The king of rock and roll, Elvis, was famous for “Taking Care of Business” (the name he gave his band). But when it comes to your cybersecurity dashboard, do you have the right metrics and visibility to mount a proper cyber defense and take care of business? Or are your cyber optics just along for the ride? No matter how many news stories about hacks, information theft and cyber espionage surface within your Facebook or Twitter feed, the idea that a major problem could happen to your organization sometimes remains just that, an abstraction. Many companies do not devote the proper resources to safeguarding their networks, even though the global cost of cybercrime will reach $2 trillion by 2019, three times the amount in 2015. Don’t wait for cybercrime to find you — remember that the best defense is always a good offense. Maintaining a successful security strategy requires dedication and delivering on a strategy that supports all functions of an organization. Security is a company-wide issue, and quantifiable metrics not only unify language but also demonstrate success. Keep Your Eyes on the Prize Your team can’t catch what they don’t see. Sounds like a catchy song lyric, doesn’t it? Maintaining a comprehensive view of the entire organization means more than just access to networks and systems. It requires an understanding of typical user behaviors and data traffic patterns, plus an awareness of corporate protocols as they relate to remote users and servers. Proper visibility throughout an organization necessitates laser focus on: BYOD (Bring Your Own Devices) protocol and management: Most organizations have policies around personal devices brought from home. These may or may not be followed, so a closer eye on device usage throughout the organization is warranted. Email traffic: Did you know that in the third quarter of 2016 alone, 18 million new malware samples were captured? Viruses via e-mail remain a top concern for security teams. Social and internet traffic: It’s likely that most employees in your organization use social media, perhaps even to promote the business. Prevent them from becoming an avenue into committing fraud or damaging the brand. See also: Security for Core Systems in the Cloud   Unusual user behaviors: Understanding your organization’s user behaviors is key to spotting abnormal patterns. Communicate clear policies and expectations for employees and enforce compliance to avoid accidental missteps and catch genuine incidents. Cloud applications and virtual servers: Internet-based applications create functional and productivity tools for an organization, but they put data at risk. Careful monitoring and protective firewall construction prevent easy access for hackers. The Best Metrics: Keep It Simple Create a security plan with goals that are understood and supported by the whole company. Measurement offers a clear and concise method of presenting critical information, so it’s important to measure the right statistics. Communicate on stats and data aligned with business objectives to gain the support of your employees and create a common language that everyone can understand. Focus on answering the following questions: How are we doing compared with our peers? In today’s business environment, understanding how successfully your organization prevents data loss or theft compared with other companies in your vertical provides a clear perspective on how your strategy is working. How quickly are we able to respond to a breach? Your response plan to a potential security incident is a critical factor in recovering from a cybercrime. Remember, it’s not IF you are breached, it’s when. Recognition of an incident, isolation of a breach and recovery convey the crucial steps to preventing widespread loss of private data. Two of the effective security metrics Secure Anchor uses with our clients are “dwell time” and “lateral movement.” Dwell time answers the question, how long did it take you to find and contain a breach? Lateral movement describes how you were or were not able to prevent the cyber adversary’s movement throughout your network. Are we getting better? Cybersecurity is never “done.” Regular audits of security processes and breach protocols provide the opportunity to improve and excel. Make sure your executive board is cognizant of the evolving journey. Are we spending enough (or too much) money? Aligning security technology and human resources with return on investment can be tricky, but budget allocations are a realistic pain point for many security departments and must be addressed. See also: 2018 Predictions on Cybersecurity   Creating and maintaining a thorough view of an organization’s user, network and system traffic allows a security team to design a blueprint to a comprehensive security strategy. Communicating that plan and measuring its success require the right metrics to align IT with business and prevent widespread damage from information thieves. Be a cybersecurity rock star. Just like any musician, you’ll have your big hits and your flops. But when you can see where you're going, with the right visibility into your systems, you will be TCB, takin’ care of business.

This is the second part of a five-part series. The first part is here. We’ve all read the productivity articles about the world leader who eats the same thing for breakfast, repeats the same 40-minute workout and reads the newspaper in the exact same order. We’ve heard about elite athletes with rigid pre-game routines, down to the music they’ll listen to before the match. The take-home message from this is that you need a stable foundation if you’re going to do amazing things. And in the case of insurers, a stable, efficient core is essential to enabling innovation. A stable core is essential for innovation It’s easy to focus on the shiny, emerging technologies that promise to upend the insurance industry: artificial intelligence (AI), the Internet of Things (IoT) and blockchain, to name a few. Do these things have far-reaching implications for insurance? Yes. Are there startups leveraging new technologies that may eventually disrupt the industry? Of course. But when many insurers still struggle to provide real omni-channel customer service, or offer timely and transparent claims settlement, it’s almost irresponsible to be asking which company or technology will disrupt insurance. Part of the issue is that the industry tends to clump two distinct opportunities together. First, there are the core competencies that insurers must master: the user experience, personalized offers, timely and transparent claims service. Get these pieces right, and you may not win—but do them poorly, and you will inevitably lose. Separate from this are the new technologies that capture headlines; if scaled successfully, these cool innovations can pave the way to an insurer’s future revenue streams. See also: Core Transformation Is Not Negotiable Brilliant Basics and Cutting New Ground At Accenture, we call these two opportunities the Brilliant Basics and Cutting New Ground. By getting the Brilliant Basics right, insurers foster a stable core—the strong foundation that’s necessary to enable innovation, in the form of Cutting New Ground. By injecting new digital technologies to transform the core, it becomes cheaper and more efficient to do the Brilliant Basics. This approach is aligned with what’s recommended by the Accenture Disruptability Index, which identified insurance as being vulnerable to disruption and recommended optimizing to improve structural productivity. Successful core transformation can create efficiencies, reduce the cost to serve and improve growth—all of which frees up investment capital to fund Cutting New Ground initiatives. These innovation initiatives should be viewed like a portfolio of digital investments. Low-risk, low-reward projects may be more likely to succeed and deliver incremental growth. High-risk, high-reward projects may be less likely to succeed—but if they do, they can enable an insurer to establish a definitive competitive advantage. Given insurance’s risk aversion, it’s definitely a cultural shift to embark on a project knowing it may not succeed, so viewing Cutting New Ground as a portfolio of investments can be one way to mitigate cultural concerns. Consequently, insurers need both pieces. Brilliant Basics can enable a stable core and generate investment capital that make it possible for insurers to focus on Cutting New Ground. Brilliant Basics is the elite athlete’s pre-game routine; Cutting New Ground is the game-winning performance, and maybe a record-breaking one at that. To get started, insurers should consider the following questions:

• What are your Brilliant Basics, and what will it take to deliver them?
• What are the foundational capabilities required to both deliver those Brilliant Basics and to set up the organization for cutting-edge innovation?
• What is Cutting New Ground for the industry, in general, and your organization in particular?

Transform the core to enable innovation It’s no longer enough to talk about digital channel strategy or digital operating models. We live and work in a digital world, and insurers need an appropriately digital strategy, period. This double-barreled strategy of using Brilliant Basics to become more efficient and create investment capital can enable an insurer to place smart bets with Cutting New Ground initiatives. See also: Core Transformation – Start Your Engines!   Done properly, Brilliant Basics can help insurers better connect with customers. By layering successful innovations on top of it, they can begin to see the stepping stones to becoming a competitive, digitally enabled business. Many insurers are focused on how to innovate, but most do not have a stable, cost-efficient core to support and fund their innovation efforts.

Property/casualty personal lines are under pressure unlike at any other time in history. The risk landscape is evolving as some circumstances result in increased losses (distracted driving, increased catastrophes), while others hold the promise to dramatically reduce risk (autonomous vehicles, the IoT). Customer expectations and demands continue to change. Emerging technologies offer new opportunities to manage risk and improve operations. New competitors and partners are surfacing every day via insurtech startups and greenfield insurance ventures.

But the industry is not standing still. Personal lines insurers are pursuing a dozen strategic initiatives that are propelling them to a stronger competitive position.

The strategic initiatives include both traditional initiatives, such as business intelligence and core modernization, and new world initiatives like investments in insurtech and a digital strategy. Creating a unified strategy with the right blend of traditional and new world initiatives is the challenging task of senior leadership today.

See also: Insurtech in P&C: It’s Not About the Tech  

Three of the traditional initiatives are further along in the implementation and deployment lifecycle: core systems modernization, business intelligence and advanced data/analytics. In a sense, these are the most foundational capabilities needed by insurers for success in the digital age.

Two of the traditional initiatives are primarily in the strategy and planning stages: innovative products and services, and the restructuring of the workforce. Personal lines have not historically been known for product innovation, relying on tweaks to coverages and services for the same basic products for many years. Now, a new generation of opportunities is upon us with the advent of on-demand insurance, parametric insurance, episodic insurance and coverages for emerging risks such as cyber. From a workforce perspective, the industry is on the front edge of massive retirements of insurance professionals, leading to the need to introduce more technology to support the workforce (collaboration tech, AI), increase recruiting efforts and rethink business models.

While the traditional initiatives are vitally important and foundational, it is the new world initiatives that hold the promise for more competitive differentiation. Improving the customer experience and becoming more digital are the two initiatives that have been underway for several years at many insurers, and they continue to pick up steam. Newer initiatives such as investing in insurtech and emerging tech are earlier in the strategy and planning stages, but important activity is underway there nonetheless. Almost half of personal lines insurers are developing strategies to deploy new business models, an indicator of how much rethinking and transforming are actually underway.

This is a significant time of change and transformation for the personal lines sector. The next five to 10 years are likely to produce more than a few surprises, with new products, new competitors, new distribution options and the impact of insurtech and emerging tech reverberating across the industry.

Let’s talk about trust. The insurance industry is built on it. So why is there so little trust between consumers and the insurance industry? According to the 2018 Edelman Trust Barometer, financial services as an industry has improved in the percentage of those surveyed who trust the industry from 48% in 2014 to 54% in 2017. While the level of trust is at least moving in the right direction, financial services does rank dead last among all of the sectors polled. Last. Trust is not something that comes easily these days anywhere, much less in the world of insurance and other financial services. This is not great news for an industry in which we literally sell a promise to be there when bad things happen to consumers and businesses, such as car accidents, fires or deaths. Many insurers may think of data along these lines: Consumers trust and understand that, at the end of the day, insurance carriers are in the business of data. It’s at the core of what we do, the data is how premiums are decided, how to best protect assets and develop the fastest solutions when there is a loss, how products are marketed and much, much more. Of course, carriers can be trusted to protect that data and consumers’ privacy. As a regulator who often hears from consumers, I wouldn’t bank on that. Simply put, there is a lot of uncertainty around data these days. Cyber-attacks are in the news seemingly endlessly, from Home Depot, to Target, to Equifax. And if consumers know one thing, it’s that their data is out there, often on old systems that may or may not be properly maintained, and many big-name companies may not have succeeded in protecting that data, and thereby their privacy. Consumers also often are bombarded with long applications or questionnaires, sometimes with rather personal questions. Often, they are left baffled trying to understand, “Why would these people need this information?” See also: When Not to Trust Your Insurer   Many agents or brokers requesting the data may not know themselves. Data collected by insurance companies is input into complex algorithms in trade-secret black boxes to which few have access, much less full access. Simon Sinek provides great insight into why leaders and companies need to focus on answering the question of “why” to maintain the focus as anyone—leaders, product managers, agents and brokers—starts the process and as any of us review whether that vision is working. Sinek says that people should consider whether “Starting With Why” in innovation will instill trust and cooperation. If companies are transparent about exactly why data is collected, consumers can understand how it affects them. Transparency also can allow agents, brokers, consumers and others collecting the data to ensure it is as accurate as possible. This issue is being discussed inside insurers, at insurance departments and among consumers. There can be scary downsides to secret data black boxes in insurance and otherwise. Insurers could also use the data to provide feedback to help consumers better manage their risks. It’s important that, as new technology brings new opportunities, those asking for the information fully explain the “why” behind requests for data. Insurance is global, and changes in other countries may cause changes that affect U.S. consumers and companies. As the General Data Protection Regulation (GDPR) is on the eve of its effective date of May 25, 2018, in the E.U., the U.S. has the opportunity to learn from the experiences. When the Iowa Insurance Division addresses these topics with companies, we point out the obvious. These are your consumers. If consumers ask the question about what data is being used and from what point, they should gain a clear response so they can understand fully before they consummate the transaction. See also: 6 Lessons in Trust From Retailers  Those in the insurance industry are given and trusted with much data. Because of that, much is expected. It’s an incredible time to be in the business of insurance, and the expectations are high. The Iowa Insurance Division will continue to work with companies and consumers to discuss the proposed “why” for the benefit of all affected. After all, the insurance industry is built on trust.

For security and compliance professionals, the announcement of new regulatory standards can be a stark reminder that the to-do list is long and the day is short. But with careful preparation and concerted, coordinated efforts to mature governance, risk management and compliance (GRC) activities, compliance and security teams can face new rules and standards with confidence. After many iterations and comment periods, the National Association of Insurance Commissioners (NAIC) announced the adoption of the Insurance Data Security Model Law in October 2017. The model law — which encompasses rules for licensed entities about data security and data breach investigations and notifications — establishes more rigorous guidelines for the insurance industry. It shares many similarities with the New York State Department of Financial Services (NYDFS) cybersecurity requirements for financial services companies, currently considered to be the highest bar — and a best practice — so the NAIC's model law is likely to be adopted by many states as the governing standard. The NAIC’s rules specify information security programs should be based on “an ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event.” In particular, take a close look at Section 4: Information Security Program. It details implementing a program and the requirements for assessments, reporting, audits, policies and procedures. It sounds straightforward on the surface but grows in complexity the more you read; you need to not only identify internal and external threats but also assess the potential damage and take active, concrete steps to manage the threats. Section 4 also calls for more accountability when it comes to protecting data — each insurer must submit an annual statement by February 15 certifying compliance with Section 4 or identifying areas that need improvement, as well as remediation plans. See also: Insurance Is Not a Magazine Subscription It is important to note that the insurance industry has unique challenges around internal risk, third parties and intricately collaborative processes. Many entities and individuals are involved in a single claim: brokers, dealers, agents, actuaries, adjustors and claims processors. This creates more room for error, more potential gaps in security coverage and more difficulty managing contributors. Comprehensive procedures supported by integrated risk management technology solutions will help weave a tighter web. Renewed Focus on Third Parties As is the case with many of the major cyber security and data privacy frameworks (e.g., HIPAA, NYDFS, GDPR), the NAIC’s model law gives special attention to required oversight of third-party providers. Licensed entities are responsible for ensuring that third parties implement administrative, technical and physical measures to protect and secure the information systems and nonpublic information they hold or have access to. Meeting these requirements means licensed entities need to conduct assessments to ensure third parties are following security, privacy and notification guidelines. In Section 4.c.: Risk Assessment, it stipulates identifying threats by means of an ongoing assessment and an annual review of systems, controls, processes and procedures. Developing a comprehensive and streamlined system for vendor risk management is an increasingly critical component of both security and compliance programs — especially for large enterprises and those with complex partnership and outsourcing structures. Incident Response is Key The NAIC’s model law also specifies requirements for incident investigations and mandates that breaches are reported to the commissioner within 72 hours. In this notification, insurers must provide as much information as possible, including: the date of the breach; how the information was exposed; the types of information exposed; the period during which the system was compromised; planned remediation efforts; a copy of the company's privacy policy; and more. Additionally, licensees must notify consumers of the breach as their state's data breach notification law requires. It will be nearly impossible to meet these demands if your security information is outdated, incomplete or difficult to pull together. Expedient incident response can have a significant effect on outcomes. If you can quickly coordinate clear, accurate communications to regulators, third parties and customers about a breach or cyber attack, you can contain reputational damage, protect end-users and prove negligence was not a factor. See also: It’s Time to Act on Connected Insurance How to Become Prepared — and Stay that Way While some of the specific requirements of NAIC’s new model law might cause alarm, most insurance businesses already have well-defined processes and controls. The need to keep sensitive customer data secure and private isn’t new, and high-profile data breaches (e.g., Equifax, Anthem, Aetna) keep a spotlight on the consequences of failing to do so. Licensed entities are most likely to be challenged by the outer ends of the integrated risk management spectrum — the granular details of controls, policies and procedures on one end as well as the development of a sustainable security culture on the other. Both can be enhanced and reinforced through an enterprise-wide, technology-driven approach to GRC efforts. By implementing a centralized integrated risk management platform, insurance organizations can move away from fragmented manual processes (spreadsheets and email) and toward higher degrees of automation and analytics. The difficulty of meeting the NAIC’s requirements depends on the maturity of a company's security and compliance program. Companies that are already using an integrated risk management platform will easily be able to identify the gaps in compliance and efficiently make needed changes to achieve compliance. Those who do not have mature programs in place will have a longer path, from reviewing the requirements and identifying compliance gaps to the challenging goal of creating a culture of security.

The healthcare business is broken for consumers and taxpayers in America. And we can expect to see more mergers, acquisitions and large alliances in the coming months and years, all forming in the name of trying to control rising costs and taking better care of patients. The question is: Will they? Unfortunately, the answer usually is generally no. Let’s take a look at two recent headlines, starting with the CVS acquisition of Aetna. While the CVS acquisition of Aetna makes financial sense for shareholders, the same cannot be said for consumers. CVS and Aetna, which individually represent severe conflicts of interest, together create an even larger systemic problem. American consumers need healthcare intermediaries to clearly represent the interests of either the patient or provider — they can’t do both. Maybe we’re suffering from amnesia because we’ve forgotten why the Pharmacy Benefit Manager (PBM) industry exists in the first place. Years ago, insurers managed drugs themselves. However, the conflict of interest and the resulting price gouging was so bad that the PBM industry took off in the 1980s and became the de facto broker (intermediary) for the drug industry. Over the next three decades, the PBM industry “evolved,” and, today, the PBM business model looks worse than the insurance industry it once set out to fix. Considering the conflicted business models involved, it seems highly ironic that today’s largest PBM is buying one of the largest health plans. This was a bad idea 30 years ago, and it’s an even worse idea today. See also: How Amazon Could Disrupt Care (Part 3)   So why isn’t this going to control costs? Because it really is just a mechanism to switch roles from the “broker function” to that of the supplier. In this case, there is the added benefit that Aetna can get over the 85% Medical Loss Ratio (MLR) limitations by paying themselves as a supplier. All this does is further reduce choice, lock out competition and increase profitability for itself while increasing costs for purchasers. Planning on larger mergers to control costs is a fool’s errand. Take a look at UnitedHealth Group (UHG), which owns UnitedHealthcare (UNH) and OptumRx. The company’s structure and scale is on par with a combined CVS and Aetna. UHG owns one of the largest health plan providers and one of the largest PBMs, and UHG continues to aggressively acquire other health care services companies.  Many corporate customers will tell you UNH is one of the most difficult insurers to work with because of restricted data sharing and lack of transparency. UNH also makes it nearly impossible to use services other than their own.  This is not a recipe to control costs, and it’s going to get worse because UHG recently announced the purchase of Davita’s Medical Group, which has hundreds of care facilities and about 30,000 affiliated physicians. Another major issue with this acquisition is that it enables the combined entity to collect even more patient data and constrict its availability and use. CVS CEO Larry Merlo stated, “By integrating data across our enterprise assets and through the use of predictive analytics, we will create targeted interactions with patients to promote healthy behaviors and drive adherence, and this will further improve the quality of care for patients while also resulting in healthier outcomes.”  Mr. Merlo fails to acknowledge that the data the company integrates, uses for its benefit and sells for its profit is their customers’ data — to which the company claims ownership and restricts for others’ use. After the CVS-Aetna deal closes, restrictive data hoarding will stifle potential health benefits and further limit innovation opportunities. Just a few weeks ago, another headline about an alliance forming to control rising costs captured our attention. Intermountain Healthcare, Ascension, SSM Health and Trinity Health announced they are joining forces to create a new generics drug company. Again, on paper, the announcement seems like it could help control costs and benefit consumers. But taking a closer look at the match, the marketing value to the hospital chains has already vastly exceeded the cost reduction of the generic drugs in question as well as the pressure this places on big pharma by at least three or four orders of magnitude. Big Pharma isn’t in the generics business. As egregious as the examples are that we keep talking about with Valeant and Turing, those are rounding errors in aggregate compared to the global sales of just one brand drug, Humira, which brought in $14 billion last year, alone. Big Pharma is laughing all the way to the bank as the press keeps writing about how big a deal this is and how four hospital chains are going to change the landscape. These large monopolistic systems get the great publicity as they try to lay claim to the moral high ground. More importantly, we have, yet again, given providers of services (a.k.a hospital systems) who already have the reputation for marking up medicine such as Tylenol the power to mark up these new generics they will manufacture. The most important announcement of the past few days is the one from Amazon, Berkshire-Hathaway and JP Morgan. While there are few concrete details, the message from the top is clear that these companies have decided to take matters into their own hands to control costs as all the intermediaries they have relied on haven’t delivered. As those who represent consumers, benefits professionals have a crucial role to play as we continue to learn about more mergers, acquisitions and large alliances. As such, there are three things each of us as HR benefits professionals can do to help tame the M&A beast. First, insist on transparency. This starts by making sure intermediaries (insurers and PBMs) never control supplier performance data. You should have the right to see whatever data you need about your suppliers — just as you would in any other industry. Stop working with intermediaries and suppliers that restrict or refuse to provide data. You should also require intermediaries to provide all supplier contracts they have in place. Trust, but verify. See also: The PBM vs. the Drug Manufacturer   Second, require your suppliers to pick a side — yours, or theirs, but not in between. You, not an intermediary, should be able to choose who provides services to you. You should never be penalized for choosing a supplier that isn’t your intermediary’s preferred choice. Third, demand independence. Intermediaries must represent the company and customer interests. There’s an obvious conflict of interest when an intermediary also represents a seller of goods that constitutes a significant source of the intermediary's revenue. Stop doing business with intermediaries who have such conflicts. Congratulations to all the CVS and Aetna stockholders out there; there’s a big payday headed your way. Because one person’s profit is another person’s cost, expect the price of health care to increase in this brave new world. However, in the long run, the rest of us are going to bet on the new Amazon/Berkshire-Hathaway/JP Morgan model from Bezos, Buffett and Dimon to lead the charge of purchasers taking control of their own destinies.

There is a growing recognition among insurers that insurtech represents more of an opportunity than a threat and that insurers should seek to collaborate closely with this latest breed of technology-fueled startups.

Insurtech is enjoying record growth. While 2016 saw $1.7 billion in insurtech investments, things are only picking up in 2017. A recent report by Willis Re, Willis Towers Watson Securities and CB Insights found that investment in insurtech startups in the second quarter of 2017 totaled $985 million, a rise of 148% on the previous year. Q2 saw an 88% rise in the number of transactions year-to-year, setting a record of 64 transactions in the quarter. While the growth hot spots were traditionally located in North America (primarily California and New York), this year saw significant markets emerging in China, India, Germany and the U.K. Insurtech is now a global phenomenon. See also: Digital Insurance 2.0: Benefits   Which technologies are behind this surge? Accenture analyzed more than 450 insurtech deals and found the insurance industry is investing in technologies that help companies better understand their customers so that the companies can deliver hyper-personalized services. These technologies include artificial intelligence (AI), analytics and the Internet of Things (IoT) — areas where traditional insurers are, arguably, falling short of meeting evolving customer demands. Insurtech may help bridge that gap. Partnering with insurtech startups may offer insurance incumbents the opportunity to do just that. Though insurtechs are often thought of as potential industry disruptors, many insurers view the rise of insurtechs rise as an opportunity to partner with agile startups and expand ecosystems. Indeed, Accenture found that 44% of global insurers plan to pursue digital initiatives with startups in the next two years. See also: Retirement Funding, Inequality, Insurance In my next posts on insurtech, I’ll look at some specific challenges and opportunities traditional insurers face as they seek partnerships with insurtech firms.

The cyber attacks in the past year spread with startling frequency and intensity and demonstrated that cyber risk is not only a concern for organizations holding sensitive or regulated data, but also a material threat to businesses across all industries. The WannaCry and NotPetya attacks, for example, resulted in large-scale interruptions to global commerce, with companies reporting significant losses in sales caused by business disruption. Far-reaching regulations such as the EU’s General Data Protection Regulation (GDPR) open up businesses to large potential fines and consumer class action suits. The cost of cyber crime keeps rising, with data breaches predicted to cost businesses a total of $8 trillion over the next four years, exceeding worldwide IT security spending, which is expected to be upward of $120 billion by 2021. In this climate, executive teams must urgently stop thinking about cyber risk as an IT issue and lead a shift to managing its impact across the entire organization. Companies’ cyber exposure has dramatically increased beyond the risks to their data and intellectual property (IP), exacerbated by the convergence of the physical and digital worlds. To drive efficiencies, organizations are bringing processes and infrastructure online, for example, through connected grid systems, supervisory control and data acquisition (SCADA) and industrial control systems (ICS). At the same time, the need to innovate and compete drives businesses to introduce an ever-increasing number of endpoints, significantly expanding the cyber attack surface – whether through a retail bank’s mobile app, a manufacturer of connected cars or even office equipment like printers or employee devices. Every change in a company, be it an M&A transaction, working with a contractor, introducing new software or moving data to the cloud, affects a company’s cyber risk posture. Securing this shifting target requires a holistic view of how all the activities of all departments affect the company’s exposure. See also: How to Manage Claims Across Silos One of the core business challenges hampering executives’ ability to look at the impact of cyber risk beyond individual silos is that members of the C-suite are not collaborating effectively over this issue. Every executive has a different lens on how to view, assess and manage cyber risk: The general counsel, for example, will be focused on compliance with information security regulations and disclosure requirements; the chief information security officer (CISO) and chief information officer (CIO) implement technical controls and remediation efforts; the chief risk officer (CRO) and chief financial officer (CFO) will be quantifying the financial exposure to cyber risk and mitigating it through insurance; product developers may view security as a roadblock to meeting product launch deadlines; and human resources (HR) will institute internal training for employees. Multiple parallel work streams like these exist in silos, rarely with any common framework for taking an integrated view. The fragmented cybersecurity market reinforces these challenges, as organizations work with multiple providers for different elements of their security needs. For example, a company may contract with an incident response provider for post-breach services, separate external experts on assessments or penetration testing exercises and a separate insurance broker to assess the implications of cyber risk from a balance sheet perspective. Multiple providers such as these are working with different internal stakeholders, who aren’t effectively communicating with each other, exacerbating the ineffectiveness of the approach. As companies wake up to the impact that cyber risk can have on their business, C-suites in mature companies will break down organizational silos to create a holistic view of their risk exposure. CROs and CISOs will work collaboratively with others across the C-suite, including IT, legal teams, HR and finance, to understand how technical vulnerability affects financial exposures and potential risk scenarios. This will happen in sectors beyond the early adopters in financial services, healthcare and retail. As an example, a shipping firm will assess how cyber risk affects physical operations and revenue-generating activities, such as tankers being remotely diverted by hacked GPS systems, or look at the potential benefits of smart contracts and blockchain technologies with regard to tracking goods and inventory and verifying manifests. To support more coordination and informed decisions within organizations around their cyber risk management, they need a technology platform such as the one Aon Cyber Solutions is building to provide a single point of visibility into all aspects of an enterprise’s cyber risk profile, across all C-suite functions. The platform will enable companies to conduct cyber risk assessments, dynamically quantify risk across multiple dimensions, optimize efforts to remediate risk and reduce the organization’s overall risk posture. Executives can leverage quantitative information in real time to model security plans and budgets, as well as receive recommendations as the threat landscape evolves and requires new insurance options. Bringing together all the elements that affect cyber maturity across the organization through a centralized portal view enables anyone in the C-suite – whether it’s the chief executive looking for a high-level view, or the CFO or CRO prioritizing investment decisions, or the CISO examining the remediation activity - to have a more holistic understanding of how the activity within their function affects the company’s cyber exposure as a whole. See also: How to Link Risk and Strategy   The industry needs to collaborate to drive this holistic approach. For our part, Aon has teamed up with Apple, Cisco and Allianz. This combined solution helps protect a wider range of companies from cyber breaches associated with ransomware and other malware-related threats. Customers who deploy Apple devices and software and Cisco cybersecurity products, such as Cisco Ransomware Defense, and conduct Aon’s Cyber Resilience Evaluation, will be eligible to apply for more enhanced cyber insurance coverage than are available in existing cyber insurance products through Allianz. In addition, companies can take advantage of access to Cisco's or Aon’s industry-leading incident response teams, should an incident occur. Through these and other innovative solutions, Aon Cyber Solutions is focused on helping companies eliminate the silos that typically hamper effective cyber risk management. This is an urgently needed shift in thinking throughout a currently fragmented industry, so that clients can manage their evolving cyber risk exposure in a digital, connected and regulated world.

For some time now, you've seen me mention our Innovator's Edge platform, where we have built the best data base, bar none, on insurtechs. We're now taking the next step, adding a framework that lets you make connections that will help you on your innovation journey. 

Insurance Thought Leadership is launching the Innovator’s Edge Network, a free professional network for insurance innovation executives who are leading the transformation of insurance. The network is one of several tools available within our Innovator’s Edge platform that insurance executives can access to achieve growth through innovation.

You can join the network today at www.InnovatorsEdge.io and build a professional profile that will connect you with people, discussion groups and events that support your needs.

The free membership is designed for executives within the insurance industry who seek to expand their professional network and meet fellow innovators—both from traditional insurance companies and insurtech entrepreneurs. The IE Network also helps members follow innovation trends and developments focused on their areas of interest and gain insights to the potential impact of innovation on the industry, quickly, deeply and efficiently.

We have made it super simple for you to join the IE Network: Just go to www.InnovatorsEdge.io, register to join and provide a little information about yourself and the areas of insurance innovation that are of most interest to you.

Within each area of interest, you will be able to find potential connections, participate in online discussion forums—to share ideas, ask and answer questions and collaborate in a professional and respectful environment—and access curated analysis and perspectives from some of the most significant thought leaders in the industry.

The events feature allows you to browse future insurance and innovation events, identify those of interest and signal others within the IE Network that you are attending, speaking or sponsoring. The tool also allows users to manage face-to-face meetings at events with other network members, and manage your schedule.

Your free IE Network membership also will get you a peek behind the curtain of the premium features of Innovator’s Edge, which is our strategic growth platform that connects the insurance industry with the top innovators and entrepreneurs delivering insurtech solutions and exponential technologies that are creating growth opportunities for insurance.

Last, and most importantly, we want you to invite your friends and colleagues from the insurance innovation community to the IE Network, join you in categories and groups, join you in positions of leadership and join you in becoming an insurance innovation executive.

Have a great week.

Paul Carroll
Editor in Chief

Insurers cannot afford to be complacent when disruption has upended other industries. The industry can, and must, embrace change and the future-fearlessly.

Insurance hasn’t changed much in 200 years. It’s still about capital placed against risk. It’s still about creating tailored products for customers. It’s still about using information to sell through channels, to generate returns for a company. Except that capital now includes venture capital and peer-to-peer funding. Risk now includes cyber, pandemic, micro. Tailored products? Think episodic, pay-as-you-go, parametric. Information? Humanity produces 2.5 quintillion bytes of data every day (a quintillion has 18 zeroes). Customers span millennials and high-net-worth boomers, each of whom expects personalized service. Insurance hasn’t changed much in 200 years, but everything around it has. At its highest level, the insurance industry appears stable. Profits are solid, with average pre-tax RoE levels from 2010 to 2016 between 10% and 12% globally. Company rankings are stable, and share price performance is solid across the globe. That sentiment is confirmed by the Accenture Disruptability Index, a global, cross-industry study of how incumbent industries will likely fare in the face of disruption. On a scale of zero to one, with zero being minimally disrupted and one being highly disrupted, insurance scored 0.37. See also: Time to Formalize Insurance Career Path   The study also identified four distinct periods of disruption, each with its particular implications and corrective actions. Insurance is in the “vulnerable” period of disruption, characterized by structural inefficiencies and low innovation that lead to low productivity. These pressures compress profitability but create a high barrier to entry that can hold off disruption—for now. Insurers cannot afford to be complacent. The industry’s future disruptability scored 0.68—above the median of 0.57 and among the highest scores in the study. An estimated 30% to 40% of EBITDA is projected to be at risk by 2020, and the industry has already experienced significant disruption. Moreover, executives know that innovation is essential not just to remaining competitive but to surviving. To fend off disruption, insurers need to take targeted action. They must optimize to address structural productivity and inject new digital technologies to upgrade core offerings at lower cost. This last point is worth repeating: Core transformation is critical to fending off disruption. I’ll keep coming back to this throughout this blog series, as we discuss ways to transform the core, and how doing so can fuel innovation. Feel the fear—and make change Insurance is at the edge. It’s vulnerable to disruption and under threat of being made redundant if it continues to bask in the status quo. But insurance is not the only industry caught unprepared. Accenture research found that 93% of chief strategy officers agreed that they will be disrupted within five years—but only 20% feel highly prepared to deal with it. What’s more, longevity comes with perks. Insurers have data, distribution channels and innovation practices that many startups would envy. Insurers are more than capable of turning disruption into an opportunity. Over the course of this blog series, I’ll explain how insurers can meet disruption head-on. How they can create efficiencies in their core business and innovate to create revenue streams for the future. How to not just meet customer expectations, but exceed them. Why legacy systems don’t have to be an obstacle to change. And how to make the wise pivot to become an organization that is equipped for success in a digital economy. See also: Unfair Perception of Insurance Insurance hasn’t changed much in 200 years, but everything around it has. The insurance industry can, and must, embrace the future—fearlessly.