Options to Work Comp: Public Policy Analysis

Analysis of the Texas workers' compensation system shows that, as a matter of public policy, "opt-out" programs make sense.

For more than 100 years, Texas has allowed most private employers the option of either purchasing workers’ compensation insurance or developing their own system of injured employee care. Today, 33% of all Texas employers have exercised their option and “nonsubscribe” from the state workers’ compensation system. This paper focuses on public policy that has provided Texas the most successful occupational injury management system in the U.S. – a dual system represented by both traditional workers’ compensation and an option. Following a brief discussion of the need for options to workers’ compensation and the main components of the Texas Option, foundational public policy is examined. Then, this paper breaks new ground by detailing the size and superior performance of the Texas Option compared with Texas workers’ compensation. Data is provided regarding fewer lost time claims, faster return to work, fewer claim denials, fewer disputed claims, savings on state government expense and lower employer costs. These same public policies and claim results undergird the “Oklahoma Option” legislation that became effective in 2014 and are informing and advancing option legislation now in Tennessee and other states. This paper will not focus on option program feasibility analysis, design, implementation or funding for a particular employer. This paper also will not provide a detailed analysis of negligence liability exposures or how to administer a nonsubscriber claim. Resources on those subjects are available upon request. Read the report on Partnersource.com.

How Much Cyber Risk Should You Take?

Boards don't like to hear that they are accepting some level of cyber risk, but they are. Twelve questions can help define and manage it.

I have been spending a fair amount of time over the last few months talking and listening to board members and advisers, including industry experts, about cyber risk. A number of things are clear:
  • Boards, not just those members who are on the audit or risk committee, are concerned about cyber and the risk it represents to their organizations. They are concerned because they don’t understand it – and the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organizations.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That recognition mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared with the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over it and deal with it!
The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration). Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.
  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce risks by signing up for new cloud services?
I welcome your thoughts, perspectives and comments.

Who Is Your Chief Customer Officer?

Figuring out who should play the role of chief customer officer begins with a few simple questions -- and perhaps a change in mindset.

In my role as market connector, I constantly meet people with all kinds of job titles, many of which did not exist even a few years ago. Some reflect a “cool” factor more than substance. Others signal strategic intent translated into an organizational decision. Recently, there’s been a burst of senior-level titles speaking to a new view of the customer. These include chief customer officer, chief customer experience officer and variants. What are these roles about, and what value can they bring? I’m not one to believe that titles by themselves matter much. In fact, I think the hierarchical behavior and entitlements that titles convey can be destructive to the collaborative environment needed to nurture enduring, customer-centric results. But I also think it’s worth any executive’s time to contemplate the value of an empowered chief customer or experience officer and why other companies might be going down this path. Is it right for you? Is it real or is it window dressing? What can it potentially accomplish? Who should wear this hat to generate impact?
Why have a chief customer or experience officer?
Last month, I wrote about marketing myths and truths in an age of technology disruption and customer empowerment. Any leader should look at all of her resources – including people, dollars and infrastructure – and drive the changes required to attract and win the loyalty of target customers. For the vast majority of companies, the status quo is not the answer. The chief customer or experience officer defines and steers the transformation by defining the execution plan aligning resources to deliver on the customer needs that matter. The plan should link customer priorities to a business’ financial objectives. He mobilizes employees, and his appointment can be a powerful signal from the CEO that the customer must be at the center of everything the company does.
Why won’t status quo work?
Traditional company structures were not built around the customer. Companies were organized for efficiency, control and predictability. The problem is that these priorities by themselves end up constraining the agility fundamental to delivering a productive, positive customer experience – one that motivates trial, purchase, recommendation and other behaviors reflecting loyalty to a brand. The chief customer or experience officer provides leadership to help the company embrace agility as key to a customer experience that is managed to deliver business results – top and bottom line. At the same time, she must partner with peers to ensure the company does not lose sight of the basics of efficiency and control, especially to meet regulatory mandates that are “lights on” needs in the insurance sector.
What’s going on in your organization?
Start by asking yourself a few questions:
  • When decisions are being made, are employees at all levels and functions contemplating the impact on the customer? Do employees shape their actions around delivering value to the customer? Does anyone ask, “What’s the impact on the customer?” And, do other participants in the conversation care?
  • Does your organization act as though the right experience will deliver business results, or do people express the belief that doing what the customer wants is a tradeoff to financial results? If the latter is the case, you are likely receiving a strong signal that your journey to a great customer experience may require a sharp pivot.
  • Do you measure customer satisfaction across the entire experience? Does your methodology gather only customer service feedback for the subset of customers who are reaching out, or do you look at channel results holistically?
  • Are you using a methodology that connects customer satisfaction to the end-to-end experience of doing business with you all the way through to how satisfaction levels directly affect financials? A “yes” to this last question means you are closer to best-in-class practices.
What’s right for my organization?
If you want to steer your organization toward being truly customer-focused – if you believe this is a must-do in today’s economy – a chief customer or experience officer provides one approach that can be a mobilizing force for change. As with any business goal, the buck has to stop with an individual, and that individual has to be someone below the CEO for day-to-day actions toward results. The title matters less than the accountability, leadership profile and empowerment of whoever is given this mission. Be aware that merely appointing someone to a role accomplishes little. Driving customer metrics requires the same kind of ownership as any result you are trying to achieve. But such an appointment does not absolve the CEO or the rest of the C-suite from taking accountability for the transformation to customer-centricity. The rest of the executive team must align with the chief customer or experience officer’s plans and engage to drive action among the people they lead.
What does it take to set the role up for success?
This role is not for the faint-hearted. Frankly, the technical skill background can be just about anything. The make-or-break will be the leadership profile: an influencer, a collaborator, a team-builder and someone who is a dot-connector, a naturally customer-obsessed person who is curious enough to always ask, “What would our customers want/say/think/do?” And an astute observer who recognizes that great experiences come from deep understanding of people’s behavior – how they complete tasks and go about solving life’s daily problems. Then there are the must-dos for any role to be taken seriously and set up for success – real resources to get the job done, shared expectations of time-to-impact and metrics that link your customer strategy to bottom-line impact along with the IT capability to get at the metrics with accuracy on a routine basis.
What’s the downside?
The chief customer or experience officer is a change agent. As in any change agent role, there are above-average risks to carrying out the mission with success. As in any transformation role, there will be conflict. Make the conflict a stimulus for constructive steps forward, and see it as a way to achieve big breakthroughs, but be ready for conflict to happen. Strong leaders know how to convert conflict into opportunity.
The bottom line
Even exploring the value and impact of a chief customer or experience officer means you recognize the need to boost your organization’s customer focus. Remember, being customer-focused doesn’t mean giving customers anything they want. It’s about:
  • Zeroing in on the audience you want to serve
  • Being able to identify audience members so you can establish and build authentic relationships
  • Inspiring them to see your brand and offerings as relevant to their lives
  • Achieving win/win outcomes for these individuals as well as for your business.
What business does not want to make this happen? So, what are you waiting for?

It's Time to Discuss the Upside of Cyber

There's been plenty of focus on the cyber risks associated with big data. It's time to focus on the upside that smart companies can exploit.

Based on what our clients are telling us, I can’t imagine that there are many boards of directors that haven’t recently talked about data. With everyone focusing on security issues and the risks inherent in not adequately plugging data vulnerabilities, every board has had its wake-up call. Managing the downside is only one part of the issue. There is also great upside to be found in the data to drive strategic growth. Studies have shown that organizations that have already transformed themselves through data continue to get better at using data faster than others. The leaders are still increasing their leads. Where there is the opportunity for revolutionary data use, there is also the possibility of being left in the dust. For every WalMart and Uber, there’s a Sears and Yellow Cab company. So, boards need to look at the upside and see data as the means to cross-enterprise improvement. For better market penetration, use your data. For greater operational efficiency, look to your data. For lower risk or reduced fraud or stronger service, create a data framework that will give you both utility and knowledge. We are entering into an explosive period of data availability from outside the organization. If we use it well, it will yield insights that will make today’s decision-making look like the punch-card era. Though these data conversations are started at the highest levels, they must be continued and fostered at every level. In coming weeks, we will be looking at the opportunities and consequences of data conversations — where to start, what to avoid, building a data culture and understanding data’s true value to your organization. I hope you’ll join the discussion.

'Un-Healthcare' Work Deserves Focus

"Un-healthcare workers," on the periphery of medicine, often are ignored but play a powerful role in patient care and community wellness.

Some, like me, who have dedicated their lives to the maintenance and improvement of physical and mental health, may not consider themselves traditional, clinical “healthcare workers.” We may feel as if we work on the fringe, on the outside. We are not nurses or physicians. We work in public health, wellness, nutrition, occupational safety, health economics, fitness, risk management, pharmacy, laboratory, research, insurance and other similar non-traditional clinical professions. We may feel we make a lesser impact on patient care and overall community wellness and vitality. Given historical reference, however, this is absolutely untrue. The term "healthcare" (whether one word or two) has not been used at all in books, papers, references or published text over hundreds of years, until the mid-1980s. But since the late 1700s, those of us “living on the fringes” have been healthcare workers in the true sense of the practice. We may not provide bedside patient care in a healthcare or hospital setting, but we do:
  • Prevent infectious disease by promoting the use of vaccines;
  • Protect the public from pathogenic organisms through water and food sanitation;
  • Prevent addiction and antibiotic resistance through pharmaceutical stewardship;
  • Manage repercussions from post-traumatic stress with mental health interventions;
  • Research global disease trends to stop them in their tracks;
  • Manage risk by improving safety, security and quality;
  • Decrease work-related injury and illness by creating safe workplaces, and
  • Prevent heart disease and weight-related cancers by promoting regular exercise.
Those efforts ensure that a population’s health (both physical and mental) does not suffer, that it is either maintained or, better yet, improved. We are the “Un-Healthcare Workers.” It is especially important that traditional healthcare organizations and healthcare workers know this now. As healthcare systems around the world are caring for patients with emerging infectious diseases like Ebola and re-emerging vaccine-preventable diseases like measles, they need to consider that we un-healthcare workers have responsibility for protecting our communities. If we can prevent diseases from becoming epidemic in our communities, healthcare providers working in healthcare settings like hospitals can focus more on providing needed care to those with emergent injuries and chronic disease. The American Public Health Association (APHA), which has represented people protecting the public since 1872, announced a policy in November on preventing Ebola and "globally emerging infectious disease threats" that marked a significant change in the recognition of the "un-healthcare worker." The APHA identified the need to focus efforts on preventing infectious disease in the community and workplaces as a means to protect healthcare systems from exposure to diseases that may change the overall landscape of inpatient care. In the process, the APHA advocates for the role that we “un-healthcare workers” have in maintaining and improving the physical and mental health of our population so that healthcare workers can focus on medical interventions for those who really need it. Sound, science-based public policy and fiscally grounded public health funding can do what it did for the hundreds of years prior to the mid-1980s; it can protect our communities from disease, so that we can protect the vitality of our healthcare systems.

Major Regulatory Change in Asia-Pacific

Change in Asia-Pacific, particularly on risk-based capital, will affect product offerings, investment strategy, capital utilization and more.

The global insurance industry is undergoing significant regulatory change, with regulators in the more developed markets endeavoring to synchronize their efforts. Similar occurrences can be observed in the Asia-Pacific region, where a number of countries are reviewing and undergoing changes in their approach to insurance regulation and holistic risk management. Most notably, a number of regulators are either introducing risk-based capital (RBC) or revisiting their existing RBC frameworks. The maturing regulatory approaches in Asia-Pacific will be a significant factor in managing systematic risk and enhancing policyholder protection.
Asia-Pacific is different
While the proposed RBC framework in Asia-Pacific may have similarities with the European Solvency II standard, there is wide disparity in the level of sophistication and application. Many of the changes are being driven by local market nuances, such as characteristics of the insurance products being sold and maturity of the insurers who operate in the various jurisdictions. For example, Australia has recently implemented its second-generation solvency regime. Singapore and Thailand are consulting with the industry on second-generation RBC frameworks, while others such as China and its Hong Kong SAR are considering moving in that direction. These moves are particularly encouraging in providing a regulatory framework that will allow for a degree of consistency, especially for those insurers that have multiple offices across the region. In addition to the changes in reserving and solvency calculations, a number of regions are also strengthening their risk management efforts (e.g., China with C-ROSS). This exemplifies how regulators are paying more attention to embedding risk management activities in the business. They look to ensure that senior management has sufficient oversight to allow them to consider and discharge their fiduciary responsibilities. It is important that organizations have an operational infrastructure and that the risk profile is within business risk appetite levels.
What does this mean for insurers?
Advances in regulation in the Asia-Pacific region are far-reaching. The implications are expected to improve the way businesses will operate to create long-term sustainability. These implications, in our view, will affect product offerings, investment strategy, capital utilization, risk transfer opportunities and infrastructure. In particular, we foresee several implications:
  • Robust regulatory framework will provide comfort to the overall financial soundness of the insurance industry. However, the cost of regulatory compliance is expected to increase significantly.
  • Changing regulations will provide more room for innovation and incentives to enhance or change organizational metrics. Better-managed companies will potentially benefit from lower capital requirements, making their products more attractive.
  • Companies traditionally focusing on new business value will have to rethink the continuing profitability of past years and will need to understand options available for in-force value management. This will be particularly crucial given that existing forms of new business may be capital-intensive.
  • A better understanding of the business risk profile will be needed. This will necessitate implementing sophisticated techniques in modeling/optimizing risk-adjusted returns and outlining a more systematic process for risk appetite.
  • Investment will be required to enhance the modeling and reporting systems to meet regulatory timelines.
  • Convergence of regulations toward RBC will also mean that there is less disparity between local and foreign players. This will make Asia-Pacific insurance markets potentially more attractive for foreign investments. Moreover, customers may eventually benefit from new ideas and solutions from both foreign and domestic insurers. This will create a healthy competitive market place for policyholders.
Challenges and opportunities
Based on experience in more developed insurance markets, changes in regulations produce both challenges and opportunities for insurers. In the short term, it is anticipated that there will be more investment demands on insurance companies. Insurers have the prerogative to make the best use of these investments to define long-term opportunities. In Europe, for example, some insurers have used Solvency II as a means to further enhance their risk management systems, capital allocation mechanisms and reporting infrastructure, and redefine their key performance indicators. This, in turn, has convinced shareholders and analysts that investments because of regulatory changes should not be for mere compliance, but rather as a means of enhancing competitive advantage. We believe that insurers in Asia-Pacific should draw upon the experiences and challenges in more developed markets to establish an approach for Asia-Pacific markets that considers regulation, economic nuances and the purchasing behavior of policyholders.
Looking ahead There will be many changes within the industry over the next few years, and companies will need to consider the operational implications for their businesses. Based on our conversations and experience in the region, we see an increasing number of insurers making adjustments to their future business plans and investment needs. Some of these modifications are tactical, such as enhancing their existing processes, while others have the potential to have a wholesale effect on entity rationalization and strategic initiatives, such as capital optimization. We are very engaged with the regulators, industry bodies and insurance companies in the emerging discussions and are helping insurers to consider these regulatory changes with a strategic mindset. China
The China Insurance Regulatory Commission (CIRC) has adopted a factor-based solvency system similar to Europe’s Solvency I regime. It is composed of internal risk management, solvency reporting, financial analysis and supervision, regulatory intervention and bankruptcy remediation. This solvency regulation system was built from 2003 to 2007. Over the past 30 years, the Chinese insurance market has become one of the fastest-growing in the world, and its complexity and risk have increased accordingly. The existing static solvency system no longer properly reflects asset and liability risks facing insurance companies. Therefore, it has limitations in providing good guidance for insurers to improve risk management quality and capabilities. Globally, there is a trend toward more risk-oriented regulation and governance, such as Europe’s Solvency II, the US NAIC’s solvency modernization initiative and Singapore’s RBC 2. Developing a new solvency system for mainland China would not only meet local market needs but could also provide pragmatic and invaluable experience for other emerging markets, as well as the international insurance community. Australia
Australia has two primary supervisory authorities, the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC). Both bodies have authority over the entire retail financial sector, comprising deposit-taking institutions, life and non-life insurance companies, friendly societies and superannuation schemes. APRA is responsible for the licensing and prudential regulation of financial institutions, while ASIC deals with consumer protection issues. The most significant recent enhancement to the regulatory regime is the capital adequacy framework and draft conglomerate supervision. This is supplemented by a corporate governance regime. Hong Kong
The insurance industry in the Hong Kong SAR has witnessed considerable growth in the past decade. As of Oct. 14, 2014, there were 155 authorized insurers in Hong Kong, including 44 long-term insurers, 92 general business or non-life insurance companies and 19 composite insurers (i.e., life and non-life insurers). In Hong Kong, the Office of the Commissioner of Insurance (OCI) is the Insurance Authority (IA) under the Insurance Companies Ordinance (ICO) and oversees the financial conditions and operations of authorized insurers. The OCI is part of the Financial Services and the Treasury Bureau of the Hong Kong Government. India
The Indian life insurance industry has witnessed a phenomenal change in the last 14 years since it was opened to private players. It experienced strong growth (a CAGR of 30%) for almost a decade, until a wave of regulatory changes capped charges for unit-linked products. This compelled insurers to shift focus from unit-linked investments to traditional protection products, significantly slowing industry growth. With reduced shareholder margins on unit-linked plans, sales of traditional products have increased and now constitute at least half of new life insurance business, whereas unit-linked plans are facing negative growth. General insurers have seen growth of 16% CAGR over the past decade. This is attributed to the evolving regulatory environment, new private companies entering the market, changing demographics, greater disposable income and business development in the corporate sector. In fact, growth was significantly higher in the financial year 2012–13 — up 24%, primarily as a result of policies sold and rate adjustments. Against the backdrop of a relatively underpenetrated market, there is a significant potential for sustainable long-term growth. Currently, there are 24 life insurance and 28 general insurance companies in the market. A few mergers and acquisitions are in the pipeline. The industry today is in a state of flux. Surrounded by political uncertainty, slower economic growth, regulatory changes and increased competition, insurance companies are looking to increase profitability, manage expenses and improve persistency. Indonesia
Indonesia is one of Southeast Asia’s largest economies and presents a huge untapped market for the insurance industry. An expanding middle class and the young demographics of the population is creating a vast platform for savings and investment products, and as life insurance continues to show exponential growth, the microinsurance market is gaining traction with low- income consumers. Against this backdrop, the Indonesian insurance industry is being shaped by changing regulations and stricter capital requirements that are aimed at introducing greater transparency and stability. In this transformed regulatory landscape, there are more new entrants to the market and greater opportunities for mergers, acquisitions and joint partnerships. Malaysia 
Malaysia has a well-developed, stable economy that continues to attract insurers. The GDP is growing at nearly 6%, and unemployment and inflation are relatively low. Demographics and strong economic growth have helped to develop a strong market for takaful insurance and bancassurance. In recent years, the country has undertaken wide-ranging reforms aimed at improving regulatory efficiency and opening the door to greater competition in financial services. The Malaysian insurance industry, like others in the Asia-Pacific region, is struggling with depressed investment returns, higher volatility in capital markets and increased pressure on the cost of capital. Against this business landscape, the industry appears to welcome regulatory changes. However, there are also concerns that some of these changes are diverting attention from key issues, such as improving portfolio returns and new business. Singapore
The Monetary Authority of Singapore is finalizing the risk calibration and features of the RBC framework, with implementation expected from Jan. 1, 2017. The RBC framework for insurers was first introduced in Singapore in 2004. It adopts a risk-focused approach to assessing capital adequacy and seeks to reflect most of the relevant risks that insurers face. The minimum capital prescribed under the framework serves as a buffer to absorb losses. The framework also facilitates an early intervention by the Monetary Authority of Singapore (MAS), if necessary. While the RBC framework has served the Singapore insurance industry well, MAS has embarked on a review of the framework (coined “RBC 2 review”) in light of evolving market practices and global regulatory developments. The first industry consultation was conducted in June 2012, in which the MAS proposed a number of changes and an RBC 2 roadmap for implementation. South Korea
The regulatory authority for the Korean financial services industry, the Financial Supervisory Service (FSS), introduced RBC in April 2009. In replacing the Solvency I requirement, the RBC scheme aims to strengthen the soundness and stability of the overall insurance industry. In the rapidly changing insurance market, FSS has to review the RBC regime continuously to ensure that it serves the intended purpose. This effort included some changes in 2012, such as subdividing capital classes and categorizing risk factors in accordance to the types of risks transferred to insurance companies. Moreover, FSS enhanced the RBC calculation methodology by adding reverse margin risk as part of interest rate risk in 2013 and by raising the confidence level of risk factors for insurance risk early in 2014. In light of the recent enhancements, some insurance companies’ solvency margin ratio has fallen below the FSS’s recommended ratio of 150%. As a result, these insurers have had to raise capital through alternative options such as issuing subordinated bonds. Thailand
The Office of Insurance Commission (OIC) implemented a risk-based capital (RBC) framework and gross premium valuation (GPV) regime in Thailand in September 2011. The OIC rolled out two phases of parallel tests before the actual implementation of the RBC framework to gauge the impact on insurers and to gather industry response. The solvency requirement was also increased from 125% at the initial implementation to 140%. This became effective Jan. 1, 2013, to give insurers more time to respond to the changes. In 2011, the Thai regulator granted temporary RBC exemptions and relaxed some of the restrictions. This was an effort to help local general insurers overcome financial difficulty caused by flood losses that occurred that year, as the floods coincided with implementation of the RBC framework.

Ranjit Jaswal

Ranjit Jaswal focuses on the financial services sector and has worked both in industry and as a client adviser; Jaswal leads EY's financial risk and capital management practice across Asia Pacific, which has a focus on regulation, balance sheet optimization, target operating models, governance and risk frameworks.

5 Takeaways From First Cyber Case

A ruling shows the importance of obtaining the best initial cyber policy language -- and it can be improved, often at no increase in price.

On May 11, 2015, in a case that is being widely celebrated as one of the first coverage rulings involving a “cyber” insurance policy, a federal court ruled that Travelers has no duty to defend its insured in Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, Inc., et al. Although the Travelers case does not involve cyber-specific coverage issues, the case nonetheless carries some important takeaways for insureds, insurers and many other interested spectators. Here is a brief summary of the ruling and five key takeaways:

The Facts

The insured, Federal Recovery, was in the business of providing processing, storage, transmission and other handling of electronic data for its customers, including Global Fitness. In particular, Federal Recovery agreed to process Global Fitness’s gym members’ payments under a servicing retail installment agreement. Global Fitness sued Federal Recovery, alleging that Federal Recovery wrongfully refused to return member account data to Global Fitness, including member credit card and bank account information. Global Fitness asserted claims for tortious interference, promissory estoppel, conversion, breach of contract and breach of the implied covenant of good faith and fair dealing.

The Cyber Policy

The policy at issue was a “CyberFirst” policy issued by Travelers. The policy included a technology errors and omissions liability form, which stated that Travelers “will pay those sums that [Federal Recovery] must pay as ‘damages’ because of loss ... caused by an ‘errors and omissions wrongful act’....” The key term “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.”

In addition to covering potential damages, the Travelers policy provided defense coverage, stating that Travelers “will have the right and duty to defend [Federal Recovery] against any claim or ‘suit’ seeking damages for loss to which the insurance provided under one or more of ‘your cyber liability forms’ applies.” Federal Recovery tendered the defense of the underlying Global action to Travelers, which initiated litigation seeking a declaration that it wasn't required to provide coverage. Travelers argued that it did “not have a duty to defend [Federal Recovery] against the original or amended complaints in the Global action because Global [Fitness] does not allege damages from an ‘error, omission or negligent act.’”

The Coverage Disputes: Scope of Coverage and Duty to Defend

Although Travelers involves underlying cyber-related facts and a “cyber” insurance policy, the coverage issues arising out of the facts and policy certainly are not cyber-specific. Travelers’ declaratory judgment action raises two coverage disputes concerning: (1) the scope of coverage afforded by the technology errors and omissions policy at issue, as shaped by its key “wrongful act” definition; and (2) the scope of an insurer’s duty to defend under Utah law. While arising in the context of “cyber”-related facts surrounding electronic account and payment data, and under a “cyber” insurance policy, the coverage disputes at issue in the Travelers case are precisely the types of disputes that we routinely see in the context of errors and omissions and other claims-made liability coverages.

(1) The Scope of Coverage

As to the scope of coverage, errors and omissions, D&O, professional liability and other claims-made policies, like the policy at issue in the Travelers case, typically cover “wrongful acts,” a term that typically in turn is defined as “any negligent act, error or omission,” or similar language. There are scores of cases addressing whether intentional and non-negligent acts fall within or outside the purview of a covered “wrongful act.” Unfortunately, and in contrast to other decisions, the U.S. District Court for the District of Utah in the Travelers case took a narrow view of the key language, ruling that “[t]o trigger Travelers’ duty to defend, there must be allegations in the [underlying] action that sound in negligence.” The court further found that there were “no such allegations.”

In contrast, other courts have appropriately upheld coverage for various types of intentional and non-negligent conduct under errors and omissions and other claims-made policies. As one commentator has summarized:

Claims-made policies typically afford coverage for claims by reason of any “negligent act, error or omission.” What if an insured is held liable for a non-negligent act? Most courts have held that the insured is still entitled to coverage. The strongest argument in favor of that conclusion is that (i) an “error” or “omission” encompasses more than negligent conduct, and (ii) if only negligent errors and negligent omissions were covered, the “error or omission” language would be rendered redundant.

To the extent some may wish to reference other cases addressing cyber-related fact patterns, those cases exist. For example, in 1995, the Supreme Judicial Court of Massachusetts in USM Corp. v. First State Ins. Co. upheld coverage under an errors and omissions policy for a breach of express warranty claim involving the insured’s failure to develop and deliver a turnkey computer system that would perform certain functional specifications. The errors and omissions policy at issue in the USM case, similar to the policy at issue in the Travelers case, covered claims against the insured “by reason of any negligent act, error or omission.” Also, the insurers in USM, like the insurers in Travelers, argued that the policy only covered the insured for negligent acts. The USM court rejected the insurers’ arguments, noting that courts have not limited coverage under errors and omissions policies to circumstances involving negligence:

Other courts have not limited liability under “errors and omissions” policies to circumstances involving negligence but have recognized certain non-negligent errors as being within the coverage afforded. Cases involving the words such as “negligent act, error or omission” (the crucial language of the policies before us) have not consistently determined that an error must be a negligent one if coverage is to be available. *** Because some, but not all, judicial opinions have rejected the interpretation of errors and omissions policies for which the insurers contend, if it was the insurers’ intention, the crucial words of the policy should have been amended to eliminate the ambiguity and to make clear that coverage extended only to negligent errors. Potential policyholders could then have more accurately determined whether such coverage met their needs. Because of the uncertainty about the scope of the word “error,” the insurers as authors of the policies must suffer the consequences of the ambiguity.

The New York Appellate Division’s decision in Volney Residence, Inc. v. Atlantic Mut. Ins. Co. is likewise instructive. In that case, the Appellate Division held that the insurer had a duty to defend a federal RICO action in which the insured defendants “were alleged intentionally to have committed acts of self-dealing and fraud.” Applying well-established rules of contract interpretation, the court ruled that there was a duty to defend:

The policy provision in question covers claims arising from “a negligent act, error or omission,” which term is defined as “any negligent act, error or omission or breach of duty of [the] directors or officers while acting in their capacity as such.” The definition is susceptible of more than one meaning and can be understood to cover any breach of duty of the directors or officers, not exclusively negligent breaches of duty. Ambiguities in an insurance policy are to be resolved against the insurer.

Other cases are to the same effect.

(2) Scope of the Duty to Defend

Turning to the separate issue of the duty to defend, it is well established that the duty to defend is very broad—broader than the duty to indemnify. The duty to defend is typically triggered if there is some potential for coverage, and, in many jurisdictions, it is appropriate to look outside the facts pled in the underlying complaint to determine whether there is a duty to defend. Again, unfortunately, the court in the Travelers case took a narrow view of the insurer’s duty to defend. Even assuming for the sake of argument that the policy covered only negligence, the underlying complaint alleged, among other things, that Federal Recovery “retained possession of member accounts data, including the billing data, which was the property of Global Fitness ....” Allegations surrounding improper retention of data, even if that retention ultimately was wrongful or not legally justifiable, clearly may arise out of negligence as opposed to intentional conduct.

Travelers Takeaways

Putting aside the ultimate merits of the court’s ruling, and whether this case addresses any coverage issues that are appropriately characterized as “cyber” issues, Travelers offers at least five key takeaways:

First, Travelers illustrates that decisions involving cyber insurance policies are coming and, considering all of the attention and buzz surrounding an otherwise seemingly mundane errors and omissions case, insureds and insurers alike are anxiously awaiting and anticipating the guidance those decisions may provide.

Second, Travelers underscores that the types of coverage disputes that we will see arise out of cyber-related facts, and under cyber insurance policies, often will involve, or at least will intertwine with, the types of disputes that routinely arise in connection with traditional insurance coverages, including errors and omissions coverage and general liability coverage. This is useful for insureds to appreciate toward the goal of being prepared for future potential coverage disputes under cyber policies.

Third, Travelers underscores the importance of securing a favorable choice of forum and choice of law in insurance coverage disputes. Until the governing law applicable to an insurance contract—cyber or otherwise—is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper.

Fourth, although its label as a first cyber case is debatable, Travelers at a minimum has spotlighted the approaching disputes under cyber liability policies, which should remind insureds of the need to be prepared for, in addition to the traditional types of coverage issues and disputes that can arise under those policies, the potential cyber-specific coverage issues and disputes that may arise, such as the scope of coverage for “cloud”-related exposures.

Fifth, Travelers illustrates the importance of obtaining the best possible cyber policy language at the initial coverage placement and renewal stage. Unlike some types of traditional insurance policies, cyber policies are extremely negotiable, and the insurer’s off-the-shelf language can often be significantly negotiated and improved—often for no increase in premium. It is important for the insured to understand its unique potential risk profile and exposure—and what to ask for from the insurer. Often in coverage disputes, the issue of coverage comes down to a few words, the sequence of a few words or even the position of a comma or other punctuation. It is important to get the policy language right before a dispute.

And while the Travelers case addresses coverage issues that are not cyber-specific, the fundamentals of successfully pursuing coverage under traditional insurance coverage are important to keep in mind as we enter a time and space in which coverage disputes based on underlying cyber-related factual scenarios, and under specialized cyber insurance coverages, are poised to become commonplace.

Unstructured Data: New Cyber Worry

Many companies are just starting to come to grips with the challenge of how to categorize and manage the deluge of unstructured data.

Companies are generating mountains of unstructured data and, in doing so, unwittingly adding to their security exposure. Unstructured data is any piece of information that doesn’t get stored in a database or some other formal data management system. Some 80% of business data is said to be unstructured, and that percentage has to be rising. Think of it as employee-generated business information—the sum total of human ingenuity that we display in the workplace, typing away on productivity and collaboration software and dispersing our pearls of wisdom in digital communications.

Unstructured data is all of the data that we are generating on our laptops and mobile devices, storing in cloud services, transferring in email and text messages and pitching into social media sites. Many companies are just starting to come to grips with the complex challenge of figuring out how to categorize and manage this deluge of unstructured data.

Sensitive data at risk

But what’s more concerning is the gaping security exposure. It was unstructured data—in the form of a text message transcript of employees conversing about deflating footballs—that blindsided the New England Patriots NFL team and its star quarterback, Tom Brady. Yet the full scope of risk created by unstructured data is much more profound.

“The risk that unstructured data poses dwarfs that of any other type of data,” says Adam Laub, product management vice president at STEALTHbits Technologies. “It is the least understood form of data in terms of access, activity, ownership and content.”

STEALTHbits helps companies that use Windows Active Directory identify and keep more detailed track of shared files that hold unstructured data. That may sound basic. Yet the fact that STEALTHbits is part of a thriving cottage industry of technology vendors helping organizations get a grip on unstructured data is truly a sign of the times.

I met with Laub as he was pitching STEALTHbits’ technology at the recent RSA Conference in San Francisco. “Any single file can contain the data that puts an organization in the headlines, and turning a blind eye to the problem or claiming it’s too big to handle is not a valid excuse for why unstructured data hasn’t been secured properly,” Laub says.

A decade and a half has elapsed since the Y2K scare. During that period, business networks have advanced and morphed and now tie extensively into the Internet cloud and mobile devices.

Time to close loophole

Along the way, no one had the foresight to champion a standard architecture to keep track of—much less manage and secure—unstructured data, which continues to grow by leaps and bounds. Criminals certainly recognize the opportunity for mischief that has resulted. It’s difficult to guard the cream when the cream can be accessed from endless digital paths.

Just ask Morgan Stanley. Earlier this year, a low-ranking Morgan Stanley financial adviser pilfered, then posted for sale, account records, including passwords, for 6 million clients. The employee was fired and is being investigated by the FBI. But Morgan Stanley has to deal with the hit to its reputation.

“The urgency is that your information is under attack today,” says Ronald Arden, vice president at Fasoo USA, a data management technology vendor. “Somebody is trying to steal your most important information, and it doesn’t matter if you’re a small company that makes widgets for the oil and gas industry or you’re Bank of America.”

Fasoo’s technology encrypts any newly generated data that could be sensitive and fosters a process for classifying which types of unstructured data should routinely be locked down, Arden told me.

Technology solutions, of course, are only as effective as the people and processes in place behind them. It is incumbent upon executives, managers and employees to help make security part and parcel of the core business mission. Those that don’t do this will continue to be easy targets.

Steps forward

Simple first steps include identifying where sensitive data exists. This should lead to clarity about data ownership and better choices about granting access to sensitive data, says STEALTHbits’ Laub. This can pave the way to more formal “Data Access Governance” programs, in which data access activities are monitored and user behaviors are baselined. “This will go a long way towards enabling security personnel to focus on the events and activities that matter most,” says Laub.

Smaller organizations may have to move much more quickly and efficiently. Taking stock of the most sensitive information in a small or mid-sized organization is doable, says Fasoo’s Arden.

“If you are a manufacturing company, the intellectual property around your designs and processes are the most critical pieces of information in your business, if you are a financial company it’s your customer records,” Arden says. “Think about securing that information with layers of encryption and security policies to guarantee that that information cannot leave your company.”

Some unstructured business data is benign and may not need to be locked down. “If I write you a memo that says, ‘We’re having a party tonight,’ that’s not a critical piece of information,” says Arden. “But a financial report or intellectual property or something related to healthcare or privacy, that’s probably something that you need to start thinking about locking down.”

100 Ideas That Changed Insurance

Because insurers constantly adapt to technology to preserve customers' assets, there are dozens of ideas that changed insurance.

Recently, I bought a copy of Time magazine’s publication, TIME 100 Ideas That Changed the World: History’s Greatest Breakthroughs, Inventions and Theories, in an airport book store while on a business trip. It was certainly a compact and interesting read, highlighting amazing innovations that we now accept as the norm of human existence on Planet Earth, from the discovery of germs to the foundation of a seven-day week to the building of the World Wide Web. I was amazed as I read through it and was reminded of how human existence since the beginning of recorded history has been truly shaped through ideas turned into game-changing innovation results.

The purpose of this blog is not to get philosophical about our evolution as humans but, rather, to relate it to the world we live in every day: insurance. So of course, after I paged through the Time book, my wheels started spinning around the 100 ideas that have changed insurance – and I started to reflect on how we as an industry got to where we are today.

The history of innovation in insurance has largely been shaped by advances made in technology external to the industry. As markets, businesses and consumers start to access better ways of doing business, insurance companies adjust to meet those demands. The same can be said for many other industries. But insurance is unique because its very core concept is to protect our customers’ assets from loss and mitigate risks. So, inherently, the insurance industry will always adapt in some form to technology changes to assist the customer. That is what we do every day – we adapt – though some days we don’t necessarily remind ourselves of the core mission.

I started to ask myself, if we had to make a list, what would be the 100 ideas that changed insurance? I think it would be too hard to classify, in terms of the entire evolution of our ecosystem, because the last 100 years have changed so much.

So let’s just focus on the last 40 years from a technology perspective: mainframes ... client servers ... personal computers ... development of core systems and automated business processes ... data processing to information systems ... typewriters to the fax machine, copiers, printers, scanners and even email ... our world on the World Wide Web ... mobile phones ... web applications ... smart phones ... big data ... telematics and even some of the emerging technologies like Internet of Things, wearable devices, artificial intelligence, semantic technologies and even drones and aerial imagery. The list of maturing and emerging technologies does just go on and on. It might be hard to pare it down to just 100 ideas, even by looking at just technology.

The point is, when we talk of ideation and innovation, sometimes we forget to reflect on where we have been. Forty years ago, if someone described writing a blog for you that you could read on your mobile device, you may have seriously questioned their sanity. Today, it is commonplace.

As we move rapidly through 2015 – look at plans; take the time to reflect on successes; take the time to reflect on where we truly have been. Sometimes these reflections are the seeds of new ideas, new ways of doing business and new ways to gain an edge. Just think, for every great solution out there, there is a better one possible. Innovation should be inspiring our work, and I am excited to see where it leads us.

Catastrophe Models Allow Breakthroughs

This article is the last in a series on how the evolution of catastrophe models provides a foundation for much-needed innovation in insurance.

“In business there are two ways to make money; you can bundle or you can unbundle.” –Jim Barksdale

We have spent a series of articles introducing catastrophe models and describing the remarkable benefits they have provided the P&C industry since their introduction (article 1, article 2, article 3, article 4). CAT models have enabled the industry to pull the shroud off of quantifying catastrophic risk and finally given (re)insurers the ability to price and manage their exposure to the violent and unpredictable effects of large-scale natural and man-made events. In addition, while not a panacea, the models have leveled the playing field between insurers and reinsurers. Via the use of the models, insurers have more insight than ever before into their exposures and the pricing mechanics behind catastrophic risk. As a result, they can now negotiate terms with confidence, whereas prior to the advent of the models and other similar tools, reinsurers had the upper hand with information and research. We also contend that CAT models are the predominant cause of the reinsurance soft market via the entry of alternative capital from the capital markets.

And yet, with all the value that CAT models have unleashed, we still have a collective sour taste in our mouths as to how these invaluable tools have benefited consumers, the ones who ultimately make the purchasing decisions and, thus, justify the industry’s very existence. There are, in fact, now ways to benefit customers by, for instance, bundling earthquake coverage with homeowners insurance in California and helping companies deal with hidden volatility in their supply chains. First, some background:

Bundling Risks

Any definition of insurance usually addresses the concept of risk transfer: the mechanism that ensures full or partial financial compensation for the loss or damage caused by event(s) beyond the control of the insured. In addition, the law of large numbers applies: the principle that the average of a large number of independent identically distributed random variables tends to fall close to the expected value. This result can be used to show that the entry of additional risks to an insured pool tends to reduce the variation of the average loss per policyholder around the expected value. When each policyholder’s contribution to the pool’s resources exceeds the expected loss payment, the entry of additional policyholders reduces the probability that the pool’s resources will be insufficient to pay all claims. Thus, an increase in the number of policyholders strengthens the insurance by reducing the probability that the pool will fail.

Our collective experiences in this world are risky, and we humans have consistently desired the ability to shed the financial consequences of risk to third parties. Insurance companies exist by using their large capital base, relying on the law of large numbers, but, perhaps most importantly, leveraging the concept of spread of risk, the selling of insurance in multiple areas to multiple policyholders to minimize the danger that all policyholders will experience losses simultaneously.

Take the peril of earthquake. In California, 85% to 90% of all homeowners do NOT maintain earthquake coverage even though earthquake is the predominant peril in that state. (Traditional homeowners policies exclude earth movement as a covered peril). News articles point to the price of the coverage as the limiting factor, and that makes sense because of that peril’s natural volatility. Or does it make sense? Is the cost of losses from earthquakes in California considerably different than, say, losses from hurricanes in Florida, in which the wind peril is typically included in most homeowners insurance forms? Earthquakes are a lot more localized than hurricanes, but the loss severity can also be more pronounced in those localized regions. Hurricanes that strike Florida can be expected with higher frequency than large damage-causing earthquakes that shake California. In the final analysis, the average projected loss costs are similar between the two perils, but one has nearly a 100% take-up rate vs. the other at roughly 10%. But why is that so? The answer lies in the law of large numbers, or in this case the lack thereof.

Rewind the clock to the 1940s. If you were a homeowner then, the property insurance world looked very different than it does today. As a homeowner back then, you would virtually need to purchase separate policies for each peril sought: a fire, theft and liability policy and then a windstorm policy to adequately cover your home. The thought of packaging those perils into one convenient, comprehensive policy was thought to be cost-prohibitive. History has proven otherwise.

The bundling of perils creates a margin of safety from a P&C insurer’s perspective. Take two property insurers who offer fire coverage. Company A offers monoline fire, whereas Company B packages fire as part of a comprehensive homeowners policy. If both companies use identical pricing models, then Company B can actually charge less for fire protection than Company A simply because the additional premium from Company B affords peril diversification. Company B has the luxury of using premiums from other perils to help offset losses, whereas Company A is stuck with only its single-source fire premium and, thus, must make allowances in its pricing that it could be wrong. At the same time, Company B must also make allowances in the event its pricing is wrong, but can apply smaller allowances because of the built-in safety margin.

This brings us back to the models. It is easy to see why earthquake and other perils, such as flood, were excluded from homeowners policies in the past.
Without models, it was nearly impossible to estimate future losses with any sort of reliable precision, leaving insurers unable to collect enough premium to compensate for the inevitable catastrophic event. Enter the National Flood Insurance Program (NFIP), which stepped in to offer flood coverage but never fundamentally approached it from a sound underwriting perspective. Instead, in an effort to make the coverage affordable to the masses, the NFIP severely underpriced its only product and is now tens of billions of dollars in the red. Other insurers bravely offered the earthquake peril via endorsement and were devastated after the Northridge earthquake in 1994. In both cases, various market circumstances, including the lack of adequate modeling capabilities, contributed to underpricing and adverse risk selection as the most risk-prone homeowners gobbled up the cheap coverage.

Old legacies die hard, but models stand ready to help responsibly underwrite and manage catastrophic risk, even when the availability of windstorm, earthquake and flood insurance has been traditionally limited and expensive. The next wave of P&C industry innovation will come from imaginative and enterprising companies that use CAT models to economically bundle risks designed to lower the costs to consumers. We view a future where more CAT risk will be bundled into traditional products. As they continue to improve, CAT models will afford the industry the confidence needed to include earthquake and flood cover for all property lines at full limits and with flexible, lower deductibles. In the future, earthquake and flood hazards will be standard covered perils in traditional property forms, and the industry will one day look back from a product standpoint and wonder why it had not evolved sooner.

Unbundling Risks

Insurance policies as contracts can be clumsy in handling complicated exposures. For example, insurers have the hardest time handling supply chain and contingent business interruption exposures, and rightly so. Because of globalization and extreme competition, multinational companies are continuously seeking value in the inputs for their products. A widget in a product can be produced in China one year, the Philippines the next, Thailand the following year and so on. It is time-consuming and resource intensive to keep track of not only how much of a company’s widgets are manufactured, but also what risks exist surrounding the manufacturing plant that could interrupt production or delivery. We would be hard-pressed to blame underwriters for wanting to exclude or significantly sublimit exposures related to supply chain or business interruption; after all, underwriters have enough difficulty just to manage the actual property exposures inherent in these types of risks.

It is precisely this type of opportunity that makes sense for the industry to create specialized programs. Unbundle the exposure from the remainder of the policy and treat it as a separate exposure with dedicated resources to analyze, price and manage the risk.

Take a U.S. semiconductor manufacturer with supply exposure in Southeast Asia. As was the case with the 2011 Thailand floods or the 2011 Tohoku earthquake and tsunami, this hypothetical manufacturer is likely exposed to supply chain risks of which it is unaware. It is also likely that the property insurance policy meant to indemnify the manufacturer for covered losses in its supply chain will fall short of expectations. An enterprising underwriter could carve out this exposure and transfer it to a new form. In that form, the underwriter can work with the manufacturer to clarify policy wording, liberalize coverage, simplify claims adjusting and provide needed additional capacity. As a result, the manufacturer gets a risk transfer mechanism that more precisely aligns with the balance-sheet-affecting risks it is exposed to. The insurer gets a new line of business that can provide a significant source of new revenue using tools such as CAT models and other analytics to price and manage those specific risks. By applying some ingenuity, the situation can be a win/win all around.

What if you are a manufacturer or importer and rely on the Port of Los Angeles or Miami International Airport (or any other major international port) to transport your goods in and out of markets? This is another area where commercial policies handle business exposure poorly, or not even at all. CAT models stand ready to provide the analytics required to transfer the risks of these choke points from business balance sheets to insurers. All that is required is vision to recognize the opportunity and the sense to use the toolsets now available to invent solutions rather than relying on legacy groupthink.

At the end of the day, the next wave of innovation will not come directly from models or analytics. While the models and analytics will continue to improve, real innovation will come from creative individuals who recognize the risks that are causing market discomfort and then use these wonderful tools to build products and programs that transfer those risks more effectively than ever. Those same individuals will understand that the insured comes first, and that rather than retrofitting dated products to suit a modern-day business problem, the advent of new products and services is an absolute necessity to maintain the industry’s relevance. The only limiting factor preventing true innovation in property insurance is imagination and a willingness to no longer cling to the past.