The Key to Survival in Wild West of Cyber

Cyber-related losses totaled $400 billion in 2015, but gross written premiums for cyber insurance only totaled $2 billion.

Today, the question is not will my organization experience a cyber attack, but when, and how. In our digital and connected business world, companies seeking cost efficiency, speed and better customer experience are rapidly connecting more processes, infrastructure and information to the internet. At the same time, the complexity and frequency of cyber attacks continue to rise. You only need to look at the list of recent high-profile attacks to see that companies across industries, from Wall Street banks to healthcare to entertainment, and government entities are being assailed.

This brave new cyber world exposes organizations to a different category of risks and associated liability issues, including the need to cover themselves for loss or exposure of commercially valuable intellectual property or consumer data; misappropriation of trade secrets; privacy violations; losses via third-parties; costs associated with breach notification, forensics, credit monitoring, outside incident response providers, technical remediation, PCI assessments; business interruption costs and system failure; legal proceedings and defending against regulatory actions – to name a few.

On top of this, while companies suffering under the weight of a breach understandably feel like victims, it is not always seen that way by the authorities, the marketplace or the media. While dealing with the fallout of an incident, companies often face the additional challenge of defending their actions, protecting their brands and getting claims settled and paid. In this context, long before an event occurs, proper cyber risk mitigation is a best practice for all organizations.

Just like in the Wild West, organizations dealing with cyber risk are operating in a fast, continuously shifting threat landscape, governed by its own set of evolving laws and rules. Even knowing the bandits are out there, organizations continue to be caught off guard by new criminal tactics and attack vectors.

Hackers continue to hone their techniques, whether that means obtaining access through the Internet of Things, masterminding more sophisticated social engineering methods or attacking information sources and manipulating data. What is more, the delay between a cyber criminal penetrating a network and being discovered can be considerable: it might take a hacker only eight days to attack a network, but it typically takes six or more months to detect the incident. Financial firms take an average of 98 days to detect a data breach, and retailers can take as much as 197 days, according to the Ponemon Institute and IBM Cost of Data Breach Study. That’s a wealth of time for attackers to inflict significant damage, and it doesn’t look good to regulators, customers and other stakeholders.

Against this backdrop, cyber insurance is an essential component of a company’s risk management strategy. Even while companies tend to view the likelihood of a loss as higher for information assets than for property, plant and equipment (PP&E) assets, they are more adept at protecting physical assets, with approximately 51% of PP&E assets covered by insurance to only 12% of information assets covered on average, according to the Ponemon Institute’s 2015 Global Cyber Impact Report. One reason for this is that insureds and cyber insurance providers alike struggle with accurately assessing and quantifying cyber risk; despite paying significant premiums, companies remain under-insured. According to the CEO of Lloyd’s of London, cyber-related losses for businesses worldwide were valued at $400 billion in 2015, yet ABI Research estimated that global gross written premiums for cyber insurance that year only totaled around $2 billion. The lack of data on which to quantify cyber risk means insurers feel they are often writing policies on the back of incomplete information.

Unlike in other risk areas such as flood insurance – where historical data means that companies can quantify risk almost to the dollar – developing a strategy to assess and insure against cyber risk is altogether different. And for the insured, selecting a policy is taxing: all policies are not available to all companies, all policies are not equal, and, on top of this, companies are required to demonstrate the existence of sound cyber risk management policies and programs to be eligible for a policy and to claim benefits.

These challenges posed by the burgeoning cyber insurance market, and the fact that companies cannot expect to transfer all their cyber risk, mean that they must take a broader, more holistic approach to assessing and reducing exposure. It is easy for organizations to lose perspective on how best to manage cyber risk, particularly as it affects multiple stakeholders in an organization, from the CISO to the risk manager, the board, IT, the C-suite and even HR. Everyone will have their own ideas about which programs should be mandated and which technology is the latest “holy grail” in cybersecurity. However, this siloed approach is not effective. Cyber attackers are simply too well-motivated, -resourced and diverse.

But it’s not time to throw in the towel. Knowing they will be attacked does not leave companies powerless; in fact, this certainty can empower a far better approach to cyber security. The key to managing risk – and avoiding chaos and significant loss in the wake of an attack – is achieving cyber resilience. Adopting a cyber resilient mindset serves the interests of all stakeholders trying to defend an organization and provides assurance to insurers that companies are prepared in the event of an attack.

So, what does it mean to be cyber resilient? Resilience is the ability to withstand or recover quickly from difficult, often unanticipated conditions.

In the world of cyber, resilience strategies enable companies to rapidly detect, respond to and recover from cyber attacks. The goal is to detect incidents before they become serious, respond to them vigorously and recover from them effectively. You will be attacked, but if you are resilient you are less likely to have to wear a scarlet letter when the incident occurs.

Achieving resilience

The most urgent question companies must answer is: What are the critical assets that we are trying to protect? Some organizations will find it easy to agree on a list of assets, such as customer data or Social Security numbers. Others, perhaps more complex organizations, might find it hard to come to agreement. Alignment on defining critical assets is essential and, above all, economically prudent. Cybersecurity talent is scarce and budget is finite, so prioritizing assets helps allocate money where it matters most.

Knowing what needs protection, and where it is, enables organizations to focus controls on that area, directs threat detection activity and tells first responders where to look when an attack is suspected. This has the potential to shorten the gap between attack and detection, minimizing the risk of having a predator in the network for seven, eight or more months. Identifying critical assets is also a necessary first step in choosing and benefiting from cyber insurance products. It’s true you don’t need a $100 safe to protect a $1 bill, but you do need an adequate policy to protect everything that you safeguard. Of course, while focusing on protecting critical assets is essential, companies should continue to defend the full organization, maintaining a strong overall security posture.

Once critical assets are clearly defined, cyber threats and vulnerabilities can be assessed and prioritized from three distinct perspectives: the threat to mission-critical technology, the balance sheet and corporate reputation.

With vulnerabilities determined, companies can sharpen defenses and deploy programs to uncover, test and remediate them. Tactics regularly used range from sophisticated penetration testing and social engineering techniques to employing ethical hackers or red teams.

In the world of resilience, however, the work does not stop at identifying vulnerabilities and shoring up defenses. Resilient organizations are ready for the "during" and "after" phases of an attack, as well as the "before." They enhance monitoring activities, develop response plans and study and practice threat detection and response processes so that they can quickly bounce back and resume normal business operations.

When news of an attack occurs, it is not scheduled on the day’s calendar of events. It comes as a hit. Companies will typically learn of a breach in one of three ways: the company identifies the breach itself, finding a malicious actor has been in the network for weeks, or even months; a company receives a call from law enforcement, often with limited information, as part of a larger compromise that has occurred; or, the worst scenario, a third party breaks the news, for example a customer, business partner or the media. Cyber-resilient organizations can adapt to any of these scenarios, take control and respond with confidence.

To be prepared, companies need response plans to manage this "during" phase of an attack. Importantly, these plans need to come alive – which means that they are continually enhanced, practiced and ingrained into the workplace culture. This response preparation and practice equates to confidence, and the degree of practice will be clear in the wake of an attack. Some organizations call this conducting table-top exercises, or simulated cyber attack exercises. This preparation involves all key stakeholders, both internally and externally, and with a well-oiled plan, when a breach call comes, each player follows the blueprint.

Public relations is not relegated to a "no comment" statement; financial teams are geared up to manage insurance; lawyers are deployed; and law enforcement is called – among other actions. Ideally, companies have already contracted with a cyber insurance carrier and cyber resilience firm, and have cultivated personal relationships with primary (and even secondary) representatives. Companies should also take steps to have incident response and forensic investigators, as well as outside counsel, on retainer, even if they have additional internal expertise to handle these aspects of an investigation.

During a breach, companies need to move quickly. Entering contract negotiations and procurement processes mid-crisis will not only waste precious time but also leave companies on the back foot in price negotiations with providers. When considering who to retain, it is key to look at the firm’s experience: the number of cases a firm has been engaged on; the diversity of skillsets; the technical tools used; the references of the subject matter experts; and vertical experience. Be careful if selecting a firm that requires its own technology be used on the investigation, as this can limit the scope of its capabilities and potentially lead to conflicting motivations. Also be aware that asserting privilege over the information shared with any firm is a slippery slope, especially through in-house counsel: the strongest way to assert privilege in an investigation is through outside counsel.

Recovering from a cyber attack

Now that the attack is contained, it’s time to recover. Enter stage right, cyber insurance. The cost of a breach can be significant, not only in intangible ways but in concrete costs, particularly if companies face risk and liability via a regulatory or legal investigation. For example, the Federal Trade Commission (FTC) can launch lawsuits against organizations if it suspects them of failing to properly safeguard customer information.

Such cases have the potential to span several years and can result in companies' drowning in millions of pages of documents in response to requests and questioning, often involving executives at the very highest level. The cost of related investigations can reach millions of dollars in legal and vendor fees, not to mention the associated damage to brand and reputation. To protect from such costs, it is critical that companies quantify the intangible damages that will occur in the event of a breach and enhance board-level understanding of the financial value of these risks to deploy capital to strengthen resilience and purchase insurance policies.

When looking to transfer risk, companies must seek industry-leading terms and conditions with global carriers, often across multiple lines of business. Unlike policy options for physical assets, which are relatively standardized, the insurance industry is still ascertaining what cyber coverage looks like and, while more sophisticated teams are being assembled to effectively assess risk, evaluate preparedness and write policies, the policies still vary greatly. At its base, companies want a policy that covers “first party” types of losses, including forensics, notification costs, credit monitoring and breach coach fees. Companies will also want products to cover the third-party traditional liability costs, in case they are found liable for the incident and must pay a judgment or enter into a settlement. Insurance can also cover costs to defend against any regulatory action.

Once a policy is purchased, a resilient organization has processes in place to ensure that potential losses are properly tracked in the event of a breach, which will help maximize coverage and cost recuperation. A strong personal relationship with the carrier representative is invaluable at this juncture, as is the ability to quickly and fully disclose the depth of cyber preparedness planning.
This will confirm that the organization has an advocate for claim submission and approval.

In terms of the risk of a public lawsuit and legal proceeding, negligence is by far the most common reason an organization is found to be liable for cyber wrongdoing. Fortunately, class action lawsuits are not common. Bryan Cave, in its Data Breach Litigation Report, reported that in 2016 about 5% of all breach cases filed led to class action litigation, a number that has remained consistent over the past four years. One case recently decided in favor of the plaintiffs was Tampa General Hospital, where it was argued that a series of insider breaches put plaintiffs at risk for identity theft, and was the result of the hospital's inadequately safeguarding patient data. Tampa General, in an October 2016 preliminary settlement approval, agreed to pay plaintiffs $10,000 plus as much as $7,500 toward attorney and litigation costs. Larger data breach class action settlements have reached the tens of millions, for example, in which claimants are eligible for cash payment if credit or debit card data or personal information was stolen as a result of the breach. Although it is still rare to see these allegations result in settlements, this pendulum could swing. When it swings, a sound cyber insurance product will bring protection in the form of covering part, or all, of the defense costs and resulting settlement payments.

Cybersecurity is firmly entrenched as one of the most consequential issues affecting organizations across industries – no one is immune. However, acceptance that an attack is likely can be the impetus for companies to work toward becoming resilient. By putting in place better policies, people, response processes and technology, companies can position themselves in a place of power when a breach does occur.
Resilient companies also put themselves in better positions when negotiating cyber security insurance rates, when claiming damages following an attack and when facing regulators, lawsuits and, importantly, embittered and disappointed consumers. Ultimately, adopting a cyber-resilient mindset serves the interests of all stakeholders and allows companies to focus on doing what they do best – running their businesses.

Jackie Waters

Jacqueline Waters is the managing director and co-practice leader for Aon Risk Solutions’ Financial Services Group Legal and Claims Practice. Her expertise lies in management liability and cyber risks, including D&O, EPL, fiduciary and certain E&O coverages.


Rocco Grillo

Rocco Grillo is Stroz Friedberg’s cyber resilience leader and a member of the firm’s executive management team. His cyber resilience team has successfully triaged some of the largest data breaches recorded in the last decade.

Getting Hitched Without the Hitch

Wedding insurance can combine a number of different coverages and can range from only $95 to $500.

When things go wrong with a wedding, they can go really wrong:

Valentine’s Day is the traditional end to what is known in the wedding blogosphere as “engagement season.” These engagements tend to last just over a year, averaging 14.5 months, according to theknot.com. Those 14.5 months are a whirlwind of activity during which couples are setting their date, working on guest lists and putting down deposits to ensure that everything goes smoothly on the big day.

But what if there is trouble in paradise – and someone calls off the wedding? Or weather prevents the parents of the groom from making it to the ceremony? Or the venue closes? Or the photographer gets lost? Or the caterer doesn’t show up? Or a drunk uncle damages property at the reception hall? What happens then?

The average wedding in the U.S. costs $35,329 (ranging from $12,769 in Mississippi to $88,176 in Manhattan). Pulling off a typical wedding involves a lot of variables – which all introduce the possibility of financial loss. There are multitudes of vendors: venue, caterer, baker, musician, florist, officiant, bridal salon, hair stylist, make-up artist and photographers to name a few, all of which will likely require a deposit. On the day itself, inclement weather could keep important guests from arriving or could even postpone the wedding. Finally, as with most social events that typically serve alcohol, guest behavior can cause unpredictable property damage.

For such an important life event, at such a high price point, it’s worth protecting your investment. Many insurance companies have wedding liability products to help. Wedding insurance can combine a number of different coverages and can range from only $95 to $500 depending on the types and level of coverage provided. Wedding insurance is easy to purchase online (or over the phone). For example, Travelers offers a Wedding Protector Plan and has a quiz to help gauge the riskiness of your wedding.
Other insurers, such as WedSafe and Wedsure, also make it easy to find a quote and buy wedding insurance online.

The most commonly selected wedding coverage is liability coverage. This is typically purchased in situations where the selected venue requires the couple to cover property damage and bodily injury. In addition, certain venues may require the purchase of liquor liability coverage to protect against any alcohol-related incidents.

In the event of a necessary cancellation or postponement, financial losses can be mitigated by cancellation/postponement coverages. Massive amounts of rain and snow can cancel flights, close roads and even damage or close venues. A severe illness or injury could befall the couple or a parent, grandparent, child or officiant. Sudden military deployments can also cause wedding cancellations. All of these are “necessary” cancellations/postponements, and insurance exists to protect against any financial losses they may cause.

Some wedding insurance products will also protect against problems with the venue or other vendors going out of business, or vendors arriving late – or not arriving at all. Typically, the policy would reimburse the deposits, and, if alternate vendors can be arranged, the unexpected expenses incurred by the couple to avoid a full cancellation or postponement may also be covered. Wedding insurance purchasers should be sure to check if a prospective policy will cover a subsequently canceled or postponed honeymoon, as well.

Additional wedding insurance provisions may include coverages for wedding attire, gifts and photography/videography. Attire coverage will pay to replace (or repair) any loss or damage occurring before the wedding or to reimburse a reasonable market value for any damage occurring after the wedding. This would cover, for example, airlines losing luggage with the wedding attire or the bridal salon going out of business before the wedding dress was delivered.
Gift coverage will reimburse the couple for loss or damage to wedding gifts before, during and after the wedding while at home, at the wedding or in transit. This would cover any physical damage to gifts while on display at the wedding or a theft of non-monetary gifts.

With respect to photography coverage, loss events can range from the contracted photographer not showing up, cameras being stolen (along with the film/digital memory card) or defective film/memory card use. This coverage excludes photographs not meeting expectations but does cover the costs of reconvening your wedding party for “do over” photographs or even a retaking of the official video at a restaging with the principal participants – including new flowers and a new wedding cake.

Not only can the cancellation or postponement of such an important event be monetarily taxing, but it can also be emotionally taxing. Some wedding insurance will even cover professional counseling (if recommended by a physician) for as long as a year.

All insurance policies have exclusions, and wedding insurance is no different. Engagement rings aren’t covered, but wedding bands are. Other common exclusions include anything asbestos- or lead-related, any abuse/molestation/harassment/sexual conduct (alcohol-fueled or not), fireworks, war, nuclear, neglect or any intentional loss. And, no, for the most part, wedding insurance will not cover cancellations due to a “change of heart” on the part of the bride or groom; cold feet do not count as a trigger for this insurance.

One insurer, Wedsure, will reimburse any “innocent party financiers, other than the bride or groom, if the wedding is canceled due to a Change of Heart by the bride or groom, 365 days or more from the date of the first covered event” [emphasis added]. However, because the average engagement length is only 2.5 months longer than this, it’s unlikely that there are many qualifying losses under this coverage.

Planning the perfect wedding can be stressful and expensive. The typical wedding costs more than the average mid-size car, and just as many things can go wrong with it. Purchasing wedding insurance can help relieve the additional stress of worrying about what happens when something goes wrong. It won’t do anything, though, about those cold feet.

Elizabeth Bart

Elizabeth Bart is an actuary in the Chicago office of Milliman. Prior to joining Milliman in 2007, Bart had four years of experience with a large international insurance company. Her area of expertise is property and casualty insurance, including loss reserving and ratemaking.

Healthcare: Asking the Wrong Question

We argue about who pays: the government, your employer, you? The answer redistributes the pain--but doesn't reduce it.

Imagine this: Healthcare — the whole system — for half as much. Better, more effective. No rationing. Everybody in.

Because we all want that. And because we can. This can be done. Let me tell you how.

I’m an industry insider, covering the industry for 37 years now, publishing millions of words in industry publications, speaking at hundreds of industry conferences, writing books, advising everyone from the U.N.’s World Health Organization, the Defense Department and the Centers for Disease Control and Prevention to governments around the world to, probably, your local hospital, your doctor, your health plan.

The economic fundamentals of healthcare in the U.S. are unique, amazingly complex, multi-layered and opaque. It takes a lot of work and time to understand them, work and time that few of the experts opining about healthcare on television have done. Once you do understand them, it takes serious independence, a big ornery streak, and maybe a bit of a career death wish to speak publicly about how the industry that pays your speaking and consulting fees should, can, and must strive to make half as much money. Well, I turn 67 this year, and I’m cranky as hell, so let’s go.

The Wrong Question

We are back again in the cage fight over healthcare in Congress. But in all these fights we are only arguing over one question: Who pays? The government, your employer, you? A different answer to that question will distribute the pain differently, but it won’t cut the pain in half.

There are other questions to ask whose answers could get us there, such as:

  • Who do we pay?
  • How do we pay them?
  • For what, exactly, are we paying?

Because the way we are paying now ineluctably drives us toward paying too much, for not enough and for things we don’t even need.

A few facts, the old-fashioned non-alternative kind:

  • Cost: Healthcare in the U.S., the whole system, costs us something like $3.4 trillion per year. Yes, that’s “trillion” with a “T.” If U.S. healthcare were a country on its own, it would be the fifth-largest economy in the world.
  • Waste: About a third of that is wasted on tests and procedures and devices that we really don’t need, that don’t help, that even hurt us. That’s the conservative estimate in a number of expert analyses, and based on the opinions of doctors about their own specialties. Some analyses say more: Some say half. Even that conservative estimate (one third) is a big wow: more than $1.2 trillion per year, something like twice the entire U.S. military budget, thrown away on waste.
  • Prices: The prices are nuts. It’s not just pharmaceuticals. Across the board, from devices to procedures, hospital room charges to implants to diagnostic tests, the prices actually paid in the U.S. are three, five, 10 times what they are in other medically advanced countries like France, Germany and the U.K.
  • Value: Unlike any other business, prices in healthcare bear no relation to value. If you pay $50,000 for a car, chances are very good that you’ll get a nicer car than if you pay $15,000. If you pay $2,200 or $4,500 for an MRI, there is pretty much no chance that you will get a better MRI than if you paid $730 or $420. (Yes, these are real prices, all from the same local market.)
  • Variation: Unlike any other business, prices in healthcare bear no relation to the producer’s cost. None. How can you tell? I mean, besides the $600 price tag on a 69-cent bottle of sterile water with a teaspoon of salt that’s labeled “saline therapeutics” on the medical bill? (Yes, those are real prices, too.) You can tell because of the insane variation. The price for your pill, procedure or test may well be three, five, even 12 times the price paid in some other city across the country, in some other institution across town, even for the person across the hall. Try that in any other business. Better yet, call me: I have a 10-year-old Ford F-150 to sell you for $75,000.
  • Inefficiency: We do healthcare in the most inefficient way possible, waiting until people show up in the Emergency Department with their diabetes, heart problem, or emphysema completely out of control, where treatment will cost 10 times as much as it would if we had gotten to them first to help them avoid a serious health crisis. (And no, that’s not part of the 1/3 that is waste. That’s on top of it.)

So who’s the chump here? We’re paying ridiculous prices for things we don’t necessarily need delivered in the most inefficient way possible.

Why?

Why do they do that to us? Because we pay them to.

Wait, this is important. This is the crux of the problem. From doctors to hospitals to labs to device manufacturers to anybody else we want to blame, they don’t overprice things and sell us things we don’t need because they are greedy, evil people. They do it because we tell them to, in the clearest language possible: money. Every inefficiency, every unneeded test, every extra bottle of saline, means more money in the door. And they can decide what’s on the list of what’s needed, as long as it can be argued that it matches the diagnostic code.

That’s called “fee-for-service” medicine: We pay a fee for every service, every drug, every test. There’s a code for everything. There are no standard prices or even price ranges. It’s all negotiated constantly and repeatedly across the system with health plans, employers, even with Medicare and Medicaid.

We pay them to do it, and the payment system demands it. Imagine a hospital system that bent every effort to providing health and healthcare in the least expensive, most effective way possible, that charged you $1 for that 69-cent bottle of saline water, that eliminated all unnecessary tests and unhelpful procedures, that put personnel and cash into helping you prevent or manage your diabetes instead of waiting until you show up feet-first in diabetic shock. If it did all this without regard to how it is paid it would soon close its doors, belly up, bankrupt. For-profit or not-for-profit makes little difference to this fact.

If we want them to act differently, we have to pay them differently.

Paying for Healthcare Differently

But wait, isn’t that the only way we can pay? Because, you know, medicine is complicated, every body is different, every disease is unique.

Actually, no. There is no one other ideal way to pay for all of healthcare, but there are lots of other ways to pay. We can pay for outcomes, we can pay for bundles of services, we can pay for subscriptions for all primary care or all diabetes care or special attention for multiple chronic conditions, on and on; the list of alternative ways to pay for healthcare is long and rich.

There are now surgery centers that put their prices up on the wall, just like McDonald's — and they can prove their quality. There are hospital systems that will give you a warranty on your surgery: We will get it right, or fixing the problem is free.

Look: You get in an accident and take your crumpled fender to the body shop. Every fender crumples differently, maybe the frame is involved, maybe the chrome strip has to be replaced, all that. So there is no standard “crumpled fender” price. But it is not the first crumpled fender the body shop has ever seen. It’s probably the 10,000th. They are very good at knowing just how to fix it and how much it will cost them to do the work. Do you pay for each can of Bondo, each disk of sandpaper, each minute in the paint booth? No. They write you up an estimate for the whole thing, from diagnosis to rehab. Come back next Thursday, and it will be good as new. That’s a bundled outcome. It’s the body shop’s way of doing business, its business model.

There are new business models arising now in healthcare (such as reference prices, medical tourism, centers of excellence, “Blue Choice” and other health plan options) that force hospitals and surgical centers to compete on price and quality for specific bundles, like a new hip or a re-plumbed heart.

Healthcare is a vast market with lots of different kinds of customers in different financial situations, different life stages, different genders, different needs, different resources, yet we have somehow decided that in pretty nearly all of that vast market there should be only one business model: diagnostic-code-driven fee for service. Change that, and the whole equation changes. It’s called business model innovation. If we find ways to pay for what we want and need, not for whatever they pile onto the bill, they will find ways to bring us what we want and need at prices that make sense. That’s called changing the incentives.

Already Happening

Is this pie in the sky? No, it’s already happening, but in ways that are slow and mostly invisible to anyone but policy wonks, analysts and futurists like me. The industry recognizes it. Everyone in the healthcare industry will recognize the phrase “volume to value,” because it is the motto of the movement that has been building slowly for a decade. It’s shorthand for, “We need to stop making our money based on volume — how many items on the list we can charge for across how many cases — and instead make our money on how much real value, how much real health, we can deliver.”

Self-funded employers, unions, pension plans and tribes are edging into programs that pay for healthcare differently with reference prices, bundled prices, onsite clinics, medical tourism, direct pay primary care, instant digital docs, team care, special care for those who need it most, all kinds of things. The Affordable Care Act set up an Innovation Center in the Centers for Medicare and Medicaid Services, and the government has been incrementally pushing the whole system more and more into “value” programs.

Are We There Yet?

So why hasn’t it happened yet? Why aren’t we there yet?

Because it’s hard, it’s different and it hurts. And there is a tipping point, a tipping point that we have not gotten to yet.

It is very hard to loosen your grip on a business model as long as that business model pays the bills. We built this city on fee for service, these gleaming towers, these sprawling complexes, these mind-bending levels of skill and incomprehensible technologies. To shift to a different business model requires that everybody in the healthcare sector change the way they do everything, from clinical pathways to revenue streams to organizational models to physical plants to capital formation, everything all the way down. And it’s all uncharted territory, something the people who run these systems have not yet done and have little experience in. It’s guaranteed to be the end of the line for some institutions, many careers, many companies.

So far, the government “volume-to-value” or “value-based-payment” programs are incremental, baby steps. They typically add bonus payments to the basic system if you do the right thing or cut payments a few percentage points if you don’t. My colleague health futurist Ian Morrison calls these programs “fee for service with tricks.” They do not fundamentally change the business model.

Private payers such as employers have only gradually been getting more demanding, unsure of their power and status as drivers of change in this huge and traditionally staid industry. Systems such as Kaiser that have a value-based business model (so that they actually do better financially if they can keep you well) still have to compete in a system where the baseline cost of everything they need, from doctor’s salaries to catheters, is set in the bloated fee-for-service market. So movement is slow, and we are not yet at the tipping point.

Back to Who Pays

This is not a libertarian argument that everyone should just pay for their own healthcare out of their own pocket and let the “free market” decide. The risks are far too high, and we are terrible at estimating that risk, financial or medical. All of us are; even your doctor is; even I am. A cancer can cost millions. Heck, a bad stomach infection that puts you in the hospital for 10 days could easily cost you $600,000. Bill Gates or Warren Buffett can afford that; you and I can’t.

We need insurance to spread that risk not only across individuals but across age groups, across economic levels and between those who are currently healthy and those who are sick. For it to work at all, the insurance has to be spread across everyone, even those who think they don’t need it or can’t afford it. You drive a car, you have to have car insurance, even if you are a really safe driver. You buy a house, you must have fire insurance, even though the average house never burns down. You own and operate a human body, same thing, even though at any average time you hardly need medicine at all.

If we are to have insurance for everyone, we need to subsidize it for those who have low incomes — and this has nothing to do with whether they “deserve” help, or even with whether healthcare is a right. It’s about spreading the cost of a universal human risk as universally across the humans as possible. At the same time, such subsidies need to be given in a way that helps people feel that they are spending their own money, that they have a stake in spending it wisely. This is not simple to do, but it can be done.

This is also not necessarily an argument for a single-payer system. Single payer, by itself, will not solve the problem. It doesn’t change the incentives at all. It just changes who’s writing the check. What the system needs most is fierce customers, people and entities who are making choices based on using their own money (or what feels like it) to pay for what they really need. This forces competition among healthcare providers that drives the prices down. That means the system needs variety, a lot of different ways of paying for a lot of different customers. If we can figure out how to do that in a single-payer system, well then we’re talking.

Obviously the ultimate customer in healthcare is the individual, because medicine is about treating bodies, and we have exactly one to a customer. But the risk is too high at the individual level, and the leverage is too low.

So employers, pension plans and specialized not-for-profit mutual health plans whose interests really line up with the interests of their employees or members can act as proxies. They can force providers of healthcare (hospital systems, medical groups, labs, clinics) to compete for their business on price and quality. They can refuse to pay for things that the peer-reviewed medical literature shows are unnecessary. They can pay for improvements in your health rather than just fixing your health disasters. They can help their members and employees become fierce customers of healthcare with information and with carefully titrated incentives.

Here’s one example of an incentive: A payer says to its members, “You need a new knee? Great, fine. Here are all the high-quality places you can get that done in your area. You can choose any that you like. But here’s a list of high-quality places in your area that do it for what we call a “reference price” or even less. Choose one of those places, and we will pay for everything from diagnosis to rehab. You can choose a place with a higher price if you like, but you’ll have to pay the difference yourself.” With reference prices, the employee or member partners with the payer in becoming a fierce, demanding customer, and prices for anything treated this way come crashing down.

Both payers and individuals, by being fierce customers, can force the healthcare providers in turn to become fierce customers of their suppliers, forcing pharmaceutical wholesalers and device manufacturers to bid on getting their business. “This knee implant you are asking us to pay $21,000 for? We see you are selling it in Belgium for $7,000. So we’ll pay $7,000, or we’ll go elsewhere.” The “price signals” generated by fierce customers reverberate through the entire system.

What’s the look and feel?

“Healthcare for half” sounds to most people like a Greyhound bus station with stethoscopes, like flea market surgeries and drive-through birthing centers. Paradoxically, though, a lean, transparent system catering to fierce customers of all types would feel quite the opposite, offering more care, even what might feel like lavish care, but earlier in the illness or more conveniently. It might mean a clinic right next door to your workplace offering private care on a walk-in basis, no co-pay, even your pharmaceuticals taken care of — or you could choose to go elsewhere to another doctor that you like more, but you have to schedule it and pay a copay for the visit. Why will providers make healthcare so convenient and personal? Because if they are paid to be responsible for your health it’s worth the extra effort and investment to catch a disease process early, before it gets expensive.

It might mean, when your doctor says you need an MRI on that injury, getting on your smart phone to conduct an instant spot auction that allows high-quality local imaging centers to bid for the business if they can do it in the next three hours. It might mean, if you are in frail health or have multiple chronic diseases, being constantly monitored by your nurse case manager through wearables and visited when necessary or once a week to help keep you on an even keel. It might mean your health system not being so quick to recommend a new knee, and offering instead to try intensive physical therapy, mild exercise and painkillers to see if that can solve the problem first (Pro tip: It often does).

Changing the fundamental business model of most of healthcare will be difficult and painful for the industry. But if we look to other countries and say, “Why do their systems cost so much less than ours? Why can’t we have what we want and need at a price we all can afford?” — this is the answer.

Change the way we pay for healthcare, not just who pays, and we can rebuild the system to be at the same time better and far cheaper.


Joe Flower

Joe Flower is an internationally known healthcare futurist and speaker who helps governments, healthcare organizations and purchasers get or build better care.

Congress Reins in OSHA on Records

A record-keeping rule on workers' injuries is on the path of disapproval, much to the relief of employers across the country.

As part of efforts by Congress to overturn various regulations published during the waning days of the Obama administration, the House of Representatives on March 1 passed HJR 83 on a largely party-line vote. The resolution, unlike what we have come to expect in congressional work product, is a model of conciseness: “That Congress disapproves the rule submitted by the Department of Labor relating to ‘Clarification of Employer’s Continuing Obligation to Make and Maintain an Accurate Record of Each Recordable Injury and Illness’ (published at 81 Fed. Reg. 91792 (December 19, 2016)), and such rule shall have no force or effect.”

The rule, announced by the Occupational Safety and Health Administration (OSHA), created a continuing obligation to maintain accurate injury and illness records for five years (OSHA 300 Log). The rule also required the accurate filing of Form 301 incident reports throughout the five-year, retention-and-access period if employers do not prepare the report when first required to do so.

HJR 83 is a technical way to say that the Dec. 19, 2016 rule will be nullified if the Senate concurs and President Trump signs the legislation. In case there was any doubt, on Feb. 28 the office of the president issued a statement saying, “If this bill were presented to the president in its current form, his advisers would recommend that he sign it into law.”

When the Senate received HJR 83 on March 2, it immediately introduced SJR 27 to accomplish the same purpose and with identical language.

Critics of the regulation felt that it was a last-hour effort to undo the decision of a panel of the U.S. Court of Appeals for the District of Columbia Circuit in AKM LLC (dba Volks Constructors) v. Sec’y of Labor, 675 F.3d 752 (D.C. Cir. 2012). In that case, per OSHA’s interpretation, the five-year retention requirement for these injury and illness logs created five years of potential liability for inaccurate record keeping. In other words, there was a continuing duty to maintain the accuracy of the logs.

In Volks, however, the court unanimously disagreed with the Department of Labor and decided that there was no such continuing duty. The court held that no citation may be issued after the expiration of six months following the occurrence of any violation, following the general limitation on citations contained in the U.S. Code under the Occupational Safety and Health Act.

OSHA did not challenge the Volks decision. Instead, OSHA pointed to the concurring opinion of Circuit Judge Merrick Garland, who agreed that OSHA’s interpretation was wrong, but because of a lack of regulatory authority and not necessarily a lack of statutory authority. That distinction was enough for the Department of Labor to adopt the challenged regulations, and Garland’s opinion was quoted extensively in the Federal Register by OSHA in support of its actions. Congress, it appears, will be the ultimate arbiter of that issue.

The creation of a continuing duty arguably makes it easier to prove that record keeping violations were willful. That increases the exposure to penalties. While OSHA's comments in the Federal Register when the regulation was published downplayed the additional obligations of employers in complying with the law, employers and associations expressed concerns about how the “continuing violations” would be managed by employers and enforced by OSHA. These comments suggest that the compliance costs are real and material. The National Federation of Independent Businesses (NFIB) says the regulation will cost the economy $1.9 billion over five years. OSHA disagreed with that assessment. (Federal Register, Vol. 81, No. 243, p. 91806).

It is important to remember that if Congress doesn’t act and the president does not sign the resolution, the regulation will be in effect.

The bigger picture of how to deal with a wide range of regulations from the Department of Labor, including OSHA, is a much larger topic. There are certainly controversial regulations that must be reviewed by the new nominee for Secretary of Labor, Alex Acosta, once he is confirmed. For the moment, however, this record-keeping rule is on the path of disapproval, much to the relief of employers across the country.

Mark Webb

Mark Webb is owner of Proposition 23 Advisors, a consulting firm specializing in workers’ compensation best practices and governance, risk and compliance (GRC) programs for businesses.

What to Learn From Uber’s Recent Troubles

We need to focus on building a world in which we worry more about sharing prosperity than about fighting over what little we have.

The criticism of Uber continues to pile up. Last week, the car service was found to use secret software to evade government regulators, and a video showed its chief executive in a verbal altercation with one of the company’s drivers. Previously, the company’s self-driving cars raised safety concerns in San Francisco when, because of faulty and incomplete technology, they reportedly barreled through red lights and crossed over bike lanes. Uber has recently been accused of sexual harassment, intellectual property theft and other questionable behavior.

Uber isn’t alone. Silicon Valley is gaining a reputation for being obsessed with making money at any cost, i.e. Theranos, which made false claims and risked lives. The tech industry is becoming too much like the finance industry, which a decade ago caused the Great Recession with its greed.

The irony is that both industries compete for top engineering talent from our colleges. And each corrupts these students in a different way. Finance uses their knowledge to engineer our financial system, while tech focuses it on making money rather than on lifting up humanity.

My greatest fear after joining Duke’s engineering school in 2004 was that my students would end up joining investment banks or management consultancies or, when they joined the tech industry, would act as Uber and Theranos executives have. We teach our students core technologies but do not give them the vision to better the world.

That is why we need people with good values and ethics leading the way. We need innovators who care about enriching humanity rather than just themselves. We need people who give back to the world and make it a better place. There are positive examples, of course, with successful executives like Bill Gates devoting large portions of their wealth to public health and other notable causes. These are the values we need to instill in our engineering students — before they absorb the corruption of our investment banks and big business.

This year, Carnegie Mellon’s engineering dean, James Garrett, presented me with the opportunity to teach students how they might use technology to solve humanity’s grand challenges and build billion-dollar businesses by helping 1 billion people. I jumped at the chance. I wanted to try an experiment: teaching students the potential of technology to solve big problems like clean water, energy, education, disease and hunger. The idea is not to build silly apps, as Silicon Valley does, but to design real solutions to global problems.

A decade ago, it would have seemed wishful thinking to say that students could effect change on such a scale. It was only governments and big research labs that could solve grand challenges — and they required big grants and budgets. But that is no longer the case. The cost of building world-changing innovations has fallen so low that motivated graduates can do it. These young dreamers can build technologies that solve these problems. Unconstrained by the idea of what is impossible, they can help take us into a world in which we worry more about sharing prosperity than about fighting over what little we have.

Witness the threshold we have already crossed with Moore’s law. Our smartphones are many times faster than the supercomputers of yesteryear and, by 2023, will exceed the human brain in both processing and storing information. We are seeing exponential advances in technologies such as sensors, artificial intelligence, robotics and genomics. And their convergence is making amazing things possible.

Cheap sensors and networks, for example, are enabling the development of a web of connected devices, called the Internet of Things. Besides increasing the energy efficiency of our homes and tracking our bodily functions, this web of sensors enables the automation of manufacturing, the creation of smart grids and cities, and a revolution in agriculture. The combination of sensors, artificial intelligence and computers enables robots to do the work of humans: to assemble electronics, drive cars and look after the elderly. And digital tutors can take students into virtual-reality worlds and teach them engineering, mathematics, language and world history.

The same technologies are enabling entrepreneurs to transform healthcare. We can use artificial intelligence to help us learn how the environment, including the food we eat and the medicines we take, affects the complex interplay between our genes and our organisms. The human genome has been mapped digitally, and artificial intelligence may even enable us to engineer cures for certain diseases.

But these technologies all have a dark side and can be used in destructive ways. As easily as we can edit genes, we can create killer viruses, alter the human germ line and inadvertently destroy ecosystems dependent upon an insect we casually exterminate. As easily as nursing the elderly, robots can become killing machines.

Our future can be either a “Star Trek” utopia or a “Mad Max” wreck; it all depends on the choices we make and how we educate our students. I have no idea whether my attempts at Carnegie Mellon will succeed in equipping these young engineers with the values to pursue something more worthwhile than personal gain at global expense, but it is certainly worth a try. Our students are our future, and that motivates me to enable them to fulfill grand visions. We need to launch similar experiments in schools across the U.S. and the world.


Vivek Wadhwa

Vivek Wadhwa is a fellow at Arthur and Toni Rembe Rock Center for Corporate Governance, Stanford University; director of research at the Center for Entrepreneurship and Research Commercialization at the Pratt School of Engineering, Duke University; and distinguished fellow at Singularity University.

Women in Business: the Network Paradox

We assume that, if it’s the male network that creates an advantage, we should include women in that network on an equal basis. Wrong answer.

Women know we thrive when we are together. All the way back to ancient times — in the red tent or carrying water from the river — women have relied on each other for support, encouragement and help with basic survival. Nonetheless, women today report feeling isolated at work and have trouble breaking into the professional networks and sponsors critical to their career advancement.

Recent data collected in a comprehensive study tracking various trends related to women in global corporate leadership revealed women are three times more likely to rely on networks made up of mostly women. Because men hold more senior positions than women do, women only associating with women limit their access to leaders who can open doors to advancement in their careers. Paradoxically, women choose to rely on other women and thrive when they rely on other women, but the very reliance on other women limits their career opportunities. For ease of conversation, I’ll label this the “network paradox,” and I’ll describe it as a problem.

The accepted solution to the network paradox is to integrate women into the well-established, centuries-old male network. Men have built a robust and extensive professional network, and most successful male executives have figured out how to tap into it. Research shows men have more interaction with senior managers, have more access to challenging and career-advancing assignments, are consulted more often for input on major decisions and receive informal feedback significantly more often than women.

Understandably, people view this disparity as unfair, and, consequently, workplaces are devoted to creating a gender-neutral environment. In addition to training programs, HR departments manufacture mentoring relationships between men and women, create specific and detailed hiring and review processes that are viewed as gender-neutral and set goals for senior executives focused on accountability and results. The underlying assumption is that if it’s the male network that creates an advantage, we should include women in that network on an equal basis.

At the risk of sounding too negative, that approach is never going to work. In response to the realization that women thrive together and are significantly more likely to network with other women, we have decided the solution is to put women with men and hold people accountable for ignoring the fact that they are women. Put more positively, we want to create an integrated network that benefits men and women, and we have set about adding women to the existing framework.

I propose that, instead, we should first build a network of women. The prevailing solution ignores the essence of the paradox: Women strongly prefer to network with other women. Despite overwhelming evidence that the male-dominated network is more effective at creating career paths to leadership, women are three times more likely to network with other women. Let’s respect that and put it to good use.

Women in corporate leadership are isolated from each other. Companies have, at most, a few women in senior leadership. But across all companies, there are many women leaders who should be brought together. Circling back to my opening remark, women throughout history have thrived when they spend time together.

A network of women will function in the same way the male network functions today. Women with deep and enduring relationships will support each other, make introductions for each other, mentor each other, provide informal feedback, steer career-making opportunities to each other and fundamentally generate power and influence for the group. As a first step, building this network does not require creating artificial relationships; data shows women naturally gravitate toward each other for this purpose. What is required is a commitment by senior executives to the goal — and a focus on accountability and results.

The insurance and technology industries, both of which have a dearth of women in leadership, are the perfect industries to lead the world through this paradox to the future. In insurance and financial services, 57% of the entering workforce is female and only 21% of top executives are. In technology, the entering workforce is 36% female and only 19% of top executives are. More pressingly, as the demand for tech workers increases every year, the number of women entering the field decreases, creating a deficit of qualified workers to fill available jobs.

Redirecting resources from the futile exercise of manufacturing and monitoring artificial gender-neutral access to the existing male-dominated network to the creation of a network of women will organically equalize what men and women are experiencing at work.

Are You Innovating in the Dark?

Beware of those commoditized insights and research reports that may distract you from doing genuine innovation.

The insurance industry is ripe for disruption, drawing a flood of investment and spurring all sorts of smart conversations. But many insurance companies today are either confused or are just shooting in the dark hunting that “big thing” (unknown) in the name of innovation.

The good news is that the fear of disruption has pushed the innovation agenda for many companies. But there are only a handful of players in the industry who are taking innovation seriously. For such companies, innovation is never accidental, seasonal or impulsive. Rather, it is an integral part of the company's culture of organization and is a continuous process.

Are you a victim of “innovation phobia?”

Innovation makes many players in the industry nervous, forcing them to act fast to do something innovative or deliver superior values to clients in difficult times, spurring a reactive innovation race in the market. The sad part is that such “knee jerk” reactions last for short lifespans and do not deliver any value to an organization. Typically, such momentum often dies within 12 to 18 months because of reasons such as change of organization priority, leadership change, shortage of funds, skill shortage, poor support within an organization, company politics and resistance of companies to change.

Companies burn millions of dollars each year in the name of reactive innovation. Is it time for organizations to assess if they are the victim of the innovation phobia? Are there better ways to use their funds? The answers are yes.

Build meaningful offerings, not just elegant facilities and prototypes

In the last 12 months, innovation activities have ignited insurance industry collaboration with startups and insurtech. Other innovation players are picking this up, which is a good thing and a positive sign for the industry. Keywords such as “incubator,” “accelerator,” “innovation labs,” “garages” and “design thinking” are gradually becoming the jargon of the insurance industry.

Many companies have built (or are building) large, elegant facilities for innovating, assembling teams, creating fancy prototypes and leveraging newer technologies. Few companies are funding startups and few have started separate venture capital funds to capitalize future opportunities. Things are really changing — and fast. Still, the big questions remain:
  • Are these real attempts toward innovation?
  • Are these meager reactions triggered because of innovation phobia?
  • Are these attempts to create a market illusion that your company is innovating?
None of the above aspects can guarantee success. The hard reality is that such efforts are not sufficient for innovation. Innovation is not about building fancy facilities or shiny prototypes that anyone can mimic easily. It is not about the number of experiments or proof of concepts you are developing. It is also not about the number of hackathons you sponsor or the total partnerships you have with startups or insurtech firms. It is about creating something meaningful for customers that is distinctive in the market and gives you a long-term competitive advantage. And it is about understanding your future customer's needs, market insights and evolving industry trends in a timely manner (ahead of your competitors) and about building something meaningful that customers will value the most. Addressing the “missing” elements of innovation in your organization Innovation is not an easy thing and cannot happen as a matter of reactive actions. Unless organizations build a culture for innovation; make it a continuous process; invest in people and capabilities; and commit themselves for long-term innovation, any efforts toward achieving innovation are going to be shortsighted. Failures are an inevitable part of innovation, so building a culture that encourages failures and motivates teams to think big, imagine the future, gather insights, validate assumptions and deliver value with greater agility are important part of innovation. It is time for companies to be honest and discover the missing elements of innovation in their organization. Innovation is about building a foundation for the future of the company; it is about creating a futuristic business, talent, expertise and the people of tomorrow. Many of today's innovation efforts are merely trying to keep pace with the emerging technologies — such technologies are threatening the existing business models of insurance companies. 
If you look closely, you would agree that such scenarios have existed for many decades in the industry. It is impossible to keep the same business pace when technological changes are maturing and evolving at a faster pace. There is a need to look for some missing element in your organization, which, when paired with emerging powerful technologies, can bring the real innovation out. Invest in market intelligence and competitors' moves Successful innovation demands long-term organizational commitment, unique market insights, customer validation-feedback, talent, organizational agility and correct assessment of timings of market readiness for any new value proposition. If you look closely at the history of some of the most successful innovation companies (such as Google, Apple, GE, P&G, PepsiCo and Toyota), you would notice that such high-performance companies have assessed the market, customer behavior and competitors' moves very cautiously and constantly and have made appropriate investments in the journey for innovation. These companies have built an innovation culture over years. Unfortunately, today, companies do not have the patience to gather the right intelligence on the market and the insights on customers' behavior. And many companies just want to take advantage of becoming the first movers without doing the proper homework about market readiness, competitors, customer needs and the industry preparedness. Beware of those fancy insights that everyone knows Many companies’ innovation agendas get biased and influenced by a few survey results from the top consulting and analyst firms; few companies are also using future market size projections from the global research companies as a part of justification for the company's innovation efforts. By and large, the entire insurance industry is referring to the same set of intelligence and insights. 
If that is the case, there is little possibility that meaningful offerings would emerge that can disrupt the industry as a whole. If you are going to create another new-style offering (similar to that of others or that can be mimicked easily), by leveraging the similar market insights and similar technologies, your innovation efforts are likely to deliver poor results. Beware of those commoditized insights and research reports that may distract you from doing genuine innovation.

You must invest in assessing market intelligence and customer intelligence continuously. Your futuristic offerings are likely to be as differentiated as those of the unique market and customer insights you gather. Align your innovation efforts accordingly, leveraging the best proven technologies and the expertise of your people and partners.

Going back to basics

Industry players must assess if they are addressing innovation requirements holistically. How accurately a company infers future market movement, customer behavior and demands — and creates offerings in a timely manner ahead of its competition — plays a critical role in the success of innovation. If you think this type of innovation sounds more like gambling or shooting a gun up in the air, you are advised to spend your money on some other initiatives that can improve your business performance faster. Now is the time to invest in your people and build capabilities (underwriting, risk management, sales and distribution, claims, etc). It is the time to build core foundations and address the missing elements of innovations within your organization.

Conclusion

Innovations are critical for a company of any size. Insurers must commit themselves to innovating and must build an innovation-centric culture in their organization. Insurers must honestly assess if they are a victim of innovation phobia and must address the missing elements and innovation gaps in their organization.
The distinctiveness of market insights, customer preferences, competitors' moves and industry readiness plays an important role in the potential success of the innovation. Innovation is never accidental but, rather, is a continuous process that requires the best talent, best capabilities and agility. The role of technology and the startup community cannot be ignored in innovation. Insurers must stop innovating in the dark and instead start fixing the broken elements that are hindering the company's growth.

Girish Joshi


Girish Joshi is an insurance industry visionary and a business leader. Over the past 18 years, he has been advising insurance clients in North America, Europe and Asia Pacific across business strategy, consulting, business and IT transformations, technology adoption and related areas.

Can Trump Make ‘the Cyber’ Secure?

The new administration is making bad decisions based on a basic incomprehension of what is at stake and of what needs to happen next.

I have to admit that when now-President Donald Trump uttered the phrase “The Cyber” during the first presidential debate, I was right there with the tech community in the eye-rolling that followed. “The Cyber” memes were born, along with real concern about the then-candidate’s grasp on cybersecurity, and, with the announcement of former New York City Mayor Rudy Giuliani as the cyber czar, those concerns multiplied. The seeming “misunderestimation” — or possibly anti-comprehension — regarding something so crucial to national security may not on the surface seem like a consumer issue, but it is. Our nation’s approach to cybersecurity at this juncture — beset by hostile state-sponsored attacks on our electoral process; expertise and secret information grabs from major industries and the federal government; and ransomware attacks — is a matter of the utmost urgency, and the now-president has said as much, to his credit. But Trump’s response can’t be just a marketing move or a branding opportunity — things he gets. There must not be merely the appearance of change, with commissions talking and debating endlessly but with little to show for it. There must be actual boots-on-the-ground solutions — now. Unfortunately, I don’t think that’s what will happen.

Consumer protection at risk

The Consumer Financial Protection Bureau specifically comes to mind if Trump does as many are predicting he will do and makes it yet another piece of President Obama’s dismantled legacy. The CFPB was an important accomplishment of the Dodd-Frank Wall Street Reform and the Consumer Protection Act of 2010. The agency is charged with protecting consumers from the predatory financial practices that brought about the economic meltdown of 2007-08 and watching out for signs of future trouble. The CFPB has the power to ban financial products deemed “deceptive, unfair or abusive” and to impose penalties on companies that take advantage of consumers.
Barring a judicial miracle, current CFPB Director Richard Cordray is almost certainly going to receive one of Trump’s signature “you’re fired” communiqués. Worse, an anti-CFPB former Texas representative, Randy Neugebauer, appears to be the leading candidate to get the job.

Among other things, Neugebauer thinks that payday lenders are too roughly treated by the CFPB and that all business contracts should contain mandatory arbitration clauses (barring class action suits). He also thinks the CFPB should be headed not by a single director, but by a commission of people from both sides of the aisle. Those of us who support the CFPB believe that this would diminish the agency’s ability to go after dangerous practices that harm consumers in a timely and effective way. The Trump transition team did not respond to a request for comment regarding its plans for the CFPB or Cordray.

This is about appointing the right people

It was reported that the cybersecurity czar role in the Trump administration will fall to the president’s close associate and campaign stalwart: Giuliani. There is a connection here between what appears to be afoot at the CFPB and the next administration’s approach to cybersecurity. Both represent bad decisions based on a basic incomprehension of what is at stake and of what needs to happen next. The CFPB works -- specifically, the single-director approach. Instead of hiring an opponent of the agency to presumably dismantle it, we should be using it as a model to create a single-director federal agency that emulates the CFPB to oversee cybersecurity. As it stands, Giuliani will be bringing together experts working on cybersecurity solutions and business leaders who are targeted by hackers from the energy, financial and transportation sectors.
The next step that is missing here is a government agency that can fine entities that do not meet the threshold for cybersecurity best practices — mandated employee education, maintaining technology and tools, hiring experts — that the agency would determine and set as a standard. In a recent interview, Giuliani said of Trump, “He’s going to elevate this to a very large priority for the government — and I think, by doing this, he’s trying to elevate this as a priority for the private sector.”

Depending on private sector

As the Christian Science Monitor’s Passcode noted, quoting the former NYC mayor, the idea here is pretty simple: Trump will go straight to the public to “educate people on how important (cybersecurity) is, even to the point of their own personal protection.” That is a fantastic idea that everyone should applaud. Whether the user is in the Pentagon or logging onto a free Wi-Fi network, our cybersecurity too often comes down to an individual clicking or not clicking on a malware-laden link or falling prey to some other security pratfall. That said, any agency dedicated to cybersecurity would need to work closely with the military and intelligence communities and would also have to focus its resources on real solutions to the dangers we face, many of them extinction-level threats. The person running it would have to be at the cutting edge of cybersecurity best practices.

When the news came down of Giuliani’s cyber czar role, experts almost immediately hit Twitter with reasons why this was a bad idea. (Trump’s team also didn’t respond to requests for comment regarding this choice. Giuliani was not readily available for comment, either.)
As it happens, the cybersecurity community took a look at the website of Giuliani’s cybersecurity company, giulianisecurity.com. They found serious problems, including expired SSL, no https and an exposed CMS login — just to name a few. You don’t need to know what these things are, but the cyber czar sure does. There can be no “oops” in his or her record.

Full disclosure: CyberScout sponsors ThirdCertainty. This story originated as an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners. This article originally appeared on ThirdCertainty.

Adam Levin


Adam K. Levin is a consumer advocate and a nationally recognized expert on security, privacy, identity theft, fraud, and personal finance. A former director of the New Jersey Division of Consumer Affairs, Levin is chairman and founder of IDT911 (Identity Theft 911) and chairman and co-founder of Credit.com .

How to Create an Emotional Connection

We know when we are being sold to, and we recognize the passion of brands that are trying to do things for the greater good.

As insurers, we are no strangers to running into price sensitivity, then copying the competition and buying business. When we still fail, we blame the economy. But the truth is that the complexity of our products, the lack of differentiation in our services and the distance we’ve kept from our consumers are what result in price sensitivity. This, in turn, results in our need to buy business by encouraging intermediaries and discounting premiums — which then results in copying each other for validation of our assumptions, even when we take calculated risks because we care about our commitment to the market and our responsibility to consumers. What a vicious circle we’ve created for ourselves. Being a student of this industry, my observation is that we are running out of ways to get ourselves out of this mess. Trying new ideas means having to deal with channel conflict and spending time and energy appeasing intermediaries to ensure our promise to pay. So I decided we should create niches and build new experiences for these niches that will challenge established norms with very little disruption to business as usual. Having pets all my life before moving to Singapore as an expat, I found it strange that the number of pets in Singapore was on the rise but that there was no insurance for pets (other than the meager endorsement to home and contents policies for third-party liability mandated by the Agri-Food & Veterinary Authority of Singapore (AVA) for dog licenses). The fact is that some insurers tried writing pet insurance many years ago but made losses and took the product off their shelves. Singapore is a financial capital, mind you, that commands the presence of all the major global insurers and banks.

I was determined to make a difference and continued to persuade the head of personal insurance (a passionate leader who has earned my respect and appreciation) to consider pet insurance.
Our propensity to act created momentum for others and engaged talent at all levels — soon, we had every pet lover and pet owner in the organization offering to help and test ideas. Thus, PetCare, Singapore’s first comprehensive pet insurance coverage, was born. This caught the attention of the media and pet forums; suddenly everyone was talking about us. We started with insurance for dogs, taking every aspect of their life into account. We had to minimize our exposure to begin with and had to learn from our experience in the market. But, soon enough, cat owners wanted the same treatment. So we included cats and increased our benefit offering in a year’s time. Two years into the market, we became the experts and had other insurers copying us in a rapid frenzy and fear of missing out. The time had come to brand and market PetCare at scale. I wanted to create the Apple of insurance and the Uber of service. Then, I came across this video. Check it out… MasterFoods asked Aussie families one simple question: “If you could have dinner with anyone, living or dead, who would you choose?” What they uncovered surprised everyone. We humans know when we are being sold to, and we recognize the passion and care of brands that are trying to do things for the greater good. At PetCare, we now had a business that was close to our hearts and those of our consumers, and we were on a journey to build a strong emotional connection with them through compelling experiences. In our efforts, we have not only created a business but found a much more powerful way to connect — one that differentiates us from the competition and makes us market leaders in our own right.

Shahzadi Jehangir


Shahzadi Jehangir is an innovation leader and expert in building trust and value in the digital age, creating scalable new businesses generating millions of dollars in revenue each year, with more than $10 million last year alone.

How to Outfox Our Brains About Risk

To overcome our natural biases, the usual approach to risk management must be reversed.

Ostriches are often characterized as hapless birds that bury their heads in the sand whenever danger approaches. In fact, they are highly astute escape artists. They use their great speed to overcome their inability to fly. Much in the same way that ostriches are limited in their defensive actions because they cannot fly, we need to recognize that, when making decisions, our biases are part of our cognitive DNA. In the same way that the ostrich has adapted to risk by taking into consideration its physical limitations, we humans, when thinking about risk, need to develop policies that take into consideration our inherent cognitive limitations. We need to learn to be more, not less, like ostriches — hence the paradox — if we are to be better prepared for disasters. We read about disasters all the time and often see post-disaster coverage about what people should have done in the situation: They should have put up their storm shutters, they should have evacuated, they should have purchased earthquake insurance — and so on. But people tend to disregard these warnings because of six major decision-making biases. People have a hard time foreseeing future consequences (myopia); are too quick to forget losses from the past (amnesia); are inclined to think losses will occur to others rather than themselves (optimism); are too inclined to prefer inaction over action when faced with risks and maintain the status quo (inertia); fail to base decisions on all of the information that is made available about a risk (simplification); and are overly prone to imitate the behaviors of others who exhibit the same biases (herding).

Their relative importance varies from situation to situation, but if there is one that is most fundamental, it is excessive optimism.
We have a hard time fully anticipating the physical and emotional toll that disasters can impart, and we are too prone to believe that disasters happen to other people in other places in other times. A second bias that can create serious problems is myopia. There is a tendency for individuals to focus on short time horizons, so they do not undertake protective measures that have long-term benefits, such as not investing in loss reduction measures because of their high upfront costs. Most modern approaches to risk management start by analyzing the objective likelihood and consequences of risks faced by individuals or communities and then design measures that could mitigate these risks — and hope that people will choose to implement them. For example, people in areas prone to earthquakes might be provided with checklists for how to prepare for such events and urged to buy earthquake insurance. But because people often do not adopt these measures, effective risk management has to proceed in the reverse order, starting with an understanding of why people may not choose to adopt risk-reduction measures and then design approaches that work with, rather than against, our natural biases. A behavioral risk audit can — and should — be used as a source of guidance, not just for communities, but also for individuals and households. It should foster a discussion between family members as to the biases that we are most prone to have and suggest measures for overcoming them that the household agrees can be implemented. When unsure how best to prepare for a disaster, we often choose the option that requires the least active mental effort — such as accepting the basic deductible in an insurance policy when one is unsure what is best or deciding to stay at home when uncertain whether to evacuate. Unfortunately, in many cases, accepting these “defaults” can have tragic consequences, such as staying when evacuation is essential. 
This propensity to look for easy ways out in decision-making, however, can sometimes be flipped on its head by making safety something one needs to actively opt out of rather than opt into. As an example, one might overcome the hesitancy of people in flood-prone areas to buy flood insurance by providing it automatically with the payment of property taxes each year and allowing people who would actively prefer not to have it to apply for a refund of the premium.

The greatest challenge we face is how to embrace cultures of protective action in the long run as a society. The behavioral risk audit offers a tool that can help individuals overcome the psychological biases that often impede preparedness, such as failing to see the future benefits of protective investments and believing that disasters are things that happen to others. Many of the truly long-run risks we face, however — such as those posed by climate change — are even more difficult to deal with as they require collective rather than just individual action. Achieving effective collective action requires us not only to address individual biases but embrace a series of guiding principles of societal-level safety, such as demanding that safety and long-run preparedness be a top priority in government planning and insisting that social equity be a consideration in the formation of policies.

Howard Kunreuther


Howard C. Kunreuther is professor of decision sciences and business and public policy at the Wharton School, and co-director of the Wharton Risk Management and Decision Processes Center.