Insurance regulation has traditionally been the near-exclusive province of the states, a right jealously guarded by the states and secured by Congress in 1945 after the Supreme Court ruled insurance could be regulated by the federal government under the Commerce Clause of the Constitution.

Any fear that the FIO report would call for an end to state regulation proved unfounded, but industry members might be well-advised to prepare for the eventualities that may result as the FIO uses both the soft power of the bully pulpit and the harder power of the federal government to achieve its aims. As the designated U.S. insurance representative in international forums that more and more mold financial services regulation, and as an arbiter of standards that could be imposed on the states, the FIO and this report should not be ignored.

Having met with the FIO’s leadership team, we believe there are concerns that uniformity at the state level cannot be achieved without federal involvement. We further believe the FIO plans to work to translate its potential into an actual impact in the near future, making a clear-eyed understanding of the report and what it may herald for insurers a prudent and necessary step in regulatory risk management.

Insurers’ numerous intricate reinsurance contracts and special pool arrangements, countless policies and arrays of transactions create a massive risk of having unintended exposure. The inability to ensure that each insured risk has the appropriate reinsurance program associated with it is a recipe for disaster.

Having disjointed systems—a combination of policy administration system (PAS) and spreadsheets, for example—or having systems working in silos are sure ways of having risks fall through the cracks. The question is not if it will happen but when and by how much.

• Cession treaties and facultative management
• Claims and events management
• Policy management
• Technical accounting (billing)
• Bordereaux/statements
• Internal retrocession
• Assumed and retrocession operations
• Financial accounting
• AP/AR
• Regulatory reporting
• Statistical reports
• Business intelligence

The study should at least contain the following:

• A detailed report on the company’s current reinsurance management processes.
• A determination of potential gaps between the carrier reinsurance processes and the target solution.
• A list of contracts and financial data required for going live.
• Specifications for the interfaces.
• Definitions of the data conversion and migration strategy.
• Reporting requirements and strategy.
• Detailed project planning and identification of potential risks.
• Repository requirements.
• Assessment and revision of overall project costs.

• General introduction and description of project objectives and stakeholders
• What’s in and out of scope

• Cession requirements
• Assumed and retrocession requirements

• Interfaces/hardware and software requirements

The transition into your first risk management job can be difficult. Whether your boss promotes you into your first risk management job or hires you from another organization, you want to excel at your new position over the long haul. In part, that means avoiding mistakes. We often learn our best lessons when we fail, but some mistakes can seriously hurt your risk management program, harm your reputation or even derail your career. Here are 10 mistakes you can avoid.

1. Don’t rush in with all the answers. You may arrive wanting to form your own alliances and acquire your own team, but avoid making hasty decisions. Give current employees a chance to prove themselves before you transfer them or hire your own team. The same applies to vendor relationships. You can lose a great deal of knowledge about loss history and coverage negotiation if you immediately decide to switch insurance brokers. “Changing brokers can be a great way to create significant coverage gaps or an errors and omissions claim for your friend the new broker,” according to one Atlanta broker. Some vendor alliances, such as relationships with contractors and body shops, may be long-standing, especially in a small town. Rushing in and making changes can cause big ripples in a little pond.
2. Don’t try to do everything at once. In my teens, I read a book called Ringolevio, about a kid named Emmett Groan growing up in the streets of New York City. One of his compatriots frequently warned Emmett when he was about to rush headlong into a decision, “Take it easy, greasy, you’ve got a long way to slide.” I found that advice very applicable in risk management. If you inherit a big job, you will be faced with hundreds of decisions, some big, some small. Take your time. While you may feel overwhelmed at first, chip away at the organization’s most pressing problems. Put out fires as they arise. Then schedule time for you and your advisers — your brokers, your attorneys, your actuaries and your managers – to develop sound strategies and plans.
3. Don’t use a shotgun, use a rifle. If the organization is experiencing too many injuries, for example, don’t jump to an obvious solution like using more personal protective equipment. Talk with front-line supervisors, study historical loss data and consider several options before you throw money at a problem. Once in the door, interview employees, talk with other managers, meet with your vendors and set a few important priorities for your first six months in the job. Using a rifle approach means you’ll have to say “No” to some people. This can cause problems. When possible, explain why you’re declining to act on the problems or the specific issues others may present to you. The more transparently you operate, the less criticism you will face. Openness reduces speculation and helps avoid resentment.
4. Don’t job hop. Most people can be very ambitious early in their careers. Yet too much ambition can hurt your career. Think long and hard before changing jobs. Bad bosses rarely outlast their employees. Deciding to change jobs because of a conflict with a supervisor is often short-sighted. The grass might seem greener on the other side, but sometimes that’s because of a septic tank (to paraphrase a famous comedian). These questions may help you avoid rash decisions.
   • Am I making the change solely to earn more money or for a more prestigious title? If so, will this change “pay for” what I will lose?
   • Am I making the change because I’m feeling unchallenged or bored? If so, what steps can I take to make my current job more challenging? For example, would becoming more active in a trade association, offering expertise to a local nonprofit or mentoring an up-and-coming risk management professional add challenge and interest?
   • How will this affect my retirement financially? Will I be changing retirement systems, or will I lose significant bonuses or vacation because of the change? Always factor those figures into the salary decision. This question becomes more important as retirement age nears.
   • How will this change affect my family and my coworkers? Our coworkers can turn even a challenging job into an appealing one. Do you really want to leave your coworkers? As for family, what ages are your children? Disrupting school-aged children can have negative, long-term consequences.
   • What are the odds I will regret this decision? Go ahead, we’re numbers people. Put a percentage to your decision, then ask yourself if you’re really ready to take that gamble.

   It takes months to settle into a new job. It’s often a year or more before we feel comfortable. Some studies show that many people who change jobs would have done much better if they had stayed put longer. Change for the sake of change frequently is not positive.

5. Don’t entertain gossip about your predecessors. Some at your new organization may try to build an alliance with you at the expense of your predecessor. Short-circuit these conversations whenever possible. Tactfully turn the conversation to another subject or excuse yourself from the conversation. Try not to make an enemy of the person who is trying to get into your good graces.
6. Don’t revisit your predecessor’s decisions. Especially when working with unions, you may find people lined up at your door asking you to revisit your predecessor’s judgments. Unless your predecessor’s conclusions hurt your overall program, don’t rush into undoing the decisions and the work he or she completed. You may not be operating under the same set of facts or with the same long-term vision that the former risk manager had at his or her disposal.
7. Don’t believe your own PR. Never pretend you know more than you know, and don’t start believing your own “press.” While others may soon invite you to participate on panels and present at conferences, remain humble and teachable. It’s terribly painful to learn humility through humiliation.
8. Don’t fail to communicate. A lack of communication is one of the most damaging mistakes a risk manager can make. A risk manager must have the ear of employees across the organization, from line supervisors to senior management. According to Don Donaldson, president of LA Group, a Texas-based risk management consulting group, “A risk manager needs to be an excellent communicator and facilitate his or her message across the entire organization. In my mind, that requires getting out of the office and pressing the flesh; seeing and being seen and listening, really listening, to determine what is going on in the organization.” Management by walking around is one strong tool in a new risk manager’s tool bag. Once people see that you’re willing to leave your office to discover what is happening, whether it’s on the shop floor or on the sewer line, they’ll more readily accept your expertise and counsel.
9. Don’t get discouraged. “New risk managers may make the mistake of thinking that risk management is as important to others in the organization as it is to them,” according to Harriette J. Leibovitz, a senior insurance business analyst with Yodil. “It takes time, and more time for some than others, to figure out that you're more than an irritation to the folks who believe they drive all the revenue.” Over time, you will prove your value to the organization many times over. Until that day, quietly do your job and find encouragement from your risk management peers.
10. Don’t forget to laugh. You will be privy to the peculiarities of human nature both at its finest and at its worst, so don’t forget to find the lighter side of situations when you can. A robust sense of humor will help you through the rough spots and build bonds with your coworkers.

While these are just a few tips to help you in your new role as a risk manager, your peers probably can offer many more ways to ensure success. Over my career in risk management, I have found my fellow risk management professionals to be some of the most generous people in my life, always willing to share their expertise and provide me with a helping hand. Develop and lean on your network. If this is your first job as a risk manager, you’re in for a wonderful experience. Take time along the way to enjoy the experiences, appreciate the great people you will meet and appreciate the lighter side of risk management.

With annual reporting season underway, C-suite executives wake to another day and another data breach. Target, Michael’s, Snapchat, Facebook, Twitter, Adobe -- the list goes on and on. By now, all companies should appreciate that, notwithstanding the most robust and sophisticated network security, any company is a vulnerable next “Target” for a serious cybersecurity incident. Consequences typically include negative publicity, reputational damage that hurts customer and investor confidence, lost market capitalization, claims and legal disputes, regulatory investigations -- and falling stock prices. In the wake of its high-profile data breach, Target’s directors and officers were hit on Jan. 29, 2014, with a shareholder derivative action alleging that “Target shares were trading above $63.50 on Dec. 18, 2013, before the news of the data breach and have fallen over 10.5% to $57.60” and that “Target … has suffered considerable damage from breach.”¹

In view of the recent high-profile data breaches, and the pervasiveness of cybersecurity incidents in general, companies are well-advised to consider whether their current cybersecurity risk factor disclosures are adequate. Proper attention to cybersecurity risk factor disclosures may assist a company in avoiding a Securities and Exchange Commission (SEC) comment letter. Even more importantly, proper attention to cybersecurity risk factor disclosures may decrease the likelihood that a company will face securities class action litigation and shareholder derivative litigation in the wake of a cybersecurity incident that hurts the company’s stock price -- or, at a minimum, may mitigate a company’s potential exposure in the event of such litigation.

The Form 10-Ks that public companies are preparing to file in the coming weeks present a significant opportunity for companies to review and strengthen their cybersecurity risk factor disclosures. Below are five tips that companies may wish to consider in reviewing the adequacy of their existing cybersecurity disclosures:

SEC Disclosure Guidance

By way of background, companies must keep in mind that, although existing disclosure requirements do not (yet) expressly reference “cybersecurity,” the SEC’s Division of Corporation Finance (SEC staff) has emphasized the importance of appropriate cybersecurity disclosures. In the wake of what it termed “more frequent and severe cyber incidents,” the SEC issued cybersecurity disclosure guidance,² which advises companies to review, on a continuing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.³

While acknowledging that no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, the SEC’s guidance stresses that existing requirements oblige companies to make appropriate cybersecurity disclosures. 

SEC Chairwoman Mary Jo White reaffirmed a company’s current cybersecurity disclosure obligations in response to an April 9, 2013, letter received from Senate Commerce Chairman Jay Rockefeller.⁴ In his letter, Chairman Rockefeller urged the SEC to “elevate [its] guidance,” noting that “investors deserve to know whether companies are effectively addressing their cybersecurity risks.” In response, Chairwoman White emphasized that “[e]xisting disclosure requirements … impose an obligation on public companies to disclose risks and events that a reasonable investor would consider material” and that “cybersecurity risks are among the factors a public company would consider in evaluating its disclosure obligations.”⁵ Chairwoman White also highlighted that cybersecurity risk “is a very important issue that is of increasing concern” and stated that the SEC “continues both to prioritize this important matter in its review of public company disclosures and to issue comments concerning cybersecurity.”

In its guidance, the SEC staff advises companies to disclose cybersecurity risks consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, such that the disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the company. The guidance proceeds to advise that appropriate disclosures may include the following:

• Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
• To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
• Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
• Risks related to cyber incidents that may remain undetected for an extended period; and
• Description of relevant insurance coverage.⁶

Although the guidance does not add cybersecurity disclosure obligations, it is abundantly clear that failure to make adequate cybersecurity disclosures may subject a company to increased risk of enforcement actions and shareholder suits in the wake of a cybersecurity incident that hurts a company’s stock price.

The Five Tips

The following five tips may assist companies in reviewing the adequacy of their existing cybersecurity disclosures based on the SEC’s disclosure guidance as well as comments issued to approximately 55 companies over the last two years.

1. Perform a cybersecurity risk asssessment. The SEC staff states in its guidance that it expects companies to evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents as well as the adequacy of preventive actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware. To facilitate adequate disclosures, companies should consider engaging in a thorough assessment concerning their current cybersecurity risk profile and the impact that a cybersecurity breach may have on the company’s business. In addition to positioning the company to provide adequate cybersecurity risk factor disclosures, the undertaking of a risk assessment is consistent with the National Institute of Standards and Technology’s recently released Preliminary Cybersecurity Framework.⁷ At a high level, it provides a framework for critical infrastructure organizations to achieve a grasp on their current cybersecurity risk profile and risk management practices and to identify gaps that should be addressed to progress toward a desired “target” state of cybersecurity risk management.⁸ Although the Cybersecurity Framework is voluntary, organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the Cybersecurity Framework provides a de facto standard for cybersecurity and risk management.

2. Consider disclosing prior -- and potential -- breaches. To the extent a company or one of its subsidiaries has suffered a reported or known cybersecurity event, the company should anticipate that the SEC may issue a comment letter if the event is not disclosed. The following comments are typical of what a company might expect to see: 

• We note that [your subsidiary] announced on its website that a cyber attack occurred during which millions of user accounts were compromised. Please tell us what consideration you gave to including expanded disclosure consistent with the guidance provided by the Division of Corporation Finance's Disclosure Guidance Topic No. 2.
• We have read several reports of various cyber attacks directed at the company. If, in fact, you have experienced cyber attacks, security breaches or other similar events in the past, please state that fact to provide the proper context for your risk-factor disclosure. 

​Notably, the guidance states that appropriate disclosures may include a description of cybersecurity incidents that are material individually or in the aggregate. And the comments issued to date indicate that where a company states that it has not been the victim of a material cybersecurity event, the SEC nonetheless has requested that the company’s risk-factor disclosure be expanded to state generally that the company has been the victim of hacking -- regardless of the fact that prior events were immaterial. A few of the SEC comments to date include (in summary form):

• We note your response that the incident did not have a material impact on the company’s business. To place the risks described in this risk factor in appropriate context, in future filings please expand this risk factor to disclose that you have experienced cyber attacks and breaches.
• You state that you have not experienced a material breach of cybersecurity. Your response does not appear to address whether you are experiencing any potential current business risks concerning cybersecurity. For example, despite the fact you believe you have not experienced a material breach of your cybersecurity, are you currently experiencing attacks or threats to your systems? If you have experienced attacks in the past, please expand your risk factor in the future to state that.
• We note that your response suggests that you have, in fact, experienced third-party breaches of your computer systems that did not have a material adverse effect on the company’s operations. To place the risks described in your current risk factor in appropriate context, in future filings please expand your disclosure to state that you have experienced cyber attacks and breaches.

​In addition, the SEC’s guidance advises that companies may need to disclose known or threatened cyber incidents together with known and potential costs and other consequences. Companies in targeted industries that have not yet suffered a cybersecurity incident (or are not yet aware that they have suffered an incident) should consider disclosing how the company might be affected by a cybersecurity incident -- even if no specific threat has been made against the company. Below are sample summary comments received by companies based on their particular industry or peer disclosures:

• We note press reports that hotels and resorts are increasingly becoming a target of cyber attacks. Please provide risk -actor disclosure describing the cybersecurity risks that you face. If you have experienced any cyber attacks in the past, please state that fact in the new risk factor to provide the proper context.
• Given that other companies in your industry have actually encountered such risks from cyber attacks, such as attempts by third parties to gain access to your systems for purposes of acquiring your confidential information or intellectual property, including personally identifiable information that may be in your possession, or to interrupt your systems or otherwise try to cause harm to your business and operations and have disclosed that such risks may be material to their business and operations, please tell us what consideration you gave to including disclosure related to cybersecurity risks or cyber incidents.
• We note that the incidences of cyber attacks, including upon financial institution or their service providers, have increased over the past year. In future filings, please provide risk-factor disclosure describing the cybersecurity risks that you face. In addition, please tell us whether you have experienced cyber attacks in the past. If so, please also disclose that you have experienced such cyber attacks to provide the proper context for your risk-factor disclosure.

3. Be specific. The SEC staff has advised that companies should avoid boilerplate language and vague statements of general applicability. In particular, the guidance states that companies should not present risks that could apply to any issuer or any offering and should avoid generic risk-factor disclosure. In addition, the guidance states that companies should provide disclosure tailored to their particular circumstances and avoid generic boilerplate disclosure. Companies that offer generally applicable statements may expect to receive comments such as the following:

• You state that, “Like other companies, our information technology systems may be vulnerable to a variety of interruptions, as a result of updating our SAP platform or due to events beyond our control, including, but not limited to, natural disasters, terrorist attacks, telecommunications failures, computer viruses, hackers and other security issues.” Please tell us whether any such events relating to your cybersecurity have occurred in the past and, if so, whether disclosure of that fact would provide the proper context for your risk-factor disclosure.
• We note that you disclose that you may be vulnerable to breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events. Please tell us whether you have experienced any breaches, hacker attacks, unauthorized access and misuse, computer viruses and other cybersecurity risks and events in the past and, if so, whether disclosure of that fact would provide the proper context for your risk-factor disclosures. 

​4. Remember that a vulnerability “road map” is not required. Although the SEC seeks disclosures that are sufficient to allow investors to appreciate the nature of the risks faced by a company, it has made clear that the SEC does not seek information that would create a road map or otherwise compromise a company’s cybersecurity. At the outset of its guidance, the SEC staff states that it is mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts -- for example, by providing a “road map” for those who seek to infiltrate a company’s network security -- and that disclosures of that nature are not required under the federal securities laws. The SEC guidance later reiterates that the federal securities laws do not require disclosure that itself would compromise a company’s cybersecurity.

5. Consider insurance. Network security alone cannot entirely address the issue of cybersecurity risk; no firewall is unbreachable, and no security system is impenetrable. Insurance can play a vital role in a company’s overall strategy to address, mitigate and maximize protection against cybersecurity risk. Reflecting this reality, the SEC guidance advises that appropriate disclosures may include a description of relevant insurance coverage that a company has in place to cover cybersecurity risks. The SEC’s guidance provides another compelling reason for companies to carefully evaluate their current insurance program and consider purchasing cyber and data privacy-related insurance products, which can be extremely valuable.⁹ In the wake of a data breach such as at Target, for example, a solid cyber insurance policy may cover not only liability arising out of potential litigation, such as defense costs, settlements and judgments, but also breach-notification costs and other “crisis management” expenses, including forensic investigation, credit monitoring, call centers and public relations efforts, as well as potential regulatory investigations, fines and penalties. Recent SEC comments have requested information regarding both whether the company has obtained relevant insurance coverage as well as the amount of the company’s cyber liability insurance.

Considering these five tips may assist companies in minimalizing the likelihood of receiving an SEC comment letter (and possibly multiple rounds of comments) and, even more importantly, the likelihood of lawsuits alleging inadequate disclosure in the event of a cybersecurity incident.

¹ Collier v. Steinhafel et al., No. 0:14-cv-00266 (D. Minn.) (filed Jan. 29, 2014), at ¶ 76.

²The guidance defines “cybersecurity” as “body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.”

³SEC Division of Corporation Finance, Cybersecurity, CF Disclosure Guidance: Topic No. 2 (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

⁴The April 9, 2013 letter is available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51

⁵Chairman White’s May 1, 2013 letter is available at http://articles.law360.s3.amazonaws.com/0441000/441415/512013%20Letter%20from%20SEC%20Chair%20White. pdf

⁶While the majority of the guidance is focused on risk factors, the SEC also advises that cybersecurity disclosures may be appropriate in other areas of a company’s filings, including management’s discussion and analysis “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”

⁷The Cybersecurity Framework, available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf.

⁸Roberta D. Anderson, NIST Unveils Preliminary Cybersecurity Framework, Cybersecurity Alert (Nov. 25, 2013), available at http://www.klgates.com/nist-unveils-preliminary-cybersecurity-framework-11-22-2013/

⁹ Roberta D. Anderson, Before Becoming The Next Target: Recent Case Highlights The Need To Consider Insurance For Data Breaches, Insurance Coverage Alert (Jan. 16, 2014), available at http://www.klgates.com/before-becoming-the-next-target--recent-case-highlights-the-need-to-consider-insurance-for-data-breaches-01-16-2014/

As of January 2013, there were 46 active car-sharing programs and over 1 million members in North America alone. Worldwide, car-sharing companies operate in more than 27 countries on five continents with more than 1.7 million members. Given the momentum behind the sharing economy, it may be time for insurers to take a closer look at this emerging market.

Insurers may have an opportunity to lead innovation in the sharing economy, particularly in the car-sharing market. In much the same way as they have provided sound leadership about innovations in the past, the decisions about whether and how to get involved in the sharing economy should start by looking at some basic questions.

What is the market opportunity?

What is the market size now, and what are the projections? The idea of car-sharing is gaining traction, and thus considerable study is being given to its potential. Insurers should ask themselves not only about market growth projections, but also about what portion of those revenues could belong to insurance.

What are the market needs?

Car-sharing companies and renters are reaching out to insurers to provide insight into their unique business models and risk needs. Take advantage of this opportunity to talk in depth with this potential new customer base, and explore different models and products that might meet their needs.

What types of data are needed for accurate risk assessment, and where can that data be obtained?

Car-sharing companies are already capturing information on their owners and drivers. Further, peer reviews are providing additional data not traditionally available to insurance companies. Work with these start-ups to determine what types of data are available, what needs to be captured and how that data can be collected and used.

How can this data be used to assess whether the car-sharing market aligns with your risk appetite?

Most insurance companies have a clearly defined and communicated risk appetite. By its very nature, the car-sharing market will not automatically fit into any pre-established category. By conducting a careful assessment of market potential and available data, insurance companies can determine if they want to explore this opportunity further.

Insurance companies have always been leaders in developing products and services that meet market needs. Today, with more advanced data-capturing mechanisms and predictive analytics, insurers understand each of their customers at a much more granular level. It’s time for insurance companies to apply this same expertise to the sharing economy. It’s time for them to determine if the opportunity is worth the risk.

To say we struck a nerve in the industry with the Google and Insurance: Far Reaching Implications research is an understatement! It was picked up by all the major industry media – in some cases multiple times. It has set a record for downloaded and purchased SMA research, generating a torrent of follow-up calls and discussions. It has been shared and used by executive teams for discussion and strategic planning. The companion blog for the research had nearly 10,000 views – and continues to be posted, tweeted and retweeted a month and half after it was published! 

So why has there been such a strong interest and reaction in the industry?

Well, one reason might be that there is a fascination and admiration for the competitive drive in Google’s transformation from a search engine to an innovator of technologies and solutions like Android, Google cars, Google glasses, wearable devices and others. And then there is the fact that Google is securing a strong, growing (and enviable) customer loyalty. Don’t overlook the challenge to other innovators like Apple, Amazon and Microsoft – it’s impossible to ignore, just like Google's impressive growth and financial results! But the appeal that underpins all of this is Google’s unwavering vision of making information universally accessible and useful. Having a huge imagination that is spearheading innovation in multidimensional ways doesn’t hurt either! 

As Google drives innovation, offering an integrated and seamless customer experience and making available the use of its ground-breaking technologies to people in their everyday lives, the levels of customer intimacy and loyalty continue to increase. In the opposite direction, the vast amount of data becoming available via some of these technologies concerning individuals and their cars, homes and bodies is breath-taking. The change will be transformative! 

This is why the implications for insurance are so great. Google is bringing an outside-in, customer-driven approach to innovation that is causing insurers to rethink, reimagine and reinvent their visions of a technology-enabled future. Google is organizing data, technology and location around people, creating a level of customer empowerment and -centricity unheralded in any industry, let alone insurance. Not only is this powerful, it is fundamentally changing the business of insurance!   

Innovation is no longer just a nice-to-have initiative. It has become a must-have, strategic, core mandate that will define a new era of winners (and losers). Why? Because the increasingly rapid pace of change is challenging decades of business traditions and assumptions and demanding a response. This is unprecedented in the history of the insurance industry. All the while, the changes just keep coming: new technologies, the mash-up of technologies and new uses for these technologies.

These changes are highly disruptive, but they are also transformational. One industry innovation leader whom we recently spoke to about innovation noted that: “There is an outrageous level of individualism – from devices, data and components that will break the traditional infrastructure, culture and systems of traditional insurers.” Companies like Google, Apple, Uber, Zipcar and others, as well as next-gen and emerging technologies, are intensifying this level of individualism. 

Many insurers, large and small, are struggling to get their heads around a comprehensive view or a full understanding of the impact that these influencers will have on the disruption and transformation of the insurance industry. That is why the Google and Insurance research report has provoked such a response in the industry – because it provides insights and a glimpse of the challenges and opportunities for the industry. It also points to why, as an industry, we need to rethink how we respond to and embrace innovation as the core of a new culture and keystone of a new future. 

Other industries, from retail to books, music and movies, have experienced the same thing the insurance industry is now encountering: the very foundations of their businesses are being challenged, requiring novel thinking, experimentation, innovation and adoption of the new and emerging technologies. As one industry leader and CIO recently commented, “Insurers must build knowledge, a network and an ecosystem of outside-in relationships to reimagine and contribute to their company’s future.”

This persistent and continual disruption will necessitate a new way of embracing change and innovation. It will require a culture and model built around continuing collaboration and ideation that extends outside the traditional insurance organization. This is why an innovation mandate is critical.  

The innovation mandate must track and assess trends and influencers both inside and outside the industry, prepare plans and scenarios, experiment and collaborate to gain competitive advantage. Unfortunately, the day-to-day operational demands, time constraints and shortage of expertise or resources for evaluating the many implications for insurance will find most insurers unprepared or unequipped to respond to this level of disruption. More troubling is the way that many insurers are continuing to operate with the long-standing approach of wait-and-see or being a fast follower. With the accelerating release of next-gen technologies, eager competitors, new influencers and increasing customer demands, failing to adopt a culture of innovation and collaboration could create a potentially unsurmountable risk to survival of the business.

For insurers, the coming years promise unparalleled opportunity to increase their value to their customers. Those that are best able to capitalize on the key technology influencers will reap the most in rewards. In contrast, those that do not prepare for the future will find themselves falling behind, losing both competitive position and financial stability. To capture the full potential, insurers must determine to create and participate in an ecosystem of outside experts and resources; inspire their leadership; and enable their journey of change, transformation and innovation. Why will this be so important? Because the ecosystem will integrate new ideas and thinking from outside the organization, and provide that outside-in perspective needed to break legacy assumptions.  

The innovation journey toward rethinking, reimagining and reinventing the business of insurance has started. Strategy Meets Action has joined the journey. Have you?

As more consumers opt for the flexibility of serving themselves, it has become essential for businesses to deploy strong systems to authenticate identity. The challenge is how to reduce fraud without frustrating consumers or compromising the customer experience.

Biometric technology has been seen increasingly as a solution in industries such as financial services, but is there a useful place in insurance? As technology becomes more convenient --and more secure -- many are saying yes.

What’s What in Biometrics

By identifying individuals through their unique physiological or behavioral patterns, biometrics offers a higher level of security, ensuring that only authorized persons have access to sensitive data. Physiological biometrics include fingerprint, face, iris and hand geometry recognition. Behavioral biometrics identify signature and voice verification, including keystroke kinetics that identify a person’s typing habits.

As consumer-centric channels such as mobile and online applications continue to expand, so will the risk of fraud. And while many industries, including insurance, continue to deploy new technologies to stave off attacks, the reality is that the tools and methods by which professional fraudsters operate are becoming increasingly sophisticated.

“While insurers have applied some preventive measures against fraud, the industry as a whole needs to catch up,” says Steve Cook, director of business development, Facebanx. “They must be forward-thinking and recognize the benefits of biometric technology and how it can help in preventing fraudulent activities.”

Reducing Claim Fraud and Protecting Data

One area where biometrics has begun to take hold is healthcare insurance. A study by the Ponemon Institute found nearly 1.5 million Americans to be victims of medical identity theft. Healthcare fraud is estimated to cost between $70 billion and $255 billion a year, accounting for as much as 10% of total U.S. healthcare costs.

Many insurers are using biometrics to help reduce billing fraud by eliminating the sharing of medical insurance cards between patients, or by making it more difficult for a person to assume another’s identity. For example, as an alternative to paper insurance cards, a biometric iris scan can immediately transport proof of a patient’s physical presence at a healthcare facility.

Biometric technology is also assisting healthcare insurers with compliance and data integrity standards — in particular with those set by the Health Insurance Portability and Accountability Act (HIPAA). For example, in addition to adhering to requirements for automatic logoff and user identification, insurers must implement additional safeguards that include PINs, passwords and some method of biometrics.

Fraud Capabilities in Property and Casualty

According to a report by Aite Group, the war against fraud in property and casualty insurance is also escalating. The group estimates that claim fraud in the U.S. P&C industry alone cost carriers $64 billion in 2012 and will reach $80 billion by 2015. Customer contact centers have been hit particularly hard. While the focus on protecting consumer data has primarily centered on online channels, fraudsters are now targeting the phone channel, as well. Leveraging information obtained through social media networks, thieves are manipulating call center representatives and gathering customer information. 

For this reason, biometrics are being deployed. Representatives can cross-reference incoming calls against a watch list of known fraudsters, identifying unique voice prints. Advanced biometric techniques can also identify fraud patterns based on speech analytics, talk patterns and various “red flag” interactions.

Summary

The insurance industry is just beginning to scratch the surface when it comes to identifying areas of fraud management to which biometric science can be applied. 

“Insurance companies [that] are first to adopt this kind of technology will push the fraudsters over to the competition, because fraudsters don’t want their face or voice on a database that they can’t control,” Cook says.

Making the switch to biometric security measures can mean a substantial investment if done on a large scale. Even so, with the proliferation of online channels, consumer conveniences and ever-shifting tactics of fraudsters, deploying some degree of biometric technology will become a competitive necessity. And, as long as the insurance industry continues to expand consumer services because of e-commerce and m-commerce, no doubt new applications of biometrics will come about.

1.   State law changes establishing clearer standards of care, reporting and tracking of controlled narcotics, bans on abused narcotics, etc.

2.   State and federal agencies aggressively prosecuting individuals who prescribe opioids illegally or  operate “pill mills,” revoking registrations of some pharmacies and compelling healthcare providers and pharmacies to surrender or forfeit their medical licenses to state medical/pharmacy boards

3.   Physician-led education efforts like the Physicians for Responsible Opioid Prescribing

4.   Medical boards actively addressing the inappropriate and illegal dispensing of drugs

5.   Heightened awareness of the neonatal abstinence syndrome crisis in the U.S.

6.   Workers' compensation insurers leveraging advanced analytics, physician education efforts, evidence-based pain diagnoses and utilization reviews to reduce injured worker reliance on addictive prescription drugs

7.   The Food and Drug Administration’s Risk Evaluation and Mitigation Strategy

8.   The issuance of the October 2013 Trust for America’s Health report titled “Prescription Drug Abuse: Strategies to Stop the Epidemic”

9.   Continuing prosecution and sentencing of healthcare providers

10. Efforts by national medical organizations

• CMS determines that he or she has a pattern or practice of prescribing Part D drugs that is abusive and represents a threat to the health and safety of Medicare beneficiaries or otherwise fails to meet Medicare requirements; or

• His or her Drug Enforcement Administration certificate of registration is suspended or revoked; or

• The applicable licensing or administrative body for any state in which a physician or eligible professional practices has suspended or revoked the physician or eligible professional's ability to prescribe drugs.