The insurance industry has been "Amazoned," as customers increasingly demand the sort of easy interaction that the company provides. But the initial pressure is just a taste of what is to come, as the industry goes through the sort of "disaggregation" that Amazon has forced on the world of retailing. The change will alter the basis for competition for many companies and, thus, the skills that will be needed to thrive.

Just look at Sears, J.C. Penney or any number of other retailers to see the dangers that can arise for incumbents when digital technology breaks an industry down into its basic components and allows the nimblest to reassemble the parts in more efficient or appealing ways. Amazon used technology to separate the testing and buying parts of shopping. Instead of going into a store, finding something you like and buying it there, you can complete the purchase at the best price you find on your smartphone. Amazon also pulled the warehousing function out of stores' back rooms and centralized it. Less capable retailers couldn't withstand the loss of sales and of the warehousing piece of their business model.

There are, of course, opportunities, too. Best Buy's Geek Squad managed to take a service function previously fulfilled by the manufacturers or by separate businesses and incorporate that capability into store/showrooms. Allstate, through its purchase of SquareTrade, is stripping warranty business away from manufacturers and retailers. Tesla's use of centralized showrooms is duplicating Amazon's move on warehousing and could take away a major function of car dealerships, while eliminating the cost of financing billions of dollars of cars sitting on lots.

In insurance, you can see the disaggregation coming based on where the innovators are placing their bets—McKinsey reports that, despite early expectations of some sort of killer app, only about 10% of insurtechs are trying to disrupt the industry business model, while two-thirds are working to perfect some piece of the value chain.  

Snapsheet tackles the claims process. Pypestream provides customer engagement. Carpe Data and Groundspeed go after big issues in data and analytics. Platforms like Bolt let customers pick and choose products from an array of insurers, so they can search for the best of breed in each line and not be limited once they choose a principal insurer. RiskGenius makes it easy to take the policy review process for customers and their agents down to comparisons of individual clauses, so they can find the best coverage and build the policies they want.

As this specialization continues, the generalists will have trouble keeping up. Sure, the biggest incumbents will have the resources to compete, at least for a while, but how many companies will be able to match, say, the claims process designed by an insurtech with tens of millions of dollars of backing and access to the kind of programming talent that gravitates to software startups? 

Increasingly, the build vs. buy decision will go away and be replaced by a need to partner with insurtechs that have optimized parts of the insurance process. The switch to partnerships may force major changes to IT systems, so they can work with others' software and not function just as a closed system, based only on what's done in-house. The change will also require a workforce able to get past the not-invented-here bias at many incumbents and to collaborate with partners. 

Leadership will be required. What CIO got promoted by saying, "Nope, I don't think my people can build what you want, at least not as well as that insurtech"? The CEO will likely need to intervene to make sure decisions are made based on fact, not emotion. 

The good news is that, once a company adapts to disaggregation, it can reassemble the pieces of the industry in new and creative ways. Look at Best Buy, which some had on a death watch because of the "showrooming" phenomenon but has reinvented itself in the new world of retailing. Or look at Amazon itself: It began by just selling books but honed its business model and is now eating every market in sight.

Cheers,

Paul Carroll
Editor-in-Chief

Insurers can leverage chatbots to improve a number of customer journeys, including operational processes such as claims first notification of loss, and processes related to the purchasing of insurance products, such as quote and buy. This article covers recommendations related to the latter, specifically focusing on best practices in integrating chatbots with insurance policy-handling applications. Two initial considerations may be relevant. First, will the chatbot journey be a sub-journey within a channel, or a net new channel? Sub-journey within a channel: If the entrance point to the chatbot conversation is contained within the insurance platform’s front end, existing for example as a button on a web page, then the chatbot solution may not attract extra traffic and will effectively be a sub-journey contained within an existing channel. Net new channel: If the entrance point to the chatbot conversation is outside of an existing channel, for example via Facebook, then the chatbot may generate new traffic, potentially adding significant value. Second, will the chatbot journey replicate an existing journey, or will it be a net new journey? Replicate an existing journey: The chatbot asks the same questions in the same order as they are asked in the journey being replicated. For example, if the journey being replicated is quote, then the chatbot asks the same questions as the quote web journey in the same order. Net new journey: The chatbot asks questions different from those asked in other journeys, or asks the same questions in a different order. For example, a quote-and-buy chatbot may be built to ask different questions or use a different tone of voice depending on responses input by the customer, such as age or location. This provides a customer experience that is truly different from that of other channels, potentially engaging different audiences. Beyond the initial considerations, it is important to analyze in depth the architecture of the platform into which the chatbot solution is to be integrated. Key areas to cover:

• Insurance policy-handling application: What data does the policy system expect at the end of the chatbot journey? For example, if the chatbot replicates a quote journey, what data does the policy system require from the chatbot to convert the quote into a policy?
• Integration layer: Is the existing integration solution fit for purpose, or should a new solution be defined addressing how to pass data between the chatbot, the policy-handling application and any relevant near and downstream applications?
• Management information (MI) solution: Does the policy handling platform have an MI solution, and is it feasible to use that MI solution to gather data relevant to the chatbot conversation? For example, a platform may have an MI solution, but a decision may be made to use the analytics produced off the back of the chatbot to gain a more granular view of the conversation.
• Billing application: Are there integrations between the core policy system and the core billing system that could affect the chatbot solution? For example, if the chatbot conversation collects data that needs to land in the billing system, the format in which the data is collected must comply with the billing data model.
• Near-stream/downstream applications: Are there applications that consume data from the core policy system that could affect the chatbot implementation? For example, there may be a documentation system that the chatbot needs to integrate into.

See also: Chatbots and the Future of Insurance   After the architectural issues, consider the overall response times of the chatbot, which have a significant impact on the user experience. Key points:

• One question at a time – the implications: Whereas in web journeys customers can see a number of questions at the same time, and as such have something to read and engage with if the response to their inputs is slow, with a chatbot questions are presented one at a time. The outcome is that when a customer is engaging with a chatbot, and the chatbot response is delayed, the customer can do nothing but wait, which may lead to a poor customer experience.
• Minimizing chatbot response times: An approach to minimizing response times is to build a skeleton proof of concept (POC), then test response times using the POC. A second approach is to perform performance profiling, where speculative analysis is done upfront to model how long each transaction will take. For example, knowing that a rating call made from the policy handling application takes circa one second, it can be estimated that the same called made from the chatbot will take circa one second, too. The combination of early modeling and POC should avoid the situation whereby performance issues are baked into the chatbot solution through architectural decisions that are hard to reverse.

Analysis should be done on the look and feel of the chatbot. The two main options are to have the chatbot conversation align with the look and feel of the other customer-facing journeys, or give the chatbot a look and feel distinct from all other journeys. A key disadvantage of the latter approach is that customers, not recognizing the look and feel of the chatbot, may think they landed on the wrong website or, even worse, on a phishing platform. Points that should be considered are:

• Location in journey: If the platform’s front end indicates to users where they are in the journey, for example highlighting that a user has answered nine of the 12 questions required for a quote, does the chatbot do the same?
• Forward and backward navigation: Is it possible to navigate forward and backward in the chatbot conversation? For example, a chatbot conversation could be built so that questions A, B, C can only be asked once and in order, or could be build so that the customer can navigate both from A to B to C and from C to B to A. If the second, then care should be taken to ensure that answering again previously answered questions does not cause issues with near-stream and downstream application.
• Multi-device look and feel: Is the chatbot look and feel consistent across devices? For example, a chatbot that is built to replicate the look and feel of the underlying policy-handling application will need to maintain that consistent look across web, mobile and other customer devices.

Once deployed, a chatbot coupled with a feedback-gathering and -reporting framework can help uncover insights about customer journeys. For example, web forms do not analyze what the user is doing between when the web page is loaded and the click on the submit button, but chatbots do. Chatbots can help uncover:

• Conversion rates per question, allowing local optimization.
• Net Promoter Score (NPS) for the insurance brand delivering the product.

Each optimization derived from the learning may not be significant on its own, but the sum of all optimizations can lead to significant improvements for the overall journey. Furthermore, because, on average, chatbots can be improved once a month, the result is a learning curve with a faster acceleration than traditional web forms. See also: Chatbots and the Future of Interaction   Key Takeaways:

• Defining whether the chatbot conversation will be a new channel and whether it will replicate an existing journey helps in defining the overall chatbot use case.
• It is good practice to analyze in detail the application architecture into which the chatbot is being implemented, focusing in particular on the core insurance policy application, integration layer, MI solution, billing application and near-stream/downstream applications.
• The time it takes for the chatbot to respond to user inputs is particularly important, as chatbot journeys display one question at a time.
• It is helpful to define upfront whether the look and feel of the chatbot conversation will mimic the look and feel of the other customer-facing channels.
• An implemented chatbot can be used to uncover insights about customer journeys, especially with regard to conversion rates and NPS scores.

The California Consumer Privacy Act (CCPA), which becomes law on New Year’s Day, is to this point the most important and influential piece of privacy legislation in the U.S. It’s designed to protect the privacy of consumers, and its effects far exceed the borders of the nation’s largest state—and the country, for that matter—by dictating how organizations around the world are allowed to collect and handle the data of Californians. Specifically, the law will give Californians the right to know what data of theirs is being collected and with whom it is being shared. It also gives them the right to refuse or opt out of any agreement that would allow their data to be collected (with a few exceptions) and to request that their data be deleted in the event that they do so. Beyond those general considerations, the law aims to address demands for stricter regulations for businesses that collect customer information and stronger enforcement practices when those businesses improperly handle sensitive personal data. In this regard, the law is not unique but rather only the beginning of what’s become a nationwide crackdown on data collection and privacy. Nearly 20 states have passed or are in the process of passing comprehensive privacy legislation. Once enacted, these regulations will create a veritable minefield of privacy measures that vary from state to state, and the organizations whose business purposes compel them to trudge through it will need to protect themselves against the possibility of fines and other penalties. As a result, the need for cyberinsurance, specifically as it relates to fines for regulatory noncompliance, has never been higher. Although organizations are exempt from the California law when “assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions”—thanks to Assembly Bill 981, which was passed in May—organizations are still subject to its requirements when the scope and use of personal data exceeds those specific operations. In many cases, the compliance concerns of insurance companies will be solely with that of their policyholders, so it is in the best interest of both parties to ensure steadfast organizational compliance with an emphasis on reducing risk and anticipating future regulations. See also: Blockchain, Privacy and Regulation   Of particular importance to these insurers and their insureds is the controversial concept of private right of action, which allows individuals whose privacy has been violated to bring civil suits against noncompliant parties. Originally, this portion of the California law could have exponentially increased the financial consequences of a breach by subjecting violators to class-action claims of damages from victims, on top of the compliance-related fines levied by the state. It has since been limited to injunctive or declaratory relief, but other developing statutes include language similar to the original bill’s treatment of private right of action. Louisiana, Massachusetts, New York, North Dakota and Rhode Island all are working on bills that include a private right of action, with New York’s being especially expansive and potentially heavy-handed toward violators. In addition to including a private right of action, New York’s proposal has no minimum gross revenue requirement, meaning all companies—regardless of size—will be subject to the law’s rules and penalties. This has led critics to question the feasibility of fairly enforcing what they deem to be overly broad regulations aimed at punishing well-meaning organizations that cannot keep up with the evolving privacy space. In terms of its impact on the insurance industry, the resulting legislative inconsistency will hit the big names the hardest, but it still does no favors for mid-size carriers struggling to keep up with their state or regional laws. In addition to meeting their own compliance obligations, they will have to accurately gauge the risk and potential penalties presented by the difficulty policyholders will have satisfying theirs. Insurers might not have to walk through the minefield, but they will have to clean up the mess inside it once something goes wrong. As we discussed in a previous post, the difficulty insurance companies already experience when attempting to create reliable cyberinsurance policies is inhibiting the industry’s ability to provide much-needed coverage. The private right of action and other uncertain aspects of these laws further complicate the task of accurately estimating and pricing the cost of cyberinsurance coverage by expanding the potential recompense for breach victims. When coupled with the fact that no federal privacy law exists—allowing each state to establish its own set of rules for what constitutes personal data and how it should be protected—offering cyberinsurance can seem like an almost untenable prospect. However, a risk-reducing, compliance-enabling solution exists in the marketplace: tokenization. See also: Mobile Apps and the State of Privacy   Tokenization, such as that offered by the TokenEx Cloud Security Platform, especially excels at reducing risk through its use of pseudonymization and secure data vaults. Pseudonymization, also known as deidentification, is the process of desensitizing data to render it untraceable to its original data subject. It does so by replacing identifying elements of the data with a nonsensitive equivalent, or token, and storing the original data in a cloud-based data vault. This virtually eliminates the risk of theft in the event of a data breach, and, as a result, tokenization is recognized as an appropriate technical mechanism for protecting sensitive data in compliance with the CCPA and other regulatory compliance obligations. Because tokenization satisfies controls concerning the processing of sensitive data, it can prevent losses stemming from fines and other penalties as a result of noncompliance. As new laws emerge and the privacy landscape in the U.S. continues to shift, it is crucial for both insurance companies and their policyholders to prioritize risk minimization. And tokenization is an essential tool for significantly reducing the likelihood of a cyber event, and as a result, a claim.

Over a third of the U.S. workforce work on a self-employed or freelance basis; a stat that is forecast to continue rising. This is the gig economy and is here to stay. For a recent InsurTech Insights, I looked at the gig economy's impact on insurance with the rise of ride-sharer platforms like Uber. Only a decade old but already operating in over 700 cities, Uber is a global brand that has achieved the rare distinction of becoming a verb. "To uber" has replaced "to hail" when needing a ride home. To help me understand the impact of the gig economy on insurance cover, I called up David Daiches, the COO and co-founder of specialist insurtech platform Inshur. First up, I asked David how he got started at Inshur with co-founder Dan Bratshpis. “Dan and I came at this from different directions and met in the middle. Dan had been writing trading algorithms on Wall Street until the financial crash. From there, he found himself in a taxi brokerage serving the traditional yellow cabs. Then Uber came along, and Dan saw first-hand the difference between the (old) traditional cabbie and the (new) digital natives driving for Uber. Age, attitude, technology were all defining characteristics of the younger drivers who simply don’t want to come into the brokerage and sit around sorting out insurance. They wanted to do everything online and mobile and resist coming into the office. “Which is when Dan started to look for a technology solution and our paths crossed. I had been working on OpenUnderwriter and developing an open source policy admin solution to allow brokers to trade on the internet. When Dan saw what we had done with OpenUnderwriter, he got in touch straight away. We met in London within days and created Inshur; the rest, as they say, is history.” It’s a familiar story when I look across the insurtech landscape; one founder is a technologist, the other understands the market. Becoming more than just a broker in the gig economy In the beginning, Inshur operated as an aggregator in New York. They saw the opportunity of getting the driver up and running as fast as possible. In the old world, it could take weeks before a licensed driver was insured and ready to go. In the new world, that wasn’t going to be acceptable. See also: How to Insure the Gig Economy   So they did what insurtechs do and built a fast and convenient sign-up app using a chatbot called Ami. Providing a totally digital experience on a mobile app, Inshur could get the driver signed up, checked out and quoted in a matter of minutes.

“We asked carriers for more flexibility, but all they offered us was a dedicated fax machine!“

This gave them a digital face, but, behind the scenes, much of what they did looked like a traditional broker operation. They were restricted in their efforts to adapt the insurance experience to meet the digital profile of the ride-share drivers. David explained, “We asked carriers if they would give us some binding facility, but all they offered us was a dedicated fax machine! “Then we saw what Munich Re was doing with Digital Partners, and we reached out to Andy Rear. After an initial meeting with Andy in New York, we signed a partnership agreement with MRDP and launched as an MGA in New York last year. The next logical step for us was to launch in the U.K., and we strengthened the team by hiring a good taxi underwriter who understood the U.K. market. We then started working with Uber and collaborating on how we could use their driver data for underwriting purposes.” Inshur is a service-driven, engagement model It’s clear to me that Inshur wants to be more than just a distributor of insurance products for the gig economy. The service features they are building into the platform offer value over and above a cheap price and an easy-to-buy insurance product. It’s what I would call an engagement model. In New York, Inshur has a partnership with a dash-cam provider called Nexar. It’s a self-financing no-brainer for the driver who pays $49 for the camera and, in return, gets a 10% discount on the premium, typically worth about $450! The deal works for Inshur, too, which gets access to the footage of any incident/accident. The dash cam also collects telematics data that provides useful corroborating evidence in any claim. When it comes to claims, the Inshur approach is all about getting the driver back on the road as quickly as possible. Business interruption cover can be challenging when it comes to getting a plated replacement vehicle for the driver, in which case the solution is to pay the driver while he is off the road and get the car fixed as soon as possible. Managing different regulatory environments Launching in New York and London has created challenges managing very different regulatory environments. David explained: “In the U.K., it’s much harder to get an FCA license, but, once you have it, you can be very flexible on pricing compared with the U.S.  It’s the other way round In the U.S. In New York, you can get an insurance license quite easily by submitting a form, but you don’t have the same freedoms on pricing. In the U.S., all prices have to be agreed with the regulator and published in advance.” The logic to the U.S. approach is that the regulator is protecting the market against new players undercutting market rates and then failing, leaving an exposure. I know from talking to many founders that it can be difficult to get the regulator to agree with pricing no matter how compelling the proposition for digitally removing cost and inefficiency. The regulators are there to safeguard the customer, not give a free ride to the startup, after all. Putting the insurance customer first  When it comes to underwriting Uber drivers, Inshur uses around 50 different rating factors. These are a mix of proprietary data and publicly available data sources from simple processes, such as the scan of a driving license. This data gathering reduces the time on the application process and builds a much richer and more accurate driver risk profile. One of the significant factors in underwriting used by Inshur is the driver’s Uber rating. Any driver with an Uber rating of 4.99 is going to be rated a much better risk than one at, say 4.5. This rating is much easier to use in the U.K. than it is in New York, but, with their U.K. experience, Inshur will be able to show the New York regulators that the Uber rating is a reliable factor when pricing premiums. For the ride-share drivers, insurance is a high fixed cost, and Inshur has introduced flexible pricing models to fit the needs of the drivers. Currently, about 90% of their ride-share drivers buy the monthly policy. At each monthly renewal, a simple process involving one click in the app re-rates drivers based on any changes to their Uber rating. See also: Gig Economy: Newest Tool for Insurance   However, Inshur haven’t gone as far as moving to a pay-as-you-drive model like the one Metromile has in Los Angeles. I asked David about the need for flexibility and how he saw the market developing for ride-share insurance. “Simpler is better,” he told me. “We have found that the gig economy drivers want a simple annual/monthly policy that enables them to drive when they want, for whoever they want. We haven’t found much appetite for on-demand. When you think about it, it doesn’t make a lot of sense to keep turning the insurance on and off. It becomes too complicated when most drivers have multiple apps and are signed up to drive for everyone: Uber, Lyft, Juno, etc. They flip between the different platforms to the next ride; they don’t mind where it comes from. Any insurance product that was based on on-demand would need to be smart enough to flip seamlessly between the different ride-share platforms.” I tend to agree with David; simpler is always better than complicated, unless it can be completely hidden inside a black box, which isn’t practically possible just yet. This article for Linkedin is part of an op-ed first published on The Digital Insurer. The full original article can be found here.

Cybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects cybercrime’s global cost will exceed $1 trillion between 2017 and 2021. Safeguarding clients’ nonpublic information from cyber-criminals is a top priority for CPA firms. The latest data breach statistics from the 2017 Identity Theft Resource Center Data Breach Report show an alarming number of exposed consumer records in the U.S.

• 1,579 reported breaches, exposing 179 million records
• 55% of all breaches involved businesses
• 59% of all breaches resulted from hacking by outside sources
• 53% of all breaches exposed Social Security numbers

Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats. What’s my liability? “That’s a big question we hear from firms regardless of whether they’ve been attacked,” said Stan Sterna, vice president and risk control specialist for Aon. “There are actually no uniform federal laws on business cybersecurity. But there is a patchwork of state and federal rules.” Under certain state laws, CPAs can face liability for cybersecurity breaches that expose personal information. Most states have rules for handling breach notifications and for what remediation measures need to be taken. Breach requirements depend on where the client resides – not where your firm is located. We encourage you to learn the dynamic requirements of states that apply to you. The Texas data breach notification law has been amended several times since its passage in 2009. It requires notification of affected individuals in the event a data breach results in the disclosure of unencrypted personal information consisting of an individual’s first name or first initial, last name and certain personal information such as Social Security and driver’s license numbers. Federal rules and law The Safeguards Rule is enforced by the Federal Trade Commission and applies to all companies defined as financial institutions under the Gramm-Leach-Billey (GLB) Act. Businesses that prepare tax returns fall within this definition. Under the rule, businesses are required to develop a written information security plan that describes their program to protect customer information. There are five additional requirements. Learn about the rule and implement applicable compliance protocols. Do clients have standing to sue a CPA firm if they did not suffer damages as a result of a data breach? At the federal level, the circuit courts are split as to what constitutes sufficient standing to sue in cyber breach cases. Some courts hold that companies may be liable for damages if client or employee data is stolen, even if the theft causes no harm; instead, it’s sufficient to merely allege that the information was compromised. This broad interpretation will only further increase the risk of cyber liability claims. Two recent decisions illustrate these differences:

• The Sixth Circuit court, citing the defendant’s offer for free credit monitoring as evidence, joined the Seventh and Ninth circuits in holding that a cyber victim's fear of future harm is real and provides sufficient standing to sue. This particular ruling specifically undermines the defense that if no actual cyber fraud or identity theft occurred, the victim has not been damaged and has no standing to sue.
• However, in another case, the Fourth Circuit held that a plaintiff must allege and show that their personal information was intentionally targeted for theft in a data breach and that there is evidence of the misuse or accessing of that information by data thieves. The division among the circuit courts as to standing is not likely to be resolved unless the U.S. Supreme Court decides a case on the issue.

New cybersecurity regulation sets the stage for other states to follow In response to several highly publicized consumer data breaches, in 2017 the New York State Department of Financial Services enacted 23 NYCRR 500, “Cyber Requirements for Financial Services Companies,” with which all affected firms must now comply. These “first-in the-nation” data security regulations establish the steps that covered entities must take to secure customer data. The regulations are designed to combat potential cyber events that have a reasonable likelihood of causing material harm to a covered entity’s normal business operations. See also: 4 Ways to Boost Cybersecurity   Specifically, insurers, banks, money services businesses and regulated vital currency operators doing business in New York with 10 or more employees and $5 million or more in revenues must comply with the new rules. Under the provisions, companies must:

• Conduct a cybersecurity risk assessment, prepare a cybersecurity program subject to annual audit and establish a written policy tailored to the company's individualized risks that are approved by senior management;
• Appoint a chief information security officer (CISO) responsible for the cybersecurity program who regularly reports on the integrity, security, policies, procedures, risks and effectiveness of the program and on cybersecurity events;
• Establish multi-factor authentication for remote access of internal servers;
• Encrypt nonpublic information (PII) and regularly dispose of any nonpublic information that is no longer necessary for conducting business (unless required to be retained by law).
• Prepare a written incident response plan that effectively responds to events and immediately provides notice to the superintendent of the New York Department of Financial Services of any breaches where notice is required to be provided to any government body, self-regulatory agency or any other supervisory body or where there is a “reasonable likelihood” of material harm to the normal operations of the business;
• Implement a written policy addressing security concerns associated with third parties who provide services to the covered entity that contain guidelines for due diligence or contractual protections relating to the provider’s policies for access, encryption, notification of cybersecurity events affecting the covered entity’s nonpublic information and representations addressing the provider’s cybersecurity policies relating to the security of the covered entity’s information systems or nonpublic information;
• Annually file a statement with the New York Department of Financial Services certifying compliance with the regulations.

Meanwhile, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on Jan. 1, 2020. The CCPA represents a significant expansion of consumer privacy regulation. Its GDPR-like statutory framework gives California consumers the:

• Right to know what categories of their personal information have been collected
• Right to know whether their personal information has been sold or disclosed, and to whom
• Right to require a business to stop selling their personal information upon request
• Right to access their personal information
• Right to prevent a business from denying equal service and price if a consumer exercises rights per the statute
• Right to a private cause of action under the statute

What is the impact of these new regulations on CPA firms? Whether or not a CPA provides professional services for an entity covered by the New York Department of Financial Services or the CCPA, these new rules are important:

• Regulation in one state frequently results in regulation in other states; both the New York and California cybersecurity regulations may serve as a template for other states contemplating cyber security legislation.
• The regulations create a framework for plaintiffs' attorneys to follow when alleging that a company (regardless of whether it is a New York or California covered entity) should have done more to protect private information, keep consumers informed or prevent a data breach or that a CPA firm should have detected data security issues while providing professional services.

Take preventative action now “If someone sues your firm because of a data breach, you may have a stronger case if you can show that you’ve taken reasonable measures to help prevent an attack or theft,” Sterna advised. “Setting up systems to assist in prevention is an important aspect of managing cybersecurity risk.” Here are three tips to get you started: Start with an assessment. What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur? “Mapping where you stand today and your vulnerabilities is the best way to understand your next steps,” Sterna said. The AICPA’s cybersecurity risk management reporting framework helps you assess existing risk management programs. The Private Companies Practice Section cybersecurity toolkit can also help you understand the most common cybersecurity threats. Implement best practices. At a minimum:

• Use encryption wherever appropriate to protect sensitive data. This includes laptops, desktops and mobile devices. Failing to do so threatens your data and your reputation.
• Train employees to recognize threats and safeguard equipment and data.
• Develop and practice your response plan for various situations such as a ransomware attack, hack or ID theft.
• Back up your data so you’ll still have access to it if it’s lost or stolen.
• Keep your equipment physically secure in your office and on the road.

Get an outsider’s perspective. What better way to learn your firm’s vulnerabilities than to hire an expert for penetration testing? Through a penetration test, a third-party consultant will perform a test tailored to your firm’s needs and budget. They’ll provide insights on your firm’s vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm’s response in the case of various attack scenarios. See also: Cybersecurity for the Insurance Industry   Legal and insurance considerations CPA firms should consult with their legal counsel to assess the firm's risk of first/third party data security claims and assess vendor data security coverage. The existence and adequacy of data security used by third-party vendors (including contract tax return preparers) is often overlooked. CPA firms also should consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage. This article is provided for general informational purposes only and is not intended to provide individualized business, insurance or legal advice.  You should discuss your individual circumstances thoroughly with your legal and other advisers before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions and exclusions for an insured.

In my previous article, I addressed some of the apprehension associated with artificial intelligence (AI). Now that AI is real and being put to work outside of research labs, some are afraid of losing their jobs to machines. Others worry that the technology could be misused, reinforce biases or perhaps get co-opted for more nefarious means. I would argue that AI naysayers are thinking about the situation the wrong way. Although comments, criticism and questions are understandable, they are based on how the world functions right now. But innovation is not static. The world around us will change and mature, too. This, in turn, will require the commercial insurance industry to take a good hard look at what it is versus what it can be. There Is No Crystal Ball A couple of years ago, one of my customers owned a beautiful, traditional building in Seattle. Think offices and cubicles. They decided to sell the building and opt for a 30-year lease on a state-of-the-art space designed around how people work — open floor plan, lovely couches, lots of windows, every comfort you could think of. What’s headquarters like today? Empty. Most employees don’t come to the office any more because they work remotely — and now the company is saddled with a building far bigger and more expensive than it needs for the next 20-something years. That is not to say tides won’t turn again, but the point is that people are afraid of what AI will be tomorrow according to present-day terms. Fearing AI is akin to being scared by electricity when Ben Franklin lit up the kite. There was reason to be nervous. I’m sure electricity seemed quite unnatural and terrifying at the time, but think about how vastly different life would be if fear won and electricity was never used. By planning for tomorrow based on a limited view or context as it exists right now, we will miss the opportunities ahead. Don’t Confuse Focus With Narrowness Companies are built to drill into one (or at least relatively few) specific problem(s). In insurance, in particular, domain knowledge is essential, and organizations provide much-needed solutions. But companies also must see the forest for the trees and not define themselves in such a narrow way that they are closed off from how they are positioned in the larger scheme. See also: Strategist’s Guide to Artificial Intelligence   Consider the dawn of air travel. The people most capable of taking advantage of the market were the railroad barons. They were the ones with land, money and a choke hold on the transportation business. But, these men saw themselves solely as rulers of the railroad, a realm unto itself. If they had thought of themselves as leaders in transportation instead, they could have owned all of the airlines, planes, airports, etc. The same is true today. The companies that dig in their heels and have a fixed notion of what they are and how they should operate will eventually cease to exist. Instead, they could leverage AI to help them become more and appeal to customers in previously unimaginable ways. There Is No “Now” Moment There is rarely a clear signal that flashes “jump” when it’s time for an organization to make changes necessary to remain competitive over the long term. If you look at the evolution of business in the world, innovation in the marketplace rarely comes from existing companies. Kodak, for example, controlled the film market, but it wasn't in the photo business. Kodak hung onto film long after pixels arrived, until the company was so far behind the rest of the world in pictures that it could never recover. And Kodak is far from alone. Blockbuster, Blackberry, Atari, Hostess, TiVo — the list of once-beloved-then-abandoned companies is extensive. All of these businesses refused to move into a new mode because of too much fear, pain or expense; it was not who they were or saw a need to be, and the insurance industry is notoriously averse to change. Traditionally, it only happens when leadership believes in taking a risk or as a last resort, not because of some seminal moment. The question is how long do you have to adapt before falling too far behind to be successful. AI could expedite that timeline given the impact it’s already having on other industries. Clearing the Way No one knows what the future will bring — and how big or how small a role AI will play — but we are far enough along to know that AI is on the upswing, and its uses will continue to broaden as systems get smarter. So how do you take advantage? Leave legacy systems behind. This is a scarier proposition than AI to many companies. Yet, with the proliferation of cloud-based applications and services, there is an opportunity for organizations to no longer feel locked into a singular way of doing business, which is a game-changer. The cloud provides an unprecedented level of freedom to innovate in ways that are far less permanent and expensive. With more flexibility, companies can adapt at the speed of technology, learn from AI and evolve as it does (as well as the world at large). Organizations can plan and adjust to what’s happening around them in ways that make sense for the larger industry. See also: And the Winner Is…Artificial Intelligence!   The bottom line is that AI is here — whether we are ready or not. Will you embrace its potential like Ben Franklin, or will you be a railroad baron and stay where it’s comfortable? The choice is yours. Are you ready to leave legacy systems behind? Are you ready to have your business systems change at the speed of technology? Are you ready to have your business grow at the speed of light? As first published in Dataversity.

Lately, I’ve been talking a lot about the impact technology has had on the travel insurance industry – from chatbots that answer customer questions to apps that guide them through the claim process – and it got me thinking about just how far our industry has come and just how much customer needs have changed in only a few decades. Consider this: In the 1990s, consumers could purchase travel insurance, but distribution was far more limited than it is today. Printed brochures – which customers completed by hand and returned via snail mail – ruled as our primary distribution method. Online travel agents (OTAs) were not much more than a concept. AOL was just beginning to gain momentum as a mainstream communication tool. We were conducting business as we had for years. By the middle of that decade, the industry began to change, setting the stage for the experience we know today. Recognizing the value travel protection could provide its passengers, Cunard became the first major cruise line to offer a plan designed specifically for their needs. Others began to follow suit, and today virtually every travel supplier offers some sort of travel protection customized for its customers. Then along came Cancel For Any Reason (CFAR) plans. See also: Has Digital Insurance Failed?   Much like the supplier plan, CFAR seized on the need for customization – then it layered in a degree of flexibility that consumers simply hadn’t seen before. A concept almost ahead of its time, CFAR has exploded in recent years as the desire for travel – particularly abroad – collides with a growing number of global uncertainties. Consumers want to see the world, and CFAR is helping them do just that. The industry continues to evolve with benefits such as parametric coverage and fully online/mobile pre-sale questions, purchase options, post-purchase support and claims platforms. Essentially, we’ve put the security of travel protection in consumers’ pockets, giving them instant access to coverage tailored for everything from their traditional Caribbean cruises to their bucket-list experiential journeys to Mongolia. The future is exciting. According to a recent survey by flight information specialist OAG, more than 75% of travelers would be willing to use fingerprint and facial recognition scanners at stop-points if they could simplify their journeys. And 73% of all travelers and 89% of millennials said they would like artificial intelligence to better predict flight pricing during the booking process. The survey also indicates growing comfort with the integration of technologies like virtual reality and robots into different phases of the travel experience. Just imagine blending some of these technologies into the travel insurance experience to further tailor and streamline it for consumers. See also: Practical Tips for the New Traveler   Consumer travel preferences may be changing rapidly, but the travel insurance industry is right there with them and will continue to be right there with them – enabling new adventures with a sense of security. I look forward to what the future holds for our industry.

Relationships are the key to success in the insurance industry. Trust and respect go a long way when it’s time to deliver challenging news. For example, the firming of the directors and officers (D&O) market has led to tough conversations about increasing rates. The best way to handle these conversations is to make sure your communication skills are in excellent shape – and that means both what you say and how well you listen. How to announce a price increase to clients: Plan ahead and be clear Preparation is key. Take the time to identify potential high-risk accounts early, with 90-day reviews. Our clients aren’t happy to hear their rates are going up, but it helps to have conversations early to explain the reasons for rate increases. With pricing down 50% over the last 10 years, a market adjustment has been due for some time. In fact, price increases in the current D&O market are a good sign for the industry’s long-term health. Be sure to take the time to explain the main drivers for rate increases, which are being experienced by public companies, private companies and financial institutions, including large private equity firms and large banks:

• The number of claims has risen.
• Capacity has decreased with the departure of carriers.
• Defense costs have risen, in part because of coverage expansions and increased loss costs.

Securities claims on a yearly basis are up, and, because there are fewer public companies now than there were 10 years ago, the chances of attracting securities litigation is even greater. We owe it to our clients to be open about the realities of the market and their impact on rates. Bear in mind: How we announce a price increase to clients and brokers will have a lasting impact on our relationships going forward. The markets that handle this communication effectively will be the ones that succeed in the long run. See also: How to Be Disruptive in Emerging Markets   Be transparent about how underwriters evaluate a risk Underwriters base their risk evaluations on data. Reminding clients of the factors that contribute to their increased rates can help alleviate some of their distress. These factors include:

• Financial strength
• The class of business
• Strength of the leadership
• Business track record
• M&A activity
• Organizational structure
• Claims history

While it’s important to be straightforward in explaining the facts underlying a risk evaluation, it’s just as important to demonstrate your understanding of your client’s position. We view our relationships with clients and brokers as partnerships, and we want to deal with people fairly and honestly and communicate our position. Be effectively empathetic – and actively listen It takes effort to be effectively empathetic. Saying, “I know this isn’t what you want to hear,” is not enough. Consider these steps to validate the reactions you will receive when it’s time to share not-so-good news:

• Put aside your viewpoint
• Validate the other person’s perspective
• Examine your attitude
• Ask what the other person would do
• Listen

Be prepared to respond to objections It’s only natural that bad news will meet resistance. Here’s how we suggest keeping the conversation on track.

• Objection: Why is my rate increasing in the absence of a claim? Response: Rate increases depend on risk and current pricing, which is affected by increases in regulatory costs for financial institutions, in defense costs and in claim frequency.
• Objection: I may have to go to RFP if rates increase. Response: We understand your position and wanted to give you an update early for our due diligence and your ability to market the risk with other carriers.
• Objection: This account was written new last year. Why the increase this year? Response: Accounts are evaluated annually, and defense and regulatory costs increased over the past year.
• Objection: Why are both the underlying and the excess rates increasing? Response: We know this news is hard to hear. The market is adjusting after a lengthy period of low rates. We’ve seen more price compressions for excess than for primary, which has created even more need for excess rate increases.

In our careers, we’ve come to anticipate that the marketplace will continue to change. It’s essential to keep your skills refined for when the time comes to have tough conversations.

Storms of unprecedented power have lashed the U.S. and the Caribbean in recent years, leaving a trail of devastation estimated in the tens of billions of dollars. The U.S. alone has experienced 212 natural disasters since 1980 with the overall costs totaling $1.2 trillion, according to the National Oceanic and Atmospheric Association (NOAA). As a venture investor interested in fintech, I get sight of quite a lot of innovative insurtech startups hoping to be the next big thing in insurance. Barely any of these businesses are focused on improving claims management. Why is that? Perhaps claims are considered the least sexy aspect of the insurance industry, a necessary evil if you like. Good insurers understand the claims experience is one of the most important parts of insurance. Insurance, after all, is a promise to make good your losses in case of an accident. Natural disasters are brutal. They leave people vulnerable and exposed, and a speedy resolution by the insurer is crucial to the customer experience, encourages customer retention and also saves the insurer time and money. That’s an easy thing to say, but dynamically responding to claims after events of the magnitude of Hurricanes Harvey and Irma is no mean feat. It’s often impossible for people to access the areas for quite some time, by which point storm surges have subsided, and claims can be harder to assess. One company addressing this challenge for insurers is Geospatial Insight. VenturesOne recently announced a growth equity investment in the company, and I was with their team in the U.K. They had just delivered incredibly detailed visual intelligence on Hurricane Harvey to enable insurers and their corporate clients to understand the situation at ground level and respond swiftly to claims. There are three main challenges that an insurer can address by adopting visual intelligence services after a natural disaster:

1. The approximate total claim size likely as a result of the event.
2. An accurate map of the area affected by the event, to prevent fraudulent claims.
3. That the proximate cause of the claim is directly related to the event.

There is a lot of hype around the possibilities of advancing techs like machine learning, big data and drones, etc., but I see less in the way of tangible examples of how they can be combined to deliver benefits right now, so here is a real-life example. Hurricane Harvey Case Study On Aug. 25, 2017, category 4 Hurricane Harvey makes landfall near Rockport, Texas. Harvey causes catastrophic flooding, with 50-plus inches of rainfall in some areas (a record from a tropical cyclone in the U.S.). Harvey covers over 20,000 square miles in 72 hours, displacing 30,000 people. See also: Hurricane Harvey’s Lesson for Insurtechs Situational Analysis The first step was to make an initial assessment of the affected area and a rapid review of expected requirements by insurance clients. The densely populated residential and commercial area of greater Houston was set. Big Data Collection, Processing and Analytics Although Harvey made landfall on Friday, the weather event continued with torrential rainfall throughout the days that followed. By Wednesday, the 30th, it is estimated that a mind-boggling 24.5 trillion gallons of rainwater was dumped from the Gulf of Mexico across Houston and Southern Texas. To get the most comprehensive understanding possible, a diverse variety of data sets were collated, including terrain data, satellite imagery, drone footage from social media scrapes and independent commissioned light aircraft with specialist high-resolution camera imagery. The team used the data collected from aerial and social to calibrate the threshold used to generate the sentinel footprint. Geospatial Insight then use proprietary algorithms to cluster the areas detected as water into flooded areas. To understand the likely impact of Harvey on homes and commercial buildings, the multiple data sets were combined to gain insight into flood extents. The color-coded image below shows different data sources. The blue is derived from the National Oceanic and Atmosphere Association (NOAA) imagery and an aerial survey using a Midas oblique camera system. The red is Sentinel 1 radar satellite that can penetrate cloud cover to identify areas of standing water. The small pockets of yellow are derived from Geospatial Insight’s social media scraping tool to find photos and videos of the event, which can then be mapped to build the extents from video evidence. Typically, the team use their global network of licensed UAV operators that work to agreed SLA’s to map flood areas with drones, however, drones were banned over Houston during this time frame due to emergency services using the airspace for rescues, etc. Footage like the example below were identified, then the flight path and flood extents expertly mapped. Why was the flooding so severe? You can clearly see the two large blue reservoirs on the west side of Houston, Addicks to the north of Interstate 10 and Barker to the south. They are designed to protect Houston from flooding, and both dams feed into the Buffalo Bayou. The reservoirs are surrounded by parks and residential areas, and by Monday evening water levels had already reached record levels, measuring 105 feet at Addicks (north) and 99 feet at Barker (south). Local officials hoped to prevent a spill-over by slowly releasing water from both the Addicks and Barker dams on Tuesday and Wednesday. However, the storm surge was so great that the engineers had to release water through the dam gates much earlier than expected or risk it spilling over and causing further damage to homes. A warning was given to homes to evacuate in the early hours of Monday morning, but the decision was made to release the pressure late Sunday night, and many residents became stranded in the resulting swell. Accelerating Claims with Visual Intelligence To provide the intelligence required to rapidly address insurance claims, the Geospatial Insight team needed to first make sense of huge amounts of unstructured data. Not only the diverse image sources but also client information for insurance customers and corporate responsibility data like home addresses of employees to map the affected customers and staff. This data was quickly mapped and the multiple image sources applied as layers to allow corporate clients to access and make sense of the information via Geospatial Insights' dedicated customer portal. The image above shows the client portal with claim location points identified in yellow. High-resolution satellite images can be a good indicator, but they are a top-down view, so it is much harder to get an accurate perspective on the level of damage on a property. Images at an oblique angle were needed to help quantify this over a vast area, and thus Geospatial Insight commissioned a light aircraft equipped with a Midas 5 camera to map the most-affected region for high-resolution imagery. See also: Preparing for the 2019 Hurricane Season   The visualization below shows how this camera is able to capture oblique angles in four directions simultaneously (along with an overhead view). Using this technique, huge areas could be imaged in high resolution and then mapped to provide oblique angled images in North, South, East and West orientations for accurate analysis of identified claim locations. With this resolution and volume of data, the Geospatial Insight team could identify the evidence of flooding such as remaining water, sediment and waste outside houses even after the flooding drained away. Below is an example image showing home furnishings being disposed of. You can clearly see the raised swimming pools that remained clean and blue compared with those that were ruined by the storm surge. Rebuilding Lives After Disaster Sadly, it seems many residents of Houston were uninsured and face rebuilding their lives without any form of insurance payout. For those with cover, getting access to funds quickly will make all the difference. By embracing the kind of technology used in Hurricane Harvey, insurers can make a meaningful difference in helping residents, businesses and communities get back on their feet as quickly as possible.

If you Google the phrase “digital transformation,” you’d get more than 450 million search results, including educational pieces, research reports and information on technologies. Yet many organizations still face major challenges. Often, these obstacles aren’t even related to technology. According to a recent study from Novarica, the biggest challenges come from not knowing where to initiate a digital transformation journey, how to minimize disruption to business, how to accelerate time to value and how to ensure stability and agility throughout the process. We often discuss three paths, or phases, to digital transformation to clarify how insurers can achieve their goals. The paths also take some stress off organizations that see the goal but get lost in the haze of how to get there. The process starts with digital enablement. Digital enablement Prior to the digital enablement stage, many organizations feel like they are drowning and in need of change. Processes take too long and often rely on paper; customer experience is poor; and employees feel stuck. The problems push organizations to enter phase one of their digital transformation journey: preparing an outline of a digitization strategy with a clear mission and goal. In this phase, there may still be multiple digital "silos" where information is stored, often in legacy systems. Unconnected, insurers cannot get a complete view of business processes and customer information. To overcome this, IT departments should take time to understand and evaluate the organization’s full technology ecosystem and all the required systems that a new solution would either replace or integrate with. Once the ecosystem assessment is complete, the organization can evaluate the best solutions and partner with vendors and system integrators (SI) to help map out the scope of the project, keeping realistic expectations and goals in mind. One of the last steps within the digital enablement phase is putting the right team together to put the strategy in place. By starting with a critical department, like claims, insurers can gain quick momentum and showcase success before expanding the solution as needed. Digital Optimization Gartner defines digital optimization as "the process of using digital technology to improve existing operating processes or business models." In this phase, insurers are often enacting the same business processes – but using technology to optimize the procedures and experiences for end users and customers. For example, take the typical claims process. Once the claim is filed, an insurer receives, investigates and acts on the claim. Using the digital optimization model, the insurer would receive the claim in a digital format, and digital workflows would route the right information to the right adjuster at the right time, who could then review the claim and come to a resolution faster. By expediting the process, insurers decrease time to decision while increasing customer satisfaction. “A large incumbent could more than double profits over five years by digitizing existing business,” McKinsey reports in its Digital Disruption in Insurance report. Digital transformation Many insurers find that achieving digital transformation is much harder than they originally thought, not understanding that it is a continuing process and never really quite finalized. Insurers create revenue streams not possible in earlier stages of the transformation journey. The enterprise-wide, digital-first strategy ensures that digital information and data stays digital, available from anywhere at any time. Many insurers are still in the initial phases of digital transformation – sorting through goals and assessing needs within the digital enablement phase. The good news is that they are taking the time to evaluate needs and how they hope to achieve their goals. Some are even are starting technology evaluation processes, looking at content services platforms to help them modernize and digitize. By defining problems from both a business and technology viewpoint, insurers can gain approval from all stakeholders and buy-in from the beginning for a more successful transformation journey. It’s clear that insurers that embrace digitization will continue to thrive within the industry’s digital future. By selecting technology that will both uncover insight in data and provide the ability to quickly develop and support new products, insurers will attract new customers while continuing to provide exceptional service to current customers.