
Hacking the Human: Social Engineering

Here are seven social engineering tactics that hackers are using to trick employees, along with eight defenses.

Virtually every business relies on a network to conduct its daily operations. This often involves the collection, storage, transfer and eventual disposal of sensitive data. Securing that data continues to be a challenge for organizations of all sizes and across multiple business sectors. Social Security numbers, W-2 forms, payment cards and intellectual property have significant value on the black market and give hackers a strong motive to steal them. Many corporate IT departments respond to these threats by devoting vast amounts of resources to technological defenses. Criminal perpetrators, however, seem to remain one step ahead of even the best cybersecurity efforts. They have altered their strategies by perpetrating human-based fraud.

One emerging tactic is what we have come to know as "social engineering." This type of fraud occurs in a multi-stage process: criminals first gather information, then form relationships with key people and finally execute their plan. By exploiting our natural tendency to trust others, criminals have been highly successful in convincing people to hand over some of their most valuable data assets. In fact, according to the FBI, from October 2013 to August 2015, more than 8,000 social engineering victims from across the U.S. were defrauded of almost $800 million (the average loss amounted to $130,000).

There are several methods of social engineering that are seen frequently, including the following seven:
  • Bogus Invoice: A business that has a long-standing relationship with a supplier is asked by email to wire funds for an invoice to an alternate, fraudulent account. The email request appears very similar to one from a legitimate account and needs close scrutiny to determine that it is fraudulent.
  • Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information is then sent from the compromised email account to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
  • Interactive Voice Response/Phone Phishing (aka "vishing"): Automation is used to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
  • Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
  • Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB drive to her computer, criminals can exfiltrate valuable data.
  • Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
  • Diversion: Misdirecting a courier or transport company and arranging for a package/delivery to be taken to another location.
How to avoid being defrauded in the first place

Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures, including these eight:
  • Educate your employees so they can learn to be vigilant and recognize fraudulent behavior.
  • Establish a procedure requiring any request for funds or information transfer to be confirmed in person or via phone by the individual supposedly making the request.
  • Consider two-factor authorization for high-level IT and financial security functions and dual signatures on wire transfers greater than a certain threshold.
  • Avoid free web-based email and establish a private company domain, and use it to create valid email accounts in lieu of free, web-based accounts.
  • Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchical information and out-of-office details.
  • Do not open spam or unsolicited email from unknown parties, and do not click on links in such email. These often contain malware that will give the perpetrators access to your computer system.
  • Do not use the “reply” option to respond to any financial emails. Instead, use the “forward” option and use the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
  • Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.
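Several of these defenses (checking that a financial request really comes from the supplier's or executive's own domain, distrusting a sudden switch to a personal web-mail address, and treating urgent wording with suspicion) can be turned into an automated first-pass check on incoming payment requests. The following is an added example, not code from the original article; the trusted domains and sample headers are constructed for illustration, and an empty result still calls for the out-of-band confirmation the list above recommends.

```python
from email.utils import parseaddr

# Constructed for this example: domains from which payment or data-transfer
# requests may legitimately arrive (suppliers of record and the company itself).
TRUSTED_DOMAINS = {"acme-supplies.example", "ourcompany.example"}

# Free web-based mail providers; a business contact suddenly writing from one
# of these is the "sudden change in business practice" the article warns about.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URGENCY_WORDS = ("urgent", "immediately", "asap", "right away")


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains (e.g. one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_payment_request(headers: dict) -> list:
    """Return human-readable findings for an e-mail that asks for funds or data.

    An empty list means nothing suspicious was seen; it is NOT proof the mail is
    genuine, so confirming the request in person or by phone still applies.
    """
    findings = []
    sender = domain_of(headers.get("From", ""))
    reply_to = domain_of(headers.get("Reply-To", ""))

    # Hitting "reply" would send the answer somewhere other than the apparent sender.
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")

    if sender not in TRUSTED_DOMAINS:
        lookalikes = sorted(d for d in TRUSTED_DOMAINS if edit_distance(d, sender) <= 2)
        if lookalikes:
            findings.append(f"sender domain {sender} looks like trusted domain {lookalikes[0]}")
        elif sender in WEBMAIL_DOMAINS:
            findings.append(f"sender uses free web-based mail domain {sender}")
        else:
            findings.append(f"sender domain {sender} is not a known supplier or company domain")

    subject = headers.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject uses urgency language")

    return findings


# Constructed sample headers: a look-alike supplier domain with replies routed
# to a web-mail address, versus a routine invoice from the real supplier.
SUSPICIOUS_REQUEST = {
    "From": "Accounts Payable <ap@acme-supp1ies.example>",
    "Reply-To": "ap.acme@gmail.com",
    "Subject": "URGENT: updated bank details for invoice 1042",
}
ROUTINE_INVOICE = {
    "From": "Accounts Payable <ap@acme-supplies.example>",
    "Subject": "Invoice 1042",
}

if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS_REQUEST), ("routine", ROUTINE_INVOICE)):
        print(name, check_payment_request(msg) or ["no findings"])
```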
Despite these efforts, organizations can still fall victim to a social engineering scheme. These incidents can be reported to the joint FBI/National White Collar Crime Center Internet Crime Complaint Center (IC3) at www.ic3.gov.

The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat, because these incidents often involve the compromise of personally identifiable information, which can later be used for identity theft against multiple people. This prospect of further theft will often trigger legal obligations to investigate the matter and to notify affected individuals and regulators. The thefts often then lead to litigation and significant financial and reputational harm to businesses. Costs can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.

Fortunately, the insurance industry has developed insurance policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers, while cyber insurance policies may cover costs related to unauthorized access to personally identifiable information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, some crime policies contain exclusionary language for cases involving voluntary transfer of funds, even though the funds were unknowingly transferred to a criminal. Other insurers might add policy language to crime policies to cover this situation. Cyber insurance policies can be customized to offer coverage for the following:
  • Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion or corruption of a third party’s electronic data; denial of service attacks against Internet sites or computers; or transmission of viruses to third-party computers and systems.
  • Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information that had been entrusted to it in the normal course of business.
  • Electronic Media Content Liability: Coverage for personal injury and trademark and copyright claims arising out of creation and dissemination of electronic content.
  • Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.
  • Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm, outside counsel and forensic investigator.
  • Cyber Extortion: Payments made to cybercriminals to decrypt data that has been encrypted by ransomware.
  • Network Business Interruption: Reimbursement of your loss of income or extra expense resulting from an interruption or suspension of computer systems because of a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.
  • Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.
In summary, businesses need to be vigilant in addressing the ever-evolving risks related to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and to mitigate the damages if they do. Turning your employees from your weakest link into your greatest assets in the battle is one way; risk transfer to insurance products is another.

John Farley

John Farley is a vice president and cyber risk consulting practice leader for HUB International's risk services division. HUB International is a North American insurance brokerage that provides an array of property and casualty, life and health, employee benefits, reinsurance, investment and risk management products and services.

Thought Leader in Action: Chris Mandel

Chris Mandel, at Sedgwick after a distinguished career in risk management, says he stumbled into insurance (quite literally).

Back in the '70s, Chris Mandel quite literally stumbled into insurance, as a result of a racquetball injury at Virginia Polytechnic Institute in which he suffered a detached retina. After two months of lying flat in a hospital bed, he had to forgo his post-graduate job in retail management and start looking for employment in D.C., where he began an unexpected career managing claims at Liberty Mutual.

Mandel excelled in his job but realized a career in claims management wasn't what he wanted. So, in the early '80s, he moved to Marsh brokerage for five years and set up a risk management program for an AT&T spinoff that evolved into what is now Verizon. He then left Marsh to be Verizon’s first risk manager, building its program from scratch. By the '90s, he had landed in several top corporate risk management positions at the American Red Cross, Pepsico/KFC and Triton Global Restaurants (YUM Brands). Mandel also began his six-year volunteer stint as the president of RIMS (1998-2004), after serving in many different key RIMS leadership roles. He earned an MBA in finance from George Mason University along the way.

By 2001, Mandel was on several advisory boards (Zurich, AIG, FM Global and Liberty Mutual), before making a career and geographic move to the USAA Group in San Antonio. There, he built an enterprise risk management (ERM) program because he saw a “broken traditional approach” to risk management. After nearly 10 years of developing an ERM program lauded in the industry (including by AM Best, Moody’s and S&P), Mandel was promoted at USAA to head of enterprise risk management, as well as president and vice chair of Enterprise Indemnity, a USAA commercial insurance subsidiary. While at USAA, he was recognized as Business Insurance’s Risk Manager of the Year (2004). His dream was to be a corporate chief risk officer, but he saw that title more often going to “quants” (like actuaries) rather than to risk professionals.

So, as a well-known and sought-out industry spokesperson and visionary, Mandel moved on from USAA in 2010 to found a Nashville-based risk management consulting group, then called rPM3 Solutions, which holds a patent on a game-changing enterprise risk measurement methodology. Then, in 2013, he moved to Sedgwick as a senior vice president. He is responsible for conducting scholarly research, driving innovation, managing industry relations and forging new business partnerships. In early 2016, he was appointed director of the newly formed Sedgwick Institute, which is an extension of the firm’s commitment to delivering innovative business solutions to Sedgwick's clients and business partners, as well as the whole insurance industry. In 2016, Mandel was awarded RIMS' distinguished Goodell Award.

When asked what he sees as critical strengths for someone entering risk management, Mandel said: “I try to hire managers who can think strategically and who can convince C-suiters and boards of the value of being resilient in addressing a company’s risk profile. Progressive leaders understand the strategy to leverage risk for value.” A holistic approach, as he describes it, “seeks a vantage point that can assess both the upside and downside of all foreseeable risks.” He believes true innovation evolves from a company’s risk-taking. “It’s not so much identifying what or when adversity is going to happen, it’s how a company responds to risk in order to minimize disruption,” he said.

In assessing his personal strengths and accomplishments, Mandel feels that a person needs to be “emotionally intelligent,” able to adapt to different people in organizations. He doesn’t consider himself a people person but says he learned to be one the hard way. He advises: “Team spirit is putting other people first and helping them succeed. ... Admit your failures and build trustworthiness from your mistakes.”

Besides writing, teaching, speaking and (still) playing racquetball, he plays an active role as an advisory board member of Insurance Thought Leadership. He and his wife also serve in church ministries, where he often plays guitar alongside his grown children, who are ordained ministers. Mandel said, “I’m blessed by a Creator who’s had my back.”

Jeff Pettegrew

As a renowned workers’ compensation expert and industry thought leader for 40 years, Jeff Pettegrew seeks to promote and improve understanding of the advantages of the unique Texas alternative injury benefit plan through active engagement with industry and news media as well as social media.

Failures of Two-Factor Authentication

How can an organization become less secure by attempting to be more secure, such as through two-factor authentication? Let me tell you.

How can a bank — or any organization — become less secure in its attempts to become more secure? Let me tell you.

Security must do two things: protect and enable. If your security doesn’t enable people to do what they have to do, they will inevitably circumvent it, creating all sorts of exception conditions as they do. And that is the path to perdition (and hacking). Security often fails because people who design security are much better at throwing up roadblocks than they are at creating pathways.

This month brought yet another story chronicling the theft of millions of passwords by hackers, once again highlighting the importance of implementing “not-just-password security” at places that really matter. But I’m about to turn off two-factor authentication for my bank, right at the moment when everyone seems hell-bent to turn it on. Why? Because it doesn’t make me safer if it doesn’t work; it just prevents me from accessing my money.

Tangled in red tape

I’ve run into classic red-tape headaches with my bank recently as I try very hard to use its two-factor authentication scheme.

A quick review: Two-factor authentication adds a strong layer of security by requiring that two tests be met by a person seeking access — a debit card and a PIN code, for example, representing something you have and something you know. Online banks and websites are slowly but surely nudging everyone toward various forms of two-factor authentication because it really does make life harder for hackers. Most of these two-factor forms involve the use of smartphones, as they have become nearly ubiquitous. Log onto a website on a PC, and a confirmation code is sent to your phone — something you have (the phone) and something you know (the password). Simple but elegant, and far harder for bad guys to crack.

It’s great — when it works. But what about when it doesn’t? Consumers get new phones all the time. If the code is tied to the physical handset, the code doesn’t work any longer. What then? It turns out that this can be a very vexing problem.

I’ve been a USAA banking customer for decades. The financial services firm has ranked atop customer satisfaction surveys seemingly forever, and for good reason; it really does take good care of members. At least it did, until it tried to implement two-factor security. A Symantec app loaded onto your smartphone offers a temporary token — a six-digit code — that changes every 30 seconds. The token is tied to the physical handset. Only a person who knows your PIN and can access the token on that handset can log onto the website. Sure, it’s a tiny hassle to pull out the phone every time you want to log on to the website, but that’s a fair price to pay for security.

New phone, new problems

However, the hassle becomes immense when it is time to change handsets. So immense that I couldn’t fix my login and access my bank for 24 hours. And that’s happened to me twice in the past year. Why? Chiefly because USAA isn't set up to deal with the problem of new handsets.

The real problem came next. People change phones roughly every two years, so this new handset problem must come up often enough. Yet it’s obvious USAA operators aren't ready to handle the problem when consumers call. Each time I reached an operator, I had to spend a lot of time explaining the problem. On the first call, the operator merely changed my mobile application login settings after putting me on hold for minutes. When I protested, she said she had to transfer me to a special department — and then the phone went dead. After a second call, where I again waited, the operator was sympathetic but put me on hold quickly and wasted a lot of time trying to set me up with a new phone number. It took a while before I could convince her that “new phone” meant “new handset,” not “new number.” We eventually agreed that all I needed was someone to turn off two-factor and issue me a temporary password so I could go in and re-establish the connection between my handset and my account. But after another long hold and transfers to two other operators, I was told they were having trouble issuing temporary passwords and was asked if I could call back.

I’ve left out many steps in this saga. At each stage, I was subject to strict authentication questions. That’s fine; I was asking for a new password, after all. But at the end of my fruitless journey through tech support, when I asked if I could somehow get express treatment when I called back just to find out if I could get a temporary password, I was told, “No.” So, next time, I will have to, once again, convince a primary operator of who I am, that I am having token problems and that I need a temporary password.

My experience last time was similar, so I know I'm not just the victim of bad luck. The last time this happened, I was sure to give the operator who finally liberated my account some specific feedback: There needs to be a tidy process for dealing with people who get new handsets. Obviously, that hasn’t occurred. So, the first thing I will do when I can access my account is disable the token. While I am afraid of hackers, I’m more afraid of not being able to access my money because my bank has poorly implemented a security solution.

Leaving the country? Good luck!

USAA is hardly the only firm having trouble dealing with two-factor issues. Independent security analyst Harri Hursti told me about the foibles consumers face when dealing with two-factor authentication that relies on text messages. “The moment you start traveling, all bets are off. Text messages over roaming are far from reliable — they either are never delivered, or they experience regular delivery delays over 10-15 minutes,” Hursti said. “Basically, in order to do banking when traveling internationally, you need to start by turning all security off. And yet you are knowingly getting into an increased security risk environment.”

Gartner security analyst Avivah Litan says these kinds of issues not only threaten adoption of two-factor security but actually create more pathways for hackers. “Two-factor, in this case, actually weakens security rather than strengthens it,” Litan said. “I always tell our clients that their security is only as strong as its weakest link, and when they disable two-factor authentication on the account, they likely ask the account holder to verify their identity by answering easily compromised questions, which any criminal who can buy data on the Dark Web has access to. So not only does two-factor authentication without proper supporting processes annoy and greatly inconvenience good legitimate customers, it also does little to keep the bad guys out.”

Perhaps this problem isn’t that common yet, as uptake on two-factor is still relatively small. But with each password hack, more people will turn on two-factor authentication. If companies blow the implementation, consumers will just as quickly turn it off again. Protect and enable, or we’re all at greater risk.

This piece was written by Bob Sullivan.
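The handset-bound token the article describes is a time-based one-time password: at enrollment the authenticator app and the bank share a secret seed, and both derive the six-digit code from that seed and the current 30-second window, so a new phone carries a seed the bank has never seen. The following added example (not USAA's or Symantec's code; the account and handset classes are a simplified stand-in, and the PIN and login times are constructed) shows why the new handset cannot log in until the bank re-enrolls it, which is the step the support process in the article lacked.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # the token changes every 30 seconds, as the article describes
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Handset:
    """Stand-in for the authenticator app: the seed lives only on this device."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed

    def current_code(self, unix_time: int) -> str:
        return totp(self._seed, unix_time)


class BankAccount:
    """Stand-in for the bank's side: a PIN hash plus the seed enrolled for one handset."""

    def __init__(self, pin: str) -> None:
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._seed = None            # no token enrolled yet
        self._last_counter = -1      # highest time step already accepted (replay guard)

    def enroll_handset(self) -> Handset:
        """Generate a fresh seed and hand it to a (new) handset; the old seed is forgotten."""
        self._seed = secrets.token_bytes(20)
        self._last_counter = -1
        return Handset(self._seed)

    def login(self, pin: str, code: str, unix_time: int, window: int = 1) -> bool:
        """Something you know (the PIN) and something you have (the enrolled handset's code)."""
        pin_ok = hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest())
        if not pin_ok or self._seed is None:
            return False
        counter = unix_time // STEP_SECONDS
        for drift in range(-window, window + 1):   # tolerate one step of clock skew
            step = counter + drift
            if step <= self._last_counter:
                continue                             # each time step may be used once
            if hmac.compare_digest(totp(self._seed, step * STEP_SECONDS), code):
                self._last_counter = step
                return True
        return False


def handset_change_scenario() -> dict:
    """Walk through the article's situation: same member, same PIN, new phone."""
    t0 = 1_700_000_000                               # constructed login time
    account = BankAccount(pin="4217")                # constructed PIN
    old_phone = account.enroll_handset()
    new_phone = Handset(secrets.token_bytes(20))     # fresh app install with its own seed
    results = {}
    results["old_phone_before"] = account.login("4217", old_phone.current_code(t0), t0)
    # The new phone produces valid-looking codes, but from a seed the bank never saw.
    results["new_phone_before"] = account.login("4217", new_phone.current_code(t0 + 60), t0 + 60)
    # What the support calls in the article were trying to achieve: re-enroll the new handset.
    new_phone = account.enroll_handset()
    results["new_phone_after"] = account.login("4217", new_phone.current_code(t0 + 120), t0 + 120)
    # Once re-enrolled, the old handset's seed is no longer the one on file.
    results["old_phone_after"] = account.login("4217", old_phone.current_code(t0 + 180), t0 + 180)
    return results


if __name__ == "__main__":
    print(handset_change_scenario())
```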

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at LastWatchdog.com.

Prospects for Insurers as a Global Industry

Despite complex regulatory environments, many international insurers are starting to make acquisitions that cross borders.

This material was presented at the Global Insurance Symposium in Des Moines, Iowa. The author, a senior official in the U.S. Commerce Department, has updated it with a brief introduction.

Paul Thanos

Paul J. Thanos is the director for finance and insurance industries at the Commerce Department’s International Trade Administration. He is responsible for developing and executing policy, analysis and promotion initiatives pertaining to finance and insurance industries, trade and project finance, financial technology, impact investing and access to finance.

Data Science: Methods Matter (Part 1)

There is nothing worse than moving your business full-speed ahead in the wrong direction based on faulty analysis.

Why should an insurer employ data science? How does data science differ from any other business analytics that might be happening within the organization? What will it look like to bring data science methodology into the organization? In nearly every engagement, Majesco’s data science team fields questions as foundational as these, as well as questions related to the details of business needs. Business leaders are smart to do their due diligence, asking IF data science will be valuable to the organization and HOW valuable it might be.

To provide a feel for how data science operates, in this first of three blog posts we will touch briefly on the history of data mining methodology, then look at what an insurer can expect when first engaging in the data science process. Throughout the series, we’re going to keep our eyes on the focus of all of our efforts: answers.

Answers

The goal of most data science is to apply the proper analysis to the right sets of data to provide answers. That proper analysis is just as important as the question an insurer is attempting to answer. After all, if we are in pursuit of meaningful business insights, we certainly don’t want to come to the wrong conclusions. There is nothing worse than moving your business full-speed ahead in the wrong direction based upon faulty analysis.

Today’s analysis benefits from a thoughtfully constructed data project methodology. As data mining was on the rise in the 1990s, it became apparent there were a thousand ways a data scientist might pursue answers to business questions. Some of those methods were useful and good, and some were suspect; they couldn’t truly be called methods. To help keep data scientists and their clients from arriving at the wrong conclusions, a methodology needed to be introduced. A defined yet flexible process would not only assist in managing a specific project scope but would also work toward verifying conclusions by building in pre-test and post-project monitoring against expected results.

In 1996, the Cross-Industry Standard Process for Data Mining (CRISP-DM) was introduced, the first step in the standardization of data mining projects. Though CRISP-DM was a general data project methodology, insurance had its hand in the development: the Dutch insurer OHRA was one of the four sponsoring organizations to co-launch the standardization initiative.

CRISP-DM has proven to be a strong foundation in the world of data science. Even though the number of available data streams has skyrocketed in the last 20 years and the tools and technology of analysis have improved, the overall methodology is still solid. Majesco uses a variant of CRISP-DM, honed over many years of experience in multiple industries.

Pursuing the right questions — Finding the business nugget in the data mine

Before data mining project methodologies were introduced, one issue companies had was a lack of substantial focus on obtainable goals. Projects didn’t always have a success definition that would help the business in the end. Research could be vague, and methods could be transient. Research needs focus, so the key ingredient in data science methodology is business need. The insurer has a problem it wishes to solve. It has a question that has no readily apparent answer. If an insurer hasn’t used data scientists, this is a frequent point of entry. It is also one of the greatest differentiators between traditional in-house data analysis and project-based data science methodology. Instead of tracking trends, data science methodology is focused on finding clear answers to defined questions. Normally these issues are more difficult to solve and represent a greater business risk, making it easy to justify seeking outside assistance.

Project Design — First meeting and first steps

Phase 1 of a data science project life cycle is project design. This phase is about listening and learning about the business problem (or problems) that are ready to be addressed. For example, a P&C insurer might be wondering why loyalty is lowest in the three states where it has the highest claims — Florida, Georgia and Texas. Is this an anomaly, or is there a correlation between the two statistics? A predictive model could be built to predict the likelihood of attrition. The model score could then be used to determine what actions should be taken to reward and keep a good customer, or perhaps what actions could be taken to remove frequent or high-risk claimants from the books.

The insurer must unpack background and pain points. Does the customer have access to all of the data that is needed for analysis? Should the project be segmented in such a way that it provides for detailed analysis at multiple levels? For example, the insurer may need to run the same type of claims analysis across personal auto, commercial vehicle, individual home and business property. These would represent segmented claims models under the same project.

The insurer must identify assumptions, definitions, possible solutions and a picture of the risks involved for the project, sorting out areas where segmented analysis may be needed. The team must also collect some information to assist in creating a cost-benefit analysis for the project. As a part of the project design meetings, the company must identify the analytic techniques that will be used and discuss the features the analysis can use. At the end of the project design phase, everyone knows which answers they are seeking and the questions that will be used to frame those answers. They have a clear understanding of the data that is available for their use and have an outline of the full project.

With the clarity to move forward, the insurer moves into a closer examination of the data that will be used. In Part 2, we will look at the two-step data preparation process that is essential to building an effective solution. We will also look at how the proliferation of data sources is supplying insurers with greater analytic opportunities than ever.

Jane Turnbull

Jane Turnbull is an accomplished analytics professional with more than 20 years of experience. She has worked in team and project management and in technical, customer-facing and leadership positions. Her work has been in consulting, predictive modeling, analysis, sales support and product development.

Teamwork Lessons From Navy SEALs

You might have a plan, but be ready to make adjustments at any time -- our instructors always made drills just a little more interesting.

Navy SEALs are the ultimate team. Through precision teamwork, they accomplish almost-impossible feats, such as safely hunting down Osama bin Laden at night in a foreign country. While each SEAL is a formidable fighting machine, it’s the team that does amazing things.

Working in the insurance industry isn’t hazardous to life and limb, but it’s also a team endeavor. Success requires well-honed teams of underwriters, actuaries, agents, marketers, IT experts and others. No one succeeds without good teammates — something I was taught during team-building activities and something I was reminded of recently.

After attending a Blue Cross Blue Shield conference in San Diego, 32 of us attended a Navy SEAL boot camp on Coronado Island. This “light” boot camp was a great experience, giving us a small insight into what our servicemen and -women go through during initiation and the importance of teamwork in the military and business. We were put into two teams of 16 that were then broken up into four boat crews with people of similar heights. There was the usual physical training, during which we were told we were too hot (so we had to cool off and get into the ocean) and then too clean (so we had to roll in the sand) and then too dirty (so we had to get back into the ocean). There were team obstacle races, memory games, log drills, runs, cold ocean work and more — all starting at 5:30 a.m.

So why wasn’t I in my comfortable hotel bed at that early hour? Because it was fun, and, once I started, I didn’t want to let my team — or myself — down. Finishing the boot camp was something I couldn’t have done on my own, but having teammates meant I didn't get an automatic pass. I still had to learn to work with those teammates in the same way mountain climbers must work with theirs — and you must work with yours.

Here are some lessons I learned while at the boot camp:

Help, encourage and trust your teammates

While racing and carrying a log overhead, the first thing our four-man boat crew did was try to assess how we could best help each other carry the weight. We knew we needed to step in time so that we would not trip on each other. Walter, an ex-Marine, called out the steps from the rear. During the race, another teammate’s shoulder became very sore due to a recent operation. I moved forward to take his weight. We stayed positive, encouraged each other — and we ended up beating the young guys.

Communicate and establish a shared vision

At first, it was a little hard to communicate (as none of us knew each other), but we knew that the sooner we could communicate, the sooner we’d have an advantage. Together, we decided what the core mission and everyone’s role was. This might seem obvious, but it’s easy to lose sight of goals when faced with challenges. Whether you support your team by linking arms and sitting in the ocean while being pounded by waves, or implement software, or work to win market share, a shared vision will keep the team focused and on track.

Be flexible, keep it fun and stay warm

You might have a plan, but be ready to make adjustments at any time. Just when we thought we understood a drill, our instructors would make it a little more interesting. Todd, my teammate with the sore shoulder, got our boat crew singing during our runs. I encouraged our crew to hug to stay warm when many began to shiver from the cold-water drills. Together, as a team, we finished the boot camp. There were some who gave up or got hurt; they grabbed a doughnut and a coffee and left. But we hung in there, breaking the boot camp activities down into one task at a time — and we got through each of those tasks together.

All of us will inevitably have our own mountains to climb and oceans to cross. Yet, regardless of the landscape, we will require the help of others to reach our destination. Through the power of positive teamwork, we can harness skills beyond our own and achieve success we might not otherwise see.

Building a Strong Insurance Risk Culture

Having invested in risk processes and frameworks, insurers must devote resources to building a risk culture, to ensure adherence to policies.

More than seven years after the onset of the global crisis, the financial sector continues to attract unwanted headlines, with the spotlight shifting somewhat from banks to insurers. Consequently, regulators are taking a heightened interest in organizations’ risk management and underlying cultures. In 2014, the International Association of Insurance Supervisors (IAIS) called for insurers to demonstrate “the ability to promote a sound risk and compliance culture across the group.” The Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, has also issued guidance on risk culture, stating: “Supervisors should satisfy themselves that risk cultures are based on sound, articulated values and are carefully managed by the leadership of the financial institution.” Furthermore, the FSB stated: “Institutions with a strong culture of risk management and ethical business practices are less likely to experience damaging risk events and are better placed to deal with those events that do occur.”

Why risk culture matters

Risk culture can be described as the way in which decision-makers (at all levels within an insurer) consider and take risks. When risk appetite is fully agreed and understood, all employees are conscious of risk in their everyday decision-making, appreciate the trade-offs between risk and reward and consider the interests of the wider organization above their individual objectives. However, defining risk culture and establishing a sound risk management framework is a considerable challenge. Traditionally, "risk" within insurance is seen as solely the domain of the actuary, and employees in customer-facing or product design positions may have never acknowledged there is a risk management element to their work. Consequently, many organizations fail to prevent excessive or inappropriate risk-taking, which can, in some cases, cause significant losses, penalties and negative publicity.
One example is the recent U.K. payment protection scandal, where insurance companies and bancassurers have to pay billions in compensation for mis-selling of policies. In organizations with weak or undeveloped risk cultures, responsibility for risk management is unclear, with lack of board oversight and direction, low awareness of risks among employees and deficiencies in risk monitoring, reporting and controls. The risk management function itself is typically under-resourced and under-qualified, while key individuals such as the chief risk officer (CRO), the chief financial officer (CFO) and the approved actuary often have multiple risk decision-making roles that create an excessive workload. Perhaps more importantly, individuals are not measured or given an incentive for risk performance, and there is an over-tolerant attitude to breaches or mistakes, with those taking excessive or inappropriate risks rarely disciplined, implying that such behavior is acceptable. Within a branch network or telephone service center, staff may be under considerable pressure to meet targets, which can lead to sales of products that are not always a) in the customers’ best interests and b) in line with strategic goals. Incentive schemes are partly to blame; they reward salespeople primarily for goals set by their immediate managers, which may prioritize volume over quality. (These can apply both to direct sales and those made through intermediaries.)

See Also: The Key to Building Effective Risk Culture

Insurance companies’ reputations are also at daily risk from poor service quality resulting from slow, inaccurate or unfair claims handling or marketing messages that over-promise benefits (such as speed of replacement for stolen or damaged goods or availability of rental cars to replace damaged vehicles). A poorly designed online sales process can easily cause customers to self-select the wrong products.
Compliance reporting for regulations — including Solvency II and International Financial Reporting Standards (IFRS) — can also highlight weaknesses in risk management. Insurers may be unable to demonstrate that controls are in place and are being adhered to, and they fail to produce accurate reporting that paints a true picture of the business. Consequently, regulators are raising the bar by demanding more risk-sensitive capital regimes as well as stress and scenario requirements. They are also, increasingly, requiring a clearly articulated risk appetite statement and better assessments of risk management frameworks and risk culture, as well as expecting senior executives to be rewarded directly for encouraging sensible risk-taking behavior that supports long-term corporate financial interests.

From awareness to action

Ultimately, culture is all about action — not policies or documentation. With regulators showing an increasing interest in risk culture and behavior, how can companies take a barometer of their current capabilities to make relevant improvements? There are three important questions to address:
  1. Does the organization have appropriate structures and processes in place to define the desired culture?
  2. Are those structures and processes adequate to create the desired culture?
  3. Do structures and processes drive effective behaviors in practice?
An in-depth evaluation involves close scrutiny of risk and compliance policies, past interactions with regulators and detailed observations of staff behavior at all levels. By seeking the views of a cross-section of employees and managers, leaders can better understand employees’ attitudes toward risk management and how risk management policies, procedures and systems work in practice, highlighting any gaps. Data analysis can reveal patterns of customer complaints, regulatory fines and requests for closer supervision and monitoring across different departments and locations. Such incidents should be monitored constantly and their root causes identified to offer a continuous indicator of cultural performance. This is a sizable investment requiring strong endorsement from leaders. Insurance companies with strong risk cultures are likely to exhibit four key characteristics:

1. Tone at the top

The board and executive management should drive risk culture, with leaders exhibiting total consistency in words and actions, taking a visible lead in risk management activities — and being fully accountable when risk parameters are breached. By making risk a formal standing agenda item at board and management forums, the company's leaders can demonstrate risk management's importance to all stakeholders. They must ensure all employees are aware of the organization’s approach to risk management, reward positive behavior and act decisively when inappropriate risks are taken (if necessary through disciplinary action). It is very helpful to keep in touch with front-line activity through regular visits to branches and contact centers.

2. Communication

Although leaders set the tone, they can’t be alone in delivering messages about the importance of risk. Senior managers of divisions and business units are also part of the communication process, which must filter down through the organization — and between departments — to the most junior people. In this way, everyone can understand the risk appetite and capacity at the individual, team, department and company level. In addition to recording sales calls, staff should engage in focus groups, surveys and one-on-one interviews to ensure they are continually aware of the risk culture and are conforming to procedures. Rather than acting as static recipients of advice, all employees should be encouraged to share information and feel safe to challenge unacceptable behavior and to escalate issues. This calls for clear channels for whistle-blowing, implying it is acceptable to criticize the business’ activities without fear of retribution.

3. Responsiveness

In a risk-aware culture, issues are escalated and dealt with swiftly and decisively before they can become major problems, with a central point of contact for all employees for the management and treatment of risks. And, crucially, any learning from such incidents is assessed and built into future policies and behavior to avoid a recurrence. If something slips through the cracks, management should analyze why staff did not comply with protocols and re-educate people on the importance of such checks and balances — as well as stressing the need to act within the "spirit" of risk management.

4. Commitment

Risk must become second nature to all, not something that applies only to actuaries or a central risk team. High-profile cultural transformation programs often fail to achieve lasting change because they don’t focus sufficiently on individuals or explain how people should behave to be more risk-aware. To make cultural change happen, leaders must understand the day-to-day dilemmas faced by staff — such as management pressure on sales numbers — and address these issues directly. Performance management and related compensation systems are key to gaining commitment and should balance local branch/office sales targets with wider organizational goals, as well as rewarding good risk management behavior. That will deter staff from taking unnecessary risks in pursuit of short-term profit. Whether selling in person, by phone, online, directly or through intermediaries, the same principles of fairness and appropriateness must apply. The approval process for new marketing initiatives has to be robust to ensure the business has the capability to meet any promises. Risk management also requires new skills to identify, assess and mitigate risks, which calls for tailored training and coaching.

Good for compliance, good for the business

As well as increasing the chances of remaining compliant, a strong risk culture gives the board and shareholders greater confidence in an insurer’s integrity and in its ability to meet customer expectations. Comparison websites may have made the sector more price-driven, but customers still appreciate doing business with companies that are seen to be acting in a customer's interests, often through a company offering relevant products, attentive customer service and a swift, fair claims process.

See Also: Building a Risk Culture

Having invested in risk processes and frameworks, insurance companies must also devote resources to building a risk culture, to bringing frameworks to life and to ensuring adherence to policies. Once this has been achieved, all employees — not just actuaries — will be able to say they are risk managers.

In a strong risk culture...
  • The board and executive management drive risk culture
  • Every employee understands and embraces the organization’s risk appetite and risk management framework
  • Threats or concerns are identified and escalated swiftly, with employees comfortable (and encouraged) to raise issues
  • Individuals are clear about the risks inherent in their strategic and day-to-day decisions
  • Every employee continuously learns from the experiences of others
  • Personal and organizational interests are aligned via appropriate performance metrics and links to remuneration
  • Risk behavior is monitored regularly, with swift corrective actions taken after any breaches
  • Staff are encouraged to consult with a superior when it is unclear whether a particular action is outside the organization’s risk tolerance
Questions for insurers
  • Is your board able to articulate the kind of risk culture it wants, and can it explain this clearly to all employees?
  • Does your board have a road map toward a strong risk culture, and can it demonstrate steps it is taking in this direction?
  • Are risks being identified, measured, managed and controlled in a manner consistent with the organization’s risk appetite?
  • Does your staff understand and adhere to the organization’s risk appetite — as it relates to their particular roles?
  • Do employee incentives promote long-term financial sustainability?
  • Do employees at all levels have the skills to manage risk effectively?
Reprinted from "Regulatory Challenges Facing the Insurance Industry in 2016," Copyright: 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International. All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of a particular situation. For additional news and information, please access KPMG's global web site.

Rob Curtis

Rob Curtis joined KPMG Australia on 1 April 2014 to lead the ASPAC Insurance Risk and Regulatory practice and continues to be KPMG’s global regulatory lead for insurance. Curtis has significant experience in regulation having developed the UK ICAS regime and leading the FSA’s Solvency II program.

Fixing the Economics of Securities Defense

The economic structures of typical securities defense firms result in costs that significantly exceed what is rational to spend in a usual class action.

In my last D&O Discourse post, “The Future of Securities Class Action Litigation,” I discussed why changes to the securities litigation defense bar are inevitable: In a nutshell, the economic structures of the typical securities defense firms — mostly national law firms — result in defense costs that significantly exceed what is rational to spend in a typical securities class action. As I explained, the solution needs to come from outside the biglaw paradigm; when biglaw firms try to reduce the cost of one case without changing their fundamental billing and staffing structure, they end up cutting corners by foregoing important tasks or settling prematurely for an unnecessarily high amount. That is obviously unacceptable. The solution thus requires us to approach securities class action defense in a new way, by creating a specialized bar of securities defense lawyers drawn from two groups: lawyers from national firms who change their staffing structure and lower their billing rates, and experienced securities litigators from regional firms with economic structures that are naturally more rational.

See Also: Future of Securities Class Actions

But litigation venues are regional. We have state and federal courts organized by states and areas within states. Because lawyers need to go to the courthouse to file pleadings, attend court hearings and meet with clients in that location, the lawyer handling a case needs to live where the judge and clients live. Right? Not anymore. Although the belief that a case needs a local lawyer persists, that is no longer how litigation works. We don’t file pleadings at the courthouse; we file them on the Internet from anywhere (even from an airplane). These days, in most cases, there are just a handful of in-person court hearings. And the reality is that most clients don’t want their lawyers hanging around in-person at their offices because email, phone calls and Skype suffice.
Even document collection can be done mostly electronically and remotely. And with increasingly strict deposition limits and witnesses located around the country and the world, depositions don’t require much time in the forum city, either. In a typical Reform Act case, where discovery is stayed through the motion-to-dismiss process, the amount of time a lawyer needs to spend in the forum city is especially modest. If a case is dismissed, the case activities in the forum city (in a typical case) amount only to (1) a short visit to the client's offices to learn the facts necessary to assess the case and prepare the motion to dismiss and (2) the motion-to-dismiss argument, if there is one. Indeed, assuming a typical securities case requires 1,000 hours of lawyer time through an initial motion to dismiss, fewer than 50 of those hours — one-half of 1% — need to be spent in the forum city. The other 99.5% can be spent anywhere. Discovery doesn’t change these percentages much. Assume it takes another 10,000 hours of attorney time to litigate a case through a summary judgment motion (so 11,000 total hours). Four lawyers/paralegals spending four weeks in the forum city for document collection and depositions (a generous allotment) yields only another 640 hours. So, in my hypothetical, only 0.63% of the defense of the case requires a lawyer to be in the forum city. The other 99.37% of the work can be done anywhere. Because a biglaw firm would litigate a securities class action with a larger team, the total number of hours in a typical biglaw case would be much higher (both the total defense hours and the total number of hours spent in the forum city), but the percentages would be similar. And the cost of travel does not move the economic needle. Of course, if a firm is willing not to charge for travel time and travel costs to the forum city, there is no economic issue. My firm is willing to make this concession, and I would bet others are, as well.
Even if a firm does charge for travel cost and travel time, the cost is minuscule in relationship to total defense costs. For example, my total travel costs (airfare and lodging) for a five-night trip to New York City are typically less than the cost of two biglaw partner hours. Of course, there are some purposes for which local counsel is necessary, or at least ideal: someone who knows the local rules, is familiar with the local judges and is admitted in the forum state. But the need to use local counsel for a limited number of tasks doesn’t present any economic or strategic issue, either — if the lawyers’ roles are clearly defined. Depending on the circumstances, I like to work either with a local lawyer in a litigation boutique that was formed by former large-firm lawyers with strong local connections or with a lawyer from a strong regional firm. I just finished a case where the local firm was a boutique and a case where the local firm was another regional firm. In both cases, the local firms charged de minimis amounts. In some cases, the local firm can, and should, play a larger role, but whatever the type of firm and its role, the lead and local lawyers can develop the right staffing for the case and work together essentially as one firm — if they want to. All of these considerations show securities litigation defense can and should be a nationwide practice. It is no longer local. We need to look no further than the other side of the “v” for a good example. Our adversaries in the plaintiffs’ bar have long litigated cases around the country, often teaming up with local lawyers from different firms. Like securities defense, plaintiffs’ securities work requires a full-time focus that has led to a relatively small number of qualified firms. The qualified firms litigate cases around the country, not just in their hometowns or where their firms have lawyers. 
This all seems relatively simple, but it requires us all to abandon old assumptions about law practices that are no longer applicable and embrace a new mindset. Biglaw defense lawyers need to obtain more economic freedom within their firms to reduce their rates and staffing for typical securities cases, or they must face the reality that their firms perhaps are better-suited only for the largest cases. Regional firms must recruit more full-time securities litigation partners and be willing not to charge for travel time and costs. And companies and insurers must appreciate that securities litigation defense will improve — through better substantive and economic results in both individual cases and overall — if they recognize a good regional firm with dedicated securities litigators can defend a securities class action anywhere in the country and can usually do so more effectively and efficiently than a biglaw firm.

Douglas Greene

Douglas Greene is chair of the Securities Litigation Group at Lane Powell. He has focused his practice exclusively on the defense of securities class actions, corporate governance litigation, and SEC investigations and enforcement actions since 1997. From his home base in Seattle, he defends public companies and individual directors and officers in such matters around the United States.

Zenefits: Only the Start for Brokerages

Whether you agree with what Zenefits did or not, you can’t argue with its results -- so more brokerages will follow its example.

As this election year unfolds, many are questioning what created Donald Trump. Why him? Why now? On the other end of the spectrum, the same could be said of Bernie Sanders. In the benefits world, I relate the political landscape to Zenefits and former CEO Parker Conrad. What is it that allowed Zenefits to come to be? As Zenefits now regroups to begin its post-Conrad journey, firms like Namely are getting press and stepping into the market in a similar way. Some say Silicon Valley breeds arrogance and often enables young entrepreneurs to create companies and attack the market and competitors with a vengeance. These young guns want to disrupt the market and change the rules of the game to deliver something new and better.

See Also: How Likely Is Zenefits to Change?

Whether you agree with the Zenefits model or not, you can’t argue with its results. According to Bloomberg, the company's revenue was close to $63 million annually as of the fourth quarter of 2015. This means:
  • $63 million in customers fired their broker because Zenefits promised something their current broker was not delivering;
  • $63 million in customers valued what I think is the equivalent of a $5 per-employee-per-month (PEPM) technology more than they valued the services delivered by their $25-$35 PEPM benefit broker; and
  • $63 million in customers did not care that there was no local service.
While Conrad has left this stage, the conditions that allowed him to grow his business still exist. And I am sure the Zenefits executives and investors — including Andreessen Horowitz and Fidelity — are not going to let $63 million in revenue slip away without a fight. What Zenefits accomplished is to let the world know there are many employers out there that value what Zenefits promised to deliver.
In fact, according to industry analyst and marketing guru Mark Mitchell of the Starr Conspiracy, there was $2.1 billion invested in the human capital management technology and services space in 2015 and $600 million in the first quarter of 2016. As Mitchell said at a recent conference, “Those checks are being cashed.” Soon, there will be a tsunami of new products, services and marketing in the human capital management (HCM) technology and service areas that are going to hit the market. Employers will be getting phone calls and webinar invites and attending conferences where these new solutions will be heavily promoted. Case in point: Have you ever seen a TV commercial or heard a radio commercial about HR technology before Zenefits and Namely? This is a hot market, and as one venture capital firm representative said to me, “We are only interested in investing in firms that go after the benefits commissions.” The commission is in play, and $2.1 billion in investment capital knows it. I have been in the benefit business since 1986, and many of the same problems still exist. Administration is still complex. Benefits are still confusing and are only getting more confusing. Costs are still going up. And now, in today’s world, cost shifting onto employees is creating financial stress on them. It is getting worse, not better. As long as the current market does not solve these problems, then there is an opportunity for someone else to do so. In the political arena, whether Trump wins or loses, the conditions that allowed him to secure the nomination aren’t going away. Certainly, the millions who support him won’t disappear overnight. They are still Americans living in our society. In the benefits world, whether Zenefits survives also doesn’t matter. The conditions that enabled it to enter the market and grow still exist. Employers still want what Zenefits promised. Managing benefits is still burdensome. Costs are still going up. 
People still don’t understand their health insurance. The market conditions have not changed. The opportunity for another company like Zenefits — or 10 of them or 100 of them -- still exists. And while Parker Conrad is in the rear view mirror, others are coming. And it will be a tsunami. This was originally written for Employee Benefit Advisor Magazine.

Joe Markland

Joe Markland is president and founder of HR Technology Advisors (HRT). HRT consults with benefits brokers and their customers on how to leverage technology to simplify HR and benefits administration.

Cyber and Physical Threats Are Colliding

Over the next four years, the number of connected devices is expected to grow to as many as 50 billion, and the risks are becoming physical.

Overview

A quarter of a century after the Worldwide Web began to transform the Internet into the indispensable tool we all rely on today, we’re entering a new digital revolution. Over the next four years, the number of connected devices is expected to grow to as many as 50 billion, according to the 2015 Ponemon Global Cyber Impact Report sponsored by Aon. Business is expected to make up a far larger percentage of Internet of Things (IoT) usage than the consumer — IoT is more about smart factories and computer-controlled office systems than shiny gadgets like smart watches and fitness trackers. The risks are becoming physical. Some of these new devices could cause serious real-world damage. We’ve already seen manufacturing plants seriously damaged by cyber attacks and electricity grids and automobiles shut down by hackers. It’s only a matter of time before such threats become more common and more physically dangerous to both people and property. With the rise of new technology comes fresh opportunity for business — but also new risk. In the workplace, every new connected device represents a new link in the IT chain. With the age of the Internet of Things upon us, what are the new risks and what do business leaders need to know to be prepared?
Projected growth of Internet-connected devices, 2013-2020

Source: 2015 Ponemon Global Cyber Impact Report, sponsored by Aon

In-Depth

New Technology, Big Opportunities

The benefits of Internet connections are hard to overstate. For businesses, the Internet of Things offers the promise of quantified everything. Employers will be able to track productivity and leverage metrics to uncover new efficiencies. With connected sensors underpinning every square inch of an organization’s footprint — once-siloed data sets can be integrated, correlated and cross-referenced — it will become easier to identify new efficiencies and deliver new value.

See Also: Cyber Threats to Watch This Year

The benefits are immense – but so, potentially, are the risks. “As we move into having smart workplaces and offices, you’re really talking about a technology backbone that’s driving an organization,” says Stephanie Snyder Tomlinson, a cyber insurance expert at Aon. “What impact can that have on a business? What are the potential losses to an organization if you have a network security breach that results in property damage or bodily injury?”

Digital Threats Turn Physical

An unfortunate side effect to some of the highest-profile recent cyber breaches is that many people have come to regard cybercrime as solely a privacy issue. It can be far more complex than that. “If there is a failure of network security or systems,” Snyder Tomlinson warns, “there could be a resultant business income loss. It could be intangible loss in terms of loss of data information assets or, especially as we move into relying more heavily on technology and the Internet of Things, it could be tangible loss, as well.” You don’t need to look very far to get a sense of the potential risks to property and other physical assets when the Internet of Things begins to help run a workplace. As organizations grow increasingly dependent on technology to run their businesses and offices, the attack surface for cybercriminals increases dramatically. Each new device represents an additional access point for hackers.
The scenarios that could result can sound like something out of a science fiction film:
  • Does your building have computerized entry or elevator systems, with smartcard keys for access? Hackers could take control and lock down your building, trapping employees and visitors inside.
  • Computer-controlled electricity or water supplies can be shut down, rendering working impossible.
  • Connected thermostats are becoming increasingly common and could be taken over — shutting off heating in winter or air conditioning in summer, driving temperatures to unbearable levels and making your office unusable.
  • Logistics servers managing orders and deliveries could be hacked, with real orders canceled, false orders placed or essential supplies redirected to the wrong locations, disrupting your supply chain.
  • Factory robots could be set to destroy rather than create your products.
  • HVAC systems in a company data center could be overridden, causing a rise in temperature that could render network servers inoperable.
  • Fire alarm systems could be turned off just as real-world arsonists attack.
These may sound far-fetched, but are already reality. A cyber attack on a German steel mill in late 2014 caused immense physical damage after hackers installed malware on the network. “It caused the blast furnace to be unable to be shut down, leading to massive property loss,” Snyder Tomlinson says. “The property loss arose from a network security breach. It’s a perfect example of the potential risks when you have companies that are relying on technology to run their business.”

Understanding the level of risk

“There’s always going to be some type of access point into a network, in one way, shape or form,” Snyder Tomlinson says. “You can have the best network security possible, but as everybody says, ‘It’s not if, it’s when.’” Consequently, many companies are revisiting their approach to cyber security. Organizations previously concerned only with safeguarding client privacy and personally identifiable information are suddenly contemplating a broader loss spectrum. “We’re seeing more interest in cyber insurance from manufacturers and critical infrastructure companies, because they recognize that their exposure isn’t necessarily just about private information or the liability arising out of a breach,” Snyder Tomlinson says. “We’re going to continue to see growth in the breadth of cyber coverage over the next several years, where we’re getting into the true property space, because there is the potential to have a property loss arising out of a network security breach or a systems failure.” Snyder Tomlinson says this is why businesses need to take a holistic view of their cyber vulnerability — “Cyber risk flows through an entire organization.” A good cyber risk management framework has three key elements, she says:
  1. Preparation – Identify and quantify your cyber risk exposures. Develop a breach response plan and business continuity plan. Consider taking out a cyber insurance policy, which can assist with the potential balance sheet impact of a breach.
  2. Practice – Speed of response can be vital to limit damage in the event of a breach. Identify the key stakeholders within the organization and perform a tabletop scenario exercise to ensure everyone knows the role they need to play should an incident occur.
  3. Execution – Engaging with appropriate vendors is critical to successful execution. An organization should have relationships with defense lawyers, a public relations firm and a computer forensics firm so that a firm can work with it to mitigate loss in the event of a breach.
With the rise of the Internet of Things, cyber crime is no longer simply about loss of information. Increasingly, you need to consider the possibility that cyber could be just as physically disruptive to your business as a natural disaster or a terrorist incident. This is no longer simply a data issue — today, property and, potentially, lives could be at stake.

John Bruno

John G. Bruno serves as Aon’s chief operating officer as well as chief executive officer of Aon’s data and analytic services solution line, which includes the firm’s technology-enabled affinity and human capital solutions businesses.