Cyber: A Huge and Still-Untapped Market

Annual gross written premiums for cyber are set to increase from around $2.5 billion today to $7.5 billion by the end of the decade.

Cyber insurance is a potentially huge, but still largely untapped, opportunity for insurers and reinsurers. We estimate that annual gross written premiums are set to increase from around $2.5 billion today to reach $7.5 billion by the end of the decade.

Businesses across all sectors are beginning to recognize the importance of cyber insurance in today's increasingly complex and high-risk digital landscape. In turn, many insurers and reinsurers are looking to take advantage of what they see as a rare opportunity to secure high margins in an otherwise soft market. Yet many others are still wary of cyber risk. How long can they remain on the sidelines? Cyber insurance could soon become a client expectation, and insurers that are unwilling to embrace it risk losing out on other business opportunities.

In the meantime, many insurers face considerable cyber exposures within their technology, errors and omissions, general liability and other existing business lines. The immediate priority is to evaluate and manage these "buried" exposures.

Critical exposures

Part of the challenge is that cyber risk isn't like any other risk that insurers and reinsurers have ever had to underwrite. There is limited publicly available data on the scale and financial impact of attacks. The difficulties created by the minimal data are heightened by the speed with which the threats are evolving and proliferating. While underwriters can estimate the likely cost of systems remediation with reasonable certainty, there simply isn't enough historical data to gauge further losses resulting from brand impairment or compensation to customers, suppliers and other stakeholders.

A UK government report estimates that the insurance industry’s global cyber risk exposure is already in the region of £100 billion ($150 billion), more than a third of the Centre for Strategic and International Studies’ estimate of the annual losses from cyber attacks ($400 billion). And while the scale of the potential losses is on a par with natural catastrophes, incidents are much more frequent. As a result, there are growing concerns about both the concentrations of cyber risk and the ability of less experienced insurers to withstand what could become a fast sequence of high-loss events.

Insurers and reinsurers are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of the uncertainty. They are also seeking to put a ceiling on their potential losses through restrictive limits, exclusions and conditions. However, many clients are starting to question the real value these policies offer, which may restrict market growth.

Insurers and reinsurers need more rigorous and relevant risk evaluation built around more reliable data, more effective scenario analysis and partnerships with government, technology companies and specialist firms. Rather than simply relying on blanket policy restrictions to control exposures, insurers should make coverage conditional on regular risk assessments of the client's operations and the actions they take in response to the issues identified in these regular reviews. The depth of the assessment should reflect the risks within the client's industry sector and the coverage limits.

This more informed approach would enable your business to reduce uncertain exposures while offering the types of coverage and more attractive premium rates clients want. Your clients would, in turn, benefit from more transparent and cost-effective coverage.

Opportunities for Growth

There is no doubt that cyber insurance offers considerable opportunity for revenue growth.

An estimated $2.5 billion in cyber insurance premium was written in 2014. Some 90% of cyber insurance is purchased by U.S. companies, underlining the size of the opportunities for further market expansion worldwide.

In the UK, only 2% of companies have standalone cyber insurance. Even in the more penetrated U.S. market, only around a third of companies have some form of cyber coverage. There is also a wide variation in take-up by industry, with only 5% of manufacturing companies in the U.S. holding standalone cyber insurance, compared with around 50% in the healthcare, technology and retail sectors. As recognition of cyber threats increases, take-up of cyber insurance in under-penetrated industries and countries continues to grow, and companies face demands to disclose whether they have cyber coverage (examples include the U.S. Securities and Exchange Commission's disclosure guidance).

We estimate that the cyber insurance market could grow to $5 billion in annual premiums by 2018 and at least $7.5 billion by 2020.

There is a strong appetite among underwriters for further expansion in cyber insurance writings, reflecting what would appear to be favorable prices in comparison with other areas of a generally soft market -- the cost of cyber insurance relative to the limit purchased is typically three times the cost of cover for more-established general liability risks. Part of the reason for the high prices is the still limited number of insurers offering such coverage, though a much bigger reason is the uncertainty around how much to put aside for potential losses.

Many insurers are also setting limits below the levels sought by their clients (the maximum is $500 million, though most large companies have difficulty securing more than $300 million). Insurers may also impose restrictive exclusions and conditions. Some common conditions, such as state-of-the-art data encryption or 100% updated security patch clauses, are difficult for any business to maintain. Given the high cost of coverage, the limits imposed, the tight attaching terms and conditions and the restrictions on whether policyholders can claim, many policyholders are questioning whether their cyber insurance policies are delivering real value. Such misgivings could hold back growth in the short term. There is also a possibility that overly onerous terms and conditions could invite regulatory action or litigation against insurers.

Cyber Sustainability

We believe there are eight ways insurers, reinsurers and brokers could put cyber insurance on a more sustainable footing and take advantage of the opportunities for profitable growth:

1. Judging what you could lose and how much you can afford to lose

Pricing will continue to be as much of an art as a science in the absence of robust actuarial data. But it may be possible to develop a much clearer picture of your total maximum loss and match this against your risk appetite and risk tolerances. This could be especially useful in helping your business judge what industries to focus on, when to curtail underwriting and where there may be room for further coverage.

Key inputs include worst-case scenario analysis for your particular portfolio. If your clients include a lot of U.S. power companies, for example, what losses could result from a major attack on the U.S. grid? A recent report based around a "plausible but extreme" scenario in which a sophisticated group of hackers were able to compromise the U.S. electrical grid estimated that insurance companies would face claims ranging from $21 billion to $71 billion, depending on the size and scope of the attack. What proportion of these claims would your business be liable for? What steps could you take now to mitigate the losses in areas ranging from reducing risk concentrations in your portfolio to working with clients to improve safeguards and crisis planning?

2. Sharpen intelligence

To develop more effective threat and client vulnerability assessments, it will be important to bring in people from technology companies and intelligence agencies. The resulting risk evaluation, screening and pricing process would be a partnership between your existing actuaries and underwriters, focusing on the compensation and other third-party liabilities, and technology experts who would concentrate on the data and systems area. This is akin to the partnerships between CRO and CIO teams that are being developed to combat cyber threats within many businesses.

3. Risk-based conditions

Many insurers now impose blanket terms and conditions. A more effective approach would be to make coverage conditional on a fuller and more frequent assessment of the policyholder's vulnerabilities and agreement to follow advised steps. This could include an audit of processes, responsibilities and governance within your client's business. It could also include threat intelligence assessments, which would draw on the evaluations of threats to industries or particular enterprises, provided by government agencies and other credible sources. It could also include exercises that mimic attacks to test weaknesses and plans for response. As a condition of coverage, you could then specify the implementation of appropriate prevention and detection technologies and procedures.

Your business would benefit from a better understanding and control of the risks you choose to accept, hence lowering exposures, and the ability to offer keener pricing. Clients would in turn be able to secure more effective and cost-efficient insurance protection. These assessments could also help to cement a closer relationship with clients and provide the foundation for fee-based advisory services.

4. Share more data

More effective data sharing is the key to greater pricing accuracy. Client companies have been wary of admitting breaches for reputation reasons, while insurers have been reluctant to share data because of concerns over loss of competitive advantage. However, data breach notification legislation in the U.S., which is now set to be replicated in the EU, could help increase available data volumes. Some governments and regulators have also launched data sharing initiatives (e.g., MAS in Singapore or the UK's Cyber Security Information Sharing Partnership). Data pooling on operational risk, through ORIC, provides a precedent for more industry-wide sharing.

5. Real-time policy update

Annual renewals and 18-month product development cycles will need to give way to real-time analysis and rolling policy updates. This dynamic approach could be likened to the updates on security software or the approach taken by credit insurers to dynamically manage limits and exposures.

6. Hybrid risk transfer

While the cyber reinsurance market is less developed than its direct counterpart, a better understanding of the evolving threat and maximum loss scenarios could encourage more reinsurance companies to enter the market. Risk transfer structures are likely to include traditional excess of loss reinsurance in the lower layers, with capital market structures being developed for peak losses. Possible options might include indemnity or industry loss warranty structures or some form of contingent capital. Such capital market structures could prove appealing to investors looking for diversification and yield. Fund managers and investment banks can bring in expertise from reinsurers or technology companies to develop appropriate evaluation techniques.

7. Risk facilitation

Given the ever more complex and uncertain loss drivers surrounding cyber risk, there is a growing need for coordinated risk management solutions that bring together a range of stakeholders, including corporations, insurance/reinsurance companies, capital markets and policymakers. Some form of risk facilitator, possibly the broker, will be needed to bring the parties together and lead the development of effective solutions, including the standards for cyber insurance that many governments are keen to introduce.

8. Build credibility through effective in-house safeguards

The development of effective in-house safeguards is essential in sustaining credibility in the cyber risk market, and trust in the enterprise as a whole. If your business can't protect itself, why should policyholders trust you to protect them?

Banks have invested hundreds of millions of dollars in cyber security, bringing in people from intelligence agencies and even ex-hackers to advise on safeguards. Insurers also need to continue to invest appropriately in their own cyber security given the volume of sensitive policyholder information they hold, which, if compromised, would lead to a loss of trust that would be extremely difficult to restore. The sensitive data held by cyber insurers that hackers might well want to gain access to includes information on clients' cyber risks and defenses.

The starting point is for boards to take the lead in evaluating and tackling cyber risk within their own business, rather than simply seeing this as a matter for IT or compliance.

See the full report here.


Gregory Galeaz

Greg Galeaz is currently PwC’s U.S. insurance practice leader and has over 34 years of experience in the life and annuity, health and property/casualty insurance sectors. He has extensive experience in developing and executing business and finance operating model strategies and transformations.

The Moneyball Approach to Cyber

Security officers use the equivalent of batting averages for cyber risk but can now move toward a Moneyball level of sophistication.

It took a while for me to understand baseball: I didn't get it until someone pointed out that I was watching the game when I should have been watching the season.

Much of the game's strategy snapped into focus -- and the differentiation between game-day action and long-term success illustrates key lessons that information security executives need to learn.

Love it or hate it, Moneyball is part of the game now. Moneyball and sabermetrics -- applying sophisticated statistical analysis to baseball records -- help teams avoid overspending on showy all-arounders and focus instead on key metrics, however unusual, to build a successful team.

Information security should follow the same strategy. (And most chief information security officers (CISOs) probably feel more kinship with the cash-strapped Oakland Athletics, pioneers of Moneyball, than with the flush New York Yankees.) CISOs will see that, as in baseball, relying on a few stars to carry the team is a short-sighted and potentially costly plan.

In his 2014 Black Hat keynote, computer security analyst Dan Geer declared the end of the era of information security generalists. It can be hard to measure the contributions of specialists. We understand the easy metrics intuitively -- the "batting averages" of information security. But it is the hard and subtle metrics that really teach us something new. Getting these metrics will require automation and thoughtful changes to existing sources of unstructured data: processes performed manually can't keep pace with business needs.

Alongside the outmoded concept of star all-arounders, we also should toss the concept of clutch players. Statistically, they don't exist, and seeking them out in a technical organization is asking to be deceived; individual heroics are dramatic but not sustainable. An organization's long-term success won't be seen in the individual who burns the midnight oil to deploy the patch of the week, but in the one who quietly solves the problems around reliable, rolling deployments.

CISOs should also listen to the refrain of baseball commentators: "fundamentals." A team that cannot execute basic, everyday maneuvers flawlessly is not prepared to get fancy. There's no point in deploying a shiny intrusion-detection system or hiring an expensive, full-contact "red team" unless operations can convince you that every last default password has been changed.

Finally, we can take one more lesson from the game: Every so often, be sure to stand up and stretch.


Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at LastWatchdog.com.

The Defining Issue for Financial Markets

While worries about interest rates and Fed decisions have made financial markets volatile, the real issue is global currency values.

For anyone who has spent time on the open sea, especially in a small craft, you know the sea can be quite the moody mistress. Some days, the gale winds are howling. Some days the sea is as smooth as glass. The financial markets are quite similar.

In late August, the U.S. equity market experienced its first 10% price correction in four years. That ended the third longest period in the history of the market without a 10% correction, so in one sense it was long overdue. But, because the U.S. stock market has been as smooth as glass for years now, it feels as if typhoon winds are blowing.

Cycles define the markets' very existence. Unfortunately, cycles also define human decision making within the context of financial markets.

Let's focus on one theme we believe will be enduring and come to characterize financial market outcomes over the next six to 12 months. That theme is currency.

In past missives, we have discussed the importance of global currency movements to real world economic and financial market outcomes. The issue of currency lies at the heart of the recent uptick in financial market "swell" activity. Specifically, the recent correction in U.S. equities began as China supposedly "devalued" its currency, the renminbi, relative to the U.S. dollar.

Before we can look at why relative global currency movements are so important, we need to take a step back. It's simply a fact that individual country economies display different character. They do not grow, or contract, at the same rates. Some have advantages of low-cost labor. Some have the advantage of cheap access to raw materials. Etc. No two are exactly alike.

Historically, when individual countries felt the need to stimulate (not enough growth) or cool down (too much inflation) their economies, they could raise or lower country-specific interest rates. In essence, they could change the cost of money. Interest rates have been the traditional pressure relief valves between various global economies. Hence, decades-long investor obsession with words and actions of central banks such as the U.S. Fed.

Yet we have maintained for some time now that we exist in an economic and financial market cycle unlike any we have seen before. Why? Because there has never been a period in the lifetime of any investor alive today where interest rates in major, developed economies have been set near academic zero for more than half a decade at least. (In Japan, this has been true for multiple decades.) The near-zero rates mean that the historical relief valve has broken. It has been replaced by the only relief valve left to individual countries -- relative currency movements.

This brings us back to the apparent cause of the present financial market squall -- the supposed Chinese currency devaluation that began several weeks ago. Let's look at the facts and what is to come.

For some time now, China has wanted its renminbi to be recognized as a currency of global importance -- a reserve currency much like the dollar, euro and yen. For that to happen in the eyes of the International Monetary Fund (IMF), China would need to de-link its currency from the U.S. dollar and allow it to float freely (level to be determined by the market, not by a government or central bank). The IMF was to make a decision on renminbi inclusion in the recognized basket of important global currencies in September. In mid-August, the IMF announced this decision would be put off for one more year as China had more "work to do with its currency." Implied message? China would need to allow its currency to float freely. One week later, China took the step that media reports continue to sensationalize, characterizing China’s action as intentionally devaluing its currency.

In linking the renminbi to the dollar for many years now, China has "controlled" its value via outright manipulation, in a very tight band against the dollar. The devaluation Wall Street has recently focused on is nothing more than China allowing the band in which the renminbi trades against the dollar to widen. With any asset whose value has been fixed, or manipulated, for so long, once the fix is broken, price volatility is a virtual guarantee. This is exactly what has occurred.

China loosened the band by about 4% over the last month, which we believe is the very beginning of China allowing its currency to float freely. This will occur in steps. This is the beginning, not the end, of this process. There is more to come, and we believe this will be a very important investment theme over the next six to 12 months.

What most of the media has failed to mention is that, before the loosening, the renminbi was up 10% against most global currencies this year. Now, it's still up more than 5%, while over the last 12 months the euro has fallen 30% against the U.S. dollar. Not 4%, 30%, and remarkably enough the lights still go on in Europe. Over the last 2 1/2 years, the yen has fallen 35% against the U.S. dollar. Although it may seem hard to believe, the sun still comes up every morning in Japan. What we are looking at in China is economic and financial market evolution. Evolution that will bring change and, we assure you, not the end of the world.

Financial market squalls very often occur when the markets are attempting to "price in" meaningful change, which is where we find ourselves right now.

What heightens current period investor angst is the weight and magnitude of the Chinese economy, second largest on planet Earth behind the U.S. With a devalued currency, China can theoretically buy less of foreign goods. All else being equal, a cheaper currency means less global buying power. This is important in that, at least over the last few decades, China has been the largest purchaser and user of global commodities and industrial materials. Many a commodity price has collapsed over the last year. Although few may realize this, Europe's largest trading partner is not the U.S., it's China. European investors are none too happy about recent relative currency movements.

Relative global currency movements are not without consequence, but they do not spell death and destruction.

A final component in the current market volatility is uncertainty about whether the U.S. Fed will raise interest rates for the first time in more than half a decade. Seriously, would a .25% short-term interest rate vaporize the U.S. economy? Of course not, but if the Fed is the only central bank on Earth possibly raising rates again that creates a unique currency situation. Academically, when a country raises its interest rates in isolation, it makes its currency stronger and more attractive globally. A stronger dollar and weaker Chinese renminbi academically means China can buy less U.S.-made goods. Just ask Caterpillar and John Deere how that has been working out for them lately. Similarly, with a recent drop in Apple's stock price, are investors jumping to the conclusion that Apple's sales in China will fall off of the proverbial cliff? No more new iPhone sales in China? Really?

The issue of relative global currency movements is real and meaningful. The change has been occurring for some time now, especially with respect to the euro and the yen. Now it's the Chinese currency that is the provocateur of global investor angst. Make no mistake about it, China is at the beginning of its loosening of the currency band, not the end. This means relative currency movements will continue to be very important to investment outcomes.

We expect a stronger dollar. That's virtually intuitive. But a stronger dollar is a double-edged sword -- not a major positive for the near-term global economic competitiveness of the U.S., but a huge positive for attracting global capital (drawn to strong currencies). We have seen exactly this in real estate and, to a point, in "blue chip" U.S. equities priced in dollars, for years now.

In addition to a higher dollar, we fully expect a lower Chinese renminbi against the dollar. If we had to guess, at least another 10% drop in the renminbi over the next 12 months. Again, the price volatility we are seeing right now is the markets attempting to price in this currency development, much as they priced in the falling euro and yen during years gone by. Therefore, sector and asset class selectivity becomes paramount, as does continuing macro risk control.

Much like a sailor away far too long at sea, the shoreline beckons. We simply need to remember that there is a "price" for being free, and for now that "price" is increased volatility. Without question, relative global currency movements will continue to exert meaningful influence over investment outcomes.

These are the global financial market seas in which we find ourselves.


Brian Pretti

Brian Pretti is a partner and chief investment officer at Capital Planning Advisors. He has been an investment management professional for more than three decades. He served as senior vice president and chief investment officer for Mechanics Bank Wealth Management, where he was instrumental in growing assets under management from $150 million to more than $1.4 billion.

Taking a New Look at the 'Grand Bargain'

"No fault" isn't no fault. "Exclusive remedy" isn't exclusive. And the century-old "grand bargain" in workers' comp will keep changing.

Workers' compensation was established more than 100 years ago as a "grand bargain" between employers and labor. Injured workers gave up their right to sue employers in civil court for workplace injuries, making workers' compensation the "exclusive remedy" for such injuries. In exchange, injured workers received statutory benefits in a no-fault system. Over time, we have seen a number of different challenges to this grand bargain.

Is Exclusive Remedy Exclusive?

The answer to this question is clearly no. Nearly every state has a very narrow statutory exception to exclusive remedy if the injury was caused by an "intentional act" of the employer. Some states have a lower threshold if it is determined that the employer's actions were "substantially certain" to cause injury. In both of these cases, lawsuits filed by injured workers against their employer rarely succeed, and most suits do not survive past summary judgment.

However, there are many other ways in which the exclusive remedy of workers' compensation can be circumvented. These include:

  • Statutory Exceptions - New York employers in the building trades are still exposed to civil litigation in addition to workers' compensation under the Scaffold Law. This allows workers in the construction industry to file suit against their employer if the injury arose from an "elevation-related hazard." New York is currently the only state that still has such legislation in place, with Illinois repealing its Structural Work Act in 1995.
  • Third-Party-Over Actions - Some states allow civil litigation surrounding a work injury under a third-party-over action. In such cases, the employee sues a third party for contributing to the injury and then the third party brings in the employer on a contributory negligence action. For example, if an accident involves machinery, the machine manufacturer can bring the employer into the suit, alleging that it trained employees inadequately, that the machine was not properly maintained or that it was modified by the employer.
  • Dual Capacity Suits - Dual capacity suits allow the employee to sue the employer as supplier of a product, provider of a service or owner of premises. For example, if a worker is injured using a machine manufactured by the employer, some states allow that injured employee to file suit against the employer based on its negligence as the manufacturer.
  • RICO Suits - Filing claims under the Racketeer Influenced and Corrupt Organizations Act (RICO) is a more recent method to attempt to avoid exclusive remedy protections. This federal law was originally designed to fight organized crime. In Michigan, Colorado and Arizona, the courts allowed injured workers to pursue a RICO complaint against their employer on the grounds that the employer "conspired" to deny medical treatment to injured workers by limiting physician referrals and prescribing practices and exercising undue influence over treating physicians.
  • Constitutional Challenges - Constitutional challenges are the latest avenue for attempting to circumvent exclusive remedy protections. There was much attention given to the Padgett case in Florida, where a judge ruled that the workers' compensation statutes were unconstitutional because statutory changes that reduced benefits to workers and raised thresholds of compensability had eroded the "grand bargain" to the point that it was no longer valid. This case was reversed on appeal because of a technicality, so the higher courts never ruled on the merits of the argument.

Is No Fault Really No Fault?

Again, the answer is clearly no. Many states allow for a workers' compensation claim to be disputed if it is proven that the injured worker was intoxicated at the time of the accident. In addition, some states allow for a reduction in benefits if the accident occurred because the worker violated a safety rule, such as not following lock-out/tag-out procedures or not using protective gear.

Unintended Consequences of Statutory Change and Litigation

Courts in Missouri, Illinois and Pennsylvania have ruled that, if a work injury is excluded under the workers' compensation statutes, the employee can bring a civil suit against the employer. The courts are hesitant to provide no means for an injured worker to pursue compensation, so when statutory language is tightened up and certain conditions are excluded from workers' compensation coverage it opens the door for potential civil action.

This issue also arises when the workers' compensation claim is denied because the worker is not in "course and scope" of employment. If the worker falls on the employer's premises, and the employer denies the claim under workers' compensation, then the employee can sue under civil liability.

Not All Workers Are Protected

In many states, there are workers who are not required to be covered under workers' compensation. In 14 states, smaller employers with five employees or fewer do not have to secure coverage. In 17 states, there is no legal requirement for coverage of agricultural workers. Finally, half the states do not require coverage for domestic workers, and five states specifically exclude coverage for these employees.

Opt-Out Legislation

Opt-out legislation, by its very nature, allows for an option to the grand bargain of traditional workers' compensation. What many do not realize is that workers' compensation has always been optional in Texas. Both employers and workers can choose to opt out of the workers' compensation system and, instead, be subject to civil litigation in the event of employee injuries.

Oklahoma now allows employers an "option" to traditional workers' compensation. Plans must be approved by the state and must provide the same level of benefits as workers' compensation. Such plans provide employers greater control over choice of medical providers.

Opt-out legislation is currently being considered in Tennessee and South Carolina, and it is likely that similar legislation will be introduced in additional states in the future.

Causation Thresholds

There is significant variation among states in the threshold for a condition to result in a compensable workers' compensation claim. In Tennessee, the injury must "primarily arise" from work (50% or greater). However, in California and Illinois, if the work is a contributing factor (1% or greater), the employer is responsible for that condition under workers’ compensation. Employers argue that these low causation thresholds undermine the grand bargain by greatly expanding what is considered a workers' compensation injury.

Conclusion

As workers’ compensation has evolved, there have been many exceptions to the original premise behind the “grand bargain.” The courts have continued to allow exceptions to exclusive remedy and expanded causation standards. Statutory reforms have also resulted in classifications of employees and work conditions that are excluded from workers’ compensation. These trends are expected to continue.

Is Your Organization Open to New Ideas?

Truly? Many organizations unintentionally put up roadblocks to new ideas. Five questions will help you make a realistic assessment.

Recently, I wrote about innovation and changing the way we acknowledge, nurture and incorporate it into our organizational culture. There are many areas where our industry desperately needs transformation and innovation. Our very survival depends on new ideas.

We at SMA are witnessing remarkable progress -- innovation is on a bullet train! -- but we have some observations about the opportunities and the obstacles for new ideas. There are high hopes for a boatload of great ideas -- creative product offerings, process improvements, better ways to engage the customer, more effective service modes, new approaches to capitalize on maturing and emerging technologies, etc. But the reality is that in many organizations, the innovation path is lined with obstacles that leave potentially success-producing concepts off the table and out of the picture. In many cases, these roadblocks are not intentional -- in fact, they are not even apparent to the very leaders who are working hard to stimulate innovation.

Some insurers are open to any and all new ideas -- every single one! Any and all innovation ideas are nurtured. In contrast, other insurers have targeted their innovation efforts by assigning teams to look at specific process areas or business lines. A project approach makes it easier to manage and measure but can limit the scope of the vision. Other insurers designate the responsibility for innovation to a department head, frequently IT or a line of business. With this approach, responsibility is assigned, typically with accompanying funding, but it too can be limiting because of unintended gatekeepers and biased priorities.

Innovation requires a nurturing environment, one that encourages people to submit ideas with the confidence that this is a place to explore and experiment - to assess the state of readiness, address potential obstacles, find probable pitfalls and measure the potential for success with the assurance that failure is acceptable. Once an idea is explored, there needs to be a place for it to mature and flourish or a graceful way to table it until timing is right, and in some cases a gentle way to kill it. The ideal is an environment with no gating criteria, no judgment, no politics.

Embracing true transformation and innovation requires a thorough and straightforward examination of the current role innovation is allowed to play within your organization. To discover the roadblocks, begin by asking these five questions:

  • Is there a genuine acceptance that valuable ideas can come from any level within our organization?
  • Are employees empowered to offer suggestions without the fear of embarrassment or possible reprimand?
  • Is there authentic encouragement for an exchange of opinions?
  • Does a pathway for fresh ideas exist?
  • Have we demonstrated administrative as well as executive support for innovation in general?

Deb Smallwood

Deb Smallwood, the founder of Strategy Meets Action, is highly respected throughout the insurance industry for strategic thinking, thought-provoking research and advisory skills. Insurers and solution providers turn to Smallwood for insight and guidance on business and IT linkage, IT strategy, IT architecture and e-business.

How to Juggle the Present and Future

Policies can last decades, so insurers have to juggle the expectations of current clients with those of tech-savvy prospects.

Unlike companies in quite a few other industries, insurers have a book of business of clients who potentially expect to conduct business in a different (and "older") manner than new prospects might. Life insurers have to provide service to clients for three, four, five or more decades. P&C insurers selling long-tail coverage also have to provide service for multiple decades.

Why does this matter?

This matters because insurers that keep the same clients for 10 or more years have to approach applying technology like a juggler striving to keep multiple objects in the air. Insurers must juggle the technology expectations of present clients with what future clients will be comfortable using.

I'm not saying that insurers can expect to succeed in the present or the future by keeping the multiplicity of unique core administration systems that most insurers have. I am saying that insurers must craft their client go-to-market strategies and concomitant technology tactical initiatives to enable the insurers to service clients using a range of capabilities.

Commerce, and many other aspects of life (e.g., work and entertainment), are rapidly becoming mobile. Millions use social media channels throughout each day. But ... that does not mean that insurers should look to mobile or social media to interact with all of their clients.

Continually probe

Insurers must continually probe the manner in which current and future clients want to interact with them.

I think the result will be a client interaction choice board supported by current and emerging technologies that will continually change at the pace of insurers' clients' comfort levels.

What do you think?


Barry Rabkin

Barry Rabkin is a technology-focused insurance industry analyst. His research focuses on areas where current and emerging technology affects insurance commerce, markets, customers and channels. He has been involved with the insurance industry for more than 35 years.

Dead Reckoning and Board Risk

Boards manage risk much as sailors used to navigate, through clumsy "dead reckoning." Huge benefits come from more precision.

There is a navigational term called "dead reckoning." It is taken from the period before radar and GPS. Back then, navigators used the sun and the stars to get from point A to point B, until point B got to within sight.

It worked as follows: Once you knew where you started, knew where you were going and knew your speed, you could use the sun and the stars to set your bearings and chart a course. There was always much uncertainty and large margins for error built into navigational estimates.

This is what board risk governance looks like today. Instrumentation is poor. Most available data is not current. It does not tell us where we are today. It is historic. It's a bit like buying last month's newspaper today. Interesting, useful, but not up to date.

In the boardroom, solace, or concern, can be taken from management information. However, very many non-executive directors are nervous. They know that they are getting old news. They know that they carry the same statutory obligations as their executive director colleagues but that the executive directors have the most up-to-date news.

The boardroom equivalent of the crow's nest includes strategic and integrated reports as well as risk reports on what today are highly networked organizations. Organizations are no longer vertically integrated. Organizations no longer have jurisdiction or control over all of the non-financial activities (i.e. the operations) that drive business results. To make matters worse, we live in a hyper-connected, multispeed, uncertain world where multiple things can have multiple impacts on reputation and business operations.

In the boardroom, there is an awful lot more uncertainty than certainty.

What Nassim Nicholas Taleb has told us in his seminal, spine-chilling Black Swan and Antifragility is that not only are we buying yesterday's news but that the news we are getting is hugely erroneous. He talks of the ludic fallacy, much of which is embedded in contemporary risk management practices.

What Taleb is also telling us is that discontinuity is the new norm. And that the organizations that will thrive in the future are the ones that will take their energy from that discontinuity.

But how is this to be done?

From 35,000 feet, it looks like integration of risk, strategy and decision-making processes.

At 500 feet, it looks like measurement of alignment (remember this is dead reckoning!) with both internal organizational and international proven and accepted guidelines linking risk, strategy and decision-making processes.

Can organizations move beyond dead reckoning and get better instrumentation? Absolutely! I will come back to this in a later post.

In the meantime, consider the prize:

Empirical evidence underpinning an assured calculation of:

  1. Sustainability of current performance,
  2. Enhancement of future performance,
  3. Soundness of transformational strategies,
  4. Management capability to defend reputation and operations under abnormal and adverse conditions.

This makes a difference when talking with credit raters, funders, investors, regulators and a whole swath of other stakeholders.

What's the barrier to entry for organizations?

Is it cost? Not really.

It is:

  1. Integration of board audit/risk/strategy committee(s)/terms of reference
  2. A track record in seeking and receiving external attestations
  3. Already understanding:
     a. The value of linking corporate objectives, strategies, governance and risk management decision-making processes,
     b. Setting organizational agility as a strategic imperative,
     c. The need to integrate governance, risk and compliance roles, processes and key performance indicators (KPIs).

The immediate gains? Greater access to capital, and at lower cost, than your less capable competitors.

The immediate benefits?

  • Increasing management's understanding of strengths and areas for improvement in integrating risk, strategy and decision-making processes across the organization
  • Supporting implementation of the organization's strategy through improved alignment of objectives with mission, vision and values of the organization
  • Achieving and maintaining abilities to make, and execute, decisions across the enterprise, and seamlessly shift direction (called organizational agility), when called to:
      - Grasp opportunities,
      - Increase performance,
      - Avoid threats and risks.

In my next post, I will talk about how we can get from dead reckoning to up-to-date calculations of risk, strategy and decision-making process integration -- at the pace of change!


Peadar Duffy

Peadar Duffy is founder and chairman of Risk Management International (RMI), a firm that has been advising clients in relation to risk in Ireland and internationally for more than 20 years. He is a member of the International Organisation for Standardization (ISO) TC 262 Working Group 2, which is currently undertaking a review of the global standard for risk management (ISO 31000).

Are We Listening to Our Customers?

No, we aren't. And the lack of listening by insurers creates two particular problems with pricing and two issues with service.

There seems to be a growing mismatch between what consumers want from their insurers and how insurers are attempting to satisfy them. Is it intentional, or is the lack of alignment between insurers and their customers because of some unforeseen technology hurdles that require too much work to correct? Key relationship indicators are all pointing toward growing communication issues. To build long-lasting relationships, insurers need to address their external communication issues, but only after they have determined that they are truly interested in listening to what the customer has to say.

In April 2015, Majesco commissioned a survey of 1,000 insurance customers in the UK. The respondents came from a broad cross section of occupations, ages and incomes. The survey pointed out some insurance industry issues, with implications for all geographic markets, and also uncovered some details that may be worth further exploration. In a two-part blog, I am going to focus on the findings and what we should do about them.

The first of our findings was striking. What insurers seem to think is important to consumers isn't always what consumers say is a priority when it comes to choosing an insurer. Insurers and consumers agree on the importance of pricing -- insurers say they want to provide a competitive price, and consumers say they want a reasonable and understandable price -- but then the two sides differ. Insurers want to build loyalty and referrals through branding. Customers want relevant products, a high level of service from a wide array of options, clarity about products and a simple process. Here is where we begin to find some problems.

Pricing Problem #1 - Majesco's study found that many consumers are focused on price -- but not all. Companies that focus on price and not a) service levels, b) relevant products or c) ease of access may alienate 30-40% of insureds. The policyholders least focused on price are naturally those who are more affluent - those who can afford more products and higher premiums to cover greater assets - so insurance companies are putting their best customers at risk.

Pricing Problem #2 - Clients are more likely to find pricing information on aggregator sites than on their own insurer's website. While some insurers were digitally sleeping, aggregators cropped up and stole their territory. Aggregators may be a source of fuel for new business, but they are most certainly also poised to be a major contributor to client attrition. Technology improvements and marketing efforts aimed at price messaging within the client base can help stem the flow of lost policyholders.

Besides pricing problems, there are two service problems that cropped up in Majesco's survey, as well.

Service Problem #1 - One in three survey respondents felt that insurers were failing on minimum service levels. The Majesco survey found that between 47% and 60% of respondents are contacted by their insurance company only once per year! The irony here is that insurers are traditionally risk-averse, doing anything to avoid incurring an additional 1% to 2% of risk. Yet disruptive technologies have brought to market a new breed of competitor that could grab 33% of their business because of inattention. That is a tremendous risk! Improving service through more digital and mobile communication (and even through more phone calls and mailings) will lower insurer risk.

Service Problem #2 - Insurers don't seem to realize that what consumers are asking for, such as improved self-service through improved technology, will actually save on administrative costs. While some insurers seem to be waiting for a better scenario, there is no time better than now to build a labor-saving business case that improves customer communications. In this case, listening to the customer will do more than improve relationships; it will improve the bottom line.

The Majesco survey uncovered additional surprising data, as well, related to desired products vs. product offerings. Younger insurance customers (under 35) were surprisingly less influenced by price than older customers; price, while always important, may become even less important than service, brand trust and product types in the coming years.

It is clear that often insurer perceptions are no match for consumer realities. To clear away these notions, insurers need to listen to their customers, listen to trends and embrace the idea that giving the customer what she wants can be a key to success.

In my next blog, we will look at the practical aspects of developing a listening organization. What actions can insurers take to hear their customers, act upon their needs and anticipate the development of products that will take them into the next generation? How can technology assist insurers as they rebuild a relevant relationship? I hope you'll join me as we discuss several options that insurance companies can use to stay effective and remain competitive.

Vidyesh Khanolkar

Vidyesh Khanolkar has more than 20 years of experience in information technology on the service provider and customer side. He has large program delivery experience and profitability and P&L management experience across North America, the UK and Asia Pacific in the insurance technology sector.

7 Stakeholders for Cyber Risk

Cyber risk management is no longer just an IT issue -- employees, the board and even customers and suppliers now have a stake.

Imagine you're the CFO at a firm involved in sensitive M&A discussions with your bankers, and you receive an email asking for a small bit of non-public information on your company, the kind you've passed on before. You send the information - and later find you were the victim of a sophisticated cyber-attack.

Now imagine you're in charge of operations at a manufacturing facility. Out of the blue, your employees report that they have lost control of key systems. It's impossible to shut down a blast furnace correctly, endangering the safety of employees and others and threatening massive damage. You, too, have been the subject of a cyber-attack.

These events underscore the new reality in cyber risk management: It is no longer just an IT issue. Everyone - from individual employees to risk managers to your board of directors - now has a stake in managing cyber risk comprehensively, across the enterprise.

Following are seven key stakeholders to consider as you look at your cyber risk management strategy:

  1. Risk manager: Risk managers can ensure various stakeholders are connected in terms of assessing, managing and responding to cyber risk. Understanding the evolving cyber insurance market and overall risk finance options is also important.
  2. CFO: Concerns range from the potential costs of a cyber event and what the impact could be on the bottom line to the security of the office's sensitive information.
  3. CEO/board of directors: Accountable for overall business and company performance, they have a fiduciary duty to assess and manage cyber risk. Regulators, including the Securities and Exchange Commission and Federal Trade Commission, have made clear they expect companies' top leadership to be engaged on the issue.
  4. Legal/compliance: As regulations around cyber develop, legal and compliance roles become increasingly important in keeping other stakeholders informed and engaged. And, if a cyber incident occurs, lawsuits often follow within hours.
  5. Operations: Maintaining daily operations, business processes and workplace stability is critical during a cyber event.
  6. Human resources/employees: Simple errors - or deliberate actions - by employees can lead to costly cyber incidents. Training on best practices is critical, especially with the rise in sophisticated "spear phishing" attacks targeting specific employees.
  7. Customers/suppliers: Interactions with customers and vendors can open you up to an attack. You need to understand the protections they have in place so they don't become the weak point in your cyber defenses.

Protecting your organization's data and individuals' privacy is becoming more difficult by the day. Successful cyber-defense strategies are comprehensive and multi-pronged. A critical component is understanding and defining the roles and responsibilities of all key stakeholders.


Tom Reagan

Tom Reagan is the cyber practice leader within Marsh's Financial and Professional Products (FINPRO) Specialty Practice. Located in Marsh's New York office, Reagan oversees client advisory and placement services for cyber risk throughout the country. Reagan also serves as the senior cyber adviser for some of Marsh's largest clients.

A Commissioner’s View of Innovation

Conventional wisdom says regulators stifle innovation. The Iowa insurance commissioner explains how things look from his seat.

There's a thundering herd running through Iowa this year -- and not just the herd of presidential candidates. There also is a herd of technological innovators driving considerable change in insurance. Many people find it intriguing that technology innovators are coming through Iowa, but Iowa is an insurance state and home to some of the largest insurance companies in the U.S. Iowa also is home to niche companies that price out very specific risks to targeted markets.

In my role as Iowa's insurance commissioner, I've met with many entrepreneurs whose ideas will improve, enhance and create value for insurance companies and consumers. In these meetings, I hear a fairly consistent and constant theme: State insurance regulators are a major burden for entrepreneurs and, in turn, for their ideas for innovation. However, when I walk them through what regulators do and provide them a copy of the Iowa insurance statutes and regulations that empower my office, I've found that most haven't read even one word of insurance law before working on an idea or creating a product or service.

To be clear, I don't believe I stand in the way of innovation. On the contrary, I am very supportive of innovation. But my fellow regulators and I do have an important job -- consumer protection. Insurance is one of the most regulated industries in the nation because, for the insurance system to work, when things go wrong and a consumer needs to make an insurance claim the funds to pay the claim must be available.

The days on which people file insurance claims may be the worst days in their lives, and they may be very vulnerable. Perhaps a loved one passed away; a home is destroyed; an emergency room visit or major surgery is needed; someone may be entering a long-term care facility; a car is totaled; or injuries are preventing a return to work. Insurance is a product we buy but really hope we never use. However, when we need to use it, we want the company to have the financial resources to pay the claim. It's our job as regulators to make sure the companies in our states are financially strong enough to pay claims in a timely fashion.

Insurance is regulated at the state and territorial level by 56 commissioners, superintendents or directors. The state-based regulatory system has served consumers well for more than 150 years and demonstrated extreme resilience in the last financial crisis. My fellow commissioners and I are public officials either elected or appointed to our respective posts. We are responsible and accessible to the citizens of our states or territories. However, I do understand that complying with the laws of all the states, District of Columbia and territories poses challenges to entrepreneurs. In recognition of this, state regulators have worked together to help minimize differences between states through the National Association of Insurance Commissioners, thereby creating a more nationally uniform framework of insurance regulation while recognizing local markets and maintaining power in the hands of the states.

The job of an insurance regulator sounds easy. We exist to enforce the state's laws, to make sure that companies and agents follow that law and to ensure that companies domiciled in our state are in financial position to pay claims when required. As with many things, the duties of regulators are more difficult than they appear. Regulators need to have great knowledge of multiple lines of insurance, technological advances, financial matters and marketing practices. In reality, the execution of our job duties in enforcing our state's laws may at times cause friction with some innovative ideas. As I stated, I don't believe that I or my fellow regulators stand in the way of innovation. I believe that a robust and competitive market that delivers value to the consumer is one of the best forms of consumer protection. However, our insurance laws are also designed to make sure that insurance companies stay in the market and keep the promises that they have made to their customers when the products were originally sold.

In executing my duties as commissioner, I pay a great deal of attention to innovation and developments. I personally spend time with entrepreneurs, investors and others to learn about new trends and ideas. My commitment to enforcing state laws, combined with the laser focus on protecting consumers, requires keeping abreast of innovation. My office addresses more than 6,000 consumers' inquiries and complaints every year. People on my staff address issues quickly and care deeply about their roles in helping Iowans.

I've learned in my nearly three years as commissioner that many consumers don't understand the insurance they own. They may have relied on an agent, or purchased insurance coverage on their own, hoping it will suit their needs. However, when life happens and an insurance claim needs to be made, consumers may discover the coverage they purchased did not suit their needs. For instance, some people may discover their health plan network doesn't have healthcare providers near their home. Others may discover too late that certain items lost in a fire were not covered under their homeowners' policy. Some consumers may discover that the very complex product that they bought simply did not measure up to their expectations.

Having consumers be comfortable with making a purchase and not understanding what they purchased is a culture we need to change. Some consumers desire to simply establish a relationship with an insurance agent or securities agent they feel they can trust, schedule automatic withdrawals from their bank account to be invested or submit their premiums for their insurance products as required so they can ultimately focus their attention on all the other activities that occupy our busy lives. In essence, they forget that they purchased the coverage, and, while it may have been the right purchase at that time, it may not fully suit their needs now or when they need to file a claim. Insurance regulators and the insurance industry need to encourage consumers to learn more about their coverage needs and the insurance they actually purchase.

Innovation that leads to personalizing insurance and better consumer understanding is a good thing. Innovation that increases speed-to-market, enables better policyholder relations through in-force management and provides more value to the consumer is a good thing. However, all that innovation must comply with our state’s laws. To that end, I've met with several entrepreneurs to highlight issues that would arise with certain proposed business models. I enjoy discussing ideas about our industry and sharing Iowa's perspective. Innovation can help consumers, and it's my hope that entrepreneurs continue to work with regulators to develop new products and services. This collaboration helps both the regulators and the entrepreneurs and has led to some very positive and healthy dialogue in Iowa.

Nick Gerhart

Nick Gerhart served as insurance commissioner of the state of Iowa from Feb. 1, 2013 to January, 2017. Gerhart served on the National Association of Insurance Commissioners (NAIC) executive committee, life and annuity committee, financial condition committee and international committee. In addition, Gerhart was a board member of the National Insurance Producer Registry (NIPR).