
Better Way to Assess Cyber Risks?

At UpGuard, two audacious Australians have developed what they say is a better way to assess the risk for cybersecurity breaches.

As the saying goes, there are two kinds of motorcyclists: Those who have fallen off their bikes and those who will. The insurance industry assesses the corporate world’s cybersecurity risk much the same way. Everyone is equally at risk, and, therefore, everyone pays the price for higher insurance premiums. Not a day seems to go by without news of a high-profile security breach. It’s no surprise, then, that the cybersecurity insurance market is expected to rise to $7.5 billion by 2020, according to PwC. Even worse, the industry does not have effective actuarial models for corporate cybersecurity, say Mike Baukes and Alan Sharp-Paul, the co-founders and co-CEOs of UpGuard. The two audacious Australians have developed what they say is a better way to assess the risk for cybersecurity breaches.

Pictured: Alan Sharp-Paul (L) and Mike Baukes (R), Co-Founders and Co-CEOs, UpGuard

The pair’s company recently unveiled its Cybersecurity Threat Assessment Rating (CSTAR), the industry’s first cybersecurity preparedness score for businesses. UpGuard’s CSTAR ranking is a FICO-like score that allows businesses to measurably understand the risk of data breaches and unplanned outages because of misconfigurations and software vulnerabilities, while also offering insurance carriers a new standard by which to more effectively assess risk and compliance profiles. According to Baukes and Sharp-Paul, many companies forego available policies due to perceived high cost and uncertainty that their organizations will suffer an attack. With countless patches and endpoint fixes slapped onto IT infrastructure to hastily remediate breaches, companies have found themselves with less visibility into their core systems than ever before and, as a result, no way to understand how at-risk they are for hacks. With CSTAR, businesses are able to regain transparency into their own stack and take the appropriate steps to bolster their cybersecurity. 
Insurance carriers, meanwhile, can make smarter underwriting decisions while accelerating the availability of comprehensive and cost-effective cybersecurity insurance policies for businesses. It’s a win-win for both the insurance industry and for businesses. After spending years in financial services in Australia and the U.K. and witnessing the disarray of corporate IT, UpGuard's two co-founders decided they could make a difference by developing a better way for corporations to understand their software portfolios and their associated potential risk for security breaches. Baukes says, “Our experience showed that there were thousands of applications and thousands of machines powering all of this critical infrastructure. And the thing that we learned throughout all this was just how hard it is for an IT organization to understand and get a handle on what they’ve got." “Today, everything is out in the cloud," Sharp-Paul says. "We’re all more connected. Employees are connected 24 hours a day, seven days a week. Now what keeps CIOs and CEOs up at night is, ‘If we get breached, I could get thrown in jail. I could get sued.’ It’s a very, very different world we live in today. We built a system to help companies understand and prevent downtime, and helping them save on project costs is just as relevant today from a security perspective." The two initially started a consulting company to help companies catalogue and manage their software platforms and applications. According to Sharp-Paul, “We realized the biggest problem companies have from an IT perspective is that they don’t really have appropriate visibility into what they’ve got and how it’s changing because so many things are changing daily in these environments that it’s really hard for them to know what 'good' looks like." 
Sharp-Paul and Baukes's consulting led them to develop software to automate the process, providing the means to quickly and effectively crawl every server and software application to present a profile of what needed to be updated or patched and to identify the system holes that allowed for security breaches. As Baukes tells it, “Getting that all to mix well and be safe, secure and capable of pinpointing where problems go wrong really quickly is an incredibly difficult task. So, we built up the first commercial version of the product—a very rudimentary version—and we shopped it around, and people were very excited at the time." From there, the pair realized their software had commercial potential and implications more far-reaching than what they had first thought. “We started with that very simple version with a few sales and no sales force—just Alan and [me] at the time—growing to the point now where we now have 3,000-plus customers, and the team is steadily being built,” Baukes says. Now, the company has nearly 50 employees and is growing fast. The Mountain View, CA–based company attracted early seed funding from the likes of Peter Thiel, Dave McClure and Scott Petry, leading to a near $9 million Series A funding underwritten by August Capital. The co-CEOs admit the co-managing arrangement is unconventional and would be challenging to make work under different circumstances. However, Baukes and Sharp-Paul feel their skills and temperament complement each other. “To be honest, when people ask us about it, my first response is always that it’s a terrible idea," Sharp-Paul says. "And that’s not because it’s been a horrible experience for us. It’s because I kind of think we’re really the exception. And the only reason I say that is that I know the unique things we went through and the type of people we are that makes this work. I can’t imagine that being a common thing at all." 
Baukes is generally a more aggressive and strategic thinker, while Sharp-Paul describes himself as more pragmatic and conservative. Sharp-Paul and Baukes first worked together at the Colonial First State Investment firm back in Sydney, where the two lived the DevOps experience before DevOps became the buzzy concept that it is today. There, Sharp-Paul was a web developer, and Baukes was a systems administrator, and they talked a lot about things like continuous integration and continuous delivery. “Now these are all fantastic things," Sharp-Paul says. "But you need a foundation or a basis of understanding what you have. I mean, we like to say you can’t automate what you don’t understand. Or you can’t secure or fix what you don’t understand. And that’s always missing. Everyone’s trying to rush to this goal of DevOps or moving to the cloud. Everyone wanted to be there, but companies and vendors in particular weren’t helping businesses on the journey there." Baukes says, “Once you have that base understanding of what you have, then that opens everything else up. You can think about DevOps. You can think about automation. At the time, we were thinking, ‘Why hasn’t anyone thought to do this before?’ It seemed like such a foundational, basic thing. It was almost like it was so foundational that everyone just moved past it, and they were looking at the next shiny thing down the road. I think that was the white space. That was our opportunity. We jumped on it." As it turns out, in the world of corporate IT, applications never get retired. Even worse, the people who manage them move on because the life cycle of an employee at a company is short. As a result, the institutional knowledge about these applications is lost. “Corporate memory is so short typically," Sharp-Paul says. "They often get to this point five years down the track where they rediscover this server or this application, and everyone’s too scared to touch it because they don’t know what it does. 
They don’t know how it works. The people with the knowledge just left with it all in their heads. We come across that all the time." Sharp-Paul and Baukes had always seemed destined to do something on their own. “I always had a healthy disrespect for authority. Throughout my corporate life, I was looking outside to see what else is out there," Sharp-Paul says. "I actually started the first step of creating a business on my own—with something as mundane as a French language website that I used when I moved overseas for a couple of years. ... It taught me that I can actually build something myself that makes money.” Baukes agrees. “The big difference is that I grew up in an immigrant family in the middle of nowhere, effectively. I won’t say the Australian Outback, but really rural," he says. "We built everything ourselves. My father was a great wheeler and dealer. So, I learned a lot from him. I fell into all of this by playing computer games and was really good at it, frankly. For me, that was a springboard into an accidental corporate life. I always knew that I would do something else.” Now, for the future? Baukes says, "It makes good business sense to quantify the risk in your company’s IT systems and report it effectively. And I think that for us, we could continue growing our business with that in mind—giving people visibility, helping them get to the truth of what they’ve got, teaching them how to configure it, and showing them if they’re vulnerable. That is beginning to accelerate for us, and we’re incredibly proud of that.

"We truly believe that, over time, CSTAR will be adopted as an industry standard that companies and carriers alike can rely on to make critical coverage and cybersecurity decisions."

Bruce Rogers


Bruce Rogers is Forbes' chief insights officer and writes about thought leadership. He writes a column on thought leaders changing the business landscape and is the chief insights officer for Forbes Media responsible for managing Forbes' Insights thought leadership research division, as well as the Forbes CMO practice.

How Bureaucracy Drives WC Costs

Every workers' comp form filed is an opportunity for a penalty, and there can be thousands of transactions on a single claim.

Workers’ compensation is one of the most highly regulated lines of insurance. Every form filed and every payment transaction is an opportunity for a penalty. Claims can stay open for 30 years or longer, leading to thousands of transactions on a single claim. Each state presents different sets of compliance rules for payers to follow. This bureaucracy is adding significant cost to the workers’ compensation system, but is it improving the delivery of benefits to injured workers?

Lack of Uniformity

Workers’ compensation is regulated at the state level, which means every state has its own set of laws and rules governing the delivery of indemnity and medical benefits to injured workers. This state-by-state variation also exists in the behind-the-scenes reporting of data. Most states now require some level of electronic data interchange (EDI) from the payers (carriers or self-insured employers). There is no common template between the states; therefore carriers must set up separate data feeds for each state. This is made even more complex when you factor in the multiple sources from which payers must gather this data for their EDI reporting. Data sources include employers, bill review and utilization review vendors. The data from all these vendors must be combined into a single data feed to the states. If states change the data reporting fields, each of the vendors in the chain must also make changes to their feeds. Variation also exists in the forms that must be filed and notices that must be posted in the workplaces. This means that payers must constantly monitor and update the various state requirements to ensure they stay in full compliance with the regulations.

Unnecessary Burden

Much of the workers’ compensation compliance efforts focus on the collection of data, which is ultimately transmitted to the states. The states want this information to monitor the system and ensure it is operating correctly, but is all this data necessary? 
Some states provide significant analytical reports on their workers’ compensation systems, but many do little with the data that they collect. In a world concerned about cyber risk, collecting and transmitting claims data creates a significant risk of a breach. If the data is not being used by the states, the risk associated with collecting and transmitting it seems unnecessary. Another complication is that there are multiple regulators involved in the system for oversight in each jurisdiction. Too often, this means payers have to provide the same information to multiple parties because information sent to the state Department of Insurance is not shared with the state Division of Workers’ Compensation and vice versa. Some regulation is also outdated based on current technology. Certain states require the physical claims files to be handled within that state. However, with many payers now going paperless, there are no physical claims files to provide. Other states require checks to be issued from a bank within those states. Electronic banking makes this requirement obsolete.

How Is This Driving Costs?

All payers have a significant amount of staffing and other resources devoted to compliance efforts. From designing systems to gathering and entering data, this is a very labor-intensive process. There have not been any studies on the actual costs to the system from these compliance efforts, but they easily equate to millions of dollars each year. States also impose penalties for a variety of things, including late filing of forms and late and improper payment of benefits. The EDI process makes it possible for these penalties to be automated, but that issue raises the question of the purpose of the penalties altogether. These penalties are issued on a strict liability basis. In other words, either the form was filed in a timely manner or it was not. 
A payer could be 99% compliant on one million records, but they would be automatically penalized for the 1% of records that were incorrect. In this scenario, are the penalties encouraging compliance, or are they simply a source of revenue for the state? A fairer system would acknowledge where compliance efforts are being made. Rather than penalize every payer for every error, use the penalties for those that fall below certain compliance thresholds (say, 80% or 90% compliance). The laws themselves can be vague and open to interpretation, which leads to unnecessary litigation expenses. Terms such as “reasonable” and “usual and customary” are intentionally vague, and often states will not provide further definition of these terms.

How Can We Improve?

One of the goals of workers’ compensation regulations is to ensure that injured workers are paid benefits in a timely manner at the correct rate and that they have access to appropriate medical treatment. There was a time when payers had offices located in most states, with adjusters handling only that state. Now, with most payers utilizing multi-state adjusters, payers must be constantly training and educating their adjusters to ensure that they understand all of the nuances of the different states that they handle. The ability to give input to regulators is also invaluable, and payers should seek opportunities to engage with organizations to create positive change. Groups such as the International Association of Industrial Accident Boards and Commissions (IAIABC) and the Southern Association of Workers' Compensation Administrators (SAWCA) provide the opportunity for workers’ compensation stakeholders to interact with regulators on important issues and also provide the opportunity to seek uniformity where it makes sense (EDI, for example). 
There needs to be better transparency and communication between all parties in the rule-making process so that regulators have a better understanding of the impact these rules have on payers and the effort required to achieve compliance. Developing standards in technology would be helpful for both the payers and the states. If your systems cannot effectively communicate with the other systems, you cannot be efficient. Upgrading technology across the industry, particularly on the regulatory side, has to become a priority. Finally, we need to give any statutory reforms time to make an impact before changing them again because the constant change adds to confusion and drives costs. In the last 10 years, there have been more than 9,000 bills introduced in various jurisdictions related to workers’ compensation. Of those, about 1,000 have actually been turned into law. People expect that these reforms will produce the desired results immediately, when in reality these things often take time to reach their full impact. These issues were discussed in depth during an “Out Front Ideas With Kimberly and Mark” webinar on Feb. 9, 2016. View the archived webinar at http://www.outfrontideas.com/archives/.

Kimberly George


Kimberly George is a senior vice president, senior healthcare adviser at Sedgwick. She will explore and work to improve Sedgwick’s understanding of how healthcare reform affects its business models and product and service offerings.

What We Can Learn From Google Compare

Where do you place your bets moving forward? Will other solutions just fill the void that Google Compare is leaving?

"The Google Compare service itself hasn’t driven the success we hoped for." Google Compare announced in an email to its partners that it would be shutting its insurance and financial products comparison service tools in the U.S. and U.K. as of March 23. The lack of traction in both usage and revenue generation were named as two key reasons. Those were the headlines across the industry this week. So Google Compare is done – for now. This is big news for the insurance industry, which has spent the last year figuring out how to shield itself from the potential impact that the tech giant would make. It turns out Google didn’t make much of a splash after all. In addition to insurance, Google is backing out of credit cards, banking and mortgage products. Google said  it is shutting down for now and focusing on “improving the customer experience.” Maybe Google will be back in a year, maybe five years, but what can we learn from it now? When Google Compare was launched in the U.S. last year, it took the industry by storm. The agent/broker ecosystem was skeptical of any success, but they were also fearful – given Google’s size, wealth and talent. Could Google disrupt personal auto quoting? What the agent/broker ecosystems did was to keep their (potential) enemy close by understanding what they were doing. They watched and hoped for failure. Meanwhile, a handful of insurers signed up to be part of the California launch: those insurers who could easily connect to the Google platform and wanted to be part of a potential success. And these companies had to explain their actions to their agents – who were in the wings watching and waiting to see what would happen. I have my own thoughts on why Google Compare failed this first go-around. First, consumers can get these quote comparisons elsewhere – insurers already do this. Next, maybe customers just aren’t quite ready for self-service compare engines – but by all accounts, they soon will be. 
I don’t think Google underestimated the complexity of insurance, nor do I think it underestimated the consumer. I think, probably, that the timing was off, and Google didn’t differentiate itself from existing solutions with comparative raters. Google probably lacked some of the innovation that would have been needed to differentiate itself from others in the market. Google Compare, like many start-ups, has failed, at least for now. At SMA, we talk all the time about how there is an innovation journey and how even the best-laid plans will sometimes fail. Part of the journey is learning through failure and then coming back better than ever. This is especially true in insurance. The industry is complicated. It’s complex and heavily regulated. It experiences slow growth, a slow pace of change and relatively small profits. And it requires lots of resources, cash and expertise committed for a long time before it pays off. SMA research shows 88% of insurers understand that innovation projects may fail. Part of that acceptance indicates a growing ability to learn from failure. So where do you place your bets moving forward? Will Google Compare opting out of insurance cause new disruption? Will new solutions move in to fill the void? Many will place their bets on strong incumbents and today’s ecosystem. Insiders believe that, with Google Compare moving out, it will become unappealing for outsiders to move in and try to understand it, saying the barriers to success are too high. Others will say that something will come to disrupt and challenge the traditional ways of the comparative raters and that outsiders, with their naivete and innovative thinking, will find a pin hole in the ecosystems and exploit the market. Either way, the wonderful thing about innovation is that it is the essence of change. The only constant is change. Things happen so quickly. Innovation can flip an industry on its side overnight. 
Google Compare isn’t going away forever; it is just shutting the blinds. While this may be a small win for the establishment insurers who viewed Google’s entry as a threat, it doesn’t mean these organizations should rest on their laurels. The time is now to innovate, fill a void and improve overall services. Finally, failures and what we learn from them serve to set the groundwork for change and innovation. It is part of the innovation journey to improve and adapt. As we continue this year, I am confident there will be more changes to the industry … so stay tuned.

Deb Smallwood


Deb Smallwood, the founder of Strategy Meets Action, is highly respected throughout the insurance industry for strategic thinking, thought-provoking research and advisory skills. Insurers and solution providers turn to Smallwood for insight and guidance on business and IT linkage, IT strategy, IT architecture and e-business.

Why the Agent Will NOT Be Disrupted

The decision to shut down Google Compare is letting the author take a victory lap -- though with some caution.

“Google Compare kaput” - Shefi Ben Hutta

A few weeks ago, I published an article here on ITL saying that the insurance industry, in general, would not be “disrupted.” I received both a lot of positive and (politely) negative feedback, including a rebuttal by Nigel Walsh. And then just this week, Google, the single-most-often-pointed-to culprit for the probable insurance disruption, dropped a bombshell: that it is shutting its Google Compare insurance service. That whisking sound you hear is me taking my victory lap. All kidding aside, although the urge to take a victory lap is strong, my calmer, rational side realizes that this news does not mean what some might think it means. While my beliefs are that disruption, as has occurred in other industries, will not happen in insurance, Google’s exit from this space is NOT evidence that I am correct. What I believe has transpired is the following:
  1. The insurance business overall is complex. Software cannot eat this elephant whole.
  2. Google underestimated how difficult the business is, especially in the segment Google Compare was fighting for, which is distribution. Getting new customers in insurance is quite challenging. Customers want value in their insurance transactions, which a website and a rater cannot imitate.
  3. Google’s opportunity cost of capital is high, and Google Compare couldn’t meet an acceptable threshold because of its inability to get traction. Brian Sullivan of Risk Information recently said that Google Compare got 10% of the business it forecasted. Ouch!
Those on the disruption side of things promise that, much like the Terminator, Google will "be back.” I actually think that is possible, after some of the issues are ironed out, such as expectations. Once upon a time, I would have been an eager Google Compare customer. So I have no doubt that there is a market for its offering. But there is a bigger market for insurance customers who want someone else to do the un-thrilling work of getting their insurance in place because those customers either don’t have the expertise or don’t wish to be bothered by the process at all. Consider a recent example in my own timeline. My current auto and property policies were purchased online several years ago. I didn’t need an agent because I was more than happy to do the work myself to save a few dollars. No longer. I recently moved across the country, back to the East Coast. The last thing I wanted to do was deal with address and other changes that are required when you move across state lines. I also didn’t want to research all of the licensing and car registration procedures I’d have to go through in the weeks following my move. So I found an agent. Within a couple of days, that burden had been lifted from me. I am less likely to personally do the insurance buying going forward. I would rather be doing something else altogether than researching and buying insurance. The whole experience was well worth the commission paid. And then there are customers who don’t know much about insurance at all: teen drivers, new homeowners and new parents, to name just a few potential insurance customers where the guidance of a trusted adviser will save a lot of time and future headaches. Can we really expect teen drivers to understand anything more than getting the cheapest policy possible so that they can drive? 
My newly minted teen driver spent days trying to get her car on the road because she chose the Cockney-accented spokes-lizard insurance, which provided nearly zero support for her real problem, which was the DMV. My response: “You should have gone to an agent. He would have done all that work for you.” A lesson learned, I hope. How about a new homeowner trying to get insurance to cover the property and family? An insurance agent will help with issues around replacement values, limits of liability, deductible options and coverage differences between carriers. Can machine learning get to the point where it can replace all of that? Perhaps. But add to this additional complexities, such as how a family should put together auto, property, umbrella and other insurance policies (such as flood, earthquake, jewelry, non-admitted products) to optimize effectiveness, and I think the technologists looking to disrupt are a long, long way away from being able to effectively deliver the value that an agent/broker is already providing. As the stakes are raised, the human touch will remain invaluable. This is not to say that the state of the current agency system is acceptable. Agents need to step up their game. Agents have been one of the biggest offenders in not using technology to further their significance. Agents have chiefly been great sales people. They have to be. They are selling an imperfect product whose value is difficult to quantify. In today’s environment, agents need to scale their sales presence outside of the face-to-face transaction toward a digital world. The agent might be able to overcome my objections when we are looking at each other, but, today, I am communicating via digital means, and I can simply ignore the agent. Agents need to use technology to better market to, communicate with and educate customers. 
They also need to take a page from insurers and use data to understand and quantify risk so that they can recommend the best solutions and not just a policy with the lowest price. Agents are used to providing multiple options to customers; now they need to use data to get an information advantage. Does this mean that agents need to become part underwriter, part adjuster, part actuary while remaining part salesperson to survive? I think so. For the modern agent or broker, Google Compare was not seen as a serious threat. Top agents know the value they bring and are not easily substituted for with technology. Twenty years from now, the landscape for buying insurance will look very different from today but I wager that, for many of the reasons I have outlined here, the insurance agent will still have a significant role for consumers who value their time and possessions.

Nick Lamparelli


Nick Lamparelli has been working in the insurance industry for nearly 20 years as an agent, broker and underwriter for firms including AIR Worldwide, Aon, Marsh and QBE. Simulation and modeling of natural catastrophes occupy most of his day-to-day thinking. Billions of dollars of properties exposed to catastrophe that were once uninsurable are now insured because of his novel approaches.

Wellness Promoters Agree: It Doesn’t Work

How many times do wellness promoters have to admit or prove that wellness doesn’t work before everyone finally believes them?

How many times do wellness promoters have to admit or prove that wellness doesn’t work before everyone finally believes them? Whether one measures clinical outcomes/effectiveness, savings or productivity, the figures provided by the most vocal wellness promoters and the most “successful” wellness programs yield the same answer: Wellness doesn’t work.
  • Outcomes/Effectiveness
Let’s start with actual program effectiveness. Most recently, Ron Goetzel, head of the committee that bestows the C. Everett Koop Award, told the new healthcare daily STAT News that only about 100 programs work, while “thousands” fail. In that estimate, which works out to a failure rate well north of 90%, he is joined by Michael O’Donnell, editor of the industry trade journal, the American Journal of Health Promotion (AJHP). O’Donnell says that as many as 95% of programs fail. (For the record, I have no beef with him, because he once willingly admitted that I am “not an idiot.”) The best example of this Goetzel-O’Donnell consensus? McKesson, the 2015 Koop Award winner. McKesson’s own data – even when scrubbed of those pesky non-participants and dropouts who are too embarrassed to allow themselves to be weighed in – shows an increase in body mass and cholesterol. Vitality Group, which contributed to this McKesson award-winning result as a vendor, wants your company to publicly disclose how many fat employees you have. Why? So that you are “pressured” (their word) into hiring a wellness vendor like Vitality. Yet Vitality admits it can’t get its own employees to lose weight. McKesson and Vitality continue a hallowed tradition among Koop Award-winning programs of employees not losing noticeable weight. For instance, at Pfizer, the 2010 award-winner, employees who opened their weight-loss email lost all of three ounces. Maybe it’s unfair to pick programs based on winning awards. Awards or not, those programs could have cut corners. Perhaps to find an exception to the rule that wellness can’t improve outcomes, we should look to the most expensive program, Aetna’s. Unfortunately, even Aetna registered only the slightest improvement in health indicators, throwing away $500/employee in the process. Why that much? Aetna decided to collect employee DNA to predict diabetes, even though reputable scientists have never posited that DNA can predict diabetes. 
So even award winners, wellness vendors themselves and gold-plated programs can’t move the outcomes needle in a meaningful way, if at all. Bottom line: It looks like we finally have both consensus on the futility of wellness, and data to support the wellness industry admission that way north of 90% of programs do indeed fail to generate outcomes.

  • Savings

Because wellness promoters now say most programs fail, it is no surprise they also say most programs lose money. Once again, this isn’t us talking. The industry’s own guidebook – written by Goetzel and O’Donnell and dozens of other industry leaders – shows wellness loses money. We have posted that observation on ITL before, and no one objected. However, very recently, the sponsors of this guidebook (the Health Enhancement Research Organization, or HERO) did finally take issue with our quoting statistics from their own guidebook. They pointed out – quite accurately – that their money-losing example was hypothetical. It did not involve numbers they would approve of, despite having published them. (At least, we think this is what HERO said. One of their board members has learned that they have sent a letter to members of the lay media, telling them not to publish our postings. We are told HERO’s objection centers on our quoting their report.) To avoid a lawsuit for quoting figures they prefer us not to quote, we substituted their own real figures for their own hypothetical figures – and using real figures from Goetzel’s company, Truven Health Analytics, multiplied the losses. This very same downloadable guidebook notes that these losses, as great as they are, actually exclude at least nine other sources of administrative costs – like internal costs, impact on morale, lost work time for screenings, etc. (Page 10). Truven also excludes a large number of medical costs (Page 22). One could only assume that including all these administrative and medical losses in the calculation would increase the total loss. 
Lest readers think that this consensus guidebook is an anomaly, HERO is joined in its conclusion that wellness loses money by AJHP. AJHP published a meta-analysis showing a negative ROI from high-quality studies.

Productivity

RAND’s Soeren Mattke said it best: "The industry went in with promises of 3-to-1 and 6-to-1 ROIs based on healthcare savings alone. Then research came out that said that’s not true. They said, 'Fine, we are cost-neutral.' Now research says: 'Maybe not even cost-neutral.' So they say: 'It’s really about productivity, which we can’t really measure, but it’s an enormous return.'"

The AJHP stepped up to make Dr. Mattke appear prescient. After finding no ROI in high-quality studies, proponents decided to dispense with ROI altogether. “Who cares about ROI anyway?” were O’Donnell’s exact words. Because health dollars couldn’t be saved, O’Donnell tried to estimate productivity impact. But honesty compelled him to admit that workers would need to devote about 4% of their time to working out to be 1% more productive on the job. Using his own time-and-motion figures, and adding in program costs, his math creates a loss exceeding $5,200/employee/year.

I would have to agree with O’Donnell, based on my experience in the 1990s as the CEO of a NASDAQ company. Ours was a call center company, which meant someone had to answer the phones. If I had let employees go to the gym instead of working, I would have had to pay other employees to cover for them. Our productivity would have taken a huge hit, even if the workouts bulked up employees’ biceps to the point where they could pick up the phone 1% faster.

Where Does This Leave Us?

Despite our using their own figures, wellness promoters may object to this analysis, saying they didn’t really intend for these conclusions to be reached. Intended or not, these are the conclusions from their figures, and theirs largely agree with ours, expressed in many previous blog posts on ITL.
And, of course, our website, www.theysaidwhat.net, is devoted to exposing vendor lies. The bottom line is, no matter whose “side” you are on, the answer is the same. Assuming you look at promoters’ actual data or statements instead of listening to the spin, the conclusion is the same: Conventional wellness doesn’t work. It’s time to move on.

Why Insurers Caught the Blockchain Bug

The message is getting out that blockchain can allow for a central database, at a time when people are rethinking wholesale insurance.

In April 2015, Lloyd’s of London launched the Target Operating Model (TOM) project. TOM is a central body responsible for delivering modernization to the still heavily paper-based wholesale insurance transactions in the London insurance markets. You can state, "I Support TOM," on a registration site or you can "like" TOM on social media. The project has had several "innovation" events. It has an orange logo reminiscent of the 1990s, when orange was the new black. The project has even tried to coin yet another tech mashup term for the London insurance markets surrounding Lloyd’s: InsTech.

This is not the first time the London insurance markets have tried to modernize. They are serial reformers, and their attempts have had varying degrees of success (from total failure to middling impact). Limnet (London Insurance Market Network) made progress with electronic data interchange in the 1980s and early 1990s. Electronic Placement Support (EPS) worked in the late 1990s, but few used it. Kinnect, at a cost conservatively quoted as £70 million, was abandoned in 2006. Project Darwin, which operated from 2011 to 2013, achieved little. The Message Exchange Limited (TMEL) is a messaging hub for ACORD messages that has had modest success, but most people still use email. Numerous private exchanges or electronic messaging ventures have gained only partial market shares. Xchanging Ins-Sure Services (XIS), a claims and premiums processing joint venture, was formed in 2000 and runs adequately but still has a lot of paper involved. A swift walk round Lloyd’s, perhaps passing by the famous Lamb Tavern in Leadenhall Market, reveals a lot of heavy bundles of paper, lengthening the arms of long-term insurers.

Does ontogeny recapitulate phylogeny?

Ernst Haeckel (1834–1919) was a German biologist and philosopher who proposed a (now largely discredited) biological hypothesis, the "theory of recapitulation."
He proposed that, in developing from embryo to adult, animals go through stages resembling or representing successive stages in the evolution of their remote ancestors. His catchphrase was “ontogeny recapitulates phylogeny.” In a similar way, TOM seems to be going through all the previous stages of former wholesale insurance modernization projects, databases, networks and messaging centers, but it may come out at the end to realize the potential of mutual distributed ledgers (aka blockchain technology).

Information technology systems may have now evolved to meet the demanding requirements of wholesale insurance. And wholesale insurance differs from capital market finance in some important ways. First, insurance is a "promise to pay in future," not an asset transfer today. Second, while capital markets trade on information asymmetry, insurance is theoretically a market of perfect information and symmetry—you have to reveal everything of possible relevance to your insurer, but each of you has different exposure positions and interpretations of risk. Third, wholesale insurance is "bespoke." You can’t give your insurance cover to someone else.

These three points lead to a complex set of interactions among numerous parties. Clients, brokers, underwriters, claims assessors, valuation experts, legal firms, actuaries and accountants all have a part in writing a policy, not to mention in handling subsequent claims. People from the capital markets who believe insurance should become a traded market miss some key points. Let’s examine two: one about market structure, and one about technology.

In terms of market structure: People use trusted third parties in many roles—in finance, for settlement, as custodians, as payment providers and as poolers of risk. Trusted third parties perform three roles, to:
  • Validate — confirming the existence of something to be traded and the membership of the trading community
  • Safeguard — preventing duplicate transactions, i.e. someone selling the same thing twice or "double-spending"
  • Preserve — holding the history of transactions to help analysis and oversight and in the event of disputes.
Concerns over centralization

The hundreds of firms in the London markets are rightly concerned about a central third party that might hold their information to ransom. The firms want to avoid natural monopolies, particularly as agreed information is crucial over multi-year contracts. They are also concerned about a central third party that must be used for messaging because, without choice, the natural monopoly rents might become excessive. Many historic reforms failed to propose technology that recognized this market structure.

Mutual distributed ledgers (MDLs), however, provide pervasive, persistent and permanent records. MDL technology securely stores transaction records in multiple locations with no central ownership. MDLs allow groups of people to validate, record and track transactions across a network of decentralized computer systems with varying degrees of control of the ledger. In such a system, everyone shares the ledger. The ledger itself is a distributed data structure, held in part or in its entirety by each participating computer system. Trust in safeguarding and preservation moves from a central third party to the technology. Emerging techniques, such as smart contracts and decentralized autonomous organizations, might, in the future, also permit MDLs to act as automated agents.

Beat the TOM-TOM

Because MDLs enable organizations to work together on common data, they exhibit a paradox. MDLs are logically central but are technically distributed. They act as if they are central databases, where everyone shares the same information. However, the information is distributed across multiple (or multitudinous) sites so that no one person can gain control over the value of the information. Everyone has a copy. Everyone can recreate the entire market from someone else’s copy. However, everyone can only "see" what their cryptographic keys permit.

How do we know this works?
We at Z/Yen, a commercial think tank, have built several insurance application prototypes for clients who seek examples, such as motor, small business and insurance deal-rooms. The technical success of blockchain technologies in cryptocurrencies—such as Bitcoin, Ethereum and Ripple—has shown that complex multi-party transactions are possible using MDLs. And, we have built a system that handles ACORD messages with no need for "messaging."

Z/Yen’s work in this space dates to 1995. Until recently, though, most in financial services dismissed MDLs as too complex and insecure. The recent mania around cryptocurrencies has led to a reappraisal of their potential, as blockchains are just one form of MDL. That said, MDLs are "mutual," and a number of people need to move ahead together. Further, traditional commercial models of controlling and licensing intellectual property are less likely to be successful at the core of the market. The intellectual property needs to be shared.

A message is getting out on the jungle drums that MDLs, while not easy, do work at a time when people are rethinking the future of wholesale insurance. If TOM helps push people to work together, perhaps, this time, market reform will embrace a generation of technology that will finally meet the demands of a difficult, yet essential and successful, centuries-old market. Perhaps TOM should be beating the MDL drums more loudly.

Michael Mainelli

Michael Mainelli co-founded Z/Yen, the city of London’s leading commercial think tank and venture firm, in 1994 to promote societal advance through better finance and technology. Today, Z/Yen boasts a core team of 25 highly respected professionals and is well capitalized because of successful spin-outs and ventures.

How to Know When a Claim Should Settle

The key question is: How did you get to that number? You can't move toward a settlement in workers' comp without some basic math.

Case evaluation is part art and part math. And we’re not even talking calculus; we’re talking arithmetic. A surprisingly large number of lawyers tell me they’re bad at math. They’re not alone. CNN anchor Chris Cuomo recently had his math corrected by co-anchor Michaela Pereira while discussing Powerball lottery numbers.
 
You can’t come up with a realistic evaluation of a workers' compensation claim if you can’t quantify the component parts: permanent disability, life pension, Medicare-eligible and non-Medicare-eligible future medical. In mediation caucus, when parties give me their offer or demand, I often ask how they came up with that number. I want their best argument, the one that will convince the other side. The first answer I get is often vague, something like, “We thought it would settle the case.” Workers' compensation professionals often neglect running the numbers. Getting parties to see the same numbers moves them toward settlement. I recently got a call about an offer in a personal injury case. I questioned the plaintiff’s attorney about what he thought this number represented. His answer didn’t sound right to me. I asked him, “Did you ask them how they came up with that number?” No, he hadn’t. I suggested the attorney ask opposing counsel that question to allow things to move forward, toward settlement. Random demands and offers are unlikely to settle a claim. Before you assume the other side is being unreasonable or before you respond, ask: How did you get to that number?

Teddy Snyder

Teddy Snyder mediates workers' compensation cases throughout California through WCMediator.com. An attorney since 1977, she has concentrated on claim settlement for more than 19 years. Her motto is, "Stop fooling around and just settle the case."

Why Healthcare Costs Soar (Part 3)

The big question is: Why are more self-insured employers not engaging directly with healthcare providers?

In Part 1 and Part 2 of this series, David Toomey and I described a wildly successful collaboration with Virginia Mason Medical Center (VM) and a few Seattle employers. During the time of the VM collaboration, we invited major physician groups to meet with the employers. One of the most memorable meetings was with the CEO and chief medical officer (CMO) from a very well-regarded physician group in Seattle that has high fees but low performance.

As you would suspect, the employers were better prepared for this meeting than they had been for the meetings with VM. When the CEO and CMO talked about their strong emphasis on quality, the employers asked about quality monitoring and the process of care. Rather than acknowledging opportunities for further analysis and professing an openness to collaboration, the providers responded with confidence about their model of care. Afterward, the employers expressed concerns about whether this premier provider could improve care and reduce costs.

We posed a couple of questions: Are you saying you don’t want this provider in the network? Are you really ready to tell your leadership that this physician group, which many executives use, is not in the top tier? The employers were aware of the dynamics with network configuration and the trouble that businesses have when a provider is dropped from the network and even a few employees complain. The employers responded that they wanted to have additional meetings with this group, because of its reputation.

After a couple of follow-up meetings, the employers recognized that this group was not committed to the process of care that they expected. They decided that the group should not be in the performance-based network. Importantly, the employers were now equipped to discuss their rationale with their leadership teams. The CEO of the provider group felt respected, because of the time the employers spent with him, even though he did not like the outcome. He eventually acknowledged the group had work to do.

Employers make purchasing decisions with suppliers every day. For some reason, the healthcare procurement process involves the carriers and other vendors but often skips the actual suppliers of healthcare (except in a fairly small, but rapidly growing, number of major corporations). The big question is: Why are more self-insured employers not engaging directly with providers?

In a broad network, there will be a bell curve around performance. Most employers say they want quality providers in their networks, but half the providers in their broad-based networks are below average. While everyone espouses “quality,” the variation in care is significant, and the medical ethics around treatment often drive that differential. Healthcare is big business. It is time to reward employees and channel them to primary care physicians and specialists who are truly committed to medically appropriate care.

A major reason why healthcare costs grow faster than general inflation is that most self-insured employers are simply not dealing with healthcare providers in the way we have described in this series of posts.

Tom Emerick

Tom Emerick is president of Emerick Consulting and cofounder of EdisonHealth and Thera Advisors.  Emerick’s years with Wal-Mart Stores, Burger King, British Petroleum and American Fidelity Assurance have provided him with an excellent blend of experience and contacts.

How Safe Is Your Data -- Really?

Four key steps for individuals, and four strategies for organizations, are key to keeping data safe against the rising cyber threat.

The number and the potential severity of cyber breaches are increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014. And the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before—and a total expected to reach 50 billion by 2020—there are more potential targets for attackers, and there is more potential for accidental breaches. What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So, how do you keep your organization’s data—and that of your clients and customers—safe? It’s not just a matter of investing in better technology and more robust systems, according to Aon cyber insurance expert Stephanie Snyder Tomlinson, who says, “A lot of companies find that the weakest link is their employees. You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-It note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Aon’s global chief privacy officer, Brad Bryant. But, with cyber threats increasing, it’s more important than ever to be aware of seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization. According to Bryant, there are four key things that everyone can do to help protect themselves and their organizations from the rising cyber threat:
  • Be alert to impersonators. Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
  • Don’t overshare. If you give out details about your personal life, hackers may be able to use them to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information. A surprising amount of information can be retained by devices, even after wiping hard drives or performing factory resets. To be certain that your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data. Keeping your software up to date and password-protecting your devices may not be enough to stop hackers, should your devices fall into the wrong hands. The more security, the better, and, with the growing threat, encryption should be regarded as essential.
Key approaches for organizations to better protect data

To protect your, your customers’ and your clients’ information, investing in better cyber security is one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right. Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations pursue to limit the risk and make sure they’re getting the basics right:
  • Build awareness. Educate employees on what social engineering fraud is, especially those in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious. Always verify the authenticity of requests for changes in money-related instructions, and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin and destination.
  • Be organized. Develop a list of pre-approved vendors and ensure employees are aware. Review and customize crime insurance—when it comes to coverage or denial, the devil is in the details.
  • Develop a system. Institute a password procedure to verify the authenticity of any wire transfer requests, and always verify the validity of an incoming email or phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.
Much of this advice is not new, but the scale of the threat is increasing, making following this advice more important than ever. Fitzgerald warns, “Social engineering fraud is one of the greatest security threats companies can encounter today. ... This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites, to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious, and courts and regulators are focusing on this issue globally. The European Union is considering a Data Protection Directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on the protection of customers’ data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and U.S. Bryant warns: “Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction. ... Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

Changing E.U. rules aren't the only thing that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of Internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.
Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever. Bryant says, “Given the large scope and impact of the various changes in data protection law—coupled with the drastic increase in fines—becoming educated on how to protect our data is more business-critical now than ever before.”

Eric Seyfried

Eric Seyfried, a senior vice president at Aon, has had a variety of experience in the area of commercial errors and omissions. As an associate in private practice, he was involved in the direct defense of a variety of professional liability matters as well as coverage litigation.

How to Address Eating Disorders at Work

Despite their prevalence, eating disorders are treatable. It is important to know the signs as well as what to do if someone you know is at risk.

In America, 30 million people will struggle with an eating disorder at some point in their life. With statistics this high, it is likely that someone you know, or perhaps even you, has struggled with this mental health issue. Family members, friends and even coworkers can struggle with anorexia, bulimia and binge eating disorder. Despite their prevalence, eating disorders are treatable. It is important to know the signs and symptoms as well as what to do if someone you know is at risk—especially in the workplace. Our workplaces are often a source of stress. Deadlines, long hours and strained relationships can leave us feeling tired and vulnerable. When we feel down, we can be more susceptible to mental illness, including eating disorders, and stressful times can exacerbate existing conditions. With eating disorders, as with most illnesses, early intervention is important. Businesses are in an excellent position to help employees who may be struggling with an eating disorder. Wellness programs can help raise awareness and encourage treatment. And anonymous screening programs can be an effective way to assist employees. Anonymous and confidential mental health screenings are designed to help individuals examine any thoughts or behaviors that may be associated with eating disorders. After completing the self-assessment, users are provided with helpful resources and treatment information, if necessary. Although the screenings are not diagnostic, they will determine if someone is exhibiting symptoms associated with an eating disorder and if that someone should seek help. Some common eating disorder signs and symptoms include:
  • Frequent comments about feeling “fat” or overweight
  • In general, behaviors and attitudes indicating that weight loss, dieting and the control of food are becoming primary concerns
  • Skipping meals or taking small portions of food at regular meals
  • Hiding body with baggy clothes
  • Evidence of binge eating, including disappearance of large amounts of food in short periods or lots of wrappers and containers indicating consumption of large amounts of food
  • Maintaining an excessive, rigid exercise regimen—despite weather, fatigue, illness or injury—because of the need to “burn off” calories
  • Drinking excessive amounts of water or using excessive amounts of mouthwash, mints and gum
If you are concerned that a coworker may have an eating disorder, there are things you can do to help. Rather than focus on issues related to their physical appearance, let your coworker know you have noticed a change in their behavior. Perhaps the quality of their work has suffered or their mood has changed. Let them know that you care and offer helpful resources. If your workplace offers a wellness or screening program, share that information. Anonymous eating disorder screenings are always available at MyBodyScreening.org. Be sure to follow up with the coworker to see how they are doing. Support systems are important as they work toward recovery.

The National Action Alliance for Suicide Prevention is a public-private partnership advancing the National Strategy for Suicide Prevention, put forward by the U.S. surgeon general. The alliance supports mental health and suicide prevention programs in the workplace and endorses mental health screenings as part of those programs. Screenings can make a difference in mental health and suicide prevention.

As millions of adults struggle with eating disorders, workplaces can make an impact by spreading awareness, offering screenings and encouraging treatment. It is in the best interest of an employer to help workers stay healthy and productive. Wellness and screening programs are a proven way to do this.

Candice Porter

Candice Porter is executive director of screening for Mental Health. She is a licensed independent clinical social worker and has more than a decade of experience working in public and private settings. She also serves on the Workplace Taskforce under the National Action Alliance for Suicide Prevention.