
Key Regulatory Issues in 2016 (Part 2)

Large insurers must understand and manage regulatory mandates across more jurisdictions and services than ever before.

The complexities of the current regulatory environment undoubtedly pose significant challenges for the broad spectrum of financial services companies, as regulators continue to expect management to demonstrate robust oversight, compliance and risk management standards. These challenges are generated at multiple, and sometimes competing, levels of regulatory authority, including state and local, federal and international, and, in some cases, by regulatory entities that have been newly formed or given expanded authority. Their demands are particularly pressing for the largest, most globally active firms, though smaller institutions are also struggling to optimize business models and infrastructure to better address the growing regulatory scrutiny and new expectations.

In the first part of this two-part series, we covered the first five key regulatory issues we anticipate will have an impact on insurance companies this year. Here are the final five:

6. Transforming the Effectiveness and Sustainability of Compliance

Compliance continues to be a top concern for financial institutions and insurance companies as the pace and complexity of regulatory change, coupled with increased regulatory scrutiny and enforcement activity, have pushed concerns about reputation risk to new levels. These firms need to be able to respond to changes in their internal and external environments with flexibility and speed to limit the impact of potentially costly business shifts or compliance failures. Doing so, however, can demand enhancements to the current compliance risk management program that build adaptability into the inter-relationships of the people, processes and technologies supporting compliance activities; augment monitoring and testing to self-identify compliance matters and expand root cause analysis; and integrate compliance accountability into all facets of the business.

Compliance accountability starts with a strong compliance culture that is supported by the "tone from the top" and reaches across all three lines of defense, recognizing that each line plays an important role within the overall risk management governance framework. Transforming compliance in this way allows it to align on an enterprise-wide basis with the firm's risk appetite; strategic and financial objectives; and business, operating, functional and human capital models.

7. Managing Challenges in Surveillance, Reporting, Data and Control

Driven largely by regulatory requirements and industry pressures for increased speed and access, trade and transaction reporting has become increasingly complex. Capturing and analyzing vast amounts of data in real time remains a massive challenge for financial services firms, as regulators continue to initiate civil and criminal investigations and levy heavy fines on broker-dealers, investment banks and insurance companies for failures to completely and accurately report required information. In addition, ensuring compliance with federal and state laws prohibiting money laundering, financial crimes, insider trading, front running and other market manipulation and misconduct remains critically important. In the coming year, it will be essential for financial institutions and insurance companies to reassess the strength and comprehensiveness of their compliance risk management programs to better manage and mitigate both known and emerging regulatory and legal risks and to respond to prospective market structure reforms.

8. Reforming Regulatory Reporting

The financial services industry, including the insurance sector, continues to face challenges around producing core regulatory reports and other requested financial information, as demands from both regulators and investors have increased exponentially in the wake of the financial crisis.

For insurance companies, the IAIS faces a significant challenge because there is no common basis of accounting applied across jurisdictions, either for regulatory or for financial reporting purposes. The need for consistent regulatory reporting has been highlighted by the efforts of the IAIS to develop an insurance capital standard (ICS) for internationally active insurance groups (IAIGs), as well as basic capital requirements (BCR) and a higher loss absorbency (HLA) requirement for global systemically important insurers. The IAIS is moving toward a market-consistent basis of valuation for both assets and liabilities to underpin this effort.

Complementing the work previously performed by the Financial Stability Oversight Council, which solicited comment on certain aspects of the asset management industry, including requests for additional financial information that would be helpful to regulators and market participants, the SEC proposed rules to modernize and improve the information reported and disclosed by registered investment companies and investment advisers (Investment Company Reporting Modernization, proposal published in June 2015). Among other areas of reform, the SEC's rule is intended to provide enhanced information that will be used to monitor risks in the asset management industry as a whole and to increase the transparency of individual fund portfolios, investment practices and investment advisers, particularly for derivatives, securities lending and counterparty exposures. Fund administrators and managers will likely need to carefully consider and implement the new governance, operational and reporting capabilities necessary to support enhanced reporting and disclosure requirements.

9. Examining Capital

Recovery and resolution planning and the enhanced prudential standards (EPS) for large U.S. bank holding companies, foreign banking organizations and insurance and nonbank financial companies have brought capital planning and liquidity risk management to the forefront, as regulators have sought to restore both public and investor confidence in the aftermath of the financial crisis. Financial institutions, including nonbank SIFIs, are required to demonstrate their ability to develop internal stress testing scenarios that properly reflect and aggregate the full range of their business activities and exposures, as well as the effectiveness of their governance and internal control processes. A growing number of state regulators have adopted the Own Risk and Solvency Assessment (ORSA) requirement to support insurers' risk management and capital adequacy. The international development of an insurance capital standard for IAIGs continues, along with the BCR and HLA requirements. In the U.S., the NAIC and state regulators are working closely with the Federal Insurance Office, the Federal Reserve and industry participants to develop a group capital assessment. Insurers, however, are challenged to fit capital requirements originally designed for banks into the insurance business model, and to reconcile group capital with local entity capital requirements. The potential variability and current uncertainty resulting from these and other pending requirements may limit funding flexibility and make capital planning difficult, as financial institutions will need to consider the ties between capital and liquidity in areas such as enterprise-wide governance, risk identification processes, related stress testing scenarios and interrelated contingency planning efforts.

10. Managing the Complexities of Cross-Border Regulatory Change

The largest financial institutions and insurance companies must now understand and manage regulatory mandates across more jurisdictions and services than ever before. Regulatory obligations and cross-border pressure points continue to challenge global financial firms to move past their current reactive mode of response to high-impact regulatory change. For insurers and their regulators (both international and domestic), the integration of ComFrame (the Common Framework for the Supervision of IAIGs) into local entity requirements as it is adopted by individual jurisdictions will be one such challenge. Anticipating the recognition of "equivalence," or a covered agreement, for certain U.S. regulations under Solvency II for U.S. insurers operating in Europe is another. To address these challenges, financial institutions and insurance companies will need to consider implementing a regulatory change management framework that is capable of centralizing and synthesizing current and future regulatory demands and that incorporates both internally developed and externally provided governance, risk management and compliance change tools. Such a framework will enable financial entities to improve coordination across their operations and gain insights that can improve overall performance, ensure risk management and compliance controls are integrated into strategic objectives, avoid redundancy and rework and better address regulatory expectations in a practical and efficient way.

This piece was co-written by Amy Matsuo, Tracey Whille, David White and Deborah Bailey.

Stacey Guardino


Stacey Guardino is a New York based partner in KPMG’s financial services regulatory practice. She has more than 25 years of experience serving diversified financial institutions focusing on insurance and bank holding companies.

It's Time for a Consumer Bill of Rights

It is time for the insurance industry to wake up -- or it will have further fiduciary regulations and scrutiny thrust upon it.

On April 6, 2016, the Department of Labor (DOL) released its long-awaited fiduciary rule. It is clear that things will never be the same. While the fiduciary rule is limited in the products to which it applies, it is a clear sign that the time has arrived for the Insurance Consumer Bill of Rights. Some complain bitterly about the rule (William Shakespeare has Queen Gertrude say in Hamlet, "The lady doth protest too much, methinks"), but there is clearly a trend: the DOL's fiduciary rule, the proposed rule by the SEC, new consumer protection rules for seniors and the volume of complaints to the Consumer Financial Protection Bureau. To go from Shakespeare to a more modern poet, Bob Dylan sang, "The times they are a-changin'." It is time for the insurance industry to wake up. If the way business is conducted remains as is on products not covered by the fiduciary rule, there will be further regulations and scrutiny thrust upon the insurance world, and there will be less opportunity to have a voice at the table.

Insurance Agents, Distribution Systems and Reasonable Compensation

The traditional agent system has been fading away over the last couple of decades. Very few companies still have their own "captive" agents. "Captive" agents are those who primarily represent one specific insurance company, such as Northwestern Mutual Life, New York Life, Mass Mutual, State Farm, Farmers or Allstate, and who receive office space and other support from that company. Most insurance is now sold by agents who represent multiple insurance companies and who try to find the optimal coverage for their clients at the most affordable premiums. Of course, there are agents who are driven by commissions, and those are the ones most affected by the fiduciary rule and whatever comes next. Acting in the best interests of a client is something the majority of agents strive to do, but enough agents don't that this type of regulatory change is warranted.

Insurance companies are rethinking their distribution strategies, as MetLife and AIG have shown. MetLife recently sold off its Premier Client Group (a retail distribution entity with approximately 4,000 advisers). American International Group (AIG) sold off its broker-dealer operation. And a number of insurance companies have withdrawn from the U.S. variable annuity marketplace over the last few years, among them Voya (formerly ING), Genworth and SunLife, while Fidelity stopped selling MetLife annuities. The real concern for insurance companies and agents is that they will no longer be able to sell a product that can't be fully justified as suitable for the client. In other words, selling the annuity with the highest commission and the best incentives will no longer cut it. While the DOL rule applies only to annuities sold in qualified plans, is it really a stretch of the imagination to expect class action lawsuits against agents who do not follow the same practices outside of qualified plans?

And of course there is the issue of reasonable compensation. Reasonable compensation under the Best Interest Contract Exemption (BICE) is not specifically defined and is certainly open to interpretation. The DOL notes several factors in determining reasonable compensation: market pricing of services and assets, the cost and scope of monitoring and the complexity of the products. One interpretation is that advisers who have more education (certifications, degrees, licenses, etc.) may be able to justify higher fees or commissions. This is also a good thing, as it will encourage advisers to improve their skill set and be of better service to their clients. The Insurance Quality Mark is a great way for agents to show their level of expertise and professionalism.

That Ticking Sound You Hear?

The current distribution system is ill-suited to the types of products sold and the accompanying incentives. Agents receive higher compensation for less competitive products, and they receive incentives for making sales targets. This is traditional for sales in any industry. However, as we've seen in the investment community, there are now few traditional commissioned stock brokers and investment advisers, while the majority are fee-based planners. Consumers expect more and are more financially literate. The Internet especially has changed the way financial products are sold, and insurance is part of the financial world.

The Securities and Exchange Commission may finally be spurred to move forward with its own fiduciary regulation. SEC Chair Mary Jo White has stated that fiduciary reform is in order at the commission, and that the SEC should harmonize the rules for investment advisers and broker-dealers serving retail clients. And will FINRA (the Financial Industry Regulatory Authority), the NAIC (National Association of Insurance Commissioners), the CFPB (Consumer Financial Protection Bureau), the U.S. House of Representatives, the U.S. Senate or some other body move forward with their own sets of rules and regulations?

The marketing material that I see from many firms says, "We put our customers first." Thomas E. Perez, the secretary of labor, said in an interview: "This is no longer a marketing slogan. It's the law." The pressure is on annuity companies and insurance companies to design simpler products with lower fees and increased transparency. Everyone needs to rethink the entire sales and policy management process and follow the best practices outlined in the Insurance Consumer Bill of Rights. It requires insurance agents to place their clients' (insurance consumers') best interests first to the best of their ability. The Insurance Consumer Bill of Rights focuses on common sense, thorough communication and quality service delivered in a way that benefits everyone. Following the Insurance Consumer Bill of Rights is a win for everyone.

The Bottom Line

Insurance agents, insurance brokers and insurance companies can be the leaders in providing insurance consumers with rights, or they can be led by follow-ups to the DOL's fiduciary rule. The DOL's fiduciary rule is not the end; it is only the beginning. Again, it is good business for everyone when firms must fairly disclose fees, compensation and material conflicts of interest associated with their recommendations and must not give their advisers incentives to act contrary to their clients' interests. (It's a sad state of affairs that such a requirement is necessary.) The future is up to us. If we start to treat annuities and cash value life insurance as the complex financial vehicles that they are, and start to better educate our clients and ourselves and carefully service them, there will be positive outcomes. If we continue with the current approach, with its lack of education and disclosure, more contracts will terminate, there will be significant negative consequences for policy/contract owners and their beneficiaries, and agents may very well find themselves as defendants in litigation.

The Insurance Consumer Bill of Rights:
  1. The Right to Have Your Agent Act in Your Best Interest: to the best of her ability. Keep in mind that agents are not fiduciaries and are agents of the insurance company(ies). An agent recommendation should not be influenced by commissions, bonuses or other incentives (cash or non-cash). An agent should not collect a fee and a commission from the same client for the same work.
  2. The Right to Receive Customized Coverage Appropriate to Your Needs: An insurance agent should review your potential coverage needs per each line of coverage under consideration and take into account any existing coverage. Any new recommended coverage must fill a need (gap in coverage). Any replacement must be carefully reviewed with all pros and cons considered and presented in writing to the consumer.
  3. The Right to Free Choice: You have the right to receive multiple competitive options and to choose your company, agent and policy. Agents, brokers and companies must inform you in simple language of your coverage options when you apply for an insurance policy. Different levels of coverage are available, and you have the right to know how each option affects your premium and what your coverage would be in the event of a claim.
  4. The Right to Receive an Answer to Any Question: You're the buyer, so you have the right to ask any question and to receive an answer. The answer should fully and completely address your question or concern and be understandable. If you don't understand something, you as the buyer have a duty to ask questions, and, if you still don't understand, you shouldn't buy that policy.
  5. The Right to Pay a Fair Premium: There must be full disclosure on how policy premiums are calculated and the impact of different risk factors specific to the type of coverage proposed. Also, information should be provided on factors that may reduce the premium in the future.
  6. The Right to Be Informed: You need to receive complete and accurate information in writing; anything said or promised orally must be put in writing. This includes full information on any recommended insurance company, including name, address, phone number, website and financial strength rating(s).
  7. The Right to be Treated Fairly and Respectfully: This includes the right to not be pressured. If there is a deadline, the reason must be presented. If an offer is too good to be true, then it most likely is too good to be true. Insurance agents and companies should keep information private and confidential.
  8. The Right to Full Disclosure and Updates: You must receive notice of any changes in the coverage in easy-to-understand language and any relevant changes in the marketplace. All relevant information and disclosure requirements (required or not) on an insurance product must be presented to the client. You must receive in writing a summary of all surrender charges, length of surrender period and any additional costs for early termination. In any replacement situation, all pros and cons must be submitted in writing.
  9. The Right to Quality Service: You must be able to have your coverage needs reviewed at any time upon request, whenever a major event would affect coverage and at least annually. The agent must determine whether changes have occurred with the client or in the marketplace that would dictate changes to the insurance coverage. This includes prompt assistance on any claims.
  10. The Right to Change or Cancel Your Coverage: This right must come without any restrictions or hassles.
View the Department of Labor conflict of interest final rule by clicking here. Support the Insurance Consumer Bill of Rights by signing the petition and sharing this post.

Tony Steuer


Tony Steuer connects consumers and insurance agents by providing "Insurance Literacy Answers You Can Trust." Steuer is a recognized authority on life, disability and long-term care insurance literacy and is the founder of the Insurance Literacy Institute and the Insurance Quality Mark and has recently created a best practices standard for insurance agents: the Insurance Consumer Bill of Rights.

Moving Past ERM: New Focus Is ERRM

When ERM is practiced in a mature and robust fashion, it should boost an organization’s resiliency and add an R to the acronym.

No, the title does not have a typo. ERRM refers to Enterprise Risk and Resiliency Management. And, no, it is not necessarily new. When ERM is practiced in a mature and robust fashion, it should add to an organization's resiliency. Resilience refers both to the ability to rebound after a loss has occurred due to a risk that could not be fully mitigated or was unrecognized, and to the ability to capitalize on upside risk.

Let's look at two scenarios.

Company A, an industrial manufacturer, implemented ERM several years ago. Its risk committee, recognizing changing climate conditions and weaknesses in an aging facility, got approval for a multi-year investment in flood protection. This decision was made part of the strategic plan. Not only did the company invest in flood gates for the access points to its lower levels, but it also cemented over unneeded windows and redesigned storage racks at sub-levels. All drainage lines around the facility were tested and repaired where required. Very importantly, its business continuity and disaster recovery plans were updated and had been rehearsed in tabletop exercises. So, when a one-in-50-year flood occurred and crippled other businesses in the area for weeks, Company A was virtually unaffected. It was able to resume full business operations in two days. On top of that, it was able to capitalize on the excellent local press coverage it received, which enhanced its ability to attract the talent it had been seeking from the area. For this company, ERM was more than identifying risks and creating reports. It was about taking action to build true resiliency in the face of risk.

Company B, a women's clothing design and manufacturing company, practiced ERM with a very strategic approach. That is, the risks to the company's strategic direction were addressed first and became a key component of the risk identification and mitigation processes. When changes in customer preferences and buying habits were identified as risks to the current strategy, the strategy was adjusted accordingly. Since women were trending toward buying fewer and more basic garments (for example, slacks that could be worn with multiple tops) while buying more accessories at higher prices, the company added new product lines such as jewelry and handbags. As margins became squeezed at less diversified companies, this company prospered. Its quick reaction to an emerging risk by adding product lines was rewarded with year-over-year return on equity (ROE) increases for each year of the strategic plan period. In other words, the company found the upside of risk and enhanced its resiliency because of it.

These hypothetical companies, based loosely on actual ones, illustrate that ERM is not just about risk; ERM is about resiliency. It is about the ability to address risk in such a way as to wind up in as good a position as, or a better one than, the company was in before having dealt with the risk or its impact.

How do companies embed resiliency into their ERM programs? Each of the following points enables greater resiliency when practiced consistently:
  • ERM needs to be strategic. First, risks to the strategy must be analyzed as well as operational and other risks. Second, risk mitigation plans for all risks that require a significant commitment of organizational resources need to be documented in the strategic plan to ensure there is proper allocation of such resources. In its fifth annual risk report, PwC has a recommendation that reinforces this idea while adding the element of business continuity planning, “Ensure strong triangulation between strategy, risk management and business continuity management.”
  • ERM must be seen to offer insights not only to the downside of risk but also to the upside. How does a given risk offer an opportunity in addition to or instead of a threat? If rising raw material costs are posing a risk to profitability, how can buying consortiums, vertical integration, multi-year contracts or changing the material composition of products pose opportunities? Innovation has a role to play in seeing and responding to the upside of risk. Indeed, risk and managing risk can be catalysts for innovation.
  • ERM mitigation plans need to be as bold as necessary to meet the potential impact level posed by the risk. For example, it does little good to mitigate a reputational risk by issuing a statement of corporate values when hiring a new senior team is what is needed. A particular mitigation plan may need to be as big as entering a new market or leaving an established one, moving a manufacturing center to a new location or making a sizeable technology investment to stay competitive or safeguard property.
  • Business continuity and disaster recovery plans are not sufficient to create resiliency. Public relations plans are also necessary to support resiliency. When there is a serious, public risk event, stakeholders want to know the what, the why and how it will be handled. Companies such as BP (during the Deepwater Horizon oil spill in the Gulf of Mexico) and Toyota (during the faulty power window allegations and recall) learned that statements by CEOs could make the situation worse than it already was, thereby heightening the risk. PR plans need to spell out how the company will communicate in terms of transparency, tone and the types of meaningful responses it is prepared to make to address the issue in question.
  • ERM must be a continuous process in which risks are updated and mitigation plans are monitored and adjusted on a regular basis. Given the pace of change, the ERM process must be as dynamic as the environment within which it exists. When a risk morphs, the actions planned to address it must morph with it; when new risks emerge, tactics to deal with them must be developed. Complacency or slow reaction time will sabotage an ERM process. As such, neither must be allowed to invade the process. If they do, resiliency will surely be sacrificed.
The marketplace continues to see seismic disruption and more massive shocks than ever before. Companies lacking the ability to bounce back from the effect of these will not be able to survive long-term. That is why every effort must be made to create a resilient form of risk management that deserves to be labeled ERRM.

Donna Galer


Donna Galer is a consultant, author and lecturer. 

She has written three books on ERM: Enterprise Risk Management – Straight To The Point, Enterprise Risk Management – Straight To The Value and Enterprise Risk Management – Straight Talk For Nonprofits, with co-author Al Decker. She is an active contributor to the Insurance Thought Leadership website and other industry publications. In addition, she has given presentations at RIMS, CPCU, PCI (now APCIA) and university events.

Currently, she is an independent consultant on ERM, ESG and strategic planning. She was recently a senior adviser at Hanover Stone Solutions. She served as the chairwoman of the Spencer Educational Foundation from 2006-2010. From 1989 to 2006, she was with Zurich Insurance Group, where she held many positions both in the U.S. and in Switzerland, including: EVP corporate development, global head of investor relations, EVP compliance and governance and regional manager for North America. Her last position at Zurich was executive vice president and chief administrative officer for Zurich’s world-wide general insurance business ($36 Billion GWP), with responsibility for strategic planning and other areas. She began her insurance career at Crum & Forster Insurance.  

She has served on numerous industry and academic boards. Among these are: NC State’s Poole School of Business’ Enterprise Risk Management’s Advisory Board, Illinois State University’s Katie School of Insurance, Spencer Educational Foundation. She won “The Editor’s Choice Award” from the Society of Financial Examiners in 2017 for her co-written articles on KRIs/KPIs and related subjects. She was named among the “Top 100 Insurance Women” by Business Insurance in 2000.

What to Do When Catastrophes Go Viral

To avoid getting left behind, companies need to prepare for how they will communicate using social media when a catastrophe strikes.

sixthings
The power of social media is undeniable. Whether it’s political movements, disasters, or breaking news, social media delivers unfiltered information instantaneously to people around the world. When a catastrophe occurs today, comments, pictures and video are likely to appear on the Internet as it happens. For instance, a deadly explosion at a Texas fertilizer plant was caught live on video and posted to social media, as was an enormous explosion that rocked the Chinese port of Tianjin. But when social media posts about a catastrophe go viral, the company involved can be in for a struggle. To avoid getting left behind, companies need to prepare for how they will communicate using social media when a catastrophe strikes. A company that plans ahead and is able to mount a robust response may not only salvage its reputation, but may actually enhance its public image if it is seen as managing a difficult situation well. Because many companies lack this kind of communications expertise, they may want to work with consultants that can help them prepare for a disaster and respond appropriately. In addition, they should consider insurance that provides coverage for experienced public relations catastrophe management services to protect their corporate reputation. Social Media Plays a Crucial Role in a Crisis When it comes to disasters, mobile apps and social media are seen by the public as crucial ways to get information, according to a Red Cross survey. During Superstorm Sandy in 2012, social media played a significant role in providing official information and combating rumors. When Cyclone Tasha struck Australia in 2010, the Queensland Police Service made extensive use of Twitter to provide information to people spread over a vast area. 
Social media, however, is widespread and public information, which means that if there is an explosion, fire, or other disaster, chances are someone may be streaming it live to the Internet, tweeting about it, posting it to Facebook or uploading pictures to Instagram even before the affected company is aware of it. In essence, that means public opinion about the incident, as well as the company involved, is already being shaped, possibly without any direction from corporate communications. Because information travels so quickly through social media, the public no longer has to wait for the evening news to receive the most up-to-date information. Therefore, companies are not afforded the luxury of time to gather all available facts before addressing the public. Traditional media and news organizations are also feeling an increased amount of pressure. Since social media has enabled news to travel quicker, stories may not receive the same level of scrutiny as they once did. That leaves plenty of opportunity for the spread of misinformation, which can be very difficult to counteract. On the Internet, inaccurate information may persist long after it has been thoroughly discredited elsewhere. Embrace Social Media in Crisis Communications To handle the social media aspect of a crisis, companies need to be able to act immediately or risk allowing reporters and “citizen journalists” to tell the story they want to tell, which may not provide a complete and accurate picture. Being unprepared can lead to inconsistent messaging, or even misstatements that may create confusion and ultimately damage a corporation’s reputation. A company that is seen as clumsy in its media response to a crisis risks losing credibility. See Also: Should Social Media Have a Place? When a disaster is handled well – by providing the public with timely and accurate information as well as proper reassurances about its products and services – an organization can actually bolster its reputation. 
While social media accelerates the media cycle, it can also enable a company to take control of its image by acting as a primary and reliable source of information when a catastrophe occurs. This requires planning and preparation. An initial step is to review the corporate crisis communication plan to understand its limits in social media. A traditional crisis plan provides for one-way, controlled communication through prepared statements, press conferences, marketing tools, and commercials. Such an approach is likely to be viewed as unresponsive by the public seeking immediate information. Incorporating social media into the traditional plan provides for two-way communication that allows for debate, insight, and opposing viewpoints that can guide the company’s responses. The social media plan, however, should remain consistent with the company’s traditional media efforts. The company should provide consistent messaging in both traditional and social media about its culture and philosophy, the actions it is taking and the expected results, and its concern for those who have been affected.
Develop a Detailed Social Media Plan

The plan should delineate the policies and procedures to be followed in the event of a catastrophe and, most importantly, assign roles and responsibilities to specific staff. This ensures that someone who understands the company’s message will maintain control, which can help lessen potential mistakes. Both external and internal policies should be covered so that the information communicated to and among employees and the public is timely, accurate and consistent. The written policy should detail the information to be provided, for instance pre-vetted information about the company and its corporate philosophy. It should establish guidelines pertaining to the types of social media posts that necessitate a response. Not every post merits a reply. Anyone who uses a computer or smartphone can post information to the Internet. Identifying legitimate posts and inquiries and providing necessary information can help preserve a company’s reputation.

Because the social media landscape is dynamic, companies shouldn’t limit themselves to just one outlet, but rather use those that are most appropriate for the business, the audience and the geographic region. If an incident occurs abroad, companies should use the social media outlet most appropriate for that region. With their massive user bases, Facebook, Twitter and YouTube are obvious choices for domestic and international audiences. Others, such as Instagram, Snapchat and Tumblr, should be considered. Companies active in Europe and Russia should consider the social networking site VK.

Prepare the Response

While it may not be possible to prepare material for every potential catastrophe, companies can still organize information ahead of time that can be released as soon as something happens.
Information can be prepared for a “dark page” on the corporate website that can be published in the event of an emergency; however, companies should be careful not to publish a “dark page” until a crisis actually occurs. The page can include background information about the company and its specific businesses as well as the corporate philosophy during times of crisis. Other information might be media contacts and toll-free phone numbers for claims intake. Preparing the information ahead of time makes it possible to have it reviewed by the company’s legal department, public relations staff and senior management. Once the page is live, it should be monitored and updated so that it always provides the most current information.

Whether information is prepared ahead of time or developed in response to a particular incident, it should be presented in a way that is accessible to the audience. Written material should be understandable by a wide range of people. Companies should avoid industry jargon and acronyms, which may be unclear or even misunderstood by the general public.

Monitor and Test

When not in crisis mode, it is helpful for companies to monitor social media. Viewing the social media environment in the normal course of business can help companies ascertain how their brand, products and services are viewed by the public. Companies can purchase monitoring services or build these capabilities in-house. While monitoring social media is an important part of regular business, it becomes essential after a catastrophe to identify issues that need immediate attention. This helps to ensure that the traditional and social media messages the company is sending are having the desired impact. If the same questions continue to be asked on social media, it’s a clear sign that the message is not getting across.
As part of their overall catastrophe preparation, companies should test their communication response plan to assess their procedures as well as their staff. Testing can help ensure that everyone understands their roles and responsibilities and is able to react quickly. Drills assist in identifying blockages and help address uncertainties in the process. After the test, or following an actual event, the company should conduct a thorough reevaluation and debriefing to identify the areas that worked well and those that need improvement.

Preserve the Corporate Reputation

Today, a story about a disaster can be trending on social media even before the company involved is aware of the loss. Organizations that wait too long to respond can cause lasting damage to their reputation. A company that is perceived as avoiding or failing to address a story may soon realize that its lack of response becomes the subject of that story. Undoing the damage caused by a tardy or ill-conceived response can be very difficult. Many people accept that companies make mistakes, but how a company reacts and the decisions it makes when faced with a disaster can either preserve or erode confidence among customers and the wider public. Knowing how and when to respond helps project an image of competence and concern. Social media is the fastest way to reach people, project the company’s message and protect its reputation.

To become better prepared, companies have to identify their most likely risks and develop plans to mitigate those exposures, whether they are health, safety or environmental. Companies need to know how best to respond on social media if a disaster were to affect their business. To do so, companies may want to work with consultants that can provide risk analysis and mitigation services and help to prepare a crisis response.
In addition, to help plan how they will respond to a crisis on social and traditional media, companies should consider insurance that can defray the costs of hiring expert help when a disaster strikes. No one knows when a catastrophe may occur, but being prepared can help lessen the damage. Customers will look to these companies for information; companies that can provide that information are more likely to weather a crisis with their reputation unscathed.

Lori Brassell-Cicchini

Lori Brassell-Cicchini is vice president for ESIS Catastrophe Services. Based in El Dorado Hills, CA, Brassell-Cicchini is responsible for the development of customized programs for clients that have sustained third party catastrophic losses.

Best Practices in Cyber Security

How can technology solutions be used to disarm hackers and prevent cyber losses, avoiding possibly significant claims?

Cyber crime is the fastest-growing segment of the global criminal economy, and it now includes state-sponsored hacking from the likes of North Korea, China and Russia. According to a 2015 FBI report, cyber crime has overtaken illegal drug activity as the most lucrative form of crime. As a result, the cyber liability insurance market is surging: premiums are expected to top $5 billion by 2018, and more than 60 companies currently offer cyber liability coverage on a standalone basis.

Much of the underwriting for cyber risk draws on company-specific details and breach data available in the public domain through sites such as the Privacy Rights Clearinghouse. According to Privacy Rights, nearly one billion records have been stolen from organizations of all sizes, all of them running anti-virus software and firewalls. Unfortunately, anti-virus software misses as much as 30% of malware, and a firewall is a perimeter traffic cop with no visibility into what happens inside the network.

How does a savvy cyber insurance or reinsurance underwriter determine whether a given risk has actually taken breach-prevention measures? How can today’s technology solutions be used to disarm the hackers and prevent cyber losses, reducing the potential for a significant claim?

Today, like never before, we face a constant barrage of spear phishing attacks; new forms of very creative and nasty malware such as remote access Trojans (RATs), ransomware and zero-day malware (malware for which your anti-virus does not yet have a signature); and the risks of malicious insiders and infected laptops coming and going behind our firewalls. In addition, many small and medium-sized businesses (SMBs) face increased scrutiny from government regulators. Cyber crime is growing at a tremendous rate; it has become an organized, big-business opportunity for criminals, projected to grow to $600 billion this year, larger than any other form of crime, according to the World Bank.
Cyber liability underwriters will want to understand what a network-security-focused, cyber-risk-managed underwriting prospect looks like relative to the broader market. Not all cyber liability enterprise policyholders are equal when you measure the breach prevention methods and techniques they have deployed with an eye toward mitigating significant future losses.

You might ask: why would my smaller business be a target? We’re not Bank of America; we’re not Home Depot, TJ Maxx or Anthem. Yes, they are all big targets for big hackers, but cyber criminals don’t discriminate. In fact, they find SMBs easier targets because, traditionally, your level of defense against cyber crime is not as advanced as that at Bank of America, which has a $400 million annual information security budget. To the cyber criminals in the dark corners of the Internet, you are a “soft” target: they feel you are easier to exploit.

One piece of ransomware and you might be out of business. Some of the latest ransomware will not only encrypt your laptop or desktop but will also look for file servers and mapped network shares and encrypt those too, automatically. Then you won’t have any access to your own files, or, even worse, customer records, until you pay the ransom. An FBI agent was even quoted in 2015 telling a conference audience that the Bureau often advises victims to simply pay; the FBI’s published guidance, however, is not to pay. We find the pay-up advice all wrong. It’s completely backward. We cannot let ourselves be victims. It’s time to get more active and be one step ahead of the next attack: you are a target, but you don’t have to be a victim. It all starts with best practices. For example, if you take frequent daily backups and test those backups, then when you are hit by ransomware, instead of paying the extortion fee, why not wipe the infected computer, re-image it and restore the latest clean backup?
When asked, most SMBs say, “I don’t do frequent, daily backups” or “I haven’t figured out how to wipe and re-image all of our systems in the event they get infected.” So it’s that simple: one best practice, backup and restore, would save you thousands of dollars in extortion fees. You could thumb your nose at the cyber criminals instead of giving them some of your hard-earned revenue.

Cyber liability policy terms and conditions should reflect more favorably on “breach prevention”-focused organizations. Best practices are things you do: steps you take, actions and plans, risk management and claims mitigation techniques. Within those plans, we are certain you will include which security countermeasures to budget for this year.

Seven Best Practices to Reduce Risk

Although we thought about going into detail on recent security concepts such as next-generation endpoint security or network access control, it seems more appropriate to focus on the best practices rather than on the security tools you might consider deploying. For example, we consider encryption a best practice and not a product or tool. We are sure you’ll find many commercial and freely available tools out there, and you can evaluate the tools you find best suited to your own best-practice model. So let’s consider the following as MUST-DO best practices in cyber security to defend your SMB against the risk of a breach:

1) Roll out corporate security policies and make sure all your employees understand them.

2) Train and retrain employees in key areas: acceptable use, password policies, and defenses against social engineering and phishing attacks.

3) Encrypt all records and confidential data so that they are more secure from prying eyes. Note that encryption at rest protects a lost laptop or a stolen drive; it does nothing against ransomware or against an attacker holding a legitimate user’s credentials, because the data is transparently decrypted for them.

4) Perform frequent backups (continuous backups are even better than daily backups) and have a re-image process on hand at all times. Keep at least one backup copy offline or otherwise unreachable from user workstations; ransomware that hunts for file servers will also find a permanently mounted backup share.
5) Test your system re-imaging and latest backups by actually restoring a system to make sure the backup-restore process works.

6) Screen employees more carefully to reduce the risk of a malicious insider.

7) Defend your network behind your firewall using network access control (NAC). Make sure you can block rogue access (for example, the cleaning company plugging in a laptop at midnight) and manage the bring-your-own-device (BYOD) dilemma.

More Than 95% of Breaches Happen Behind Firewalls – It’s Usually an Employee Mistake

How many times have you heard of a trusted insider falling for a phishing scam or taking a phone call from someone sounding important who needed “inside” information? It’s happening too frequently to be ignored. Some employees love browsing Web sites they should not, gambling online or chatting using instant messenger tools. You need to educate them about acceptable use of corporate resources. They also usually don’t know much about password policies or why they shouldn’t open the attachment that says “you’ve won a million – click here and retire now.” It’s time to start training them.

Invite employees to a quarterly “lunch and learn” training session. Give them bite-sized nuggets of best-practice information. For example, teach them the dos and don’ts of instant messaging. If you are logging e-mail for legal purposes, which in some cases is required by law (for example, SEC Rule 17a-4 record-keeping requirements for broker-dealers), let them know that you are doing it and why. Give them some real-world examples of what they should do in case of an emergency. Teach them why you’ve implemented a password policy and why their password should not be on a sticky note under their keyboard. (If that policy forces periodic password changes, be aware that NIST’s current guidance in SP 800-63B favors screening passwords against known-breached lists over mandatory rotation.) Let these sessions get interactive with lots of Q&A. Give an award once per year to the employee who has shown the most initiative in following your security policies.
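Items 4 and 5 above say to back up frequently and to prove the restore works; the following is an added example (not code from the article or from its author) of the smallest thing that actually makes that check meaningful. Each backup records a SHA-256 per file in a manifest; a restore test re-hashes the restored tree against the manifest and reports anything missing or altered. Comparing two consecutive manifests also gives a crude ransomware tripwire, because a file share that was just encrypted shows nearly every file changed at once. The directory layout and file contents are constructed sample data.

```python
"""Backup manifest and restore verification (added example, not from the article)."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def backup(src, dest):
    """Copy the src tree to dest and write a manifest beside (not inside) it."""
    if os.path.exists(dest):
        shutil.rmtree(dest)
    shutil.copytree(src, dest)
    manifest = build_manifest(dest)
    with open(dest + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_restore(restored_root, manifest_path):
    """Return (ok, problems); problems lists missing, altered or unexpected files."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = build_manifest(restored_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(("missing", rel))
        elif actual[rel] != digest:
            problems.append(("altered", rel))
    for rel in actual:
        if rel not in expected:
            problems.append(("unexpected", rel))
    return (not problems, problems)


def changed_fraction(old_manifest, new_manifest):
    """Share of previously backed-up files whose content changed between two runs.
    A value near 1.0 between consecutive backups is what a ransomware hit looks like."""
    if not old_manifest:
        return 0.0
    changed = sum(1 for rel, d in old_manifest.items() if new_manifest.get(rel) != d)
    return changed / len(old_manifest)


def demo():
    """Constructed scenario: clean backup, simulated encryption, restore test."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "fileserver")          # hypothetical file share
    os.makedirs(os.path.join(src, "claims"))
    with open(os.path.join(src, "claims", "policy-1.txt"), "w") as f:
        f.write("policyholder record\n")             # constructed sample content
    with open(os.path.join(src, "README.txt"), "w") as f:
        f.write("ok\n")
    first = backup(src, os.path.join(work, "backup-1"))

    # Simulate ransomware: every file on the share is overwritten with ciphertext.
    for rel in first:
        with open(os.path.join(src, rel), "wb") as f:
            f.write(b"ENCRYPTED" + bytes(23))
    second = backup(src, os.path.join(work, "backup-2"))
    fraction = changed_fraction(first, second)

    # Restore from the clean backup and test it against the clean manifest ...
    restore = os.path.join(work, "restored")
    shutil.copytree(os.path.join(work, "backup-1"), restore)
    clean_ok, _ = verify_restore(restore, os.path.join(work, "backup-1.manifest.json"))
    # ... and show that the poisoned backup fails the same test.
    bad_ok, bad_problems = verify_restore(os.path.join(work, "backup-2"),
                                          os.path.join(work, "backup-1.manifest.json"))
    shutil.rmtree(work)
    return {"clean_restore_ok": clean_ok, "changed_fraction": fraction,
            "poisoned_restore_ok": bad_ok, "poisoned_problems": len(bad_problems)}


if __name__ == "__main__":
    print(demo())
```

Two practical notes: store the manifest somewhere the workstations cannot write to (the same place you keep the offline copy), since ransomware that can rewrite the backup can rewrite a manifest sitting next to it; and treat a high `changed_fraction` between two runs as a reason to stop rotating out older backups until someone has looked.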
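Item 7 above (block rogue access such as the cleaning company’s midnight laptop) is normally enforced with 802.1X on the switches, which is vendor-specific configuration. The cheap detective control that works everywhere is to watch the DHCP server: any lease handed to a MAC address that is not in your inventory is a finding, and one issued outside business hours is a high-severity finding. Below is an added example of that check, not code from the article or its author; the log lines follow dnsmasq’s DHCPACK format, and the lines, the inventory, the year (syslog omits it) and the 07:00 to 19:00 business-hours window are all constructed assumptions.

```python
"""Rogue-device tripwire over DHCP server log lines (added example, not from the article)."""
import re
from datetime import datetime

# Constructed inventory of MAC -> asset name. In practice this comes from the
# asset register or the switch's table of authenticated devices.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "reception-pc",
    "aa:bb:cc:00:00:02": "claims-laptop-3",
    "aa:bb:cc:00:00:03": "printer-2f",
}

BUSINESS_HOURS = (7, 19)   # assumption: 07:00-19:00 local time, Monday to Friday

# dnsmasq-style lease line:
#   "Apr 25 09:05:12 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.5.10 aa:bb:cc:00:00:01 reception-pc"
LEASE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\(\S+\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: (?P<host>\S+))?$"
)


def parse_lease(line, year=2016):
    """Return a dict for a DHCPACK line, or None for anything else (REQUEST, DISCOVER, noise)."""
    m = LEASE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is an assumption
    return {"ts": ts, "ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"] or ""}


def after_hours(ts, hours=BUSINESS_HOURS):
    """True on weekends or outside the [start, end) hour window."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def find_rogue_leases(lines, known=KNOWN_DEVICES):
    """Leases granted to MACs absent from the inventory; after-hours ones are 'high'."""
    findings = []
    for line in lines:
        lease = parse_lease(line)
        if lease is None or lease["mac"] in known:
            continue
        lease["severity"] = "high" if after_hours(lease["ts"]) else "medium"
        findings.append(lease)
    return findings


# Constructed sample log. 25 Apr 2016 is a Monday; 30 Apr 2016 is a Saturday.
SAMPLE_LOG = [
    "Apr 25 09:05:12 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.5.10 aa:bb:cc:00:00:01 reception-pc",
    "Apr 25 13:40:00 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.5.23 aa:bb:cc:00:00:02 claims-laptop-3",
    "Apr 25 14:02:09 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.5.60 de:ad:be:ef:00:10 visitor-phone",
    "Apr 26 00:12:41 gw dnsmasq-dhcp[812]: DHCPREQUEST(eth1) 10.0.5.77 f0:9f:c2:11:22:33",
    "Apr 26 00:12:41 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.5.77 f0:9f:c2:11:22:33 cleaner-lt",
    "Apr 30 10:15:00 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.0.5.81 AA:BB:CC:00:00:03",
]

if __name__ == "__main__":
    for f in find_rogue_leases(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']:%a %H:%M} {f['ip']:12} {f['mac']} {f['host']}")
```

The visitor phone during the day is a medium finding worth a guest VLAN; the unknown laptop at 00:12 is the case item 7 is about. The printer’s lease on Saturday is ignored because its MAC is in the inventory, which is also the weakness of this check: a MAC address is trivially spoofed, so this is a detective control to run until real NAC is in place, not a substitute for it.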
If you can keep them interested, they will take some of the knowledge you are imparting into their daily routines. That’s the real goal.

Are My Best Practices Working? Time for Self-Assessment Before an Audit

Perform your own security self-assessment against the best-practice recommendations listed above. Find the holes in your information security environment so that you can document them and begin a workflow and plan to harden your network. Network security is a process, not a product, so to do it right you need to self-assess frequently against the best guidelines you can find.

Boards of directors, CEOs, CFOs and CIOs are under extreme compliance pressure today. Not only are they charged with increasing employee productivity and protecting their networks against data theft, but they are also being asked to document every aspect of IT compliance. We recommend that, whether or not an outside firm is performing IT compliance audits, you begin performing measurable compliance self-assessments. You’ll need to review the regulations that affect your organization. In the U.S., these range from GLBA for banks to HIPAA for healthcare and insurance providers, PCI DSS for retail and e-tail, 21 CFR Part 11 for pharma and SOX Section 404 for public companies. Some states have their own regulations. In California, for example, the California Security Breach Information Act (SB 1386, now Civil Code § 1798.82) requires a company to notify affected residents when personal information maintained in computerized data files has been acquired by an unauthorized person; where the cost or the number of people affected is large, the law permits substitute notice, which includes conspicuous posting on the company’s Web site and notification of major statewide media.
California consumers must be notified when their name is obtained together with other personal information such as their Social Security number, driver’s license number, account number, credit or debit card number, or a security code or password for accessing their financial account. If you are a federal government agency, you need to comply with Executive Order 13231, which calls for protection of the information systems supporting critical infrastructure, including emergency preparedness communications and the physical assets that support such systems. Also, if you are a non-profit organization, you are not exempt from the reporting requirements of the regulations in your industry (banking, healthcare, etc.). Please seek legal counsel if you are not sure which regulations you need to address. The easiest thing you can do to prove you are in compliance is to document your steps for protecting data.

Document Your Best Practices

Documentation showing that you’ve implemented best practices for risk reduction and against cyber crime will come in handy if you ever have a breach and need to enforce your cyber insurance policy or keep government regulators off your back. This kind of documentation is also good in the event someone sues your organization. You should be able to prove that you have in place all the best policies and practices as well as the right tools and INFOSEC countermeasures for maintaining the confidentiality, integrity and availability of corporate data. By frequently assessing your compliance posture, you’ll be ready to prove you “didn’t leave the keys to the corporate assets in the open.” If your network is ever hijacked and data is stolen, you’ll have done your very best to protect against that event, and it will be less of a catastrophe for your organization.

Do you have a cold, warm or hot backup site in case of a critical emergency? If not, you should start planning one.
If you can’t afford one, could you create a “virtual” office telecommuting arrangement in which your organization could continue to operate until you’ve resolved the emergency? Knowing that we are under constant attack and risk, now is the best time to begin implementing these seven best practices for network security. Hackers, malicious insiders and cyber criminals have had a field day this year, and it’s only going to get worse: hijacking our SMB networks and placing most organizations at risk of being out of compliance, tarnishing our brands, reducing our productivity and employee morale, and putting most of us in the passenger seat on a runaway Internet. By taking a more active approach, setting measurable goals and documenting your progress along the way, you might find yourself in the driver’s seat of cyber security.

Brian Harrigan

Brian Harrigan, CEO of InsurIQ, a provider of insurance technology solutions, has spent over 40 years in the insurance industry, helping agents and carriers manage the purchasing of insurance and personal protection products.

Court Reverses Award of Psychiatric Injury

The court closed what could have turned into a significant expansion of the concept of “sudden and extraordinary employment condition.”

The First Appellate District Court of Appeal has closed what could have turned into a significant expansion of the concept of “sudden and extraordinary employment condition” contained in Labor Code § 3208.3(d) with a reversal of a W.C.A.B. decision awarding benefits for a psychiatric injury in Travelers Casualty and Surety Co v W.C.A.B. (Dreher).

The applicant was employed as a live-in maintenance supervisor for an apartment complex and had been employed for only 74 days at the time of his injury on Oct. 19, 2009. He was walking in the rain from one building to another in the complex when he slipped and fell on a slippery concrete sidewalk, sustaining multiple significant injuries, including a fractured pelvis and injuries to his neck, right shoulder, right leg and knee. He also suffered gait derangement, a sleep disorder and headaches. As a result of those injuries, he developed psychiatric complaints as a consequence of his multiple surgeries and continuing issues. A medical report supported a relationship between his injury and a psychiatric disorder. However, at trial, the WCJ denied his claim for his psychiatric condition on the basis that his employment failed to meet the minimum six-month employment requirement under Labor Code § 3208.3(d) and further determined that the exception for a “sudden and extraordinary employment condition” had not been met. On reconsideration, a split panel reversed the WCJ’s holding and determined that the applicant’s fall on slippery concrete met the sudden and extraordinary requirement of the statute. The Court of Appeal granted Travelers’ petition for writ of review.

After dealing with some procedural issues, the court got to the heart of the matter. Reviewing the multiple cases outlining the criteria for applying the sudden and extraordinary employment condition, the court refused to find that a slip and fall on a sidewalk met those criteria.
Citing the landmark decision in Wal-Mart v W.C.A.B., the court noted that the mere fact the injury was accidental did not meet the statutory exception: “If the argument were made that an accidental injury constitutes a ‘sudden and extraordinary employment condition,’ we would reject it. For one thing, such an interpretation would mean that psychological injuries resulting from accidents would not be subject to the six-month rule, but such injuries arising from cumulative physical injury would be governed by that limitation; this distinction would make no sense, and we are reluctant to attribute irrational intentions to the Legislature.”

The court also rejected the argument advanced by the applicant that the unexpectedly catastrophic nature of the injury served as a basis for an extraordinary employment condition. “Here, the statute provides that the six-month limitation does not apply if the psychiatric condition is caused by a ‘sudden and extraordinary employment condition.’ (§ 3208.3, subd. (d).) The statute does not include the nature of the injuries resulting from an incident as a basis for the exception. Had the Legislature intended to include the nature of the injury as a factor in the definition of a sudden and extraordinary employment condition, it knew how to do so…. Accordingly, although Dreher’s injury was more serious than might be expected, it did not constitute, nor was it caused by, a sudden and extraordinary employment event within the meaning of section 3208.3, subdivision (d).
The evidence showed that Dreher routinely walked between buildings on concrete walkways at the work site and that he slipped and fell while walking on rain-slicked pavement.” The court further noted that the burden was on the employee to prove the sudden and extraordinary employment condition, and the applicant’s testimony that he was “surprised” by the slick surface did not demonstrate that his injury was caused by an uncommon, unusual or totally unexpected event. The matter was remanded to the W.C.A.B. with instructions to deny the claim for psychiatric injury.

Comments and Conclusions:

This is a relatively short appellate decision but with a firm result. The court was clearly of a mind that the W.C.A.B.’s interpretation of what constituted a sudden and extraordinary employment condition did not meet the common sense test for legislative interpretation. Commissioner Caplane, in her dissent in the W.C.A.B. decision, had noted that the majority’s view of what constituted a sudden and extraordinary event could be applied to virtually every claim, because injuries are almost always unexpected when they occur. While the court did not make a specific comment, the idea that an employee slipping on a wet sidewalk was in any way, shape or form “extraordinary” simply did not pass the smell test. The court’s holding that the nature of the injuries sustained does not figure into the equation is also of considerable help in defining application of the rule under Labor Code § 3208.3(d).

While the court’s interpretation of Labor Code § 3208.3(d) is helpful for that section, I do not think this decision is going to have any impact on our understanding of the language in Labor Code § 4660.1(c)(2)(B), with its exception for “catastrophic injuries.” That section clearly intends there to be consideration of the nature of an injury in determining whether additional psychiatric sequelae are to be included in the calculation of PD.

Richard Jacobsmeyer

Richard (Jake) M. Jacobsmeyer is a partner in the law firm of Shaw, Jacobsmeyer, Crain and Claffey, a statewide workers' compensation defense firm with seven offices in California. A certified specialist in workers' compensation since 1981, he has more than 18 years' experience representing injured workers, employers and insurance carriers before California's Workers' Compensation Appeals Board.

So Your Start-Up Will Sell Insurance?

There are four distribution models to consider: lead generation, agency/brokerage, managing general agency and carrier.

Selling insurance is complicated. Not impenetrable, but complicated. The sales process is sort of like a tangled piece of string: it’s easy to see the beginning and end but hard to figure out what’s happening in the middle. When you start untangling, you’ll find prospect lists, telemarketing, direct mail, traditional marketing and web-based lead generators uncovering and enticing potential customers. You’ll also find captive agents, independent agents or brokers, wholesalers, direct telephone sales, the Internet, affiliates, carriers and carrier-like entities selling various products. Some of these strategies work in coordination or create feedback loops: a customer sees a TV ad, which prompts him to submit a form online, which adds him to a direct mail list, which points him to an online aggregator, which puts him in touch with an independent agent selling insurance on behalf of a managing general agency… as you can see, the number of distribution permutations is considerable.

However, at American Family Ventures, we appreciate simplicity. We classify insurance distribution start-ups using four groupings: lead generation, agency/brokerage, managing general agency (MGA) and carrier.

As pictured above, the primary distinctions between participants in each group arise from the amount of insurance risk they bear and their control over certain aspects of the insurance transaction (for example, the authority to bind and underwrite insurance policies). However, many other tradeoffs await insurance start-ups navigating among these four groups. If you consider the evolution of digital customer acquisition, including new channels like mobile-first agencies and incidental channels, choosing a niche becomes even more complicated. In this post, I’ll discuss some of the key attributes of each group, touching on topics relevant for start-ups new to the insurance ecosystem. Please note, in the interest of time and readability, this post is an overview.
In addition, any thoughts on regulatory issues are focused on the U.S. and are not legal advice.

LEAD GENERATION

Lead generation refers to the marketing process of building and capturing interest in a product to create a sales pipeline. In the insurance context, because of the high-touch sales process, this historically meant passing interested customers to agents or call-center employees. Today, lead-generation operators sell to a variety of third parties, including online agencies and digital sales platforms. Let’s consider a few key attributes of lead-generation providers:

Revenue model — There are a variety of lead-selling methods, but the most common is “pay per lead,” where the downstream lead buyer (carrier or channel partner) pays a fixed price for each lead received. When pricing leads, quality plays a big role. Things like customer profile, lead content/data, exclusivity, delivery and volume all affect lead quality, which frequently drives the buyer’s price-sensitivity. As a lead-generation provider, you’ll generally make less per customer than others in the distribution chain, but you’ll also assume less responsibility and risk.

Product breadth — With the Internet and enough money, you can generate leads for just about anything. Ask people who buy keywords for class action lawsuits. However, start-ups should consider which insurance products generate leads at acceptable volumes and margins before committing to the lead-generation model. Some products are highly competitive, like auto insurance, and others might be too obscure for the lead model to scale, like alien abduction insurance (which, unbelievably, is a real thing). Start-ups should also consider whether they possess information about customers or have built a trusted relationship with them: the former is often better-suited to lead generation, and the latter can facilitate an easier transition to agency/brokerage.
Required capabilities (partnerships) — Lead-generation providers need companies to buy their data/leads. Their customers are usually the other distribution groups in this post. Sometimes, they sell information to larger data aggregators, like Acxiom, that consolidate lead data for larger buyers. Generators need to show lead quality, volume and uniqueness to secure relationships with lead purchasers, but beyond that they don’t typically require any special partnerships or capabilities.

Regulation — While I won’t go into detail here, lead-generation operators are subject to a variety of consumer protection laws.

AGENCIES AND BROKERAGES

Entities in the agency/brokerage group (also called “producers”) come in a variety of forms, including independent agents, brokers, captive agents and wholesale brokers. Of note, most of these forms exist both online and offline. Independent agents represent a number of insurance carriers and can sell a variety of products. Brokerages are very similar to independent agents in their ability to sell a variety of products, but with a legal distinction: they represent the buyer’s interests, whereas agents represent the carriers they work for. Captive agents, as the name suggests, sell products for only one insurer. While this might seem limiting, captive agents can have increased knowledge of products and the minutiae of policies. Finally, some brokers provide services to other agents/brokers that sell directly to customers. These “wholesale brokers” place business brought to them by “retail agents” with carriers, often specializing in unique or difficult placements.

An important difference between the lead-generation group and the agency/brokerage group is the ability to sell and bind policies. Unlike the former, the latter sells insurance directly to the consumer and in some cases issues binders, temporary coverage that provides protection while the actual policy is finalized and issued.
Some attributes of agencies and brokerages: Revenue model — Agencies and brokerages generally make money through commissions paid for both new business and on a recurring basis for renewals. The amount you earn in commissions depends on the volume and variety of insurance products you sell. Commission rates vary by product, typically based on the difficulty of making a sale and the value (profitability) of the risk to the insurance carrier. Start-ups should expect to start on the lower end of many commission scales before they can provide evidence of volume and risk quality. Agents and brokers can also be fee-only (paid for service directly and receive no commission), but that’s rare. Product breadth — Agencies and brokerages sell a variety of products. As a rule, the more complex the product, the more likely the intermediary will include a person (rather than only software). Start-ups should also consider tradeoffs between volume and specialization. For example, personal auto insurance is a large product line, but carriers looking to appoint agents (more detail below) in this category usually have numerous options, including brick and mortar and online/mobile entities. Contrast this with a smaller line like cyber insurance, where carriers may find fewer, specialist distributors who understand unique customer needs and coverages. Required capabilities (partnerships) — Agencies and brokerages are appointed by carriers. This process is often challenging, particularly for start-ups, which are non-traditional applicants. Expect the appointment process to take a while if the carrier isn’t familiar with your acquisition strategy or business model. Start-ups trying to accelerate the appointment process can start in smaller product markets (e.g. non-standard auto) or seek appointment as a sub-producer. Sub-producers leverage the existing appointments of a independent agency or wholesaler in exchange for sharing commissions. 
You could also apply for membership in an agency network or cluster — a group of agents/brokers forming a joint venture or association to create collective volume and buying power. Regulation — Agencies and carriers need a license to sell insurance. Each state has its own licensing requirements, but most involve some coursework, an exam and an application. As we’ve recently seen with Zenefits, most states have a minimum number of study hours required. There are typically separate licenses for property, casualty, life and health insurance. Once you have a license, many states have a streamlined non-resident licensing process, allowing agencies to scale more quickly. MANAGING GENERAL AGENCIES (MGAs) A managing general agent (MGA) is a special type of insurance agent/broker. Unlike traditional agents/brokers, MGAs have underwriting authority. This means that MGAs are (to an extent) allowed to select which parties/risks they will insure. They also can perform other functions ordinarily handled by carriers, like appointing producers/sub-producers and settling claims. Start-ups often consider setting up an MGA when they possess data or analytical expertise that gives them an underwriting advantage vs. traditional carriers. The MGA structure allows the start-up more control over the underwriting process, participation in the upside of selecting good risks and influence over the entire insurance experience, e.g. service and claims. We’ve recently witnessed MGAs used for two diverging use cases. The first type of MGA exists for a traditional use case — specialty coverages. They are used by carriers that want to insure a specific risk or entity but don’t own the requisite underwriting expertise. For example, if an insurer saw an opportunity in coverage for assisted living facilities but hadn’t written those policies before, it could partner with an MGA that specializes in that category and deeply understands its exposures and risks. 
These specialist MGAs often partner closely with the carrier to establish underwriting guidelines and roles in the customer experience. Risk and responsibilities for claims, service, etc. are shared between the two parties. The second type of MGA is a “quasi-carrier,” set up through a fronting program. In this scenario, an insurance carrier (the fronting partner) offers the MGA access to its regulatory licenses and capital reserves to meet the statutory requirements for selling insurance. In exchange, the fronting partner will often take a fee (percentage of premium) and very little (or no) share of the insurance risk. The MGA often has full responsibility for product design and pricing and looks and feels like a carrier. It underwrites, quotes, binds and services policies up to a specific amount of written authority. These MGAs are often set up when a startup wants to control as much of the insurance experience as possible but doesn’t have the time or capital to establish itself as an admitted carrier. Some important characteristics: Revenue model: MGAs often get paid commissions, like standard agencies/brokerages, but also participate in the upside or downside of underwriting profit/loss. Participation can come in the form of direct risk sharing (obligation to pay claims) or profit sharing. This risk sharing functions as “skin in the game,” preventing an MGA from relaxing underwriting standards to increase commissions, which are a function of premiums, at the expense of profitability, which is a function of risk quality. Product breadth: MGAs of either type often provide specialized insurance products, at least at first. The specialization they offer is the reason why customers (and fronting partners) agree to work with them instead of a traditional provider. That said, you might also find an MGA that sells standard products but takes the MGA form because it has a unique channel or customers and wants to share in the resulting profits. 
Required capabilities/partnerships: Setting up an MGA generally requires more time and effort than setting up an agency/brokerage. This is because the carrier vests important authority in the MGA, and therefore must work with it to build trust, set guidelines, determine objectives and decide on limits to that authority. Start-ups looking to set up an MGA should be ready to provide evidence they can underwrite uniquely and successfully or have a proprietary channel filled with profitable risks. Fronting often requires a different process, and the setup time required varies based on risk participation or obligations of the program partner. Start-ups should also carefully consider the costs and benefits of being an agency vs. MGA — appointment process difficulty vs. profit sharing, long-term goals for risk assumption, etc. Regulation: MGAs, like carriers, are regulated by state law. They are often required to be licensed producers. Start-ups should engage experienced legal counsel before attempting to set up an MGA relationship. CARRIERS Insurance carriers build, sell and service insurance products. To do this, they often vertically integrate a number of business functions, including some we’ve discussed above — product development, underwriting, sales, marketing, claims, finance/investment, etc. Carriers come in a variety of forms. For example, they can be admitted or non-admitted. Admitted carriers are licensed in each state of operation; non-admitted carriers are not. Often, non-admitted carriers exist to insure complex risks that conventional insurance marketplaces avoid. Carriers can also be “captives” — essentially a form of self-insurance where the insurer is wholly owned by the insured. Explaining captives could fill a separate post, but if you’re interested in the model you can start your research here. Attributes to consider: Revenue Model: Insurance carrier economics can be complicated, but the basic concepts are straightforward. 
Insurers collect premium payments from insureds, which they generally expect to cover the costs of any claims (referred to as “losses”). In doing so, they profit in two ways. The first is pricing coverage so the total premiums received are greater than the amount of claims paid, though there are regulations and market pressures that dictate profitability. The second is investing premiums. Because insurance carriers collect premiums before they pay claims, they often have a large pool of capital available, called the “float,” which they invest for their own benefit. Warren Buffett’s annual letters to Berkshire shareholders are a great source of knowledge for anyone looking to understand insurance economics. Albert Wenger of USV also recently posted an interesting series that breaks down insurance fundamentals. Product breadth: Carriers have few limitations on which products they can offer. However, the products you sell affect regulatory requirements, required infrastructure and profitability. Required capabilities/partnerships: Carriers can market and sell their products using any or all of the intermediaries in this post. While carriers are often the primary risk-bearing entity — they absorb the profits and losses from underwriting — in many cases they partner with reinsurers to hedge against unexpected losses or underperformance. There are a variety of reinsurance structures, but two common ones are excess of loss (reinsurer takes over all payment obligations after the carrier pays a certain amount of losses) and quota share (reinsurer pays a fixed percentage of every loss). Regulation: I’ll touch on a few concepts, but carrier regulation is another complex topic I won’t cover comprehensively in this post. Carriers must secure the appropriate licenses to operate in each country/state (even non-admitted carriers, which still have some regulatory obligations). They also have to ensure any capital requirements issued by regulators are met. 
This means keeping enough money on the balance sheet (reserves/surplus) to ensure solvency and liquidity, i.e. maintaining an ability to pay claims. Carriers also generally have to prove their pricing is adequate, not excessive, and not unfairly discriminatory by filing rates (their pricing models) with state commissioners. Rate filings can be “file and use” (pre-approval not required to sell policies), or “prior approval” (rates must be approved before you can sell policies). CONCLUSION In this overview, I did not address a number of other interesting topics, including tradeoffs between group choices. For example, you should also consider things like exit/liquidity expectations, barriers to entry and creating unfair advantages before starting an insurance business. Perhaps I’ll address these in a future post. However, I hope this brief summary sparks questions and new considerations for start-ups entering the insurance distribution value chain. I’m looking forward to watching thoughtful founders create companies in each of the groups above. If you’re one of these founders, please feel free to reach out!

Kyle Nakatsuji

Kyle Nakatsuji is a principal at American Family Ventures, the venture capital arm of American Family Insurance, where he is focused on identifying and supporting early-stage companies affecting the future of the insurance industry. American Family Ventures invests across a variety of sectors, including IoT, Fintech, SaaS and data/analytics.

Healthcare Quality: How to Define It

How do we move beyond the marketing campaigns to understand healthcare suppliers’ performance?

In a previous article, we mentioned the Centers for Medicare and Medicaid Services’ (CMS’s) new provider reimbursement model, Medicare Access and CHIP Reauthorization (MACRA), which replaces the current reimbursement formula. MACRA will include an incentive component that will replace those in plans today; performance criteria will roll out in 2019. Through the providers’ lens, they face the need to hire more administrative resources to keep up with the tracking of their performance, and the big question is: Are consumers making different choices based on the performance results of a physician or hospital? When there are more than 150 different measures in place today, how is an occasional consumer of healthcare services able to assess the most important criteria in finding the right physician?

During a recent employers’ conference on the East Coast, the forum featured two panels, one of health plans and one of providers. The panels were set in a Q&A format to elicit the leaders’ views on various topics facing employers, and it was a fascinating dialogue we have attempted to capture below.

In the first panel, with the execs of five major carriers, the opening question asked for a one-minute overview of their health plan’s area of focus in addressing employers’ challenges. The responses were consistent among the leaders — the focus is on the individual consumer and value-based contracting. When the discussion evolved into quality criteria and outcomes to identify high-performing physicians, the leaders acknowledged that defining quality and outcomes is a challenging endeavor, and each health plan has its own formula to assess providers’ performance. One commented that a physician practicing in the morning could be viewed as a top performer by one carrier, while that afternoon she could be ranked as a poor performer by another, even though the physician was delivering the same process of care for all her patients. The leaders agreed that employers really needed to weigh in on what was important to them so that there was greater consistency in the scoring logic applied to the physician community.

The next panel was with the chief medical officers (CMOs) from the major systems and a primary care practice, and a number of relevant things were learned. There was unanimity in the frustration with the variation in the quality metrics being used by commercial carriers and CMS. One physician said he had never been asked for input on the quality metrics, and he was ready to engage in that discussion. The physician leaders asked the employers to outline what was important to them so there could be a common set of standards for the commercial market — a consistent request from the leaders of both healthcare stakeholders. Two of the CMOs were primary care physicians, and they both acknowledged that we have not given enough attention to the resource that has the greatest opportunity to lower employers’ costs — the family doctor. Primary care physicians can build trusting relationships with employees; they can help avoid unnecessary services being provided; and they can help educate and channel patients to the appropriate specialist, when they are equipped with quality and cost information.

The CMO from the largest health system acknowledged that there was 30% variation (aka waste) in the way care was being delivered within the community and that there was opportunity to improve the results. If we know there is variation in care even with performance-based contracts in place, what is the catalyst to get serious on consistency? Are there any other services that you purchase with a 30% variance? Would you continue spending money for that service knowing there is wasted spending?

After the event, there was a conversation with an employer, and we discussed the employers’ opportunity to help shape and define the quality metrics. This employer stated that he did not have experience or knowledge of how to establish criteria, and he was surprised to hear health plans were looking for his guidance, because he thought it was their role. When the discussion moved to the employer’s overall business, he acknowledged its internal business units established the quality criteria for assessing vendors’ performance.

So, how do we move beyond the billboards and the marketing campaigns to understand the healthcare suppliers’ performance? Who has the greatest opportunity to drive change in a free-market system? We believe the one paying the bill has the ability to drive a more consistent outcome for high-quality, cost-effective healthcare. Let’s recognize and reward the physicians who are delivering a Six Sigma approach to healthcare so the other suppliers will be motivated to change. It’s time for employer-driven healthcare.

Tom Emerick

Tom Emerick is president of Emerick Consulting and cofounder of EdisonHealth and Thera Advisors. Emerick’s years with Wal-Mart Stores, Burger King, British Petroleum and American Fidelity Assurance have provided him with an excellent blend of experience and contacts.

Cyber, Tech Security Start to Merge

Here are three tech security start-ups that are tackling vulnerabilities and trying to bring rationality to the cyber insurance market.

A convergence between the cyber insurance and tech security sectors is fast gaining momentum. If this trend accelerates, it could help commercial cyber liability policies create a fresh wellspring of insurance premiums, just as life insurance caught on in the 1800s and auto policies took off in the 1900s.

The drivers of change are substantive. As companies scramble to mitigate risks posed by steadily worsening cyber threats, insurers and underwriters are hustling to meet overheated demand for cyber liability coverage. The cyber insurance market expanded by roughly 60% from 2014-15, topping about $3 billion last year. ABI Research sees no slowing of that breakneck growth rate and estimates the global cyber insurance market will top $10 billion by 2020.

However, for that projection to be realized, the insurance sector must somehow attain the capacity to build reliable actuarial tables, which are fundamental to any type of insurance sales. Trouble is, gauging a company’s security posture has turned out to be a much more complex endeavor than anything the insurance industry has mastered before — such as assessing human life expectancy or calculating how much risk to assign a particular driver. There is endless network traffic data, to be sure. But, at present, there is no efficient means to bring it to bear. And to complicate things, companies fear bad publicity and often vigorously resist sharing the type of valuable attack intelligence needed to calculate risk profiles.

“It’s the wild, wild West,” says Mike Patterson, vice president of strategy at Rook Security. “Everyone is jumping in the market chasing premiums, and they are doing it without a full understanding of the risk involvement, from an underwriting perspective.”

Enter the burgeoning tech security sector. Security vendors supply some $75 billion of security hardware, software and services annually. And with cyber threats continuing to intensify, tech security is on track to continue growing at an estimated 5% to 12% annual rate over the next few years. As security vendors develop and deliver more sophisticated prevention and detection technologies, they are amassing larger, richer data sets about the resiliency of company networks. To some it already seems obvious: the accelerating convergence of insurance and security is inevitable.

“Underwriters are really trying to figure out how to quantify the risks of the policies they’re underwriting,” says Craig Hinkley, CEO of web application security vendor WhiteHat Security. “We’ve been researching our customers’ websites and web applications for 15 years, so we’re actually swimming in actuarial data right now.”

Models to watch

The questions of the moment: Who will be the early adopters, and which collaborations will emerge as enduring models? ThirdCertainty interviewed a handful of tech security vendors at the giant RSA cybersecurity conference in San Francisco in March that are testing the waters. Here is a rundown on three of them:

WhiteHat Security

WhiteHat recently struck a partnership with Franchise Perils, an insurer of online retail websites. Franchise Perils will contribute toward the purchase of WhiteHat’s flagship service, Sentinel, for any online retailer purchasing a cyber policy. This amounts to a steep discount, enticing clients to use WhiteHat’s cutting-edge technology.

Part of WhiteHat’s services includes helping corporate clients test their digital defenses with a small army of ethical hackers who “attack” the company and expose weaknesses. If a company quickly fixes its vulnerabilities, WhiteHat will give it a higher score in its WhiteHat Security Index, ranging from 0 to 800 — similar to a credit rating for consumers. “That translates into a safer, more secure website and web application, which reduces the probability of you being hacked,” Hinkley says. “And that’s exactly what underwriters need to know for cyber insurance policies.” For businesses that fix their vulnerabilities, WhiteHat guarantees the companies will not get hacked. If they do get hacked, WhiteHat will pay as much as $500,000 in remediation costs for the data breach.

FourV Systems

This start-up has just introduced an innovative threat intelligence monitoring and security posture scoring system aimed, for the moment, mainly at large enterprises in financial services, healthcare and government. FourV’s goal is to enable a large retailer or bank to monitor the status of its network security day-to-day, or even hour-to-hour, much as a business routinely tracks daily sales, says Casey Corcoran, vice president of strategy at FourV. “You could tell by noon whether the pattern that you’re seeing in your risk is shaping up properly for that day of the week,” says Corcoran, a former tech executive at Jos. A. Bank Clothiers. “If it’s not, you can fix it.”

FourV CEO Derek Gabbard foresees a day in the not-too-distant future when a senior executive will wake up in the morning, glance at her Apple Watch and use a FourV app to check the company’s security risk index. The idea is to create “risk discussions that are nontechnical, easy-to-understand and jargon-less for the leadership team,” Gabbard says, “so that they have confidence in the work that the chief information security officer and his teams are doing.” Once FourV gets some traction and amasses large enough data sets, it expects to be able to see — and eventually to be able to predict — risk patterns in vertical industries. Such analysis should be very useful in building actuarial tables, Gabbard told ThirdCertainty. The company already has begun brainstorming how it might go about selling that data directly to the insurance industry, perhaps even by developing a dashboard customized for underwriters.

Rook Security

This tech security vendor supplies managed security services and does forensics investigations of network breaches. Rook investigators respond like a cyber SWAT team to all types of cyber threats, whether a minor data breach that is easily fixed or a deadly cyber attack that requires teams of cyber investigators to jet around the globe. Communication surrounding cyber attacks can be messy and full of mistakes that worsen the damage, according to J.J. Thompson, Rook’s CEO. So Rook’s new War Room app has set up a digital command center for tech and security teams to monitor attacks and to respond swiftly.

Whether Rook arrives before or after a breach, it quickly gets an inside look at the state of network security. Mike Patterson, Rook’s vice president of strategy, told ThirdCertainty that the readiness of companies varies widely. Some companies boast strong security staffs, resources and planning, while others have only one or two full-time security people — or none at all. “Not everyone is as prepared as they should be,” Patterson says. “But that’s changing, with much more awareness now on the importance of security and taking care of your data.”

Rook is seeking to be the default option — brought in by the insurer — for post-breach incident response and forensics. It is also looking to provide a service where Rook would be retained by a company to come in and improve its security posture so the client qualifies for cyber coverage or gets better pricing. “It’s a really good opportunity to go shopping for cyber insurance because you’re going to get great rates, and everyone is going to be a little bit slack on the writing terms because they want that business,” Patterson says.

ThirdCertainty’s Edward Iwata contributed to this story.

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at LastWatchdog.com.

A Word With Shefi: Inoma at WeSavvy

"The current industry model has to shift from one that penalizes to one that rewards the customers for positive behaviors."

This is part of a series of interviews by Shefi Ben Hutta with insurance practitioners who bring an interesting perspective to their work and to the industry as a whole. Here, she speaks with Hesus Inoma at WeSavvy.

Describe WeSavvy in 50 words or fewer:

WeSavvy is a digital insurance platform that gives customers cash back on their insurance premiums when they walk, run or cycle. WeSavvy’s mission is to give back customers control over their insurance premiums.

Why WeSavvy?

We believe the current insurance model is broken. We need to shift the current model from one of indemnification (payout in the event of a claim) to one of loss prevention and control. This can only be achieved by changing the current industry model from one that penalizes to one that rewards the customers for positive behaviors. If we take the healthcare industry in the U.S. as an example, between 2010 and 2015 premiums have increased by more than 26%, leaving customers completely powerless and at the mercy of year-on-year increases. WeSavvy showcases a better way to transform the healthcare insurance industry, by giving the customer full control of healthcare expenses.

How did you decide to pursue the idea of WeSavvy?

I’m passionate about the digitalization of insurance, yet WeSavvy is personal to me. Back in 2012, I was overweight, and my 2013 New Year’s resolution was to lose weight. I unleashed the power of my community to support me through my journey, and I successfully lost weight throughout 2013 and became very healthy. However, my health insurance premiums went up in 2014, and there was no way for me to effectively communicate my personal journey to my insurer. That’s when I decided, in late 2014, to quit my job and build WeSavvy, a platform that grants the insurer the ability to personalize quotes and empowers policyholders to gain back control over insurance premiums.

What’s in a name?

I wanted a name that reflects our core beliefs that “We” as a community [friends, family, network] can leverage technology and be “Savvy” in tackling the obstacles placed in front of us in relation to insurance.

Describe your typical client:

In everything we do at WeSavvy, we keep the policyholder [our end customer] in mind. Our current business model is B2B2C [business to business to consumer], where we leverage current networks present within the insurance industry to reach the policyholder. Our clients are insurers and agents looking to meet the expectations of the next generation of customers, whether millennials or digital natives.

What does competition look like?

We’re often compared to Vitality. The difference between WeSavvy and Vitality is the tangibility of our rewards mechanism. We want to ensure customers receive tangible rewards, which increases their disposable income. Vitality’s main focus is the insurer, and [Vitality has] partnered exclusively with one insurer in every new market it has entered. What happens to the other insurers and agents? Our focus is to service the market as a whole and all participants of that market. Our technology will be available to every insurer or agency that would like to better serve its customers. We will leave our user experience for another day!

You took part in the Deloitte Digital Disruptor; what did you learn?

The biggest lesson I’ve learned was that the industry wants to embrace innovation, but, at times, the internal infrastructure and culture is not there to move at the pace of a start-up. Insurers that create the internal infrastructure and culture to move at the required pace will be the ones that reap the biggest rewards.

You’re currently taking part in the Global Insurance Accelerator; lesson learned?

We perceived the main insurance hubs as being London and New York, and it turns out that Des Moines is a hidden gem for our market. The concentration of insurance companies in Des Moines is mind-blowing. Des Moines is truly “Kicking ass, taking names and selling insurance” [to quote the city’s slogan]. I’d advise any insurance company that is thinking of setting up an innovation lab or is looking to work with start-ups to reach out to Brian Hemesath and see what he has created here. The conditions for a start-up to succeed are truly embedded in this 100-day program.

Where do you see WeSavvy in five years?

WeSavvy will be the catalyst in transforming how the insurance industry is perceived. Insurance is an awesome product, but it has failed to communicate its true value to the customer. Insurance is one of the best mechanisms of risk transfer, and it forms the bedrock of every developed society. I see WeSavvy growing from strength to strength, year on year, and moving into other insurance products, which have failed to engage and resonate with the customers. We have no exit strategy, for the simple reason that, if I exited from WeSavvy, my next venture would still be in insurance; and I love what WeSavvy as a company stands for: personal and social empowerment. You never know, we might IPO one day!

Best life lesson:

“Your health is your wealth” is one of my best lessons, as it taught me [after my mother passed away from cancer] that if there’s anything we could do to extend our time with our loved ones in this life, we should do it!

To see more of the “A Word With Shefi” series, visit her thought leader profile. To subscribe to her free newsletter, “Insurance Entertainment,” click here.

Shefi Ben Hutta

Shefi Ben Hutta is the founder of InsuranceEntertainment.com, a refreshing blog offering insurance news and media that Millennials can relate to. Originally from Israel, she entered the U.S. insurance space in 2007 and since then has gained experience in online rating models.