Digital Is Not Enough; Nor Is Paperless

Don't think about just using insurance technology to connect to your customers. Think about connecting your risk management team.

The service of risk management within insurance companies needs to innovate. Today, a small fraction of commercial customers take advantage of risk management services provided by insurance agencies. And insurance companies are fine with this, as they have limited supply -- or people -- that can provide risk management services. But what if the same high level of risk management services could be offered to all customers of an insurance company? How would an insurance company go about offering widespread, and high-quality, risk management services?

The Solution to Better Risk Management Is Your People (Plus Technology)

Insurance agencies currently engaged in risk management services have a distinct advantage: the accumulated knowledge of their people who provide contract reviews for customers. I had this epiphany as I was reading through a slide deck titled "Innovation is almost impossible for older companies," which states: "People have acquired skills that, at moments, have given significant advantages to companies in order to prosper." Insurance agencies now must figure out how to harness the risk management skills of their people in new ways. The alternative is scary for my insurance professional friends, because someone else -- someone with new technology and a new supply of risk management knowledge -- will figure it out instead.

Insurance companies could quickly be out-innovated, as happened to the taxi industry. For some time, the taxi industry had skills that allowed it to prosper. Taxi companies used technology and money to set up phone numbers that could be called to request a ride; these companies also stockpiled just enough cars and drivers to meet the minimum level of demand. But then Uber came along and created a better technology that connected riders to a different (and bigger) pool of drivers. The taxi industry got out-innovated.

Insurance agencies are composed of people who have acquired risk management skills.
My friends in the industry can review contracts with the best of them. But each of them has a limited capacity to complete contract reviews based on hours in the day. So not all customers get risk management services (either because they don't know about them or don't want to pay for them). A technology will come along that will expand the supply of risk management services. One insurance consultant thinks that technology will be a computer avatar that analyzes and predicts risks independently. I think the idea of an independently functioning risk management avatar is misguided. I am reminded of a quote from Zero to One, written by the founder of PayPal, Peter Thiel: "Better technology in law, medicine and education won't replace professionals; it will allow them to do even more."

Better Technology Will Allow Insurance Professionals to Do More

I continue to be drawn to the word "collaboration" as I envision the future of insurance technology. Recently, I spent time evaluating software solutions in the insurance industry. All of the solutions I reviewed are focused on step one, what I call "Make it Digital." Only within the last five to 10 years have insurance carriers and agencies gone paperless, and the insurance software companies are filling this need.

Digital is not enough. Paperless is not enough. Insurance technology must connect people and the knowledge that they create. Don't think about just connecting to your customers. Think about connecting your team.

Imagine if your entire risk management team could work as a living, breathing entity to assess and evaluate risk. When Agent Jim in Kansas City has a question about liquidated damages in Texas, he should be able to quickly identify work completed by Agent Bob in Dallas dealing with this exact issue. He can then evaluate the work and bring Bob in on any follow-up questions. I have yet to find an insurance carrier or agency that has figured this out.
This is where the opportunity lies in insurance technology: collaboration.

How Quote Data Can Optimize Pricing

Insurers must follow the lead of airlines and retailers and use quote data to fine-tune prices and features based on each customer's situation.

Retailers do it. Auto dealers do it. From wholesale parts suppliers to craigslist sellers and kids with lemonade stands, everyone knows that if you are going to take the trouble to sell something you should sell it for its full value. Many insurers, however, are stuck within semi-fixed pricing models that don’t allow them to capture the most profit they can from each policy. Today, insurers can change that because they have the ideal vehicle to help them optimize pricing and improve their margin — quote data. Quote data, when analyzed and tested on a continual basis and kept within the boundaries of the rate filing, can yield dramatic insights into purchase patterns and price tolerance. Plus, optimizing price with quote data is an analytics concept that will excite nearly everyone in the organization.

Why should insurers consider using quote data to modify pricing or products?

Insurers have actuarial models and underwriters who understand the market, plus they have rate plans that have already been filed for specific products. Quote data is ripe with excellent, relevant insights. The reason we see Google, Overstock and Amazon dipping into insurance quoting is because they grasp the potential in marrying purchase pattern data with price testing. For insurers, quote data tested against purchase patterns is a gold mine waiting to be tapped.

What do insurers have to gain?
  • New data yields new insights and can result in new decisions. (The ability to analyze multiple risk factors, even at the quote stage, is improving.)
  • Insurers can decide to charge more based on what they learn.
  • Insurers can decide to go after lower-margin, high-quality business.
  • They can go after low-margin, high-efficiency business.
  • They can identify business that they don’t really want.
  • They can answer the competitive threats of new entrants that are poised to capture an increasing share of the market.
Is optimization the right way to make decisions?

For the most part, the days of “from the gut” decisions are over. Human brains are predictable enough that they can be mined for decision data and yield well-patterned insights across similar individuals with similar decision patterns. Amazon, Pandora and Google can effortlessly predict a consumer’s next areas of interest and likely purchases without the individual ever telling them anything. The messages we receive from nearly everywhere are “optimized” because they are proven to most likely produce a positive reaction from us. Optimization is data science that works.

Pricing is the second step of optimization; it concerns itself with how much a certain type of prospect will pay at that point in time through that particular channel. As an example, consider a couple purchasing a boat two days before Memorial Day weekend. They are in the showroom using a quote aggregator on her mobile phone. They may be willing to pay more for insurance because of the need to move through underwriting quickly. Quote data over time may also prove that two boater certification questions need to be added to the quote process for first-time boat purchasers to keep the product profitable, either through adjusting price or filtering out applicants.

Insurers have a leg up on traditional online retailers because prospects do tell us something about themselves before they purchase, to get an accurate price. This kind of pricing optimization isn’t limited to online purchases. It can be done through agency channels and even through traditional direct mail. But the best data accessibility and ability to test is through website and mobile channel metadata.

How insurers optimize price — finding opportunities among the limits.

There are several areas for insurers to consider when optimizing through quote metrics. First, insurers should be tracking every bit of data and metadata surrounding the application.
Every submission document has the bits of a consumer story to tell. For example, how many days is it until renewal? Is a client making a last-ditch effort to get better auto pricing with you before turning elsewhere? Is a prospect shopping around in the last week before her home policy auto-renews? How many apps are coming through a particular channel in a particular day? All of these questions and many more could lead to pricing revisions based upon consumer behavior in the application process. Next, insurers should become highly adept at A/B testing. Consider variables as levers and raise and lower them to reach their limits, then continue monitoring and adapting. For example, begin with quote take-up rates on all submissions. Insurers should consider testing the limits available to the market. Do take-up rates improve when limits are raised? Website metadata can be informative in this regard, as well. What pages do consumers visit and when? Is there a standard path for the person who seems to rush through shopping, quoting and purchasing? Can the insurer raise the price for those who seem to decide quickly in their first visit and lower it for someone who has come back to the site repeatedly, conceivably price shopping? There are hurdles, however. Price testing must be done within the boundaries of the filing and the specific products. Some pricing changes may be able to be implemented immediately, but many will need to go back through the filing process. Pricing always has to happen within the regulatory box, so what is possible in testing may not always be feasible in pricing. But pricing optimization is only one part of the A/B testing equation when it comes to quoting. Quoting data can also be used to more finely tune risk factors and their relationship to take-up rates and claims. This kind of profit optimization is just as critical as pricing optimization, and it requires no regulatory refiling. 
It is data that can be fed back into actuarial models and may ultimately be useful when used in conjunction with mobile telematics data and a host of other data sources. Even if an insurer planned no immediate repricing of products, the ability to understand price tolerance based upon other quote factors (e.g. age, income, take-up rates, property value) would be helpful in the development of new products. The nuts and bolts of pricing optimization will vary with each insurer’s unique quote process and current market. But the promise it holds is not only a better overall margin per policy, but also the potential to grow volume through unexplored insights and the opportunities to deeply understand individuals, groups and their motivations to purchase insurance. Consumer data analytics is here to stay. The value in quote data is continuing to grow.

John Johansen

John Johansen is a senior vice president at Majesco. He leads the company's data strategy and business intelligence consulting practice areas. Johansen consults to the insurance industry on the effective use of advanced analytics, data warehousing, business intelligence and strategic application architectures.

How to Captivate Customers (Part 4)

When insurers get things right and captivate customers, they see a 34% increase in customer retention and a 37% rise in satisfaction.

ITL Editor-in-Chief Paul Carroll recently hosted a webinar on “Captivating Customers With All-Channel Experiences,” featuring experts from Capgemini and Salesforce.com and the former chief customer experience officer at AIG.

To see how important it is to provide a seamless, multi-channel experience that will captivate customers, look at our experience with a large North American property and casualty company. Revenue was falling. Too many customers were leaving. Customer service and the overall customer experience were lacking. Antiquated systems – both those facing the customer and the back-end, legacy infrastructure – needed to be modernized.

The company began a multi-year transformation, starting with its auto insurance business unit, and then expanded to other areas. With our help, the company designed and deployed a “Quote to Card” capability across multiple channels. The solution provides real-time information by integrating internal and third-party systems. The insurer is now able to complete the “end-to-end” quoting process (build/rate/bind a quote) for both the direct-to-customer channel as well as the agent channel, in a much more efficient and elegant manner.

The insurer incorporated a rich analytics component. As a result, it can perform robust online analytics, capturing information such as time spent by a prospect on the site, analyzing when and why a prospect is abandoning the quote process, etc. The insurer can also personalize the user experience, using results from the analytics platform coupled with advanced techniques such as caching and multivariate testing. Subsequently, the insurer added self-service capabilities for customers to conduct billing activities such as reviewing their account summary, paying bills, viewing payment history and updating personal profiles and other information.
As a result of the initiatives, the insurer is now able to create a 360-degree view of its customers across sales and service. There has been a 34% increase in customer retention and a 37% increase in customer satisfaction. Meanwhile, costs are dropping. Average times for handling issues are dropping at call centers. Less time is needed to train agents, and their productivity is up 40%. More customers are using self-service channels. Fraud is also declining because the insurer can, for instance, see when people are trying to game the process by fiddling with numbers to get a better quote. Additional capabilities are still being added as part of the multi-year transformation road map.

This is the fourth in a series of four articles adapted from the Capgemini white paper “Cloud-Enabled Transformation in Insurance: Accelerating the Ability to Deliver Exceptional Customer Experiences.”

Bhuvan Thakur

Bhuvan Thakur is a vice president within the Enterprise Cloud Services business for Capgemini in North America, UK and Asia-Pacific. Thakur has more than 18 years of consulting experience, primarily in the customer relationship management (CRM) and customer experience domain.


Jeffery To

Jeff To is the insurance leader for Salesforce. He has led strategic innovation projects in insurance as part of Salesforce's Ignite program. Before that, To was a Lean Six Sigma black belt leading process transformation and software projects for IBM and PwC's financial services vertical.

Are Market Cycles Finally Ending?

Market cycles are diminishing greatly because sophisticated analytics let insurers price risks individually, not based on market psychology.

The property/casualty industry has been characterized by its market cycles since… well, forever. These cycles are multi-year affairs, where loss ratios rise and fall in step with rising and falling prices. In a hard market, as prices are rising, carriers are opportunistic and try to "make hay while the sun shines" – increasing prices wherever the market will let them. In a soft market, as prices are declining, carriers often face the opposite choice – how low will they let prices go before throwing in the towel and letting a lower-priced competitor take a good account? Many assume that the market cycles are a result of prices moving in reaction to changes in loss ratio. For example, losses start trending up, so the market reacts with higher prices. But the market overreacts, increasing price too much, which results in very low loss ratios, increased competition and price decreases into a softening market. Lather, rinse, repeat. But is that what’s really happening?

What’s Driving the Cycles?

Raj Bohra at Willis Re does great work every year looking at market cycles by line of business. In one of his recent studies, a graph of past workers’ compensation market cycles was particularly intriguing.

[Chart 1: workers’ compensation market cycles, showing accident year loss ratio (blue), price (red) and loss rate per dollar of payroll (green)]

This is an aggregate view of the work comp industry results. The blue line is accident year loss ratio, 1987 to present. See the volatility? Loss ratio is bouncing up and down between 60% and 100%. Now look at the red line. This is the price line. We see volatility in price, as well, and this makes sense. But what’s the driver here? Is price reacting to loss ratio, or are movements in loss ratio a result of changes in price?

To find the answer, look at the green line. This is the historic loss rate per dollar of payroll. Surprisingly, this line is totally flat from 1995 to the present. In other words, on an aggregate basis, there has been no fundamental change in loss rate for the past 20 years. All of the cycles in the market are the result of just one thing: price movement. Unfortunately, it appears we have done this to ourselves.

Breaking the Cycle

As carriers move to more sophisticated pricing using predictive analytics, can we hope for an end to market cycles? Robert Hartwig, economist and president of the Insurance Information Institute, thinks so. “You’re not going to see the vast swings you did 10 or 15 years ago, where one year it’s up 30% and two years later it’s down 20%,” he says. The reason is that “pricing is basically stable…the industry has gotten just more educated about the risk that they’re pricing.” In other words, Hartwig is telling us that more sophisticated pricing is putting an end to extreme market cycles. The “what goes up must come down” mentality of market cycles is becoming obsolete. We see now that market cycles are fed by pricing inefficiency, and more carriers are making pricing decisions based on individual risks, rather than reacting to broader market trends. Of course, when we use the terms “sophisticated pricing” and “individual risk,” what we’re really talking about is the effective use of predictive analytics in risk selection and pricing.

Predictive Analytics – Opportunity and Vulnerability in the Cycle

Market cycles aren’t going to ever truly die. There will still be shock industry events, or changes in trends that will drive price changes. In "the old days," these were the catalysts that got the pendulum to start swinging. With the move to increased usage of predictive analytics, these events will expose the winners and losers when it comes to pricing sophistication.

When carriers know what they insure, they can make the rational pricing decisions at the account level, regardless of the price direction in the larger market. In a hard market, when prices are rising, they accumulate the best new business by (correctly) offering them quotes below the market. In a soft market, when prices are declining, they will shed the worst renewal business to their naïve competitors, which are unwittingly offering up unprofitable quotes.

[Chart 2]

Surprisingly, for carriers using predictive analytics, market cycles present an opportunity to increase profitability, regardless of cycle direction. For the unfortunate carriers not using predictive analytics, the onset of each new cycle phase presents a new threat to portfolio profitability.

Simply accepting that profitability will wax and wane with market cycles isn’t keeping up with the times. Though the length and intensity may change, markets will continue to cycle. Sophisticated carriers know that these cycles present not a threat to profits, but new opportunities for differentiation. Modern approaches to policy acquisition and retention are much more focused on individual risk pricing and selection that incorporate data analytics. The good news is that these data-driven carriers are much more in control of their own destiny, and less subject to market fluctuations as a result.

Bret Shroyer

Bret Shroyer is the solutions architect at Valen Analytics, a provider of proprietary data, analytics and predictive modeling to help all insurance carriers manage and drive underwriting profitability. Bret identifies practical solutions for client success, identifying opportunities to bring tangible benefits from technical modeling.

More Pressure to Protect Health Data

The federal government is demanding better security for personal health data, and those operating health plans must react.

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.
In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:
  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.
To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application and data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA susceptibilities or violations as well as to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:
  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.
Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons. One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insights to the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details provide invaluable tips.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons. HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond. The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach.
While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements. Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation. While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. 
For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk. When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules. 
Once these arrangements are in place, employers and their management also generally will want to take steps to ensure that their organization and each member of the employer’s workforce honors these arrangements and does not improperly access or use health plan PHI systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because health plan PHI records also typically include personal tax and Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employers and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements. For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements.
ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can occur even if the entity or individual is not named a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority. Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints. Manage HIPAA and Related Risks At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. 
Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

Cynthia Marcotte Stamer

Cynthia Marcotte Stamer is board-certified in labor and employment law by the Texas Board of Legal Specialization, recognized as a top healthcare, labor and employment and ERISA/employee benefits lawyer for her decades of experience.

Doubts on Testing for Breast Cancer

Early studies on using mammograms to screen for breast cancer were deeply flawed, largely because they can lead to over-diagnosis.

The Guardian carried a story by Sarah Boseley about the controversy in Europe and other countries about the effectiveness and safety of mammograms. It seems some of the early studies on the issue were deeply flawed. The article says, “Internationally renowned cancer experts have cast fresh doubt on the benefits of breast cancer screening programs, warning that they save fewer lives than previously thought.” Professor Julietta Patnick says, “There are potential risks as well as benefits associated with breast screening, including over-diagnosis, and it is important that women are given information that is clear and accessible before they go for a mammogram.” She calls for women to have truly informed consent so they can decide to have a mammogram or not. This is a controversial area. Should employers be involved in promoting this and prostate screenings? I’m not so sure.

Tom Emerick

Tom Emerick is president of Emerick Consulting and cofounder of EdisonHealth and Thera Advisors. Emerick’s years with Wal-Mart Stores, Burger King, British Petroleum and American Fidelity Assurance have provided him with an excellent blend of experience and contacts.

How to Captivate Customers (Part 3)

To captivate customers, it isn't enough to just change the technology that they touch. You have to take a broad look at all systems.

ITL Editor-in-Chief Paul Carroll recently hosted a webinar on “Captivating Customers With All-Channel Experiences,” featuring experts from Capgemini and Salesforce.com and the former chief customer experience officer at AIG.

In almost all cases, to provide experiences that captivate customers, insurers must modify their legacy technology infrastructure. Some insurers are building an overlay, taking an innovative approach to the technology that customers touch, but that isn’t enough. Insurers need to take a broader look and make sure that new customer technology integrates effectively with back-end systems such as claims, policy administration, billing and enterprise resources planning (ERP). That way, all parts of the enterprise are driving toward providing the desired customer experience.

These changes will make agents more satisfied and efficient. The changes will also help captivate customers, who want to deal with all parts of the insurance process as one seamless operation. That means both upgrading the technology for agents and incorporating them tightly into the insurer’s systems.

Cloud solutions have proven to deliver capabilities insurers need faster and with less business disruption than traditional, on-premises alternatives. The result is lower total cost of ownership and significantly reduced project risk. Such an approach lets insurers remain firmly focused on the customer. Insurers can focus on designing the customer journey and experience rather than be burdened by the design, build, test and deployment of the technology.

To get there from here, insurers need to integrate the interactions among employees, customers and agents and among social networks, internal systems and business processes.
The result needs to support any device, use unified business logic and provide access to data. There needs to be a consistent customer experience across all channels (self-service, agents and call centers). Exhibit 3 provides a sample of the necessary components (in this case, on a Salesforce platform):
  • Customer Interaction Hub, which provides ease of use and information accessibility
  • Platform, which provides multi-device capabilities
  • Service Cloud, which helps agents track the history of customers and policies and engage regularly with customers
  • A cloud-based contact center telephony system. The system (in this case, Odigo) must provide services such as intelligent call routing, natural language recognition, mobile channel integration, biometrics or voice-based authentication, multi-site routing and management dashboards. The platform must allow customers to originate a transaction in one channel and take it forward in another, such as self-service.
  • Document signature software, to allow customers to sign quotes and policies online
  • Integration with popular insurance software packages for policy quotes, binding, claims

When developing for a multi-channel experience, it’s crucial to do lots of A/B testing – changing one variable at a time for a sample of customers, seeing how they react and incorporating those changes that produce better results. It’s also important to actually watch customers to see how they navigate a process – where they stop, where they start up again, where they get sidetracked, where they get confused. We’ve watched customers many times, and the results can be surprising enough to at least require considerable tinkering.

For example, with three releases each year, Salesforce has delivered 47 major releases since its inception. Each release is informed by learning from how users behave, adopt and use Salesforce’s features. As a result, more than 1,700 features have been sourced directly from Salesforce’s customer community. In insurance, Salesforce learns from more than 2,500 insurance customers. These continuing improvements happen in an agile fashion, and follow an iterative cycle of release, learn and improve.

The race to become a leading insurer that is able to attract, satisfy and retain customers is in full motion. Those insurers that can blend traditional channels and digital channels in a seamless way will lead the race, creating clear competitive advantage with the capabilities in place to capitalize on market disruption over the coming years.

The first two articles in this series are here and here. For the white paper from which these articles are adapted, click here.

Bhuvan Thakur

Bhuvan Thakur is a vice president within the Enterprise Cloud Services business for Capgemini in North America, UK and Asia-Pacific. Thakur has more than 18 years of consulting experience, primarily in the customer relationship management (CRM) and customer experience domain.


Jeffery To

Jeff To is the insurance leader for Salesforce. He has led strategic innovation projects in insurance as part of Salesforce's Ignite program. Before that, To was a Lean Six Sigma black belt leading process transformation and software projects for IBM and PwC's financial services vertical.

9-Step Model for Data Analysis

Too often, data analysis is an unplanned art, with too many "rabbit warrens" being explored. A disciplined approach is required.

When training analysts how to deliver more value, two topics have proved the most popular. One is training in Socratic questioning techniques, to get to the real business need. But, as many analysts have "fallen into" this line of work, rather than making a conscious education and career choice, few have been trained in methodologies. With the exponential growth of insight analysts, marketing analysts and data scientists, the emphasis appears to be on just coding skills and software mastery. Where this is the case, too often analysis is an unplanned art, with unreliable timescales and too many "rabbit warrens" being explored. It is perhaps for this reason that the other most popular topic is a high-level structure for analysis.

I call this approach the 9-step model for analysis. It comprises the following steps:

1. Socratic Questioning: getting to real business need
2. Planning & Design: defining approach and gathering resources
3. Stakeholder Buy-In: getting agreement on what will be delivered
4. Data: ensuring the needed quality data and learning from it
5. Analysis: including exploratory data analysis and hypothesis testing
6. Insight Generation: converging evidence to get to deeper insights
7. Stakeholder Sign-Off: support for or refining recommendations
8. Storytelling & Visualization: capturing hearts and minds for action
9. Influencing for Action: ensuring appropriate action is taken

What's your experience of improving the capability of your customer insight team? Have you focused on developing the skills outlined above or other areas? Please do share your tips, too.

Paul Laughlin

Paul Laughlin is the founder of Laughlin Consultancy, which helps companies generate sustainable value from their customer insight. This includes growing their bottom line, improving customer retention and demonstrating to regulators that they treat customers fairly.

Financial Malware Uses Macros to Infect

A new breed of financially focused malware is continually mutating to avoid detection and is being aimed at 1.3 billion email addresses.

A new breed of financially focused malware has cropped up, using new tactics to evade detection and infect harder-to-compromise systems. The Dyre botnet has successfully compromised tens of thousands of victims in North America. Another banking trojan, Dridex, has successfully compromised thousands of systems in Europe and is increasingly targeting companies and users in the U.S. by sending Word documents carrying malicious macro scripts capable of installing the malware.

Cloud-based security provider Proofpoint has focused on Dridex since it appeared late last year, tracking efforts by the groups to target companies with Dridex-laden spam. The attackers send out waves of spam every two or three days, using anywhere from two different e-mail templates to more than 1,000, depending on the group behind the attack. The attacks usually last no longer than five hours, and few, if any, antivirus scanners detect the malware in time, says Wayne Huang, vice president of engineering at Proofpoint. “I would say that they are persistent, but they are not APT (an advanced persistent threat) in that they are not focusing on certain organizations,” he says. “They spread malware primarily to monetize.”

The rapidly changing templates and the use of macros within Word documents are just two of the techniques that Dridex uses to be an efficient infector. More recent versions of the banking malware have used images to track the number of downloads, and the developers also have added features to foil detection and analysis by automated systems. A number of anti-malware systems open suspicious files or run potentially questionable code in a virtual environment to check for malicious behavior.
Yet, attackers have found ways to detect whether their code is running in such a “sandbox.” Initial attempts, for example, would just sleep for an hour or a day, because automated systems typically only executed the code for a few minutes. Most current efforts, however, focus on the anomalies in the system in which the program is running. The developers behind the Dyre malware, for example, used a simple command to count the number of cores being used. Many virtual environments only use a single core for efficiency, while multi-core systems are now ubiquitous. Dridex, however, took a simpler tack: Because analysis systems tend to open the suspicious file and wait for any anomalous activity, Dridex is programmed to only execute when the malicious Word document is closed.

The evolution of Dridex has made it an effective vehicle for attacks, says Matt Huang, vice president of product management at Proofpoint. “They have been really mutating their techniques, especially to avoid sandbox detection,” he says. “From very early on, they would change e-mail subjects and file titles. Now, we see a greater variety of techniques.” A single attack often will result in hundreds of thousands of e-mails being sent out. The attackers have at least 1.3 billion e-mail addresses from which to choose, Huang says.

The attackers also are beginning to zero in on other financial targets, such as cryptocurrencies. In some cases, Dridex has downloaded a trojan known as Pony that can steal more than 30 different cryptocurrencies, such as Bitcoin, from a dozen different types of digital wallets. “Recently, they have been using Pony to steal wallets, because the use of virtual currency has picked up,” Huang says. “They have been quite successful.”
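
A defender's view of the three evasion behaviours described above, as an added example that is not code from the article or from Proofpoint: a static triage pass over VBA macro source already extracted from a document, flagging close-triggered entry points, delays and core-count checks so that the sandbox run can be adjusted to match. The regex patterns, function names and sample macros are constructed assumptions for illustration.

```python
import re

# Heuristic patterns: assumptions chosen for this example, not a vendor rule set.
_SUB = r"^\s*(?:(?:Public|Private)\s+)?Sub\s+"
ENTRY_POINTS = {
    "on_open": re.compile(_SUB + r"(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I | re.M),
    "on_close": re.compile(_SUB + r"(AutoClose|Auto_Close|Document_Close|Workbook_BeforeClose)\b", re.I | re.M),
}
EVASION_HINTS = {
    "delay": re.compile(r"\b(?:Application\.Wait|Application\.OnTime|Sleep)\b", re.I),
    "core_count": re.compile(r"NUMBER_OF_PROCESSORS|NumberOfCores|NumberOfLogicalProcessors", re.I),
}

def strip_comments(source):
    """Drop whole-line VBA comments so names mentioned in comments do not match."""
    kept = []
    for line in source.splitlines():
        head = line.lstrip()
        if head.startswith("'") or head.lower().startswith("rem "):
            continue
        kept.append(line)
    return "\n".join(kept)

def triage_macro(source):
    """Return triggers, evasion hints and what the sandbox must do to see behaviour."""
    code = strip_comments(source)
    triggers = {kind: sorted({m.group(1) for m in rx.finditer(code)})
                for kind, rx in ENTRY_POINTS.items()}
    hints = sorted(name for name, rx in EVASION_HINTS.items() if rx.search(code))
    requirements = []
    if triggers["on_close"]:
        requirements.append("close the document before ending the run")
    if "delay" in hints:
        requirements.append("extend or fast-forward the observation window")
    if "core_count" in hints:
        requirements.append("give the analysis VM more than one core")
    return {
        "triggers": triggers,
        "hints": hints,
        # Nothing fires while the file is merely open and being watched.
        "close_only": bool(triggers["on_close"]) and not triggers["on_open"],
        "sandbox_requirements": requirements,
    }

# Constructed samples; StageTwo is an undefined placeholder, not real code.
SAMPLE_CLOSE_ONLY = '''Attribute VB_Name = "ThisDocument"
' Constructed sample: runs only when the document is closed
Private Sub Document_Close()
    StageTwo
End Sub
'''
SAMPLE_OPEN_DELAY = '''Sub AutoOpen()
    If Environ("NUMBER_OF_PROCESSORS") < 2 Then Exit Sub
    Application.Wait Now + TimeValue("01:00:00")
    StageTwo
End Sub
'''
SAMPLE_BENIGN = '''' Sub AutoClose is not used in this template
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name in ("SAMPLE_CLOSE_ONLY", "SAMPLE_OPEN_DELAY", "SAMPLE_BENIGN"):
        print(name, triage_macro(globals()[name]))
```

A `close_only` result is the case the article attributes to Dridex: a detonation that opens the file and waits will record nothing unless the run also closes the document.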

The Achilles Heel of Insurer Technology

The Achilles heel is that systems design theory of the '80s and '90s was component-based. It made sense at the time; it doesn’t any more.

Migrating the technology infrastructure supporting insurance underwriting to “digital” has substantially different meanings depending on who has the floor. For some insurers, it is simply the ability to put a product on the web and offer on-line quotes to prospective policyholders. For others, it is the ability to quote, bind and issue a policy on line. The more sophisticated platforms offer a complete digital marketplace for consumers to shop, obtain pricing, buy, bind, pay for and have policies delivered for a variety of products, offered by multiple carriers, into a secure web-based account, using familiar, digital, “shopping cart” tools and techniques. Still, many carriers need to examine their current systems, which were not built for speed to market or a high degree of automation. The issue for many carriers attempting to go digital is the burden of having web-based sales integrate seamlessly with their legacy systems. I’ve had numerous conversations with executives who bemoan the fact that they can’t offer a product in a different channel because the systems “can’t handle it.” So, carriers are turning away business (and doing their customers a disservice). The Achilles heel for most insurers is that insurance product systems design theory of the '80s and '90s was component-based. It made sense at the time, but it doesn’t any more. The typical carrier legacy system configuration involves a different systems component for practically every function along the product continuum, starting with account acquisition and continuing through agent licensing, underwriting, compliance, rating, quoting, binding, policy issue, premium collection, commission administration and claims payment and ending with financial reporting. Along the way, account data is input into each separate system (sometimes manually, sometimes automatically), resulting in multiple silos of redundant account data. 
How many employees do you have going through a monthly reconciliation process just to determine you are not double counting business? Wouldn’t it be great if those employees were helping to generate revenue, not figure out if the revenue you think you have is actually revenue? Component-based systems are further complicated because they are often programmed in different languages, come from different vendors, require separate support and maintenance personnel and in many cases rely on programmers who become experts in a very narrow section of the code. (“Don’t ask me about the commission system; I do the billing system.”) The complexity gets compounded with acquisitions of companies that have deployed a similar, component-based approach. Carriers that are serious about a digital transformation need to take a holistic view of the product sales, underwriting and policy administration continuum. Instead of looking at a new component for the underwriting function, a new policy administration system, a new document management system, carriers need to view the entirety of the product process, create a single, relational database and work with a “product agnostic” platform. The ability to put all products on a single system with capabilities to automate underwriting, rating, quoting, binding, policy issue, premium and commission administration is the ideal scenario. Providing access for all users to run all applications from a single system eliminates redundant data entry, programming and maintenance requirements of component-based platforms and enables you and your company to concentrate on the strategic initiatives you’re supposed to focus on.

Brian Harrigan

Brian Harrigan, CEO of InsurIQ, a provider of insurance technology solutions, has spent over 40 years in the insurance industry, helping agents and carriers manage the purchasing of insurance and personal protection products.