The world is at an inflection point, with emerging technologies poised to change every aspect of our lives and businesses. Exactly how each industry will be transformed and how insurance will be affected is difficult to predict. However, a number of key trends are gaining prominence, and the implications for insurance are so significant that they bear close watching. SMA’s recently released research report, 2017 Emerging Tech Landscape: Implications for Insurance, identifies those key trends and discusses the developments in eight emerging technologies that have big repercussions for insurance. Two trends, in particular, warrant special consideration:

Objects are moving from smart to intelligent.

The initial phases of “smart” saw many objects becoming smart and connected, such that their activity and the environment around them could be monitored and measured. Now, more things of the IoT are leveraging artificial intelligence to make recommendations and even to make decisions and take actions autonomously. This is true of vehicles, homes/buildings, wearables and many other areas.

Convergence: Insurance in 2017  

Convergence drives value.

The combination, or convergence, of multiple technologies, both new and old, is now underway in a quest to create new value for customers. Technologies such as the IoT, AI, mobile and cloud are being integrated in new ways to provide solutions to the problems of individuals and businesses.

Many emerging technologies are advancing so rapidly that keeping track of them all is a full-time job. The sheer number of companies, products and solutions based on emerging tech that are materializing every day is staggering.

These advancements and announcements will affect insurance in one of three primary ways. Some will enable operational efficiencies and processes, such as artificial intelligence, drones and blockchain. Others will offer new options for rethinking the customer’s experience. Wearables, the IoT and new payment technologies are examples of tech with important implications for customers.

The third manner in which emerging tech will alter insurance will be to change the very nature of risk. Many of these new technologies have great potential to reduce risks of all types for all lines of business. Alternatively, new risks are being introduced, some of which are visible and predictable, while others will be unexpected. Autonomous vehicles come to mind as an area with tremendous promise to reduce accidents. Robotics and wearables can also help remove individuals from unsafe environments or allow for rapid reaction when disaster strikes.

See also: The Great AI Race in Insurance Innovation

The insurance industry is not sitting idly by and watching these changes unfold. Insurers are investing, partnering, piloting, reorganizing and launching initiatives at a pace that is unprecedented in the industry. For example, 41% of insurers say they are actively pursuing partnerships outside the traditional industry boundaries. Innovation initiatives are widespread and have almost become table stakes. The industry is at the front edge of a major transformation, and emerging technologies are a big factor in driving and shaping the change that is underway.

Research documenting the benefits of lifelong learning for individuals and organizations is overwhelming. An EvoLLLution report spelled out these benefits in a survey of employers:

• 96% said continuing education has a positive impact on job performance.
• 78% said it factors into promotion and advancement on the job.
• 87% said it affects compensation and salary.

You may need to ask your manager for investment in your professional development, but there is a good chance the conversation won’t be uncomfortable. Plenty of organizations place a high value on lifelong learning and have programs in place to support employees who want to grow their knowledge base— especially within our industry. As you craft a pitch to pursue an insurance designation or another form of professional development, here’s our four-step guide to help you get started: Step 1 – See what your company offers At organizations that understand the value of continuing education, you may actually find yourself a step behind if you don’t take advantage of professional development opportunities. Check with human resources for a specific process for pursuing education before you approach your boss. You may find that HR has a learning and development program you hadn’t known about. See also: How to Develop an Innovation Perspective   Don’t forget about continuing education credits. Too often these credit hours are an afterthought that are more about checking a box before an imminent deadline than real professional growth—but they don’t have to be. There are lots of ways to make the time spent earning those credits worthwhile. If you’re required to complete continuing education, make part of your pitch explaining why the professional development you’re interested in will help to grow your skillset, being sure to mention that it will also count toward fulfilling your CE credit requirements. Step 2 – Start small It’s unreasonable to expect your organization to pay for an MBA after just a week on the job. Start pursuing professional development by asking for something that won’t require big changes or a significant financial commitment from your organization. Request approval to subscribe to a trade publication, to sign up for a webinar or to attend a local conference. Professional development is a career-long process. As such, you should incorporate education into discussions with your supervisor as you’re discussing career goals, aligning education goals with your career objectives. For example, if you want to gain a strong foundation in general insurance concepts, talk about AINS as a way to build that knowledge base. Step 3 – Prepare your pitch Once you’ve successfully received buy-in for a few smaller investments in continuing education, you can plan a discussion for more significant professional development. Your conversation should be professional and compelling. A couple of tips:

• Rehearse—Structure your pitch to be as convincing as possible and practice it until you’re able to present your case with confidence and passion.
• Ask for approval with confidence—You know this professional development will benefit you and the organization. Work off the assumption that your boss agrees.
• Choose the right time—In some organizations, a performance review is the right time to bring up professional development, but that’s not always the case. Choosing the right time and circumstances may increase your chances of gaining approval for the request.

Step 4 – Spell out the benefits Professional development should go both ways—it should benefit the professional and the organization. Explain how a selected professional development opportunity will improve your skills and improve the organization. Try to do this as specifically as possible: Instead of saying, “AINS will broaden my general insurance knowledge,” consider, instead, “AINS will allow me to be more knowledgeable on coverage options and how we differ from our competitors when I talk to customers.” See also: Getting Back in Step With People’s Needs   Here’s one particularly effective way to increase the benefits your organization will see from your professional development: offer to share your new knowledge with co-workers. Host a few lunches summarizing this knowledge or simply pass along articles, white papers or other materials. You won’t be able to share all of your knowledge, but your efforts will show your boss that you’re committed to maximizing the value your organization will get from your newfound know-how. What tips have you used to get your boss to buy into your passion for lifelong learning? Tell us below!

I need an innovation process like I need a… I was at an event the other day when two things really spoiled my day. The first twinge came in the plenary session. Our host announced that we were about to be shown some videos of front-line staff describing their work frustrations and, in particular, the obstacles that prevented them from doing a better job. Now that sounded like a great initiative, so my curiosity was aroused. The camera focused on a broad group of internal stakeholders, and, very soon, a number of consistent themes and issues began to emerge. My attention was now well and truly grabbed. I waited with interest – and high expectations – for the host to explain how these concerns will be addressed and resolved. And I waited… and I waited… and slowly it dawned on me that I was going to be seriously short-changed. “These videos illustrate how important it is to listen to your front-line staff,” he explained – completely ignoring the fundamental truth that front-line feedback is only valuable when it is turned into actionable, positive outcomes. We had witnessed loyal staff displaying real courage and passion in their filmed interviews – but the all-important reactions and resolutions, together with the two-way communication from an appreciative management, were never even mentioned. Then something else happened that stunned me – and many of my fellow delegates. See also: How to Create a Culture of Innovation   I attended a breakout session on the topic of innovation. One of the key speakers was an independent consultant who specializes in helping major enterprises establish a culture of innovation. I was happily nodding along to his presentation when he dropped this bombshell: “First and foremost, you must have a common approach to innovation. Control is critical. You can’t permit people to innovate in completely different directions.” There was a metaphorical thud as several jaws hit the carpeted floor. By definition, innovation is free-thinking and radical. It shatters the mold by breaking conventions and rules. Thought control is anathema to innovation… or is it? That got me thinking… I have spent most of my life working on highly innovative projects. And I have to concede that most of these projects needed a process. However, this process is certainly not designed to inhibit freedom of thought. It is simply there to focus minds on real-world issues and solutions. Innovation projects have to be anchored in genuine need. If you lose sight of this reality, you will end up with a bunch of brilliant, tangential ideas that have absolutely zero commercial merit… and that is the quickest way to lose management support and funding for innovation. So how do you create a process that focuses innovation without inhibiting it? Well, I hope my diagram will help to concentrate minds… Every innovation effort should start with – and be driven by – the Voice of the (Internal and External) Customers. These key stakeholders can tell you what you need to fix. With a little encouragement, they will also give you rapid feedback on ideas – objective guidance that can you stop you wandering up costly and unproductive blind alleys. And one of the most instant and engaging ways to capture these stakeholder insights is via mobile video. One of our Clustre innovation firms has perfected software for capturing these sentiments. It is a remarkable tool that offers deep analytics and sentiment assessment to surface really valuable insights. Used on a regular basis, it is a unique asset to any innovation project. To kick-start the innovation process, you need to understand the frustrations that customers experience in their dealings with you – and, just as importantly, with your competitors. The same goes for internal customers and stakeholders. Their opinions will reveal the honest (often sobering) truth about the health of your culture and organization. Uber’s success was born out such research. Consumer frustrations with finding reliable private transport and the inconvenience of having to pay in cash for minicabs shaped the whole Uber service concept. It has transformed the global minicab industry by understanding consumer frustrations, addressing real areas of need and resolving them with a bespoke, infinitely scalable service. The message is clear: focus on addressing real Needs and Frustrations and you will deliver relevant, highly commercial solutions. The trick is to: First: Capture and focus on the things that frustrate the majority of people. Second: Concentrate on issues that have the biggest impact on your business and on satisfaction levels. Third: Avoid being side-tracked by the vocal minority who shout and complain the loudest. One of the firms we represent has recently invented a tool that automatically seeks out those core areas of frustration. It reveals to companies not only where consumers are frustrated but also the nature, size and extent of that frustration. This tool has now been used on multiple occasions to help consumer companies conceive entirely new products. Indeed, some of these products have rapidly morphed into the most profitable lines for these companies… the ultimate bottom-line justification for innovation. See also: Innovator’s Edge enhanced to make direct insurance innovation connections If the starting point for innovation is to understand needs and frustrations, then the next step in the process is to Conceive Solutions. Some people think of this as a scientific process – a technology-fueled trip into the outer realms of possibility. I disagree. Essentially, innovation comes from inspired team-building – blending talents and personalities to create the right human chemistry. Here are a few guidelines: Balance. From my experience, you need to strike a balance between radical, out-of-the-box thinkers and down-to-earth, practical engineers. Tether blue-sky thinking to grounded reality. Objectivity. Again, experience has proved the value of involving the people who will ultimately be the customers for your solutions. Cross-pollination. Look outside your specific company and industry for inspired solutions in parallel universes. But, of course, the true merit of any pie is in the eating. Most people struggle with concepts – they can only judge an idea when they see the reality of a product. That’s why I always urge clients to move swiftly from conception to creation:

• Prototyping. This is probably not the forum for diving deep into the prototype process. However, I would like to share the fascinating experience and advice of a close client – the global head of innovation for a global loyalty card operator…
• 30-day limit. His hard and fast rule is to set aside a maximum of 30 days to build a prototype – and not a day longer. It’s a rigid discipline that contains costs and delivers rapid results.
• Outsource. He also tends to outsource the development of the prototype (frequently to firms recommended by Clustre). This allows him to reduce his own headcount, capitalize on the best external services and run several projects at the same time.
• £10k budget. He also sets a hard and fast budget of £10,000 for each prototype. Now, to many people, this will seem a laughable – perhaps even derisory – budget. However, my client always has the last laugh because he has unfailingly delivered a fully functioning (albeit with a limited scope) prototype for this price.

Once you have developed a prototype, it should be shown to the customer representatives and major stakeholders for their verdict. This is the acid test. The Drop or Build decision will be taken there and then. And we can assume that a fair proportion will be buried at this point. However, don’t despair – this is an essential part of the "fail fast, learn quickly" culture that breeds innovation success. If a decision is taken to develop the prototype further, then this should be done in a very measured but agile way. Using a multi-functional team, the goal must be to create a MVP quickly and cheaply for business viability assessment. Tools similar to the one used to surface frustrations can then be used to gauge the level of excitement generated by a new product. This can be invaluable – accurately measuring consumer appeal before any serious commitment is made to invest further in the minimally viable product (MVP). What’s more, there are some really innovative marketing techniques that can measure, with forensic accuracy, this consumer interest. See also: 4 Hot Spots for Innovation in Insurance   So that’s it – my process for innovation. Offer people unlimited freedom to question precepts, push boundaries and break rules. However, within that free-thinking environment, there has to be a healthy mix of blue-sky thinkers and grounded engineers… sensible and very essential budgetary controls… an immutable date for prototype delivery… and, most importantly, a very sharp focus on real-world customer frustrations. Those are the essential tenets for innovation success.

Bill was a 40-something-year-old son in his 70-something-year-old father’s agency. I asked about the agency’s succession plan. He said, “Mike, I’m already running the agency by myself. When Dad dies, nothing changes.” He assumed too much… See also: 3 Ways to Boost Agency Productivity   With a smile and good intentions, I hit him with reality. I asked simply, “What if you die first?” His stunned look told me that he had never considered that possibility. Here’s reality – it might be easy for Bill to succeed his father. It will not be easy for most fathers to succeed a son or daughter. Agents manage risk – it’s what they do. But are you managing your own risks? Really? When an owner dies, becomes disabled, disappears or loses the ability to lead effectively, the best insurance can be a succession plan. A well-thought-out process, planned and reality-checked in advance is mission critical, as these stories show:

• David was a very close friend whom I hadn’t visited with in years. We spoke by phone for an hour on Wednesday Aug. 3, 1994, and committed to meeting for lunch on Monday of the following week. David was murdered that Friday while hiking in a national forest in Arkansas. What were the odds?
• The best producer in the agency was assumed to be the most “natural” person to lead in the future. Unfortunately, great producers are often not good leaders or managers, and their best value for the agency is almost always in production and not management.
• Often a #2 person is great at #2 but not worth a whit on the front lines of #1. But once they “move on up” it may be impossible to move them out.
• Absent formal succession plans implemented immediately, an owner’s death will invite a swarm of competitors ready, willing and able to consume in months the client base and talent it took you decades to grow!

See also: ‘Agency 2020’: Can You Get There? (Part 1)   Develop and implement, NOW, a succession plan for death and every other major contingency in your organization. I said NOW!

Growth in the cyber insurance market has recently occurred at warp speed, with more than 60 companies writing in the U.S. alone and with market premiums amounting to approximately $2.5 billion annually. The impressive year-over-year growth is expected to continue into the foreseeable future, with a variety of estimates placing market premium between $7.5 billion and $20 billion by the end of 2020. This impressive premium growth is because of several factors — perhaps most notably, reporting of the various types of cyber attacks in the news on a regular basis, driving both awareness and fear. Not surprisingly, cyber risk has become a board-level concern in today’s increasingly connected world. Additionally, recent growth of the Internet of Things has given rise to the seemingly infinite number of attack vectors affecting every industry. Individuals and entities of any size, spanning all regions of the world, are potential victims. The apparent need for new apps and devices that link to one another without focus toward security of those apps or devices gives reason to worry. It also creates an immediate need for a suite of security analytics products that helps insurance companies write cyber insurance more confidently. State of Data Actuaries are creative and intelligent problem solvers, but this creativity and intelligence is tested thoroughly when pricing cyber insurance. Actuaries still need the same suite of products used within any other catastrophe-exposed lines of business, but there are many challenges and complications with respect to cyber insurance that make this a particularly difficult task. That is, we still need an underwriting tool, an individual risk-pricing tool and a catastrophe-aggregation model, but certain aspects of these tools vary significantly from what we’ve seen in the past or have grown accustomed to as actuaries. Data lies at the center of any actuarial project, but data in this space is very limited for a number of reasons. To consider why this is the case, let’s take a step back and consider the wider context. We first want to think about both how to define the cyber peril and what types of attacks are possible. Risks could lie anywhere between smaller attacks on individuals involving brute-force attempts to steal credentials and conduct identity theft; and state-sponsored attacks on another government entity involving both physical damage and theft of critically sensitive intelligence. We may see malware deployed on a commonly used piece of software or hardware at a massive scale; infrastructures or processes taken down using denial of service; or a breach of a popular database or platform that affects many entities simultaneously. Many of the attack variants in this hypothetical list have never happened, and some may never happen. Even within those that have happened, information pertaining to the breach — both in terms of the attack specifics used or the actual dollar impact of the attack — is hard to come by. Several third-party data sources are currently available, but they tend to concentrate primarily on those pieces of data or attack types that are most accessible — particularly data breach and privacy violation claims. This, naturally, is a very small subset of what we need to price for as actuaries. Unfortunately, there is fairly loose regulation around the reporting of different types of attacks. Even within the data breach family, there exists tremendous lack of standardization across states with respect to reporting. Criteria for whether a report is required may include whether the data is encrypted, how many people were actually affected by the breach and the type of data stolen (PHI, PII, PCI, etc.). See also: How Actuaries Can Be Faster, More Efficient   External research can be done on public sources to find the aggregate amount of loss in some cases, but there is little to no incentive for the breached entity to provide more information than is absolutely required. Thus, while we want to price data breach events at a very granular level, it’s often difficult to obtain dollar figures at this level. For instance, a data breach will lead to several costs, both first party and third party. A breached entity, at minimum, will likely have to:

• Notify affected customers;
• Offer credit monitoring or identity-theft protection to those affected;
• Work with credit card companies to issue new credit cards;
• Foot bills associated with legal liability and regulatory fines; and
• Endure reputational damage.

It’s impractical to assume that a breached entity would find it attractive to publicize the amount lost to each of these individual buckets. Worse, other events that either don’t require reporting or have never happened clearly give us even less to work with. In these cases, it’s absolutely critical that we creatively use the best resources available. This approach requires a blend of insurance expertise, industry-specific knowledge and cyber security competence. While regulation will continue to grow and evolve — we may even see standardization across both insurance coverages offered and reporting requirements by state or country — we must assume that in the near future, our data will be imperfect. Actuarial Challenges Though many companies have entered the cyber insurance space, very few are backed by comprehensive analytics. Insurers eager to grab market share are placing too much emphasis on the possibility of recent line profitability continuing into the future. The problem here is obvious: Cyber insurance needs to be priced at a low loss ratio because of catastrophic or aggregation risk. Once the wave of profitability ends, it could do so in dramatic fashion that proves devastating for many market participants. The risk is simply not well understood across the entirety of the market, and big data analytics is not being leveraged enough. In addition to the glaring data and standardization issues already discussed, actuaries face the following eight key challenges: 1. No Geographical Limitation On the surface, the cyber realm poses threats vastly different from what we’ve seen in other lines of business. Take geography. We are used to thinking about the impact of geography as it pertains to policyholder concentration within a specific region. It’s well understood that, within commercial property insurance, writers should be careful with respect to how much premium they write along the coast of Florida, because a single large hurricane or tropical storm can otherwise have an absolutely devastating effect on a book of business. Within the cyber world, this relationship is a bit more blurry. We can no longer just look at a map. We may insure an entity whose server in South Africa is linked to an office in Ireland, which, in turn, is linked to an office in San Francisco. As existing threat actors are able to both infiltrate a system and move within that system, the lines drawn on the map have less meaning. Not to say they’re not important — we could have regulatory requirements or data storage requirements that differ by geography in some meaningful way — but “concentration” takes a different meaning, and we need to pay close attention to the networks within a company. 2. Network Risk From an External Perspective In the cyber insurance line, we need to pay attention to the networks external to an insured company. It’s well documented that Target’s data breach was conducted through an HVAC system. By examining Target’s internal systems alone, no one would have noticed the vulnerability that was exploited. As underwriters and actuaries, we need to be well aware of the links from one company to another. Which companies does an insured do business with or contract work from? Just as we mentioned above with apps and devices that are linked, the network we are worried about is only as strong as the weakest link. Another example of this is the recent attacks on a Bangladeshi bank. Attackers were able to navigate through the SWIFT system by breaching a weaker-than-average security perimeter and carrying out attacks spanning multiple banks sharing the same financial network. 3. Significance of the Human Element Another consideration and difference from the way we traditionally price is the addition of the human element. While human error has long been a part of other lines of business, we have rarely considered the impact of an active adversary on insurance prices. The one exception to this would be terrorism insurance, but mitigation of that risk has been largely assisted by TRIA/TRIPRA. However, whenever we fix a problem simply by imposing limits, we aren’t really solving the larger problem. We are just shifting liability from one group to another; in this case, the liability is being shifted to the government. While we can take a similar approach with cyber insurance, that would mean ultimately shifting the responsibility from the insurers to the reinsurers or just back to the insureds themselves. The value of this, to society, is debatable. See also: Cyber Insurance: Coming of Age in ’17?   A predictive model becomes quite complex when you consider the different types of potential attackers, their capabilities and their motivations. It’s a constant game of cat and mouse, where black hat and white hat hackers are racing against each other. The problem here is that insurers and actuaries are typically neither white hat nor black hat hackers and don’t have the necessary cyber expertise to confidently predict loss propensity. 4. Correlation of Attacks In attempting to model the “randomness” of attacks, it is important to think about how cyber attacks are publicized or reported in the news, about the reactions to those attacks and the implications on future attacks. In other words, we now have the issue of correlation across a number of factors. If Company A is breached by Person B, we have to ask ourselves a few questions. Will Company A be breached by Person C? Will Person B breach another company similar to or different from Company A? Will Person D steal Person B’s algorithm and use it on entirely different entity (after all, we’ve seen similar surge attacks within families such as ransomware)? If you as the reader know the answers to these questions, please email me after reading this paper. 5. Actuarial Paradox We also have to consider the implications on the security posture of the affected entity itself. Does the attack make the perimeter of the affected company weaker, therefore creating additional vulnerability to future attacks? Or, alternatively, does the affected company enact a very strong counterpunch that makes it less prone to being breached or attacked in the future? If so, this poses an interesting actuarial dilemma. Specifically, if a company gets breached, and that company has a very strong counterpunch, can we potentially say that a breached company is a better risk going forward? Then, the even-more-direct question, which will surely face resistance, is: Can we charge a lower actuarial premium for companies that have been breached in the past, knowing that their response to past events has actually made them safer risks? This flies directly in the face of everything we’ve done within other lines of business, but it could make intuitive sense depending on incident response efforts put forth by the company in the event of breach or attack. 6. Definition of a Cyber Catastrophe Even something as simple as the definition of a catastrophe is in play. Within some other lines of insurance business, we’re used to thinking about an aggregate industry dollar threshold that helps determine whether an incident is categorized as a catastrophe. Within cyber, that may not work well. For instance, consider an attack on a single entity that provides a service for many other entities. It’s possible that, in the event of a breach, all of the liability falls on that single affected entity. The global economic impact as it pertains to dollars could be astronomical, but it’s not truly an aggregation event that we need to concern ourselves with from a catastrophe modeling perspective, particularly because policy limits will come into play in this scenario. We need to focus on those events that affect multiple companies at the same time and, therefore, provide potential aggregation risk across the set of insureds in a given insurance company’s portfolio. This is, ultimately, the most complicated issue we’re trying to solve. Tying together a few of the related challenges: How are the risks in our portfolio connected with each other, now that we can’t purely rely on geography? Having analytical tools available to help diagnose these correlations and the potential impacts of different types of cyber attacks will dramatically help insurers write cyber insurance effectively and confidently, while capturing the human element aspect of the threats posed. 7. Dynamic Technology Evolution If we can be certain of one thing, it’s that technology will not stop changing. How will modelers keep up with such a dynamic line of business? The specific threats posed change each year, forcing us to ask ourselves whether annual policies even work or how frequently we can update model estimates without annoying insurers. Just as we would write an endorsement in personal auto insurance for a new driver, should we modify premium mid-term to reflect a newly discovered specific risk to an insured? Or should we have shorter policy terms? The dynamic nature of this line forces us to rethink some of the most basic elements that we’ve gotten used to over the years. 8. Silent Coverage Still, all of the above considerations only help answer the question of what the overall economic impact will be. We also need to consider how insurance terms and conditions, as well as exclusions, apply to inform the total insurable cost by different lines of insurance. Certain types of events are more insurable, some less. We have to consider how waivers of liability will be interpreted judicially, as well as the interplay of multiple lines of business. It’s safe to assume that insurance policy language written decades ago did not place much emphasis on cyber exposure arising from a given product. In many cases, silent coverage of these types of perils was potentially entirely accidental. Still, insurers are coming to grips with the fact that this is an ever-increasing peril that needs to be specifically addressed and that there exists significant overlap across multiple lines of business. Exclusions or specific policy language can, in some cases, be a bit sloppy, leading to confusion regarding which product a given attack may actually be covered within. This becomes the last, but not least, problem we have to answer. Conclusion The emerging trends in cyber insurance raise a number of unique challenges and have forced us to reconsider how we think about underwriting, pricing and aggregation risk. No longer we can pinpoint our insureds on a map and know how an incident will affect the book of business. We need to think about both internal and external connections to an insured entity and about the correlations that exist between event types, threat actors and attack victims. In cases when an entity is attacked, we need to pay particular attention to the response and counterpunch. As the cyber insurance market continues to grow, we will be better able to determine whether loss dollars tend to fall neatly within an increasing number of standalone cyber offerings or whether insurers will push these cyber coverages into existing lines of business such as general liability, directors and officers, workers' compensation or other lines. Actuaries and underwriters will need to overcome the lack of quality historical data by pairing the claims data that does exist with predictive product telemetry data and expert insight spanning insurance, cyber security and industry. Over time, this effort may be assisted as legislation or widely accepted model schema move us toward a world with standardized language and coverage options. Nonetheless, the dynamic nature of the risk with new adversaries, technologies and attack vectors emerging on a regular basis will require monitored approaches. See also: Another Reason to Consider Cyber Insurance   In addition, those that create new technology need to realize the importance of security in the rush to get new products to market. White hat hackers will have to work diligently to outpace black hat hackers, while actuaries will use this insight to maintain up-to-date threat actor models with a need for speed unlike any seen before by the traditional insurance market. Some of these challenges may prove easier than they appear on paper, while some may prove far more complicated. We know actuaries are good problem solvers, but this test will be a serious and very important one that needs to be solved in partnership with individuals from cyber security and insurance industries.

Because of today’s technology, any person who has special knowledge of a service or product, or is willing to learn, can go into business as a freelancer. These people can not only be found by potential employers but can fit into their work flow. The result has been an on-demand work force, exemplified by the Uber or Lyft ride-sharing platforms and, in fact, by my company, WeGoLook, which facilitates gig work for our more than 30,000 strong on-demand workforce. On-demand workers can generate substantial additional income without having to jump through the hoops that challenge traditional small businesses. See also: The Uberization of Insurance   Consumers have shifted, too, increasingly demanding that they be able to want to purchase goods and services based on their actual needs -- what they want, when they want it and how they want it -- rather than based on what the market tells them they need. The result has been an on-demand economy that has been meshing with the on-demand workforce. Insurance products face disruption because virtually every consumer purchases insurance at some point -- insurance will have to adapt to both the on-demand nature of work and the on-demand nature of consumption. This is the industry's Uber moment. Insurtech has already led to innovation unlike anything the industry has ever witnessed. Traditional carriers feared a loss of about 20% market share and responded by making substantial investments of their own into technology, distribution methods and product innovation. Even though traditional carriers retained the underwriting and claims administration responsibilities for insurance products being marketed by startups like Lemonade, Slice and Trov, they soon realized they would lose contact with consumers and control of distribution. This has led insurance companies to wisely consider innovation and partnerships to remain relevant during this Uber moment. Innovation Digitally savvy customers want to connect and communicate via smartphone, tablets and laptops. Innovations like bots and AI help the insurer implement these communication requirements without adding thousands of employees and cubicles. Technology, in particular mobile technology, is the key, and insurtech startups have a vast supply of ideas that will meet the needs of the new on-demand consumer preferences. Partnership Insurers willing to invest significant funds to compete will suddenly discover that their traditional IT systems will hinder attempts at innovation. These legacy systems are typically outdated within a few years of installation, and the traditional insurer must look to partnering with well-funded startups rather than replacing all these systems at significant cost. See also: What Will Be the Uber of Insurance?   Partnering can allow for quick implementation of technological advances, such as new communication techniques, and the on-demand workforce can quickly and inexpensively carry out the activities required to implement new processes. For instance, on-demand field service companies like WeGoLook can provide personnel to accommodate the new needs in claims adjusting. Traditional insurers are retooling or partnering to accommodate the preferences of on-demand consumers, but they are in for a wild ride -- or at least very different one -- as they have their Uber moment.

With the EU-approved General Data Protection Regulation (GDPR) set to be implemented in the U.K. on May 25, 2018, this topic must be a consideration for all insight leaders. In my own work with clients and in my conversations with others, I find GDPR is cropping up more often. However, I’ve become a little alarmed at a general sense of complacency and of putting off looking into this for now. Given the scale of impact and the time needed to deliver any significant data projects, I suggest leaders focus on this issue — now. Do you know if you already comply with the likely requirements of GDPR? Have you at least identified any significant data model or systems changes that are needed so that project planning can begin ASAP? Getting clearer on GDPR Two reasons appear as to why people may not have started looking into GDPR yet. The first is that people are awaiting interpretation of elements of GDPR for U.K. businesses from the Information Commissioner (ICO). The ICO did appear a little slow off the mark (perhaps it was waiting for greater clarity on Brexit), but its guidance is beginning to appear. The second issue is a sense that GDPR was not “as bad as expected” or “as draconian as feared,” even if a business leader still isn’t crystal clear on GDPR's scope and impact. See also: Cyber Insurance: Coming of Age in ’17?   Now this blog post is too short to answer all the questions you may have about GDPR. But, given that 2017 will also see data leaders needing to engage with changes in ePrivacy regulation, GDPR is too timely to be ignored. So, I'll use this article to point out some aspects of GDPR that data insight leaders should be considering. In no particular order, here are some potential points of impact to check out: Change in definition of consent The GDPR expands upon and clarifies the looser definition of consent that had previously been in force. That new definition is: “…‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Two key phrases in that text are “unambiguous” and “clear affirmative action.” With the caveat that I am not able to offer any actual or implied legal advice, it’s also worth pointing out that the supporting notes (given the strange name “recitals”) clarify that: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.” So, the first point of impact that I would encourage leaders to check out is all your data-capture touch-points and comms. Are you sure all operate on positive opt-in and that none are still getting away with the passive opt-out requirement? I won’t bore you with the detailed text here, but GDPR also makes clear that this consent should not be a condition of accessing elements of product or service that don't require the data to operate. It must be “freely given.” Are you sure you don’t have requirements for marketing consent that are hiding behind special offers, competitions or newsletters? Is “legitimate interests” your get-out-of-jail-free card? One of the collective sighs of relief heard from the direct marketing industry when the final text of GDPR was confirmed was that direct marketing was still identified as a “legitimate interest.” To some, that held out the potential for businesses to define their use of data as such, rather than require explicit consent before marketing. A few provisos are still worth clarifying. Recital 47 makes clear that there might be a legitimate interest in direct marketing toward existing customers, but the recital also states that the data subject could “reasonably expect” this to happen. Other caveats make clear that any objection by the data subject would override this “right.” So, while it might seem tempting to have a way around unambiguous positive opt-in, this might be fools gold. I say that because when marketing on such a basis, the onus will be on the data processor to make clear to the data subject that they are using this permission and to provide a suitably clear means of opting out. Are you sure you can explain to your customers in plain English what your use of their data under “legitimate business interests” means? Your profiling has been spotted Another popular topic among those who like to discuss GDPR (you know who you are) is that of “profiling.” By this, the EU means use of personal data to analyze or predict people's performance, behavior, situation, interests, location or movements. Not only is this profiling issue new (as compared to the U.K.’s Data Protection Act), but it includes the right for people to opt out of their data being used for this purpose. Anyone who leads analytics or modeling teams will know this opens a Pandora’s Box. Nowadays, most direct marketing and occasionally all customer interactions are targeted by the use of predictive models. Many models are also personalized or timed through use of segmentations, scores and flags or as a result of behavioral profiling. Now, it’s bad enough that an individual might want to opt out of your company being able to target interactions using standard processes. It's still unclear whether the customer's data should also then be removed from datasets on which any existing models/rules were built and the analytics repeated. What is clear is that data subjects will have a right to object to their information being used and that profiling is only legal with their permission. Do you have data models/structures that capture an individual's permission at this level of granularity? Plus, do you have analytics and modeling processes that enable rebuilds on the basis of customers withdrawing permission for data that was previously in modeling datasets? It's not easy, but a pragmatic solution will need to be found. Plus, it will be your responsibility to inform the data subject of the right to object to such profiling. (How will you explain it?) Will people want to go incognito? Legal cases against Google and Facebook have raised the public awareness of the right to be forgotten. This is another addition via GDPR. Not only will data processors need to make clear that people have this right but that, if they want to opt out, their data must then be erased “without undue delay.” So, data controllers are required to inform data processors of any erasure requests and take all “reasonable steps” to tell other data controllers where data has been shared. Think for a moment about the connections in your current IT systems. If you are a large U.K. corporation, chances are that you not only have a myriad of legacy systems internally but also share data with external systems for operations, marketing and other functions. Do your data models and current processes enable all the data about an individual to be found and erased? Does your answer to that question include confidence in your suppliers' and partners' ability to take action should such an erasure request occur? There are a myriad of details to be worked out on this one. If an individual has asked to be suppressed from marketing, is it reasonable to keep sufficient data to still enforce that request? For now, realize that the bar will be higher than just having a data retention policy and answering subject access requests. You need to test run how you would execute an individual erasure request across your data landscape. See also: Insurers’ Call Centers: a Cyber Weakness?   Building on everything else in GDPR will be the right to data portability. Individuals should have the right to leave and take their data with them. We have all seen the changes in utilities to enable this, and banks are currently preparing for open banking protocols. What about your business? How could you provide customers with all the data they need to easily change provider? That may well be coming — so plan ahead. There is more to GDPR! That’s sufficient information to chew on in this article. But there are more topics for data leaders to worry about. In part-2 of this mini-series, I’ll share my thoughts on these aspects of GDPR:

• Data model impacts (can you prove consent and when is its use-by date?)
• Data protection impact assessments (are you designing for compliance?)
• Record-keeping and contracts (what should these cover?)
• Data protection officers (do you need one, and what should he or she do?)

I hope this article was helpful. Please share your perspective and any lessons learned, as we are all still learning what will work best.

Change — irrespective of the sector, industry, experience, employees, etc. — is sometimes tough to achieve. In many organizations today, transformational change is the least understood, as well as the most difficult type to execute. Although the change may be well-planned, communicated and implemented, most times there will be some level of resistance. One has to remember that change interferes with the culture, behavior and mindset of employees, so, to implement change successfully, you have to manage resistance. Resistance to Change Change is sometimes necessary and inevitable. Unfortunately, workers sometimes view change as a direct attack on their performance or as an unnecessary whim of management. In most cases, resistance arises from threats to norms and traditional ways of doing things; as a result, it is a basic tenet of human behavior to resist any change. I clearly remember my first major experience with change. It was nerve-wracking because I was very confused about the change and how it would affect my daily routine on the job. Quite naturally, I resisted it. To efficiently execute any change, one has to take into consideration the environments your employees have grown accustomed to. Any change to an employee’s psychological contract will, in most instances, fuel that resistance. If management cannot adequately evaluate the impact of the changes taking place, this will lead to the non-fulfillment of the company's strategic objectives. What can management do to mitigate this resistance? Use Change Agents Employees should have a role in the designing, planning and implementation of the change. Get your employees involved, have change agents within the departments and give them the responsibility to engage their fellow staff members about the change in an attempt to sell the vision. See also: Small Steps Drive Significant Change   The change agents should be long-standing employees who have some degree of influence in the company. The principles of social proof taught us that people will naturally follow the crowd. When an employee recognizes that a long-standing compatriot shares the vision of the manager or CEO, these employees will be far more easily convinced to accept the changes, especially if there are trust issues in the organization. Employees aren't just hearing another speech from the boss. Communication Resistance to change is really "resistance to uncertainty." To overcome resistors, the management team must ensure communication plays an integral role. The Change Curve model, illustrated below, describes the four stages most people go through as they adjust to change. It is extremely important that one recognizes these stages: For example, an initial reaction to change may be shock or denial. Communication has to be a priority at this stage. Although employees may be able to absorb a limited amount of information, management must ensure its employees have a natural pathway to access more information if they need it, and management must be patient enough to answer any questions that come up. I have seen some managers refuse to answer staff questions about a change in the organization, and that kind of ridiculous stand by the manager derails the whole process even before it actually begins. In Stage Two, people may fear the impact, feel angry, resist or actively protest against the changes. For many organizations, this is the “danger zone,” and, if this stage is managed badly, the organization may descend into crisis or chaos. Careful consideration should be given to the impact of the changes and to objections people may have. Again, communication and support will play a vital role in minimizing and mitigating the problems people will experience. Stages Three and Four are the turnaround stages. This is where the changes start to become second nature and where people embrace the improvements to the way they work and, in many instances, show the commitment to the changes that took place. To ensure the individual departments are in alignment with the shared goals and objectives of the organization, an organization-wide communication approach — predominantly from the bottom up — must be instituted. I have witnessed the failure of change simply because management did not understand the vital role that communication plays. Leadership Commitment Any management team leading a transformational change must ensure that the vision is consistently communicated. Employees model their behaviors on the actions of management, so leadership must make sure its values are aligned with the core values they are trying to instill in the organization. If the leadership does not “walk the talk” of the change, the whole change process will not go anywhere. The communication will have no impact if management shows no commitment to the change. The organization will always be in a whirlwind of change, with no end in sight. See also: 3 Main Mistakes in Change Management   Change is challenging. Resistance is inevitable. However, if management shows commitment to the process, genuinely communicates and embraces employee feedback, the change process can be very successful.

We were excited to learn last week that the Risk & Insurance Management Society has named Loren Nickel as its Risk Manager of the Year. Loren has been on our advisory board for going on a year...but is perhaps a bit better-known for his day job as the director of business risk and insurance at Google.

While great risk managers generally go unnoticed—the plane that lands safely doesn't get much coverage—Loren's handiwork at least peeks into public view from time to time as Google provides some structure around its "moon shots." The rest of us may focus on the extraordinary possibilities of X projects like the driverless car, recently spun out into a business unit called Waymo as the cars edge ever closer to widespread availability; Loren and his team provide discipline by quantifying the risks so that the X lab, the nascent business units or the parent company know what risk they are assuming and manage it as efficiently as possible. Google may seem to us outsiders as though it has a limitless balance sheet, but even Google needs to be smart about the risks it takes on. 

The announcement from RIMS also notes a contribution by Loren to the theoretical basis for risk management: "Loren co-developed (along with Ward Ching from Aon) the theory behind an important strategic risk management effort, the Efficient Frontier. Used for insurance structure decision-making, the Efficient Frontier helped [Google] simplify such decisions and demonstrated the opportunity to significantly reduce risk as measured by Total Value at Risk, all without an increase in spending." Essentially, Loren and Ward explained how to apply Modern Portfolio Theory—and a whole lot of computing power—to decide what insurance coverage to carry. (The work is part of a book available through RIMS.) 

At ITL, Loren has played a key role in our Shaping the Future symposiums. He has hosted these gatherings of about 30 CEOs of major insurance companies at Google headquarters and has provided thought-provoking technical content—at the meeting last month, Diane Greene, one of the biggest names in Silicon Valley, laid out Google's vision for the cloud and discussed with attendees the implications for insurance. We see these day-and-a-half sessions as crucial to our goal of acting as a catalyst for innovation, and having access to the best technical experts is a huge plus. Loren has also provided important advice about our Innovator's Edge, which now contains information on nearly 900 insurtechs and which we are rolling out to providers that are looking to find suppliers, partners or acquisition candidates as they seek to become more innovative. (Insurtechs: Remember that we will announce our initial "5 Startups to Watch" in "Six Things" next week, drawing from those that have completed our Market Maturity Review. If you want to be considered for our list, you need to go to the site and fill out the review by end of day Friday.)

We are also delighted to announce two additions to our advisory board:

• Michael J. Morrissey, president and chief executive officer of the International Insurance Society. The IIS is the world’s largest and most diverse industry organization, with members representing global insurance leaders, international regulatory authorities and worldwide insurance scholars from more than 95 countries.

• Chuck Wallace, a co-founder of Esurance who had numerous senior positions there. He currently serves as an adviser and consultant with early-stage and high-growth companies, with a focus on insurtech. 

They join an exceptionally distinguished group of advisers, which, as it happens, includes two previous winners of the Risk Manager of the Year Award: Chris Mandel and Jeff Pettegrew. We are in good hands.

A primary challenge for the leaders of any evolving business is how to best allocate limited resources to achieve desired business objectives. This is particularly true with insurance agencies, where the vast majority of firms are small- to medium-sized businesses. These firms (and, particularly, startups) must decide whether to handle core functions such as payroll or human resources internally or to outsource such functions to a specialized provider. Outsourcing can be an effective tool for maximizing resources — but only when certain criteria are met. Some functions are outsourced by default; IT services are a typical example. Most agencies lack the expertise or critical mass to take on this function internally, so they contract with external experts to handle their computers, networking and other information infrastructure. Several other business functions could potentially benefit from outsourcing, but the case is not always so clear. The agency principal should consider three important questions when evaluating outsourcing opportunities: 1. Is the function critical to your business operation, but not a core part of your strategy? If a function is not critical to the business, it should almost certainly be outsourced (if it cannot be eliminated). For tasks critical to a business, the manager should consider if the task is a central element of the business strategy. Critical tasks that are not core to the business strategy are prime candidates for outsourcing 2. Is the function shareable? When a business identifies a function that may be outsourced because it requires special expertise and investment, “shareability” is another consideration. Outsourcing works best when the provider of the outsourced service can leverage its investment in intellectual capital and infrastructure across a pool of similar clients. A robust solution that might be unaffordable for a single firm may become practical and cost-effective when shared as a “multi-tenant” solution (e.g., payroll and HR). See also: A Revolution in Risk Management   3. Does the function require significant management oversight? While it is important that the outsourced service provider give the management team visibility into the function performed, outsourcing efforts often fail if the management team is still required to spend significant, valuable time directing or overseeing the work of the service provider. The Case for Outsourcing License Management and Compliance Services The management of insurance licenses and credentials as well as other compliance services is an outsourcing opportunity that all well-run agencies, brokerages and third-party administrators (TPAs) should consider. Let’s look at how license and compliance management aligns with the questions posed above. Is the function critical to your business operation but not a core part of your strategy? Insurance licenses must be carefully maintained. Over the last several years, state regulators have become more aggressive in sanctioning agents and carriers for non-compliance. As a result, carriers are less tolerant of violations by their agents and are more selective in the agents, brokers and TPAs with whom they will contract. But accurate and timely maintenance of licenses and other compliance functions is not a central driver of the business strategy. In fact, most agency principals consider license maintenance as a “necessary evil.” Is the function shareable? A recently released report by the Professional Insurance Marketing Association states:

“The proliferation of laws and regulations have made it more difficult for carriers, agents, brokers and third-party administrators to satisfy their (compliance) obligations. As a result, regulated entities will likely need to dedicate additional resources to compliance, including personnel and systems….”

Companies can obviously make investments in infrastructure and training of compliance personnel, but the costs can be prohibitive for small- to medium-sized firms, and the results are less than certain. Compliance managers with significant experience are in high demand and, in certain parts of the country, command salaries in the low six figures. When companies decide to invest in training an employee in this area, they run the risk of losing the employee to a competitor once she has obtained the relevant expertise. For most small- to medium-sized insurance agencies, the individual responsible for licensing and compliance also bears other responsibilities and lacks deep compliance expertise because he (1) spends much of his time on non-licensing activities and (2) does not receive adequate education and training. License requirements vary by state, but they apply uniformly to all agency entities. This means that a shared resource (the outsourced license management partner) can assemble a best-in-class service that can be delivered to multiple agency clients on a more cost-effective basis than if the agency built the function internally. With critical mass and an exclusive focus on the licensing/compliance space, an outsourced partner can also stay current on developments across all jurisdictions while maintaining relationships with state insurance regulators to assist clients in avoiding regulatory issues and providing informed remedies when issues do arise. By assembling an experienced team of professionals, the outsourced license management partner can also marshal investments in systems and infrastructure to make license management more efficient and reliable. Today, most agencies track their licenses on a spreadsheet, which can result in errors, missed deadlines and other issues. A related issue faced by agencies is continuity of the licensing function. In-house compliance personnel have historically managed licensing and renewals on an ad hoc basis using Excel spreadsheets or conventional paper filing systems. These approaches may work on a very small scale, but they offer very little in the way of checks and balances because institutional knowledge is not easily translated within the organization and is often lost when the person assigned to manage compliance leaves. Because these firms typically lack robust systems and procedures, the compliance function is difficult to transfer to the new compliance manager. Does the function require significant management oversight? Agency managers should not need to concern themselves with day-to-day maintenance, while still having ready access to the status of their compliance programs so they can take advantage of business opportunities. See also: Insurance Coverage Porn   Here are three case studies of how outsourcing has worked when put in practice by ACCEL Compliance, which specializes in providing outsourced service options for license management and compliance functions for insurance agencies, brokerages and TPAs. ACCEL's experience illustrates how these functions meet the key strategic criteria for outsourcing. CASE 1:  Nationally Licensed P&C Brokerage A nationally licensed property and casualty broker specializing in large complex commercial and municipal construction projects lost its in-house compliance manager and needed to fill the role rapidly.  The firm engaged ACCEL to take over the compliance function, saving the firm the time, expense and risk of recruiting a new hire.  The firm’s president said it saved money and got increased visibility into its compliance function, while ACCEL seamlessly picked up its renewals. CASE 2:  Nationally Licensed TPA A nationally licensed third party administrator of life, health and employee benefits for a number of the largest U.S. insurance companies and affinity programs also recognized benefits in outsourcing its license compliance function. The internal compliance manager said, “While we understand that licensing is necessary to our continued operations, it does not drive our business strategy.  Worrying about lapses in licensing was an unnecessary distraction for myself and our executive management team." CASE 3:  Small, Independent P&C and Surplus Lines Agency A small but growing independent property-casualty and surplus lines insurance agency based in the Southeast faced a rapidly expanding licensing footprint. As with many independent agencies, its founder and CEO had grown the business without adding significant administrative staff and the related expense. He recognized the opportunity to outsource his compliance and license management function and engaged ACCEL, which he said "frees me up to manage the growth of the business and drive revenue."