IT systems have never been more powerful or accessible to businesses. However, the scope and scale of cyber crimes continues to outpace tech innovation. For years, the challenge for internal IT and security teams has been to use existing company data to construct an integrated picture of oddities and unexpected actions on their network. Recent advancements in machine learning and behavior or anomaly-based analytics that leverage existing enterprise logs have provided security teams with much more accurate intelligence than ever before. See also: 3 Technology Trends Worth Watching   In the past, security expertise was embodied in signatures, representing particular and specific types of malware. In time, the experts couldn’t keep up, signatures were out of date or not installed quickly enough, and hackers began to take full advantage. An attack from an employee account is signature-less, making conventional security approaches that rely on blacklists ineffective. Security experts quickly realized that pattern patching alone wouldn’t work, so they added rules, such as the correlation rules found in security information and event management (SIEM). For example, if an HR employee has been terminated and begins accessing sales data for the first time, something is likely wrong, and an alert will immediately be sounded. Technology outpaces analysis As the number of endpoints (i.e. mobile devices) skyrocketed, so did the volume of data to be analyzed by firms, making it more difficult for security experts to rely on cut-and-dried rules. Existing—not to mention expensive—intelligence tools, typically some form of SIEM, were supposed to predict and detect these types of threats, but were unable to keep up. This left companies at an all-time vulnerable state for both insider threats and hackers. Experts predict a 4,300 percent increase in annual data production by 2020 and IDC anticipates that the “digital universe” of data will reach 180 zettabytes in 2025 (that’s 180 followed by 21 zeroes). Thankfully, open source big data systems have provided a way to collect, process and manage monstrous amounts of data. Open source big data technologies such as HDFS and Elasticsearch enable solutions that handle petabytes of security data with ease. This not only allows firms to store a wide range of data sources, but also reduces overhead cost of data storage altogether, which can reach millions of dollars annually for large organizations, due to the cost of vendor data management hardware and vendor per-byte pricing models. Consequently open source big data frees up the budget to invest in stronger analytics. Algorithms crunch data Another major advancement that has fortified cybersecurity tools is machine learning. The method of analysis flips the expert approach on its head; instead of requiring expert rule-writers to guess at attacks that might come, machine learning algorithms analyze trends, create behavior baselines—on a per user basis—and can detect new types of attacks very quickly using baselines and statistical models. These systems are more flexible and effective than any pure expert-driven predecessors. See also: Innovation: ‘Where Do We Start?’   Technology options available to enterprises are at an all-time high, and so are the number of cyber crimes that are committed. Fortunately, as technology has advanced, so has the ability to seek out cyber criminals that may have been virtually invisible in the past. User and entity behavior analytics and machine learning technology continue to provide chief information security officers with the accurate insights they need to thwart attacks before severe damage is done. This article originally appeared on ThirdCertainty. It was written by Nir Polak.

In 2015, an accountant looking at the balance sheets of a U.S. tech company noticed a $39 million hole in the figures. The accountant would have been even more dismayed to know where it had gone – a member of the financial team in an overseas subsidiary had transferred it directly to the thief. All the thief had to do was pretend to be a CEO. It’s a kind of attack known as a CEO email attack, and just one of a broad range of hostile tactics known as social engineering attacks. These are attacks that exploit the natural weaknesses of human beings – our credulity, our naiveté, our propensity to help strangers and, sometimes, in the case of phishing attacks, just our greed – to get around security systems. To put it in the language of 21st century cyber security: Social engineering operates on the idea that, just like any computer system, human beings can be hacked. In fact, a lot of the time they’re much easier to hack than computers. Understanding this fact, and the forms that social engineering can take, is essential to formulating a robust defense strategy. These strategies are even more important now, as the lines between the physical and digital worlds continue to blur and the assets at risk continue to multiply, thanks to the proliferation of connected technologies. In Depth From the serpent in the Garden of Eden, to the fake phishing emails that promise fortunes if only you’d just part with your bank details and Social Security number, social engineers have been with us for a while. But few epitomize their arcane arts quite like Frank Abagnale, whose exploits between the ages of 15 and 21 were immortalized in the Steven Spielberg film Catch Me If You Can. During those years, Abagnale posed as a doctor, a lawyer and an airline pilot and has become one of recent history’s most legendary social engineers. He now runs a consultancy, Abagnale and Associates, that aims to educate others – including government agencies such as the FBI, and numerous businesses – on how to catch people like him, as social engineering methods shift. Abagnale asserts: “Some people used to say that I’m the father of social engineering. That’s because, when I was 16 years old, I found out everything I needed to know – I knew who to call, and I knew the right questions to ask – but I only had the use of a phone. People are doing the same things today 50 years later, only they’re using the phone, they’re using the mail system, they’re using the internet, email, cloud. There’s all this other stuff, but they’re still just doing social engineering.” We live in an overwhelmingly digital world, and the projected 50 billion Internet of Things (IoT) devices due to be hooked up to the internet by 2020 means the already broad frontier of digital risk will only continue to grow. “I taught at the FBI for decades. There is no technology today that cannot be defeated by social engineering,,"Abagnale says. Making sure the human links that sit between this expanding set of digital nodes remain secure lies at the heart of securing the whole system; one increasingly tied up with physical as well as digital assets. New Risks In 2010, the Stuxnet worm, a virus believed to have been developed jointly by the U.S. and Israeli military, managed to cause substantial damage to centrifuge generators being used by the Iranian nuclear program. The virus was designed to attack the computer systems that controlled the speed that components operated in industrial machinery. By alternately speeding up and slowly down the centrifuges, the virus generated vibrations that caused irreparable mechanical damage. It was a new breed of digital weapon: one designed to not only attack digital systems, but physical systems as well. It was physical in another way. To target this system, the virus had to be physically introduced via an infected USB flash drive. Getting that flash drive into a port, or into the hands of someone who could, required human beings to intervene. In this case, anonymous USB devices were left unattended around a facility and were then accidentally inserted by unwitting technicians. See also: It’s Time for the Cyber 101 Discussion   The Stuxnet worm highlights the extreme end of the dangers that lie at the overlap between digital technology, physical assets and human beings, but the risks extend well beyond that. More prosaic, for instance, are email scams that work by tricking the receiver into sharing vital information – remember the notorious “Nigerian prince” emails, where a fraudster would promise a willing helper untold riches in return for money to be released from jail? Some of these scammers have elaborate networks that crossed countries and continents and can be worth more than $60 million. Move the concept into the organization now: Imagine receiving an email from someone purporting to be your boss, asking in an official and insistent tone for a crucial keyword or a transfer of funds. Could a typical employee be relied on to deny that request? What about a phone call? This was hacker Kevin Mitnick’s strategy. In a way, a Frank Abagnale of the digital age, Mitnick managed to make a range of high-profile attacks on key digital assets by just phoning up and asking for passwords. IoT: The Convergence of the Physical and Cyber Worlds “Humans are the weakest link in any security program,” says Dennis Distler, director, cyber resilience, Stroz Friedberg, an Aon company. In fact, it’s us, rather than computer systems’ weaknesses or failures, that lie at the heart of around 90% of cyber breaches. Social engineering attacks can come in various forms, and the risk from them will never be fully mitigated. But while full mitigation is impossible, you can limit your exposure – that strategy begins at the individual level. Humans are the targets, so the first line of defense has to be from humans. “You certainly remind people that you have to be smarter, whether you’re a consumer or CEO. You have to think a little smarter, be proactive, not reactive,” Abagnale says. While social engineering has a focus on financial loss, the focus of cyber risk is shifting to tangible loss with the potential for property damage or bodily injury arising out of IoT devices. Historically, cyber risk has been associated with breaches of private information, such as credit cards, healthcare and personally identifiable information (PII). More and more, however, the IoT – the web of connected devices and individuals – will pose an increased risk to physical property as breaches in network security begin to affect the physical world. Having a better understanding of vulnerabilities and entry points – both at the individual as well as device level – will be critical for organizations in 2017 and beyond. Organizational Mitigation While security awareness training and, to a lesser extent, technology can prevent successful attacks – whether IoT-related, human error or stemming from actual social engineering – the risk from them will never be fully mitigated. Organizations can take a number of steps to protect themselves. Distler of Stroz Friedberg, highlights a number of key steps a company can take to minimize exposure to social engineering risk:

• Identify what and where your organization’s crown jewels are. A better understanding of your most valuable and vulnerable assets is an essential first step in their protection.
• Create a threat model to understand the types of attacks your organization will face and the likelihood of them being exploited. From email phishing to physical breaches, the threat model can help teams prioritize and prepare how to best respond.
• Create organization-specific security awareness training addressing what types of attacks individual employees could expect, how to detect them and what the protocols for managing and reporting them are. Consider instituting a rewards program for reporting suspected attacks to further encourage vigilance.
• Provide longer and more detailed training for high-valued or vulnerable targets, such as members of the C-suite and their executive support staff, or members of IT, finance, HR or any other employee with access to particularly sensitive information. This training could vary from account managers to mechanical engineers working on major operational projects. These enhanced training procedures could include red-teaming exercises, which test the ability of selected staff to respond to these breaches in real time.
• Create well-defined procedures for handling sensitive information and provide routine training on these procedures for employees who handle sensitive information.
• Conduct routine tests (recommended quarterly at a minimum) for the most likely social engineering attacks.

Preparing for Tomorrow’s Breaches The term “cyber threat” is becoming more and more complex. No longer is it a threat posed to digital assets by viruses and malware or a financial threat posed to individuals and financial institutions. Now, cyber risk encompasses a broad range of risks with the potential to harm assets, from property to brand and reputation. And at the center of all of these interactions are people. Almost every breach begins with a human being. By understanding how such threats can manifest, and how to deal with them when they do, risks can be mitigated ahead of time. Bringing together various functional groups within an organization will be crucial as teams prepare for the more multifaceted risks of our increasingly connected future.

Houston and Harvey. Florida and Irma. The West and the Wildfires. Hail in the Midwest. Floods in the South. Will 2017 set a new record for catastrophe claims? According to the Insurance Information Institute (III), 2013/14/15 and the first 9 months of 2016 were welcome respites from insured disaster losses, totaling between $13 billion and $18 billion. This is far lower than several other periods in recent history. These would include Sept. 11 in 2001 ($39.5 billion), Hurricane Katrina in 2005 ($77 billion) and 2011/2012, which were among the costliest years in U.S. history with $35 billion to $37 billion in losses. The Insurance Information Institute points out that the long-term trend is for more, not fewer, costly events. Preliminary estimates by AIR Worldwide have placed the low end of 2017 damages at over $115 billion accounting only for damage from Hurricanes Harvey and Irma. When catastrophes hit, they hit insurers hard. They decimate the lives and livelihoods of individuals and families, but they can also wreak havoc on the systems and reputations of those who will be trying to assist in the restoration and rebuilding. Insurance executives are undoubtedly wondering if they are prepared enough, what they can do differently and what they can improve before the next natural disaster strikes. Customer service and marketing are worried about retention rates, service ratings and net promoter scores.  Operations is concerned about scalability during claims events. Finance is (understandably) concerned over losses. In my next three blogs, we will take a close look at holistic claims preparedness. How can we use catastrophe preparations to improve our customer value, save customers from additional loss and lessen claim impact on both the insured and the insurer? Claims Pays Back What is important to remember is that from a satisfaction standpoint, one claim or a tremendous number of catastrophic claims both have the potential to positively or negatively impact satisfaction, retention and recommendation. According to a 2016 J.D. Power post-claim survey of auto insurance customers, 84% of delighted claimants will definitely renew their policy and 83% will definitely recommend their insurer. Among displeased claimants, 12% will definitely renew and 7% will recommend their current insurer. What does this tell us? It suggests that any effort aimed at improving the claims experience through catastrophic preparedness isn’t effort wasted if the catastrophes never come. These efforts will bear fruit in loyalty and recommendation — the positive results of a thoughtful, “rethought” claims value chain. See also: Harvey: First Big Test for Insurtech  Adopting a Holistic View of Claims What does a catastrophe-prepared insurer look like? How can we use our new knowledge of catastrophic events and our years with fewer claims to ready ourselves for those times when we will be inundated? What can we do to give customers a superior claims experience from pre-claim through restoration — anytime — even outside of catastrophic events?  What new technologies can change and enhance the process? Some years ago, customer-focused business practices came into vogue and most insurers started paying attention to every area of the organization and its relationship to the customer. What many didn’t realize was that this shift was never-ending, because shifting demographics and customer expectations would continually be in flux. Very few insurers realized quickly that claims is perhaps the most vital front-line touch point because of its overall power to drive loyalty. This caused their definition of the scope of the claims process to remain limited. (“People make a claim. We assess the damage and pay the claim. We use technology to quickly assess and pay.”) In reality, claims has become a hotbed for opportunity, where a holistic vision of a technologically-advanced process can truly revolutionize everything from damage impact to efficient and effective replacement and restoration. In its depth and breadth, claims is no longer claims at all, but it encompasses everything that flows from prevention to protection to assessment and restoration. Where Technology Intersects with Catastrophe The process opportunities lie in the places where technology can be employed to achieve cost-savings and improve satisfaction. Just considering the possibilities can be overwhelming. Here is a tiny sample of places where technology can be employed to rethink the claims process.

• Global Information System (GIS) data to identify and predict impacted customers.
• Rules-based alert libraries, cross-referenced to policyholder property and contact data
• Drone views of property pre- and post-catastrophic events.
• Redundant and cloud-based operations and communications for reduced business impact
• Artificial Intelligence to predict likely post-catastrophe fraud scenarios.
• Adjuster mobilization, prioritizing and routing.
• Multi-touch communication plan and CRM that weaves human contact and digital contact into a cohesive approach (No claimant left untouched.)
• VR educational simulations to walk claimants through a process they may have never encountered.
• And there are so many more…

The simple exercise of walking through the claims process with an eye toward streamlining and improving service will yield a long-list of fantastic opportunities for claims innovation. Though every insurer will prioritize differently, we’ll highlight some of the most impactful areas, beginning with communications. Where the Digital Thread Begins You have just received a text from your insurer via a chatbot. “Hail is coming to your area. Place your car into the garage.” The insurer is in touch with current weather, knows your address, knows you have a garage and perhaps even knows where your car is currently parked. That would be a “digital win” and the beginnings of a digital thread that could run through many applications in insurance operations. If we can’t keep catastrophes from happening, we can keep our insureds aware of their potential. We can warn, suggest preparations, suggest evacuation, prepare and send an initial first notice of loss (just in case) and mentally prepare people for what is coming and what is next. This is just the beginning of the digital thread that will impact claims service. There are dozens of these digital threads and we’ll be discussing many of them throughout the course of this series. See also: Hurricane Harvey: A Moment of Truth   We should acknowledge at the outset, however, that no insurer can employ and “conquer” every digital opportunity at once, and every insurer will have a unique perspective on how these technologies should be acquired or employed. In some instances, technologies will be rented (e.g. drones), borrowed (AI) or tested (cloud) before diving into full use. In other cases, digital capabilities will be fully-integrated into operations at the outset. In all cases technology will add a valuable layer to protection and service. In our next blog in this series, we’ll be looking at these layers through the lens of Operations. How will our tech decisions move us toward the optimal claims value chain? How do we need to rethink the holistic process – possibly extending beyond where we have traditionally been?  Can these external disruptions positively impact our internal use of disruptive technologies? How will our internal catastrophe preparations not only create an innovative claims process, but also create a consistent claims experience that will foster loyalty and lift us above the competition? I hope you’ll join me in this relevant and rewarding conversation.

The way mediations start is important. A bad start can result in a lot of wasted time getting to the place you should have been at the beginning. The First Move The best way to start is to start. Don’t be afraid to make the first offer to settle. Setting a settlement floor or ceiling tells your negotiating opponent where you are. Silence can falsely communicate that you are in the same ballpark. Even if your offers did not get a response before, making a new offer now re-defines the settlement ballpark. An offer made “in light of new information” (even if that is simply a reconsideration) is not bidding against yourself. See also: ‘Twas the Night Before Mediation   Start Very Big or Very Small Think about how your negotiating opponent will react to your opening. Your initial offer should not be so ridiculous that your opponent will walk out. On the other hand, research tells us that an extreme number can lead to a final result closer to the speaker’s expectation than does a more moderate opener. Pick the Tiny Issue Seldom does a workers' comp settlement turn on only one issue.  Plan to start with the issue where the parties have the smallest evaluation difference and continue on as the challenge size increases. You may have to skip and come back to the thorniest issues regardless of size. Isolating issues and knocking them down one by one is an effective way to reach agreement.

Traditionally, insurers have siloed lines of business. But that presents a challenge for carriers working to meet the unified, user-friendly expectations of today’s consumers. A functional online portal has increasingly become a baseline expectation of carriers across all lines of business. Planning, design and governance are just as important as development for insurers launching customer portals; building out a successful customer portal means taking the following nine elements into account. Develop from the customer’s perspective. Carriers should consider how the products they offer in specific markets can be brought together in a way that is both logical and consistent with customer expectations. When it comes to defining the term “customer,” it makes sense to look at the individual or entity responsible for paying the premiums and then building from there. Other industries, such as retail and banking, have established effective user interfaces, and carriers should take advantage of the professional support conducted and experience gained in these other industries. Portals should be clean and efficient, expose information rationally, and provide clear direction on how to accomplish key tasks. Make omni-channel an inherent part of the design. Carriers should recognize that customer expectations and preferences for communication channels can vary widely. While websites, mobile apps, IVRs, and call centers are all viable, customers may want to utilize different channels, depending on their needs. Consumers should be able to easily change channels while retaining access to consistent, accurate information. Insurers should consider mobile capabilities from the outset so portals address changing consumer expectations and so that responsive design capabilities can be leveraged. See also: Happy Producers, Happy Customers  Design for maximum leverage across the distribution chain. The architecture of comprehensive portal solutions can be leveraged across the insurance value chain to include multiple distribution partners and business models. Reusability should be the primary focus, with a broad set of functionalities that can then be tailored to specific situations, with underlying functionality to support other touchpoints. A sound approach is through user-driven integration, which enacts product integration automatically when possible but allows customers to enable the process manually for products that fail to do so naturally based on business rules. Create a functional road map. Insurers can create a road map for the future by building a list of the various transactions, both financial and non-financial, that a customer portal should support. This composite list allows for an assessment of the relative complexity of these transactions and the business rules that surround them while providing a visual representation of commonalities and differences between participating organizations. In addition to creating a framework for work prioritization at the beginning of portal efforts, road maps can provide a foundation for regular touchpoints and discussions about priorities moving forward. Build a healthy “household.” A logical construct that allows multiple products to be integrated into a unified whole is a foundational component of any effective portal implementation strategy. In order to create this unifying structure, carriers should reconsider how they think about customer relationships. A common best practice is to look at the relationship from the standpoint of the person being insured, regardless of risk, to create a “customer information file” and a form of a “household.” Carriers should create this person-centric view of information, then integrate that information into any further relationships through an appropriate online tool set—which should be part of the portal. Test often and leverage feedback. Insurers should proactively leverage testing and feedback in the deployment process. By paying attention to users, insurers can follow through on their efforts to design from the customer’s point of view. Incorporation of insights should be done in an iterative manner, should engage sales partners who may already have a perspective on customer needs with respect to self-service capabilities, and should potentially utilize “secret shopper” studies. All of these capabilities maximize the potential for tools to be built from a client perspective, rather than an internal one. Implement a cross-function governance structure. Insurance carriers need to face the reality that creating a unified, enterprise-wide set of outward-facing portal capabilities may cause friction between business units. Typical best practices call for a centralized managerial structure to work with all areas, navigate political and organizational challenges, facilitate priority negotiation, and collaborate with a range of different IT organizations. As with any other tactical innovation initiative, the implementation of digital portal capabilities has the best chance of success through executive sponsorship. Build partnerships for implementation. It is important to consider both internal and external partnerships when approaching a portal implementation. Key partnerships include a managerial structure that crosses organizational boundaries along with third parties or suppliers, such as marketing agencies and consulting firms, focused on communications. A customer-view approach to portal design should be paired with an externally minded approach to implementation and deployment. Involving stakeholders to create a test market can support rapid “test-and-learn” capabilities and allow these stakeholders to become advocates for new capabilities, thus accelerating adoption across the organization as a whole. Plan for the long term. With portals at the heart of a company’s digital strategy, which is increasingly becoming its business strategy, it is critical to have both initial capability deployment and the ability to evolve over time. Product portfolios, distribution strategies, distribution partners, and end-point devices are all subject to change. Carriers need to build their architectures and road maps to support evolving standards. Additionally, building analytical capabilities into platforms is key to provide carriers with the insights needed to precisely target messages to their customers. See also: How to Captivate Customers (Part 2)   Customer portal efforts are continuing. The creation of a strong, customer-facing portal is an effort that defies the term “done.” CIOs implementing a customer portal should recognize that these initiatives will require continued funding, even after they are in production. Carriers will need to pay attention to the constantly changing trends and channels to meet evolving customer expectations.

With the insurtech world descending on Las Vegas next week for the InsureTech Connect event, we will, of course, have a big presence there, and we hope to see you. It's possible to do a lot via email, phone, Skype, etc. these days, but nothing beats face-to-face.

Look for us by the entrance, near the registration desk, where we'll be doing video interviews with luminaries. Our Paul Winston is about nine feet tall, so he's easy to spot. 

You can also find us at the Culture of Innovation panel on Oct. 4, moderated by Chief Innovation Officer Guy Fraker, and coordinating insurtech meetings with insurance regulators as part of the pre-conference agenda on Oct. 2.

We'll be available to do demos of our Innovator's Edge platform, which tracks more than 72,000 insurtechs and other companies that might be of interest for the insurance innovation ecosystem (pioneeers in AI, blockchain, medtech, etc.) and provides tools that can match insurance providers quickly and easily with the most appropriate innovators. Either look for us at our video site or email Chief Technology Officer Joe Estes at joe@insurancethoughtleadership.com to arrange a tour of Innovator's Edge during the conference.  

Next week, we'll send you a guide to insurtechs to check out, based on the Six Innovators to Watch notes we've been generating monthly. If you want to get a head start, the full notes are here: August, July, June, May, April and March. 

In the meantime, please check out these six articles from the past week and visit our website to explore the more than 3,100 articles from our more than 950 industry-luminary authors. As always, please pass this along to any colleagues who might benefit from it. 

Cheers,

Paul Carroll,
Editor-in-Chief

So far, we’ve dealt with two statements: We do good! It’ll just take a few seconds! The claim about incredible speed is part of the premise of many in the insurtech space, but it’s also something that we’ve been dealing with for far too long in insurance. Let’s get into this conversation about money. Statement #3: You’ll save so much money! No one insurer site is to blame for this. There are several insurers that market strictly on price. All you have to do is watch for the ads in the apps you use and the games you play on your phone. (Yes, we all know that you’re playing some simple mindless game on your phone. It’s okay. Just watch when you’re doing it, right?) Implication: Insurance is a product that you shop for based on price. There are no differences in company or coverage. It’s all about the bottom-line dollars. How much will it cost you? You have other things that you want to be doing anyway. Response: Stop it. Just stop it. If you’re selling insurance based on the price, do us all a favor and stop. You’re not helping anyone, even yourself. We should be helping people to buy insurance, not selling them insurance. What’s the difference? Good question. Selling insurance is saying, “I can save you 15%.” Helping to buy is about educating about the things that people need to know about their insurance. It sounds more like, “Yes, we can find ways to save you money today, buy let’s first find out how best to protect you and your family, and then we can talk about ways to save money.” See also: Top 10 Insurtech Trends for 2017   Insurance is not just another product. I can go to the grocery store and pick among products, and often price is the decider. I’ll pick the one that’s about a quarter less than another item. When I do that about 20 times, I realize some savings and feel better about my shopping experience. When I’m shopping for insurance (and, yes, I shop for my insurance, too), I’m looking for so much more than the price. I can do the “compare tool” and get a bunch of quotes for my auto, but what do they mean? What does one cover that another doesn’t? When I last shopped my HO-4, I found a great price, but what sold me was the difference in the policy. The policy I bought included flood as a covered peril, did not have a hurricane deductible (amazing, given that I live in Florida), and allowed me to work from home without any issue. To be fair, I didn’t use an agent mostly because I am such a bad customer to deal with for an agent. I start asking questions and take a lot of time, so I didn’t want to put anyone through that. Every time someone sells an insurance product based on the price, he is devaluing the insurance product. We should be helping people to buy. This requires getting to know the customer, finding out what their real risks are, finding some insurance products that meet those needs and then (and only then) talking about the prices. See also: Innovation — or Just Innovative Thinking?   Insurance companies all over the world are quietly doing good things. Yet, some of our startup friends want us to believe that they’re the only ones that do good. Some companies say that it’ll only take a few moments to get a policy from them. But that’s not the whole story. Eventually, they will ask some more questions. Save some money. Buy your lunch based on who makes the best $5 lunch. But don’t let people buy insurance based on how much it’ll cost them today. This article first appeared at www.insurancejournal.com.

We are living in a period of unprecedented technological change. Building resilience to these changes is becoming increasingly imperative. By 2020, it is expected that there will be tens of billions of devices connected to the Internet of Things (IoT). New technology means new risks. What if someone hacks a car? Or a power plant? By the same token, financial losses incurred through data breaches are likely to reach trillions of dollars. There are also opportunities. GE estimates that IoT devices will be generating $11.1 trillion annually by 2025, touching 43% of the global economy. Meanwhile, it is expected that 4.2 billion people will be online by 2020, or 55% of the global population, exchanging and sharing goods and information. Mitigating the risks while embracing the opportunities is key. The internet asks a lot of questions of its users. How should the internet interact with nation states? What opportunities can it offer criminals? How should legislation and regulation apply to the seas of data that constitute the heart of the new digital economy? We are still coming to terms with these issues. Building resilient firms that can provide solutions and adapt to these new challenges will be a major task in the coming years. Siloed risk management and recovery efforts will come to be seen as increasingly out-of-place in such a digitized world. To become more resilient in this age of continued digital disruption increasingly means understanding the full scope of cyber governance responsibilities. This means starting with a top-down approach in managing risk at the board and executive level, identifying and protecting the organization’s most critical assets and understanding the impact to the enterprise should they be compromised. It means complying with international regulations and understanding organizational blind spots. And it means adapting to the latest techniques and trends in security and being prepared to respond should there be a failure in any of these areas. Cyber security cannot be approached piecemeal but should be considered holistically, as a challenge facing the entire organization. In Depth If leaders are to make the most of new technology, then they cannot only think about that technology: They need to take into account the business context in which that technology operates and the impact and risk exposure that it can potentially cause to the organization. There are two key areas to consider: the regulatory environment and organizational culture. Regulatory Issues Today’s globalized, digitally integrated world means that most organizations are to some extent international. Whether it’s a business that serves a global market, or a manufacturer hooked into global supply chains, awareness and adherence to local rules and regulations is crucial. The EU is a good case in point. The EU General Data Protection Regulation (GDPR), due to come into effect in 2018, will require every organization operating in Europe to abide by several regulatory provisions – and this doesn’t just mean companies based in Europe, but also those that offer goods or services to EU markets in a way that involves processing any European-owned data. “GDPR can impose considerable punitive measures on companies that fail to comply with these regulations,” warns Andrea Garcia Beltran, EMEA Cyber Sales Leader, Financial and Professional Services Group at Aon. “Failure to comply could mean fees of up to 4% of annual global revenues, and intensified investigations and auditing in the future.” Crucially, this new legislation will affect “organizations of every size, industry and geography that process data of EU citizens,” says Kevin Kalinich, Global Practice Leader, Cyber Insurance, Aon Risk Solutions. “It applies broadly to personal data, including customer lists, contact details, genetic/biometric data and potentially online identifiers, such as IP addresses. Companies must obtain explicit clear and affirmative consent prior to processing personal data – assumptions based on silence do not comply.” These provisions include the regulation of corporate data protection policies, which means treating data stored on mobile devices with the same precautions as data stored centrally. GDPR also requires the consolidation of data visibility tools and written reporting for data processors, as well as mandating that companies have a data breach notification protocol. However, there are upsides to new regulation. “Compliance will enable firms to update their current process and methodology to assess cyber risks and the related potential business impact,” Kalinich says. “Once compliant, an organization’s total cost of risk could be reduced.” See also: How to Mitigate Cyber Threats The scope and potential severity of the legislation mean that liable companies need to move quickly before the law comes into effect on May 25, 2018, to ensure compliance. In practical terms, this could mean the C-suite assessing their company’s readiness for GDPR, and then putting in place teams that can carry out necessary changes before the regulations come into effect. And the GDPR is just one example, in just one part of the world. Japan’s PIPA, originally implemented in 2003 and due for extension in May 2017, is another. These challenges are global, and regions everywhere will need to come up with appropriate regulatory responses. Understanding legislation like this and building a responsive cyber policy is crucial. Maintaining Cyber Awareness The GDPR determines how an organization will manage, protect and administer data. Such regulations are put in place to protect businesses and also consumers from the damage cyber breaches can cause, Garcia Beltran explains. “And they will be most effective if organizations themselves take cultural steps to acknowledge and take appropriate measures to protect against known and unknown cyber vulnerabilities.” East Asia provides a good example of a region still transforming its attitude toward cyber risks. This can be seen in the gap between the cyber risk faced by leading Asia-Pacific firms and the levels of cyber insurance. Ponemon’s 2015 Asia Pacific cyber impact report found that only 13% of potential losses to intangible assets (i.e., informational and data assets) were covered by insurance in the region, compared with 49% for tangible assets (such as goods or operating technology). “Cyber risk awareness and understanding is still very low, but awareness is growing rapidly over time with incident frequency,” says Sandeep Malik, Asia CEO, Aon Risk Solutions. Numerous studies have shown that the APAC region is the leading source of malicious cyber traffic, and organizations within the region are more likely to be targeted by hackers than in other parts of the world. Despite this growing risk, and with the exception of regulatory initiatives like PIPA, organizations are still working to adapt their strategies to improve their resilience to the threat. In the meantime, the discrepancy between coverage and risk level means that information and system assets are too often exposed without appropriate protection. This problem is compounded by an insurance sector that has historically underserved the Asia-Pacific market in comparison with North America; the reason being that there is much less litigation in AsiaPac, Kalinich says. “While companies in the region are adopting technology at a rapid pace, cyber insurance purchases lag way behind property and general liability insurance even though there are increased cyber exposures, such as business interruption, which could be equal to losses in North America,” he says. Due to this lack of demand, “cyber insurance companies have not flocked to Asia – yet.” The difficulties facing APAC regions are just one example of how approaches to cyber risk need to be understood in terms of organizational culture. Cyber teams would do well to understand any blind spots that might be inadvertently opening vulnerabilities in cyber policy. Not only will this reduce the potential risk, but it should also reduce the cost of cyber insurance. Companies also need to make sure their C-Suite and their cyber teams are speaking the same language – this seems straightforward, but what might seem rudimentary for a cyber specialist may be too technical for a C-level executive. “Experts in this space sometimes tend to use technical language when describing cyber security, which sounds like a foreign language when presented to CEOs and boards. It’s important for information security experts to communicate with executive leadership in terms they can understand and for leaders to become more knowledgeable about cyber security concepts and issues,” says Jim Trainor, Senior Vice President, Aon Risk Solutions and former Assistant Director of the FBI’s Cyber Division in Washington, DC. Making sure an organization can face risks effectively means making sure that the nature and scale of those risks is effectively communicated. Four Steps to Reducing Your Cyber Vulnerability There are a number of strategies that can help organizations ensure smooth operations. Leaders should keep the following cybersecurity tips for leaders in mind as they operate in today’s digital, connected and regulated world.

1. Identify your critical assets. Organizations need to identify their most critical assets and have alignment with the board and executive team down to the individuals who are responsible for protecting them. Organizations must assess what data is critical, where it is stored, how it flows across the organization and who really needs access to it. This could include customer data and intellectual property that could be stolen, or operating and manufacturing technology that could be sabotaged. This can help to serve as the foundation for any organization as they develop, test and validate their security program. Furthermore, organizations must recognize the impact to the business should these critical assets be compromised and be prepared to respond to limit the impact to the organization while restoring normal business operations.
2. Conduct a comprehensive risk assessment. Once alignment on critical assets has been established from the top down, it will be easier to pinpoint vulnerabilities and assess cyber preparedness. Organizations should review cybersecurity deficiencies and vulnerabilities across all key enterprise areas including business practices, information technology, IT users, security governance and the physical security of information assets. Risk could also manifest itself as losses due to business interruption or reputational damage.
3. Take a holistic approach to cyber governance. Mitigating cyber risk is not just an issue for tech teams. The scope of risk means that guarding against attacks should involve key players across all enterprise functions and entities. Educating employees and leaders at all levels on the scale of risk and getting in place provisional crisis plans will help build a truly cyber-resilient organization.
4. Keep your defenses sharp. A secure environment requires continuing validation and can become vulnerable in an instant. Deploy techniques such as pen testing or red teaming exercises to ensure your applications, networks and endpoints aren’t vulnerable.

See also: How to Determine Your Cyber Coverage   Rising to the Challenge Addressing ever-changing cyber threats could be a complex task, not least because of the challenges of ensuring sufficient levels of technical knowledge. “Since most lines of insurance base risk, pricing, limits, retentions and coverage on 10 to 20 years’ worth of actuarial benchmarking and specialized underwriting expertise, there is not a lot of cyber risk management experience,” Kalinich says. “Cyber risk management expertise requires a combination of technology acumen, insurance knowledge, understanding of legal and regulatory concepts, quantitative awareness and critical thinking. Given the growing demand, there are unprecedented opportunities in the global jobs marketplace for many new cyber resiliency champions to ensure organizations protect their balance sheets from cyber exposures.” As with everything, a holistic understanding of the challenges – be they regulatory or organizational – and a holistic application of the right solutions will be essential in building resilient companies that can adequately meet the demands of a rapidly changing cyber landscape.

As technology advances, the insurance business is witnessing an important and unprecedented disruption. Policyholders expect carriers to handle claims faster, better and more efficiently than ever before. Because of this, nearly all (89%) of insurance companies expect to compete on customer experience, versus only 36% four years ago. These changes are spurring unprecedented levels of innovation in the insurtech space. Let’s explore three insurance claims cycle trends that will change the way our industry operates: Trend #1 - Decreasing Claims Volumes Technology is making things safer – from driving automobiles to building houses. In automobiles, collision avoidance systems are projected to reduce auto claims by 8%. Plus, innovations such as rear-view cameras, safer designs and better brakes are reducing claims overall. See also: How to Respond to Industry Disruption   Trend #2 - Catastrophe Support Catastrophes and natural disasters create difficult times both for insurers and policyholders. Hurricanes Irma and Harvey remind us of this somber reality. Recognizing the difficulty that catastrophes create, many insurers have created catastrophe response teams to resolve claims quickly. These teams can now leverage insurtech innovations such as electronic claims filing to deal with catastrophe claims more quickly and help put people’s lives back in order. The use of drone technology in the insurance supply chain has also improved our ability to know what’s true after natural disasters strike. Trend #3 - Increasing Use of Sensors Through the Internet of Things (IoT), smart sensors are becoming more prominent across all insurance channels. Sensors monitor data and inform insurers and policyholders if certain risks are increasing. For example, Progressive’s Snapshot sensor monitors driving behavior. Home sensors can detect risks such as heat, moisture and sound. Consider NoiseAware, which allows short-term rental hosts to monitor decibel levels in their homes to deter large, noisy gatherings that can be distracting to neighbors and also lead to damage. Because sensors can reduce claims, they can also reduce premiums. This is favorable to insurance customers. In fact, according to one source, 78% of insurance customers are open to using sensors if they decrease premiums. See also: Preparing for Future Disruption…   Final Thoughts It is clear that technology is reshaping the insurance supply chain. This poses many challenges, but also offers many opportunities. Reduced claim volumes, improved catastrophe response and increased sensor usage will all change the way carriers underwrite, sell and settle. It’s critical for insurers to monitor and respond to these trends as technology continues to evolve. Stay tuned for part two of our series, where we’ll explore three additional disruptive trends.

Insurers should aspire to give their agents and brokers superpowers. Superpowers? Think of the impact of speech-to-speech language translators that free you from having to learn foreign languages. Of GPS car navigators helping you find your way without knowing your way. Or of 3-D printers that enable consumers to produce their own products. Those kind of superpowers. Insurers can deploy technology to empower agents and brokers much more, leading to an even better experience and performance. For instance, by combining and integrating robo-adviser systems with human agents and brokers, insurers can deliver better conversations and higher customer satisfaction, which result in better advice and higher conversion rates. A hybrid model. The best of both world. Connecting online customers with offline brokers and agents Digitization changed the way people research and purchase products. More and more comparison sites enable customers to check prices and services with just a few clicks. Consequently, agents and brokers need to adapt. Yesterday’s tactics become less and less effective, in particular in view of ever increasing customer expectations. But complex insurance products still need extensive explanation, and trust in the insurer. This is where the human factor comes into play. In Germany, for instance, 59 percent of all insurances are researched online, but purchased offline (ROPO), according to a survey by Google and Zurich in 2016. For high value and complex insurance and finance products like health, mortgage and pension insurances, the ROPO share accounts for more than 75 percent of all sales. Best of both worlds The past decade has taught us that insurers need to manage the feelings side of their relationship with customers much better. But with new technologies primarily being used to digitize processes, insurers are in danger to become even less human. Humans inject emotion, empathy, passion, creativity, they are able to smile and surprise, and can deviate from the procedure if needed, which algorithmic systems are unlikely to do at this stage. They have the ability to be kind, honest, friendly, generous, giving; someone who makes time for me, listens to me, keeps promises, goes the extra mile. These talents are essential parts of successful customer engagement. We believe that insurers should create the best of both worlds. By leveraging the latest technologies insurers can create smarter agents and empowered brokers. See also: Insurtech: How to Keep Insurance Relevant   Agent and broker empowerment In this DIA Summer Read we included six insurtechs that insurers should team up with to revamp this channel. Each of these insurtechs supports the agent or broker in different stages of the primary process: 1. LifeDrip offers state of the art automated marketing tools to agents and brokers. 2. Predictivebid built building an advanced AI platform for online customer acquisition. 3. Finanzen.de created an online marketplace for leads. 4. Virado puts the insurance broker back in the middle with an on-demand offer for millennials. 5. RiskAPP allows agents and brokers to seamlessly collect data for risk analysis. 6. Figlo facilitates the conversation between brokers/agents and customers. These six insurtechs have in common that they all give superpowers to agents and brokers. They give access to capabilities that used to be exclusive to large corporations. With the solutions offered by these insurtechs agents and brokers can move to a next level. Next generation brokers We also notice a new kind of broker emerging that taps into the needs of consumers and insurance carriers alike, leveraging to the max what digital has to offer. We included four of them in this DIA Summer Read: 7. Knip: the personal digital insurance manager. 8. SPIXII: an insurance chatbot designed to speak to consumers just as a person would. 9. Bought By Many: grouping together people with a special similar insurance need. 10. PolicyGenius: reveals the gaps and overlaps in your policies. DIA Munich Expect DIA Munich (15 and 16 November) to pay ample attention to insurtechs that make smart agents and power brokers. Agent and Broker Empowerment 1. LifeDrip: The future of life insurance agent’s sales software The world is going mobile but most insurance brokers and agents still use ‘old’ marketing methods to generate leads. It is time for something new and something smarter. LifeDrip, launched by the Seattle based software company Xeddy, is a turnkey, fully automated mobile marketing system exclusively built for the life insurance agent. It provides monthly, custom branded email newsletters and an exclusive agent website for generating client reviews and feedback. LifeDrip captures the fastest growing form of lead exposure, including Facebook, Google+, Twitter and LinkedIn. It is done automatically and the contacts and the database are continuously synced. Agents don’t even have to think about it. LifeDrip offers a new way to generate leads at a fraction of the cost. The SEO website is registered with Google and built with responsive code so it is viewable on any mobile device. To maximize Social Media marketing exposure all the required content for Social Media Marketing and Email Newsletters is automatically generated and customized specific to the agent’s sales specialties. The Recommendation Engine generates dozens of powerful and real client recommendations. SplashTriggers notifies instantaneously when a prospect is ready to be contacted for the sale and what to sell them. Read more: http://bit.ly/2vniEFD Check demo: http://bit.ly/2irgVOG 2. Predictivebid: the bidding platform of the future for insurance Predictivebid is a Tel-Aviv based tech company, building the most advanced AI platform for online customer acquisition through Search & Social campaigns based on Life Time Value Measurements. They excel in lead generation campaigns, lead quality analysis and lead potential scoring, thereby optimizing the lead process and helping companies lower their acquisition cost by providing higher quality leads with better life-time-value metrics. Predictivebid bridges the gap between online and offline, helping insurers capture consumers online and then directing them to book a meeting with their nearest and most relevant agents. The AI platform connects and tracks potential customers to the right agent nearest to them, based on their location and needs. A costumer can schedule a meeting with an agent, chat with an agent or even send his details so the agent can call him back. Read more: http://bit.ly/2vdced1 Check demo: http://bit.ly/2wmpXC7 3. Finanzen.de: the marketplace for leads Finanzen.de, located in Berlin, Paris, Zurich and Bristol, connects lead generators such as online price comparison sites with lead buyers such as independent financial advisers and insurance companies. More than 800,000 leads are annually traded via its industry leading technology platform, using real time auctions and real time lead delivery. The company also acts as an online broker for P&C insurance products. Thanks to its scalable business model, finanzen.de is ideally positioned to benefit from the digital shift occurring in the European insurance and banking domain and to capture the significant market potential ahead. Founded in 2004, Finanzen.de is one of the oldest and at the same time one of the most successful InsurTech companies. Finanzen.de generates about one million online leads per year for more than 20,000 insurance experts and financial consultants. Finanzen.de informs consumers about insurance and finance topics and offers interested customers free access to the best possible advice. In the search for suitable offers, visitors can perform neutral tariff comparisons. If they find a suitable offer they can close a contract directly online or receive advice from audited and evaluated experts. Read more: http://bit.ly/2nZAR9C Check demo: http://bit.ly/2xrmr6j 4. Virado: One app. 250 niche product insurances for Millennials German tech startup Virado is successfully creating new sources of income for insurance brokers. By offering 250 insurance products, mainly for niche policies on one platform. Targetting German Millennials. For example, insurance for an apartment share, DJ-equipment, or a travel backpack. These kind of products were not available for the insurance broker due to high connection and transaction costs of the insurer. The Virado all in one app for smartphones and tablet is based on Virado technology. The on-demand platform offers insurance brokers structured access to all insurances. Easy. Fast. Free. Virado puts the insurance broker back in the middle. Millennials do not use a traditional insurance broker. They go online to find an insurance solution to fit their lifestyle. The on-demand platform Virado puts the insurance broker back in the middle by giving him the opportunity to not only protect but also to create new sources of income by serving the Millennials with insurance products they need. ‘On the spot’ insurance products will significantly increase the customer’s loyalty and customer lifetime. The tech startup offers also digital business expertise and the app is suitable for the insurance brokers homepage and its own social media channels. Virado is completely free of charge and user-friendly. All the insurance broker needs to do is download the app and register. Read more: http://bit.ly/2w23mbh Check demo: http://bit.ly/2wmAGg5 5. RiskAPP: Risk assessment by agents and brokers RiskAPP is a new Risk Assessment tool created to assist insurers globally. RiskAPP is a unique platform for structured data collection and integrated risk assessment. RiskAPP helps insurers to use captured data from their prospects and clients to sell and underwrite the risks wisely and profitably. The RiskAPP is a complete Risk Assessment tool for the insurer that wants to win his challenges. RiskAPP delivers the most complete risk assessment possible. Through the platform the insurer can offer the most remunerative coverage program giving safety and peace of mind to insurance clients and the insurance carriers. The sales process is now smooth and seamless. When the broker has the first meeting with a prospect, the RiskAPP data collection helps the broker to engage the client. The process follows with the technical inspection where the loss preventionist gathers further technical data that clearly describes the company. RiskAPP, thanks to its proprietary algorithm, processes the data collected and elaborates a detailed report included with automated loss protection recommendations. The insurer now has access to the most complete risk profile of the insured. RiskAPP enables analytics, portfolio management and helps in increasing the efficiency of risk selection. Read more: http://bit.ly/2wDxoon Check demo: http://bit.ly/2vnQtX4 6. Figlo: facilitating the conversation with customers AEGON Turkey uses the Figlo platform to facilitate the conversation between brokers/agents and customers. A tablet app guides the complete conversation and gives a quick and tailored overview of the customer’s financial situation to select suitable products based on the client’s risk profile, to cover possible shortfalls. Uğur Tozşekerli, CEO AEGON Turkey: “Customer interaction and involvement as well as the possibilities for illustration and demonstration of the product benefits dramatically increased. From a customer point of view, using the app leads to better and more understandable advice, focus on the real customer needs and on top of that faster service. Straight through processing results in more efficiency and speed of delivery. Apart from a significant improvement of conversion rates the deal size increased between 10 to 45%, depending on the product category. At the same time the operational costs decreased by 18% due to decrease in rework and paperwork. The ROI was already positive in the first year of deployment.” Quote is from our new book ‘Reinventing Customer Engagement’ Next Generation Brokers 7. Knip: The personal digital insurance manager Knip is a ‘mobile-first’ digital insurance broker with a simple and transparent solution to insurance; bundling all the customers’ insurance products into one app. Even if these products are from different insurers. An easy-to-understand overview shows existing insurance policies, tariffs and services. One click opens an entire insurance policy. So the important information is always at hand. After an automatic analysis, new customers receive individual recommendations based on their existing insurance portfolio. Upon request, the Knip insurance experts offer professional consulting, analyze tariffs and services and detect individual savings and optimization potential. As the consultants receive a fixed salary and no commission whatsoever, they can provide independent and honest insurance advice. The app is designed to automatically detect individual’s insurance gaps and recommend essential insurance. Knip allows users to change their tariffs, close new insurance contracts and cancel old policies with a simple click. Read more: http://bit.ly/2wxi65i Check demo: http://bit.ly/2vXA7YK See also: What Incumbents Can Teach Insurtechs   8. SPIXII: Making insurance simple, accessible and personal for everyone London based startup SPIXII is on a mission to make insurance simple, accessible and personal. It starts by redesigning the way people buy insurance. SPIXII, named after a family of Brazilian parrots that spell out the co-founder’s names, has almost entirely done away with the human component of selling insurance. It is an automated insurance agent, a chatbot accessible via messaging platforms or via a native mobile app. Its app creates a WhatsApp-like chat on a smartphone where a robot will ask simple questions and figure out what the user needs. Built on principles of neuro-economics and the integration of user data with contextual data from multiple sources, SPIXII is an insurance chatbot designed to speak to consumers just as a person would. Read more: http://bit.ly/2xrFfT9 Check demo: http://bit.ly/2sxsubF 9. Bought By Many: grouping together people with a special similar insurance need Bought By Many uses a combination of search engine optimization and social media to group together people who have similar insurance needs --such as diabetic travelers, pug owners or homeowners in flood risks areas. They present that group’s requirement to the insurance industry and negotiate on behalf of the group to bring them a better deal than they can get on their own. A better deal might be better pricing, it might be more tailored benefits, or it might be both. Once they bring the offer back to the group, individuals buy directly from the insurer on the better terms that Bought By Many negotiated for them. Creating a win-win for everyone. Insurers only write the risks that they want and members of Bought By Many get a better deal. The company finds niche groups by looking at Google search data to see which niches have high volumes of search queries. There is also a data entry box on its website letting people submit their own policy ideas. They then validate those segments through social media and engaging with niche blogs, Facebook groups and other stakeholders. The site makes it easy for users to use social media and invite friends to join via Facebook, Linkedin, Twitter and the like. Having established the market, the company works out the group's specific requirements and then approaches the insurance companies to negotiate a deal on a policy. Bought By Many suggests to insurers to split the usual broker fee in three parts: one third for the Bought By Many members to get a better benefit, one third for Bought By Many and one third for the insurance company, because Bought By Many want you to want to do this business. Read more: http://bit.ly/2wmz8CB Check DIA keynote CEO Steven Mendel: http://bit.ly/2v4hvrz 10. PolicyGenius: revealing the gaps and overlaps in policies PolicyGenius for instance addresses the uncertainty of consumers with regard to gaps and overlaps in the various policies they have purchased over time. PolicyGenius offers a highly tailored insurance check-up platform, where consumers can discover their coverage gaps and review solutions for their exact needs. PolicyGenius’ online store includes solutions from life and long-term disability to pet insurance. Quoting engines offer side-by-side comparisons of tailored policies. PolicyGenius is backed by AXA Strategic Ventures and AEGON’s Transamerica Ventures. What would happen if AXA and AEGON would open up the PolicyGenius platform to all its brokers and agents in all countries she has a presence? Read more in our new book ‘Reinventing Customer Engagement’.