost the global economy over $2 trillion. We are in the untenable situation where insurers find it nearly impossible to provide security for their insureds while safeguarding their own profitability. However, the destruction and loss of the past need not be the fate of the future. If cyber liability and technology E&O insurers learn from the recent past, then insurers can help give rise to a future cyber realm that is free from the doubt and fear that are prevalent now.

Over the past two decades, insurers have not worked with members across the private spectrum to put into place unified laws governing the cyber realm, so there are now laws across the world that have been enacted or are about to be enacted that are making it more difficult to provide cyber liability insurance. What may be even worse is that, for the past four years or so, different governments have argued against end-to-end encryption (E2EE), and insurers have not responded swiftly to that threat, either. If a country, especially one like the U.S., were to pass a law making E2EE unlawful, then providing cyber liability insurance to anyone would be made more difficult than it already is.

Thus far, insurers rarely speak to each other regarding their most prominent common adversary: hackers. Perhaps the only time that insurers might broach the subject of that adversary is when they are at a NetDiligence or PLUS Cyber Symposium conference, and even then hackers are treated as more of an appetizer than as a main course. If a hacker or hacking group causes five different insurers a combined loss of $50 million, then clearly such attacks represent an inconsequential loss.
However, because insurers do not talk to each other, not only do they not know the common methods of attacks on their insureds, along with the collective loss they suffered, but they also have no way to focus efforts on removing that hacking threat. There is also no way to know that a hacker or hacking group is targeting a specific sector of the private sphere, because the only way to know that is through shared intelligence.

Every day, threat actors from nation states or hacking groups or standalone hackers are using the advances in cyber breach techniques learned from each other to create the next unstoppable attack. It is time for insurers to pool their own resources so that they and their insureds can begin to level the playing field with respect to the main adversary so that laws passed are to the benefit of insureds and insurers alike. Insurers also need to look at the complete picture to be responsible netizens and help craft a safer cyber future.

When semiconductor technology in the form of computers began to integrate with the personal and professional realms in the 1980s and into the 1990s, at least in the U.S., it was a very tortured process. Almost as soon as businesses had upgraded to 33MHz processors, 66MHz processors came out. Similarly, the original floppy disk drives quickly gave way to 3.5-inch disks, which gave way to Zip drives, CD-ROMs and so forth. In software, things were no better. After finally using computers and learning DOS, businesses were introduced to Windows 3.1 and thereafter were upgraded to Windows 95, 98, 98SE and beyond. Every part of binary technology over the past 40 years has seen a relentless drive toward cutting-edge technology, and that pursuit thrust upon the people of this world a technological reality that very few understand.
Today, most people are unable to say what SoC (System on Chip) drives their smartphones, what GPU stands for, what the differences are between 4G and 5G wireless technologies and what many other basic technological concepts are. Even among insurance professionals, there are still many people who hunt and peck and are unable to achieve a typing speed of 45 words per minute.

Worldwide, almost all schools lack a structured curriculum for the K-12 system that not only teaches binary fundamentals to the young but also helps them to understand computing history and the potential future of computing and networking technology. Consequently, despite the significant numbers of people using social media and smartphones, and the rise of IoT, most people do not know the fundamentals of our present binary world. Perhaps more damaging is what the future holds. If most people barely understand current technology, then quantum computing, carbon nanotubes and neurotropic technology will be ever more unnerving for even more people. This disparity between the few who understand it, and the tremendous numbers who access the binary world without comprehension, creates a dangerous situation in multiple ways. Yet, this is the situation in which cyber liability and technology E&O insurers are trying to insure a binary usage world.

With the whole picture in mind, it is time for insurers to start implementing, as soon as possible, solutions that will prevent the future from being like the past two decades. Insurers and insurance brokers alike need to start to act in accordance with what being part of a community means. In its most basic form, a community is a group of people or organizations that exist in the same area or share a common purpose, and the most successful communities are the ones that come together and put the good of the community ahead of any individual member.
Insurers would do well to start to establish a series of townhalls in physical communities to talk about not only what cyber liability and technology E&O are but also to go over every aspect of what cybersecurity is, from anti-virus software to which CPUs and GPUs are the least vulnerable to cyberattacks. It would be especially helpful if some of these townhall seminars were dedicated to people 65 and older, because many organizations want to “help” seniors without providing them with reasonably secure cyber products. To date, seniors do not seem to have borne the brunt of cyberattacks. However, it is only a matter of time before cyber criminals begin to realize the monetary value of focusing cyberattacks on seniors.

Many insurance professionals are eager to point out that small and medium-sized businesses are extremely vulnerable to cyberattacks, but warnings from a distance are not an acceptable substitute, on such an urgent issue, for face-to-face human interaction. There is a reason that property and auto insurers in the 20th century used a phrase such as “like a good neighbor, State Farm is there.” A neighbor is a community member who is invested in the success and challenges of others. With the 2020 U.S. census coming up, there still has not been a unified community outreach effort on the part of insurers to help the census begin and end in a secure form at the community level. The most efficient way insurers can help with the census is to provide public libraries and community centers with new computers and networking equipment and to lend IT staff.

Insurers also need to work with the cybersecurity community and with K-12 schools around the world so that students understand how to be responsible netizens. Education needs to encourage a shift from letting the young follow what is popular technologically to what is actually effective and useful.
If insurers do not work with the cybersecurity community, then how can educators and parents ever really know what responsible netizen activity looks like? Insurers can either work with others to start reducing that deficit, which will also reduce the frequency of breaches, or insurers can repeat their mistakes and forever put their profitability and the safety of their insureds in doubt.

In terms of effective global communication, we who are living now are standing where once stood those who coped with the changes in communication wrought by the printing press and its transformation of the world. However, modern global correspondence faces challenges that require insurers to start putting solutions into place now that will have benefits that last in terms of decades and centuries. With that in mind, it is time for insurers to bring to life an international competition that will encourage students in the seventh to 12th grades to create educational websites or advanced robots or allow for a structured and interactive way for them to point out zero-day exploits and other vulnerabilities that would have a $500 million or larger impact on the world economy if the exploit were to be used against the netizen community.

Insurers also need to start to rate every piece of technology with an independent testing lab. The lab needs to be built with the authority and autonomy to ensure that its ratings are as impartial and accurate as possible so that insurers can work with information that is as close to factual as possible.

Insurers also need to tackle higher education and work with an organization like IEEE to finally bring the training of software developers/engineers into the 21st century. It is time for software engineers to have to meet requirements that are on par with structural engineers and attorneys.
Not only will this enable a minimum higher level of coding competency, but it will prevent the non-certified engineers from being allowed to put pieces of inept software code into programs upon which this world depends. Helping the brilliant young become useful and positive contributors to the cyber community, creating an independent testing lab and working with other members of the netizen community to produce certified software engineers can only enable a netizen community that appropriately values and pursues safety, the common good and the future success of the cyber realm. All of this would be to the great benefit of cyber liability and technology E&O insurers and their insureds.

People often cite the increasingly sophisticated breach techniques of hackers or the hyper-evolving technological innovations of technology companies as reasons why dark knight cybersecurity specialists have managed to become so formidable. However, the real reason for the rise of hackers is insurers' inaction in implementing long-term solutions. Cyber liability and technology E&O insurers perhaps have the best vantage point of any part of the private sector, because they get to watch in real time everything that happens before, during and after a breach. It is those insurers, especially cyber liability insurers, who say they can help and protect insureds, and who are actively offering their services on the world’s stage.

Unfortunately, insurers have thus far acted as if they need only sprint to the finish line to help their insureds. This is not, though, a sprint. It is in fact a very long journey that insurers must undertake. However, if insurers pace themselves, unite with each other to overcome shared challenges and reach out to other members of the netizen community, then they will be able to leave the winter of desolation behind and step into a future spring that is lively, safe, profitable and enduring.

Jesse Lyon


Jesse Lyon works in financial fields that involve retail banking, residential property valuation and professional insurance. He is deeply interested in the fields of cyber liability and technology E&O, and his research has led to four published papers on those topics in the U.S. and the U.K.