Please join me for "Path to Transformation," an event I am putting on May 10 and 11 at the Plug and Play accelerator in Silicon Valley in conjunction with Insurance Thought Leadership. The event will not only explore the sorts of technological breakthroughs I describe in this article but will explain how companies can test and absorb the technologies, in ways that then lead to startling (and highly profitable) innovation. My son and I have been teaching these events around the world, and I hope to see you in May. You can sign up here. Over the past century, the price and performance of computing has been on an exponential curve. And, as futurist Ray Kurzweil observed, once any technology becomes an information technology, its development follows the same curve. So, we are seeing exponential advances in technologies such as sensors, networks, artificial intelligence and robotics. The convergence of these technologies is making amazing things possible. Last year was the tipping point in the global adoption of the Internet, digital medical devices, blockchain, gene editing, drones and solar energy. This year will be the beginning of an even bigger revolution, one that will change the way we live, let us visit new worlds and lead us into a jobless future. However, with every good thing, there comes a bad; wonderful things will become possible, but with them we will create new problems for mankind. Here are six of the technologies that will make the change happen.

Digital transformation, changing cultural values, resource scarcity and environmental impact concerns are affecting every industry, including insurance. Those changes are accelerating the growth of the sharing economy and the demand for resource optimization. The rise of sensors and intelligent digital ecosystems are blurring the boundaries between the digital and physical worlds and generating massive new data sources. Next-generation analytics and artificial intelligence are coming on-stream to harness that data. Adapting to and succeeding within this digitally transformed world will require changes in every aspect of the financial services industry, and the processes by which it delivers value to its customers. To check on the state of innovation in insurance, the Silicon Valley Innovation Accelerator and Celent combined to conduct a study that combined a quantitative survey with qualitative discussions with key players. Here are the results: Please consider joining us for the series of Insurance Disrupted conferences. The next will be held March 22-23 in Silicon Valley. ITL readers receive a 15% discount here.

Steve Jobs was famous for saying; “A lot of times, people don’t know what they want until you show it to them.” He was most often referring to focus groups and "industry experts" as the last places he’d look for ideas on innovation and disruption. I’ve often wondered what Jobs would have said if asked to reimagine insurance distribution in America. I think he might have obsessed about a customer-centric mindset, a fierce focus on trust and a single place for managing risk. Not what you typically see from those trying to disrupt LeadGen in insurance today. Others Will Follow GoogleCompare Out TheZebra.com, Insurify.com, QuoteWizard.com, GoogleCompare … the list appears to be endless these days – represent a group of "innovators" who didn’t think what the consumer might want from an insurance experience, and in turn are delivering a toxic insurance shopping experience clouded by opaque offers like providing an Expert Virtual Insurance Agent. What’s worse, many in the FinTech vertical – investors and media alike -- are talking about these "innovations" without ever taking them for a test drive. Imagine the editor of Car & Driver simply publishing the latest hype for a new Ford Truck model as gospel without taking the vehicle for a spin. So, why not take a spin. Ask for a quote from theZebra.com or QuoteWizard.com, AND give the company your actual email address and cell phone number. Then buckle up. Calls… emails… ad nauseam. And most of the outreach is not even from the LeadGen company you connected to. In fact, most of these LeadGen companies don’t actually sell insurance. They simply sell the customer and everything the customer has shared about themselves to others. How can that be? Their Words – Not Ours TheZebra.com home page promises the consumer "insurance in black and white." Reminds me of Apple when it launched its iconic iPod with the simple phrase: "1,000 songs in your pocket." Pretty snappy. But unlike Apple, which simply delivered on its promise, here's what theZebra.com says it will actually do to the consumer and the personal information she provides. (As it happens, the privacy disclosure about buying insurance "in black and white" is in grey on the Zebra.com website. As my Dad would say, there are some things you just can’t make up. These are actual excepts from the company web site. The boldface is ours. SHARING OF PERSONAL INFORMATION The Zebra may rent, sell or share Personal Information or Location Based Information it collects about you to or with third parties. Personal Information and Location Based Information collected from you is commonly used to provide you with products and services and to comply with any requirements of law. By submitting your e-mail address and/or phone number (as the case may be) via The Zebra or our properties, you authorize us to use that e-mail address and phone number to contact you periodically, via e-mail, SMS text message, and manually-dialed and/or auto-dialed telephone calls, concerning (i) your insurance-related or quote requests, (ii) any administrative issue regarding our services and/or (iii) information or offers that we feel may be of interest to you. We may also send e-mails to you periodically regarding updated quotes or offerings. You may opt out of receiving e-mails from us at any time by unsubscribing as set forth in the applicable e-mail. Additionally, by filling out information on The Zebra as part of your request for information about insurance policies and quotations, you authorize us to provide that information to various insurance companies, insurance agents and other related third parties that participate in our network. Some insurance companies or third parties may then provide your personal information to their insurance carriers, suppliers and other related vendors in order to generate price quotations and information relevant to insurance policies that you have requested. These third parties may use the contact information (including telephone number(s)) you have provided to contact you directly with quotations by means of telephone (manually or auto-dialed), fax, email and postal mail, even if you have registered your phone number(s) on local and/or national no-call lists. You further acknowledge and agree that each third-party that receives your quote request from this website or from our affiliates may confirm your information through the use of a consumer report, which may include among other things, your driving record and/or credit score. For purposes of faxing, it is understood that insurance companies or third parties have an established business relationship with each user of this website, if required to comply with the then current law. We may also share certain personal information or location-based information with institutions providing possible product offerings to you based on the information you submit through the Website (e.g. financial institutions and/or insurance companies), and/or certain The Zebra vendors in order to allow them to use that information to obtain and provide us with additional information about you, and/or product offerings that might be of interest to you. Decades of Trust Put at Risk in a Digital Instant Iconic insurance brands, like AllState, Amica, Esurance and MetLife – are just a few of the insurance carriers featured inside these LeadGen sites. This isn’t complicated. As consumers, all of us are very wary of providing our personal information to anyone – always looking for assurances that the receiver of our personal information is someone we can trust. As insurance professionals, we will always require personal, non-public information to underwrite risk. It is critical as an industry that we preserve the public’s trust that we will respect their confidence and protect their data. In my company, we do a lot of work with financial institutions, and even though they might complain about regulatory overreach, most bank CEOs are proud to state in BLACK AND WHITE: We will not share/sell your personal information with third parties. Look at the fight Apple and Google are prepared to wage to protect the personal data on someone’s cell phone - so focused about protecting the assumption of trusted privacy implicit in their brands. When insurance carriers specifically, and our industry in general, support or, worse, encourage these LeadGen models, they put our brands, our hard-fought reputation of trust, and an emerging generation of customer-centric, omni-channel-licensed insurance advisers at risk. Insurance isn’t a commodity as long as underwriting is required, and regulators require massive balance sheets to stand at the ready to settle claims. Personal information, whether provided person to person or online, or via virtual driving analytics aggregation tools - it’s the customers’ data. And we as customers want to know who they are giving it to and how it’s being used. If carriers don’t question this toxic experience called LeadGen, you can bet consumers and their advocacy groups will shortly assemble a collective voice to express their dissatisfaction to regulators – and the regulators will be quick to respond. I can hear Sen. Elizabeth Warren and the Consumer Finance Protection Bureau (CFPB) decrying the misrepresentations and mistreatment suffered by the consumer when they provide their personal information under the guise of a black-and-white shopping experience -- only to learn their information has in fact been down-streamed to others again and again. Our entire industry will be painted with a very unflattering brush. Just as the outlandish behavior of certain mortgage origination companies drew harsh scrutiny for all lenders in the last decade, think of insurance commissioners and Congress taking aim at the "grey print" of these LeadGen models: the CFPB alleging potential unfair, deceptive or abusive acts and practices (UDAP) violations because of the problematic impact on the consumer. Going Forward For the carriers, the dilemma is real. Traditional brick and mortar local agencies as distribution platforms are going away. They have no large, scalable, addressable markets that can be engaged digitally. GEICO is relentlessly accumulating market share by going direct to consumers. It’s almost understandable that, given those constraints, some of America’s most powerful insurance brands are putting their brand equity at risk on these LeadGen platforms in an effort to remain visible, reaching for any option to remain viable. An alternative solution is emerging. Insurance cCarriers and our industry must focus on imagining a new type of licensed agent with the tools that will let them provide a transformative insurance shopping experience for insureds – a lifetime of simple, comfortable, obsessively trustworthy insurance purchases and service. And we, as agents, from the Big I on down, have to imagine a new generation of insurance advisers and insurance agencies. Think of them as meta agents operating in meta agencies. Can we imagine a new generation of agent that can instantly access all of the public and non-public information about a customer’s character and collateral, deliver it to a stable of insurance carriers that are prepared to underwrite that risk, in exactly the format they need it in, get instant quotes from the carriers that reflect the customer’s risk tolerance and assets to be insured, be available to provide any of the advisory insights the customer might want – all exactly at the moment the customer has an insurance need? A new generation of agents, operating in a new generation meta-agency -- fulfilled in their work as risk managers and customer advocates, operating in a seamless, frictionless ecosystem in lifelong service to the customer. And all with an obsessive commitment to trust. Can you hear Steve Jobs in his iconic black turtleneck on stage wondering the same out loud? A New-Generation Agent and Agency A new generation of agent and agency is emerging – empowered and excited to deliver insurance solutions to consumers, operating inside companies that have long and deep trusted brand equity with the consumer, an obsessive commitment to trust. And, having earned that trust, these agents have access to everything a carrier needs to know about the consumer's character and collateral, eliminating the dreaded "insurance interview and application" or, worse, "the LeadGen hustle." This new agent never prospects, sells or steers a customer – the agent simply focuses on delivering a frictionless shopping, comparing, buying and post-purchase service experience tailored to each unique customer exactly at the instant the customer needs it -- again, with an obsession for trust. We believe the role of an agent, with a completely reimagined operating environment, is more important and more valuable than ever before. A new generation of agents and agency is emerging – reimagined to reflect what the customer actually wants, even though, in the iconic words of Steve Jobs, "They didn’t know it."

The research firm Gartner has a great model for showing the relative maturity of different technologies. It's called the Hype Cycle, and it looks like this: Source: https://en.wikipedia.org/wiki/Hype_cycle There are five phases. First, a technology emerges, triggering a myriad of ideas for potential applications. Startups are founded, commentators predict it will change everything, incumbents include it in the SWOT (strengths, weaknesses, opportunities and threats) analysis section of their annual strategic plan. These expectations reach a peak and then start to decline as technical limitations, barriers to consumer adoption and regulatory concerns emerge. Chastened, new technologies then slowly regain credibility as people focus on how they can be applied to create real value in the here and now. Finally, they achieve mainstream adoption and acceptance. So what would the hype cycle of insurance disruption look like, in 2016? I think something like this: The hottest topics of discussion in insurance right now are those left-most on the chart. We can expect the next 12 months to see seed-stage angel and VC investments in start-ups addressing the insurance implications of IoT/connected home (Domotz), blockchain (Everledger), drones (Drox) and maybe even artificial intelligence (Brolly). Meanwhile, insurance industry incumbents will continue appointing chief digital officers, opening digital garages and launching venture funds and start-up incubators with the aim of getting a stake in the next generation of InsurTech companies. It will be a few years before we see whether these investments are creating value. On the other side of the peak of inflated expectations, there is a deepening malaise around peer-to-peer (P2P) insurance. New York’s Lemonade may have just raised a $13 million seed round, but it has a long hard road ahead. The company's somewhat hubristic claim to be the world’s first P2P insurer suggests executives aren’t aware of Friendsurance or Guevara and the challenges these admirable businesses have faced in creating a value proposition that consumers can understand and buy into. P2P insurance remains intellectually exciting to insurance industry insiders but deeply unappealing to ordinary people. Do you want to feel social pressure from your friends not to make a home insurance claim if you spill paint on the carpet? No, neither do I. It will take a radically different articulation of the P2P consumer proposition for it to gain more traction -- probably one that doesn’t focus at all on the product mechanics. If the appeal of P2P insurance is in decline, big data is in the trough. There is even a bot that substitutes the phrase “chronic farting” in any tweet that mentions it. Consolidating a global insurer’s data assets on a single platform and then powering the whole organization with advanced analytics seems about as realistic as boiling the ocean. But away from these grandiose projects, there are specific insurance use cases where big data has tangible value today. Underwriting using Twitter data is already as powerful as traditional question sets. At Bought by Many, we’ve analyzed the anonymized search data of 3 million U.K. Internet users to identify where the biggest gaps are between consumer demand for insurance and the products being supplied by the industry. Meanwhile, social media data, particularly from Facebook, is hugely powerful for insurance distribution – not just for targeted advertising but for understanding and serving people’s unique insurance needs. There is also a number of technologies that are mainstream in other sectors but still haven’t been fully adopted in insurance – programmatic advertising, even web analytics. The most egregious example is mobile. 75% of U.K. adults now use mobile Internet, and yet encountering a mobile-optimized or responsively designed insurance quote and buy process is still a pleasant surprise. Perhaps this reflects insurance companies’ bad experiences of developing apps that no one downloaded during the earlier phases of smartphone adoption; but surely getting mobile sorted should be a higher priority for insurers than launching an incubator. Mobile-first insurance startups like Worry + Peace and Cuvva can provide inspiration. When it comes to technology, insurance isn’t a leader, it’s a follower. So it’s in the smart application of maturing technologies that the biggest opportunity for insurance disruption lies.

The Wall Street Journal reported that 20 large U.S. companies joined to fight high healthcare costs, launching the aptly named Health Transformation Alliance. Employers account for one in five dollars spent on healthcare in the U.S., yet they have relatively weak influence in the marketplace. But these influential companies are intent on aggressive action. With this kind of unified leadership, the alliance promises to shake the foundations of our health care economy. There have been other efforts to harness the power of the business community to improve health care. My organization, the Leapfrog Group, is one such effort, founded by Business Roundtable in 2000 to address quality and patient safety in hospitals. Based on what we’ve learned over the past 16 years, here are three key principles for the alliance to start with:

1. Lowering costs won’t automatically lower prices.

Whenever the subject of cost reduction comes up, some providers tout the enormous cost savings they have put in place through improved efficiencies, better technology or less invasive procedures. Recently, they have also pointed to the potential of large hospital system mergers to reduce costs through economies of scale. But employers are right to wonder why their own healthcare price tag continues to rise, despite these marvelous advances. Why don’t they see the cost savings? Simply put, cost savings to the provider are not the same as cost savings to the purchaser. This sounds like such an obvious point. But the obfuscation over whose costs are saved persists and trips up progress year after year, with purchasers left scratching their heads. The alliance members will succeed in cutting their own prices only if they clearly demand that cost-reduction strategies have visible and substantial effects on their own bottom lines.

2. Lowering prices won’t automatically lower costs.

Even if purchasers do succeed in lowering prices, the cost-reduction job is not done. That’s because the amount of waste in healthcare is profound. The Institute of Medicine estimates that as much as one-third of all costs are associated with unnecessary services, errors, infections and management inefficiencies. Not all providers are the same, and some incur much more waste than others. Whatever the price of a particular procedure, it’s no bargain when there are infections, complications and mismanagement—or if the procedure wasn’t medically necessary in the first place. This is not chump change, this is game change. A 2013 study in the Journal of the American Medical Associaton (JAMA) reported that, on average, purchasers paid $39,000 extra when a patient contracted a surgical site infection. That excess doesn’t show up on the claim as a line item called “waste.” It is buried in a series of excess fees, tests, treatments and time spent in the hospital. Employers intent on cutting costs must factor wastefulness into the pricing equation.

3.  Focus on the market incentives.

Our system of costs and pricing creates perverse incentives. The more a provider wastes, the more it can bill the employers. New financing models are slowly emerging, aimed at achieving value—the novel idea that payments align with patient outcomes. One of the most promising models is called “bundled pricing,” in which a health system is paid one total price for a particular procedure, including physician fees, radiology, hospital charges, etc. In this model, a provider is given incentives to actually reduce waste, so it maximizes profit under the bundle. Some large employers have developed bundled pricing arrangements with a select group of health systems, for a select group of procedures. Walmart is a leader in this, as are employer members of the Pacific Business Group on Health. What have they found? A significant reduction in waste and better care for employees. Another promising use of bundled pricing is coming from international medical tourism. Health services and pharmaceuticals are often much less expensive overseas than in the U.S. Most international providers offer bundled pricing and concierge hosting services. For example, Health City Cayman Islands offers bundled prices for certain heart and orthopedic surgeries, including all facility and physician fees, along with pre- and post-operative care at a lovely beachfront hotel. Its prices are one-fourth to one-fifth those for comparable services in the U.S. The problem with medical tourism: determining the quality of international providers. Employer groups, like the Health Transformation Alliance, must address this in their work. Once again, waste and quality need to be factored into the cost equation.

Limelight Health, the winner of our start-up Showcase at our first Insurance Disrupted | Silicon Valley, gives a sense of what's to come with innovation in insurance. Limelight Health has a product called QuotePad, which is one of the first real-time, mobile, all-in-one quoting platforms for health insurance and benefits professionals. (The others highlighted at the Showcase are Rig - GroupHub - roost - Jumpstart Recovery - Zenehome - Sureify.) Jason Andrew, CEO of Limelight, says what his company is doing is a harbinger of even bigger changes: “We are witnessing one of the largest transformations in the history of a multitrillion-dollar industry. New technology is changing the game for the entire insurance ecosystem. Quicker, more seamless data integration is changing the insurance process, from the way consumers research and purchase insurance to how claims are underwritten. As a result, companies large and small are sprinting to keep up with the demand for agile and integrated technology platforms that can harness this growing data volume and extract real value from it.  The largest carriers are now paying attention to big data, spending more money on research and bringing on data scientists to analyze and shape the future of insurance. “ As the industry moves from a legacy framework to a series of more connected systems with intelligent logic built in, all parties involved in the selling and decision-making process will be allowed to spend more time executing decisions and much less time on the administrative work that is a large and protracted part of the process today. Andrew says, “For the health insurance market, which is fragmented with a lot of outdated systems that don’t connect or communicate easily, and where redundancy often leads to a high probability of error, we see this as being where QuotePad will make a significant impact on the insurance industry.” Limelight Health was born in February 2014. Before that, the insurance technology boom had not fully launched, and it took several years of pitching, partnering and persistence to gain the attention of an industry that now supports the cause. Prior to 2014, no one was really interested in investing in insurance. What we now know as #insuretech and #fintech was not the sexy vertical it is today. And we're just getting started. If you’re in the industry you are probably keenly aware of some of the changes that are coming, but not all. Please consider joining us for future Insurance Disrupted conferences, with our start-up Showcases. The next will be held March 22-23 in Silicon Valley. ITL readers receive a 15% discount here. Organizer and host of Insurance Disrupted Conference: Silicon Valley Insurance Accelerator - SVIA Innovation Partner: Insurance Thought Leadership Conference sponsors: Aflac, Munich RE, Captricity, Zendrive, XL Innovate, Saama Technologies, CRC Insurance Brokers, Novarica  

Zenefits is in trouble. Serious, existential trouble. Some community-based benefit brokers are watching the calamity at Zenefits unfold with a mixture of schadenfreude and relief. Given the scorn and ridicule Zenefits heaped on these brokers, taking pleasure from its misfortune is hard to resist. Feeling relief, however, misreads the situation and is dangerous to one’s career. Zenefits’ Troubles  Zenefits could go out of business, and several of its employees could be jailed as a result of the business practices reported by William Alden of BuzzFeed News and other journalists. While unlikely, this is a possibility because:

• Zenefits allegedly used unlicensed agents to sell and service 83% of its policies in Washington state. If proven, Zenefits could face as much as a $2.8 million fine, and some employees could go to prison. Zenefits allegedly used unlicensed agents in other states, too, which could add to these fines.

• Zenefits created software enabling some California employees to lie to regulators concerning the time they spent on pre-licensing training. California law requires those applying for an insurance license to devote 52 hours to this curriculum. Zenefits employees signed a form, under penalty of perjury, that they had done so. Some may not have. Perjury is a felony in California, and conviction can result in as much as four years' imprisonment. If Zenefits cheated in qualifying agents to sell in California, other regulators are no doubt looking into whether the company did this in their states, too.

• If found guilty of violating consumer protection laws, state regulators could revoke Zenefits’ insurance licenses. Without the license, Zenefits could no longer sell new policies, and insurance companies would likely terminate, for cause, their Zenefits contracts. The insurers would then stop paying commissions to Zenefits even on previously sold policies. License revocation in one state could result in losing their licenses elsewhere. A cascade across the country of revoked licenses and terminated contracts could cost Zenefits tens of millions of dollars.

• If Zenefits loses its licenses, commissions on current policies and ability to sell new ones, then some of its more recent investors may demand their money back. (Let me be clear: I am not accusing anyone at Zenefits of committing fraud or any other crimes. What follows is totally and only hypothetical and speculative.) In May 2015, Zenefits raised $500 million in a capital round led by Fidelity Investments and private equity firm TPG. If Zenefits management knowingly hid legal problems from them (and I’m not accusing anyone of doing so), then Fidelity and TPG could claim inducement by fraud, seek to rescind their contract and demand Zenefits return their investment. I’m not saying this happened or that investors were misled in any way. Nonetheless, I’d be surprised if Fidelity and TPG lawyers are not also speculating about this.

Zenefits' worst case scenario, then, is that the company pays millions of dollars in fines, loses many millions more in revenue, sees employees jailed, can no longer sell insurance, irreparably damages its brand and must repay some investors. Maintain Perspective That’s a pretty scary worst-case scenario. Based on we know today, it is also highly unlikely to happen. No regulator has found Zenefits in violation of anything. Regulators are unlikely to impose the most severe penalties available to them if their investigations do not reveal consumer harm. The steps David Sacks, Zenefits’ new CEO, is taking will likely mitigate any penalties imposed on the company. Several employees, including former CEO Parker Conrad and sales VP Sam Blond have already left the company, and more may follow. Zenefits now has its first compliance officer. Mr. Sacks also seeks to change Zenefits values. I’m skeptical, however, that Zenefits can or will quickly change its culture and core values. I respect Mr. Sacks’ intentions, experience and abilities. He deserves a chance to make his turnaround work. Yet changing a company’s culture usually takes considerable time, and Zenefits’ culture is deeply infused with the Silicon Valley ethos of speed, innovation, disruption and risk taking. To transform Zenefits requires a different world view. Yet in announcing Mr. Parker’s resignation, the company added three board members—all current investors with no domain expertise. In fact, no current Zenefits board members or executives listed on the site appear to have any experience in running a human resources firm, payroll company or insurance agency—the services Zenefits delivers. What they share is deep experience in well-known tech companies. Zenefits may be a technology company, but that tech is supposed to accomplish something. Only in places like Silicon Valley would lack at the top of the company of this domain expertise be celebrated. Zenefits seems to exist in a Valley-sized bubble, and it’s tough to change what’s in a bubble from the inside. The Real Lesson of Zenefits Yet Zenefits is likely to survive. It reportedly has enough cash on hand and no need to seek more. The most probable outcome from the various investigations is that, absent findings of intentional and substantial criminal malfeasance, Zenefits will keep its licenses, carriers will continue paying commissions and investors will keep their money in the company. We don’t yet know how Zenefits' saga plays out. What we do know are some lessons this scandal teaches, especially to brokers: Lesson one: Consumer protection laws matter. Violate them, and there’s a huge price to pay; as there should be. Lesson two: Arrogance is unbecoming and unhealthy. Zenefits is a company whose leaders proclaimed that community-based brokers were dead meat, promised to drink brokers’ milkshakes, claimed brokers barely knew how to use email, described their profession as a dead beast lying in the desert and, well, you get the idea. The danger is that arrogance of this magnitude easily morphs into hubris. Zenefits’ hubris was the apparent belief that it could ignore rules if they get in the way of achieving the growth promised investors. Lesson three: Even broken companies get some things right. Zenefits identified a latent customer demand. Clients want more from brokers than help with benefit plans. They want to focus on their businesses and not be distracted by HR and benefit administration. Zenefits success makes clear there’s a disadvantage to only selling and servicing insurance plans. Clients want more from their brokers. Even in the unlikely event Zenefits goes away, this client need will not. Lesson four: There’s more where they came from. Zenefits’ demise would not mean the end of well-funded tech companies challenging community-based benefit brokers. If Zenefits falls to the wayside, others are ready to take its place using the same tactic of giving away software to employers in exchange for being named the employers’ broker of record on benefit policies. Seeing a bully humbled is always fun, and there’s no harm in brokers enjoying the sight of Zenefits in disarray. Those brokers who believe Zenefits predicament means they no longer need to step up the services and value they deliver their clients, however, are making a costly mistake.

As investment bankers and their lawyers pore over the details of a potential corporate merger, a new and troubling issue has emerged that could affect the terms of the deal, or even derail it. Cyber risk is now a top agenda item, not only for deal makers but for shareholders, regulators and insurance companies. While assumption of risk is nothing new when acquiring a company, assuming cyber risk raises a whole new set of concerns that must be addressed early in the M&A process. Specific industries, such as healthcare, financial services and retail might require detailed attention to data risk as it applies to HIPAA (Health Insurance Portability and Accountability Act) standards, financial regulation and PCI (payment card industry) compliance. A thorough analysis of the target company’s network systems needs to be part of the due diligence process and may require the services of a network assessment vendor. Insufficient cyber security and the need for significant remediation of these networks could lead to unforeseen expense and may be a consideration in final negotiations of the target price. Understanding the evolving face of hackers should also be a consideration. Hackers have traditionally been motivated solely by financial gain. However, as evidenced by recent cyber attacks against Sony, Ashley Madison and the Office of Personnel Management, hackers may be driven by political agendas or moral outrage or may be part of state-sponsored cyber espionage. If the acquired company comes with intellectual property or produces controversial products or services, it could be at higher risk of attack. Regulatory Issues Affecting M&A Increased regulatory risk for the acquiring company should also be of concern. Regulators in the U.S. and around the world have had a laser focus on privacy matters and have made their authority known in two recent court decisions.

• On Aug. 24, 2015, a decision was made that will have profound impact on how the CIO, compliance officers, cyber security officials and others view what is an acceptable level of cyber security. In Federal Trade Commission v. Wyndham Worldwide Corp. et al. No. 14-3514, slip op. at 47 (3rd Cir. Aug. 24, 2015), the FTC alleged Wyndham failed to secure customers' sensitive data in three separate incidents. As a result, 619,000 customer records were exposed, leading to $10.6 million in fraudulent charges. The Third Circuit Appeals Court affirmed the FTC’s authority to regulate cyber security standards under the “unfair practices” of the Federal Trade Commission Act. Therefore, key stakeholders in the acquiring and target companies need to come to terms regarding acceptable levels of cyber security before the deal is closed.
• On Oct. 5, 2015, the European Union’s Court of Justice declared the U.S. and E.U. Safe Harbor framework invalid. The ruling abolishes an agreement that once allowed U.S. companies to move E.U. residents' digital data from the E.U. to the U.S., and it will affect approximately 4,000 companies. For some companies, the ruling could drastically alter their business models. Therefore, an acquisition of any of these companies will require careful consideration as to how the company collects and uses the online information of the residents in the 28 countries that make up the E.U. An acquiring company could face regulatory scrutiny and costly litigation for noncompliance of their newly acquired entity.

Transferring Your Cyber Risk One method to provide protection for the acquiring company would be to enter into a cyber security indemnity agreement with the targeted company. The agreement can exist for a period after closing, but there should be an expectation that—after a specified length of time long enough to remediate and integrate the target company’s IT networks—the agreement will expire. The liability protections should be as broad as possible and should include all directors and officers, who are often named in derivative lawsuits in the aftermath of a data breach. The agreement should address the many different actions that might be required after an unauthorized network intrusion of the target company. Costs related to defense attorneys, IT forensics firms, credit monitoring vendors, call centers, public relations companies and settlements should be anticipated. The firms to be hired, the rates they will charge and the terms of reimbursement to the acquiring company should be outlined in the agreement. Many businesses have also turned to cyber insurance as a means to transfer cyber risk. In fact, the cyber insurance industry has grown to $2 billion in written premiums, with some expecting it to double by 2020. Cyber policies typically cover a named insured and any subsidiaries at the time of policy inception. Parties in a merger should be aware that M&A activity will likely have an impact on existing cyber insurance policies and often require engagement with insurance companies. When an insured makes an acquisition during the policy term, the insurance carrier often requires notification of the transaction pursuant to policy terms specifically outlined in the policy. Because cyber insurance policies are written on manuscript forms, there is no one standard notification requirement, and compliance terms will vary from insurance company to insurance company. If the target company has revenue or assets over a certain threshold, the named insured may be required to:

• ƒProvide written notice to the insurance carrier before closing;
• Include detailed information of the newly acquired entity;
• Obtain the insurer’s written consent for coverage under the policy;
• Agree to pay additional premium;
• Be subject to additional policy terms.

Cyber risk can have a huge impact on any M&A activity. Legal liability and the means to transfer it should be a top priority during the transaction. There likely will be a big impact on existing insurance coverage. All parties need to focus on their rights and responsibilities and must engage the right experts to maximize protections in the process.

We often hear reference to the “deep” or “dark” web. What exactly is the deep or dark web? Is it as illicit and scary as it is portrayed in the media? This article will provide a brief overview and explanation of different parts of the web and will discuss why you just might want to go there. THE SURFACE WEB The surface web or “Clearnet” is the part of the web that you are most familiar with. Information that passes through the surface web is not encrypted, and users' movements can be tracked. The surface web is accessed by search engines like Google, Bing or Yahoo. These search engines rely on pages that contain links to find and identify content. Search engine companies were developed so that they can quickly index millions of web pages in a short time and to provide an easy way to find content on the web. However, because these search engines only search links, tons of content is being missed. For example, when a local newspaper publishes an article on its homepage, that article can likely be reached via a surface web search engine like Yahoo. However, days later when the article is no longer featured on the homepage, the article might be moved into the site's archive format and, therefore, would not be reachable via the Yahoo search engine. The only way to reach the article would be through the search box on the local paper's web page. At that time, the article has left the surface web and has entered the deep web. Let’s go there now... THE DEEP WEB The deep web is a subset of the Internet and is not indexed by the major search engines. Because the information is not indexed, you have to visit those web addresses directly and then search through their content. Deep web content can be found almost anytime you do a search directly in a website -- for example, government databases and libraries contain huge amounts of deep web data. Why does the deep web exist? Simply because the Internet is too large for search engines to cover completely. Experts estimate that the deep web is 400 to 500 times the size of the surface web, accounting for more than 90% of the internet. Now let's go deeper... THE DARK WEB The dark web or “darknet” is a subset of the deep web. The dark web refers to any web page that has been concealed because it has no inbound links, and it cannot be found by users or search engines unless you know the exact address. The dark web is used when you want to control access to a site or need privacy, or often because you are doing something illegal. Virtual private networks (VPNs) are examples of dark web sites that are hidden from public access unless you know the web address and have the correct log-in credentials. One of the most common ways to access the dark web is through the Tor network. The Tor network can only be accessed with a special web browser, called the Tor browser. Tor stands for “ The onion router” and is referred to as “Onionland.” This "onion routing" was developed in the mid-1990s by a mathematician and computer scientists at the U.S. Naval Research Laboratory with the purpose of protecting U.S. intelligence communications online. This routing encrypts web traffic in layers and bounces it through random computers around the world. Each “bounce” encrypts the data before passing the data on to its next hop in the network. This prevents even those who control one of those computers in the chain from matching the traffic’s origin with its destination. Each server only moves that data to another server, preserving the anonymity of the sender. Because of the anonymity associated with the Tor network and dark web, this portion of the Internet is most widely known for its illicit activities, and that is why the dark web has such a bad reputation (you might recall the infamous dark web site, Silk Road, an online marketplace and drug bazaar on the dark web). It is true that on the dark web you can buy things such as guns, drugs, pharmaceuticals, child porn, credit cards, medical identities and copyrighted materials. You can hire hackers to steal competitors' secrets, launch a DDOS (distributed denial of service) attack on a rival, or hack your ex-girlfriend's Facebook account. However, the dark web accounts for only about .01% of the web.

Most critics and supporters of the Oklahoma option (OKO) have one thing in common: a misunderstanding about the applicability of the Employee Retirement Income Security Act (ERISA). In part, this misunderstanding is widespread because it hasn’t yet garnered the attention of tax authorities and attorneys, and those of us who aren’t tax attorneys are reluctant to engage this subject because we fear we will be misinterpreted as giving tax advice. Let me be absolutely clear—nothing in this article should be construed as tax advice, as I am not qualified to offer such advice. But the ProPublica and NPR journalists who assume ERISA must govern the taxation of OKO benefits simply because it governs the taxation of Texas nonsubscription (TXNS) benefits^[1] aren't qualified, either. Put simply, ERISA’s governance of OKO workplace injury claims has yet to be demonstrated in any way, and it was certainly not confirmed by rulings in 2015 by two federal judges for the Western District of Oklahoma who considered the jurisdiction of federal courts over OKO-based claims and appeals processes.. There was never any intent in the Oklahoma legislation to have ERISA govern the OKO, and the term “ERISA” never appears—not once!—in the language of the Oklahoma law. Even more importantly, two-and-a-half years after passage, there is zero case law to support any claim that ERISA applies to OKO. These revelations may be counterintuitive for industry insiders and regulators, but what should be intuitive is that state and federal court systems are in charge of ruling on state and federal laws. Consultants, employers, employees, investigative journalists, insurance carriers, brokers, attorneys, ivory tower experts, doctors and conference debaters don’t get to make such calls. The only ones whose opinions matter are the judges in a position to make these determinations, and the only two judges known to have had the opportunity to consider any issue concerning the relationship between the OKO and ERISA concluded that the judges did not have jurisdiction over cases where the employer sought to have ERISA govern employee appeals of decisions regarding occupational OKO claims. In April 2015, Judge Joe Heaton of the U.S. District Court for the Western District of Oklahoma issued an order regarding ERISA’s applicability to the occupational accident components of OKO plans in the case of Cavazos v. Harrah Nursing Center (aka Marsh Pointe) that, in part, reads: "Marsh Pointe alleges … that, pursuant to the Oklahoma [Employee] Injury Benefit Act, it has elected to be exempt from the Administrative Workers’ Compensation Act and become a 'qualified employer' by meeting certain requirements including the adoption of a written benefit plan. That well may be. Nonetheless, the case [filed by the plaintiff] arose 'under the workmen’s compensation laws' of the State of Oklahoma. As such, it may not be removed to any district court of the United States." Judge Heaton’s ruling was a narrow one, aimed only at determining whether the federal court could exercise jurisdiction over the case before it. That case had been removed by the employer to federal court from the Oklahoma Workers’ Compensation Commission (OWCC), based on the assertion that ERISA ought to govern the employee’s pursuit of a claim against her employer’s OKO plan. The court held that, regardless of whether ERISA applied to certain aspects of the OKO plan, the employee's claim arose under Oklahoma’s WC laws and, therefore, a specific federal jurisdictional statute (28 USC §1445(c)) prevented removal of the case to federal court. Judge Heaton sent the matter back to the OWCC, and his order made it crystal clear that such cases cannot be removed to the federal court system.^[2] In other words, ERISA (a federal law) does not give federal courts jurisdiction over the occupational accident claims of employees whose injury benefit plans are governed by the OKO (a state law)—no matter how frequently ERISA is referred to in an employer’s benefit plan and regardless of whether ERISA applies to other aspects of that benefit plan. The Cavazos case was the first real opportunity we had to see whether removal of such claims to the federal courts was possible. Then, in September, Judge Stephen Friot (from the same Western District Court of Oklahoma) followed Heaton’s logic in Vasquez v. Dillards, our second opportunity to see whether federal court involvement in the OKO claims process was available. The decision read: "The court concludes that the [Oklahoma Employee Injury Benefit Act] is part of Oklahoma’s statutory scheme governing occupational injuries and workplace liability; in other words, the OEIBA is part of Oklahoma’s statutory scheme governing workmen’s compensation." The case before Judge Friot was a bit different procedurally, but it came to the same result. In the Vasquez case, the employee received an adverse decision from her employer regarding her claim for benefits under the employer’s OKO plan. She then sought review by the OWCC as provided for in the Oklahoma statute. The employer removed the case to federal court, contending that the company's plan was governed by ERISA and, therefore, that ERISA pre-empted state law on the issue and that the federal court had exclusive jurisdiction. The employee moved to remand the case to the OWCC. Judge Friot sided with the employee and remanded the case, which was to be expected post-Cavazos. The ruling in Vasquez (which features a more detailed discussion than the one provided by Judge Heaton in Cavazos) concludes that 28 USC §1445(c) (the same jurisdictional statute relied upon by Judge Heaton) barred removal of the case to the federal court, even if, as Judge Friot specifically presumed for purposes of his ruling, the “plan under which [the employee files] claims may be … an ERISA plan.” The explicit—and antiquated—language from the 1974 ERISA law indicates that ERISA doesn’t apply to “workmen’s compensation.” ERISA’s authors recognized a long tradition of federal deference to individual states on workers' compensation issues. While the OKO is different from traditional workers' compensation, in the only cases known to address the issue thus far, the federal court system has concluded that it cannot exercise jurisdiction over the on-the-job injury claims of OKO employees. Die-hard ERISA champions, as it turns out, can cling just as stubbornly to obsolete ideas as can workers' compensation stakeholders. But OKO supporters don’t need to win such folks over; the law is already on the side of progress. The OKO clearly seeks to stand on its own, and it doesn’t want ERISA as a crutch. Being free from ERISA has advantages beyond tax implications. The OKO clearly sits much closer to traditional workers' compensation than does TXNS—and, as such, OKO may be regularly accepted as a replacement in the state’s important oil and gas industry. In both Texas and Oklahoma, the larger energy companies almost always require traditional workers' comp to be held by contracted companies. That won’t change in Texas, but it very well could in Oklahoma. Moreover, these federal court orders should provide solace to the Sooner State because they suggest the oversight and development of this new creation will be the responsibility of Oklahomans.^[3] [1] See “Inside Corporate America’s Campaign to Ditch Workers’ Comp,” an installment in the Insult to Injury series. [2] The court remanded the case just two days after it was removed without seeking briefs from either party. [3] To date, all three branches of the Oklahoma state government have actively or tacitly supported the OKO. At worst, the state has adopted a wait-and-see approach to this new alternative. At best, Oklahomans—sans attorneys—are eager to discover whether the incredibly promising early gains made possible through the OKO are sustainable over the long term. At WorkersCompensationOptions.com, we’re convinced the gains are sustainable. There’s nothing theoretical about our promise of delivering superior care to employees at reduced costs to employers. We’re already doing it in Oklahoma, and we at WCO are proud to be part of this long overdue transformation.