When Are CPAs Liable for Cybersecurity?

Cybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects cybercrime’s global cost will exceed $1 trillion between 2017 and 2021.

Safeguarding clients’ nonpublic information from cyber-criminals is a top priority for CPA firms. The latest data breach statistics from the 2017 Identity Theft Resource Center Data Breach Report show an alarming number of exposed consumer records in the U.S.

  • 1,579 reported breaches, exposing 179 million records
  • 55% of all breaches involved businesses
  • 59% of all breaches resulted from hacking by outside sources
  • 53% of all breaches exposed Social Security numbers

Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats.

What’s my liability?

“That’s a big question we hear from firms regardless of whether they’ve been attacked,” said Stan Sterna, vice president and risk control specialist for Aon. “There are actually no uniform federal laws on business cybersecurity. But there is a patchwork of state and federal rules.”

Under certain state laws, CPAs can face liability for cybersecurity breaches that expose personal information. Most states have rules for handling breach notifications and for what remediation measures need to be taken. Breach requirements depend on where the client resides – not where your firm is located. We encourage you to learn the dynamic requirements of states that apply to you.

The Texas data breach notification law has been amended several times since its passage in 2009. It requires notification of affected individuals in the event a data breach results in the disclosure of unencrypted personal information consisting of an individual’s first name or first initial, last name and certain personal information such as Social Security and driver’s license numbers.

Federal rules and law

The Safeguards Rule is enforced by the Federal Trade Commission and applies to all companies defined as financial institutions under the Gramm-Leach-Bliley (GLB) Act. Businesses that prepare tax returns fall within this definition. Under the rule, businesses are required to develop a written information security plan that describes their program to protect customer information. There are five additional requirements. Learn about the rule and implement applicable compliance protocols.

Do clients have standing to sue a CPA firm if they did not suffer damages as a result of a data breach?

At the federal level, the circuit courts are split as to what constitutes sufficient standing to sue in cyber breach cases. Some courts hold that companies may be liable for damages if client or employee data is stolen, even if the theft causes no harm; instead, it’s sufficient to merely allege that the information was compromised. This broad interpretation will only further increase the risk of cyber liability claims.

Two recent decisions illustrate these differences:

  • The Sixth Circuit court, citing the defendant’s offer for free credit monitoring as evidence, joined the Seventh and Ninth circuits in holding that a cyber victim’s fear of future harm is real and provides sufficient standing to sue. This particular ruling specifically undermines the defense that if no actual cyber fraud or identity theft occurred, the victim has not been damaged and has no standing to sue.
  • However, in another case, the Fourth Circuit held that a plaintiff must allege and show that their personal information was intentionally targeted for theft in a data breach and that there is evidence of the misuse or accessing of that information by data thieves. The division among the circuit courts as to standing is not likely to be resolved unless the U.S. Supreme Court decides a case on the issue.

New cybersecurity regulation sets the stage for other states to follow

In response to several highly publicized consumer data breaches, in 2017 the New York State Department of Financial Services enacted 23 NYCRR 500, “Cyber Requirements for Financial Services Companies,” with which all affected firms must now comply. These “first-in-the-nation” data security regulations establish the steps that covered entities must take to secure customer data. The regulations are designed to combat potential cyber events that have a reasonable likelihood of causing material harm to a covered entity’s normal business operations.

Specifically, insurers, banks, money services businesses and regulated virtual currency operators doing business in New York with 10 or more employees and $5 million or more in revenues must comply with the new rules. Under the provisions, companies must:

  • Conduct a cybersecurity risk assessment, prepare a cybersecurity program subject to annual audit and establish a written policy tailored to the company’s individualized risks that are approved by senior management;
  • Appoint a chief information security officer (CISO) responsible for the cybersecurity program who regularly reports on the integrity, security, policies, procedures, risks and effectiveness of the program and on cybersecurity events;
  • Establish multi-factor authentication for remote access of internal servers;
  • Encrypt nonpublic information (PII) and regularly dispose of any nonpublic information that is no longer necessary for conducting business (unless required to be retained by law);
  • Prepare a written incident response plan that effectively responds to events and immediately provides notice to the superintendent of the New York Department of Financial Services of any breaches where notice is required to be provided to any government body, self-regulatory agency or any other supervisory body or where there is a “reasonable likelihood” of material harm to the normal operations of the business;
  • Implement a written policy addressing security concerns associated with third parties who provide services to the covered entity that contain guidelines for due diligence or contractual protections relating to the provider’s policies for access, encryption, notification of cybersecurity events affecting the covered entity’s nonpublic information and representations addressing the provider’s cybersecurity policies relating to the security of the covered entity’s information systems or nonpublic information;
  • Annually file a statement with the New York Department of Financial Services certifying compliance with the regulations.

Meanwhile, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on Jan. 1, 2020. The CCPA represents a significant expansion of consumer privacy regulation. Its GDPR-like statutory framework gives California consumers the:

  • Right to know what categories of their personal information have been collected
  • Right to know whether their personal information has been sold or disclosed, and to whom
  • Right to require a business to stop selling their personal information upon request
  • Right to access their personal information
  • Right to prevent a business from denying equal service and price if a consumer exercises rights per the statute
  • Right to a private cause of action under the statute

What is the impact of these new regulations on CPA firms?

Whether or not a CPA provides professional services for an entity covered by the New York Department of Financial Services or the CCPA, these new rules are important:

  • Regulation in one state frequently results in regulation in other states; both the New York and California cybersecurity regulations may serve as a template for other states contemplating cyber security legislation.
  • The regulations create a framework for plaintiffs’ attorneys to follow when alleging that a company (regardless of whether it is a New York or California covered entity) should have done more to protect private information, keep consumers informed or prevent a data breach or that a CPA firm should have detected data security issues while providing professional services.

Take preventative action now

“If someone sues your firm because of a data breach, you may have a stronger case if you can show that you’ve taken reasonable measures to help prevent an attack or theft,” Sterna advised. “Setting up systems to assist in prevention is an important aspect of managing cybersecurity risk.”

Here are three tips to get you started:

Start with an assessment. What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur?

“Mapping where you stand today and your vulnerabilities is the best way to understand your next steps,” Sterna said. The AICPA’s cybersecurity risk management reporting framework helps you assess existing risk management programs. The Private Companies Practice Section cybersecurity toolkit can also help you understand the most common cybersecurity threats.

Implement best practices. At a minimum:

  • Use encryption wherever appropriate to protect sensitive data. This includes laptops, desktops and mobile devices. Failing to do so threatens your data and your reputation.
  • Train employees to recognize threats and safeguard equipment and data.
  • Develop and practice your response plan for various situations such as a ransomware attack, hack or ID theft.
  • Back up your data so you’ll still have access to it if it’s lost or stolen.
  • Keep your equipment physically secure in your office and on the road.

Get an outsider’s perspective. What better way to learn your firm’s vulnerabilities than to hire an expert for penetration testing? Through a penetration test, a third-party consultant will perform a test tailored to your firm’s needs and budget. They’ll provide insights on your firm’s vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm’s response in the case of various attack scenarios.

Legal and insurance considerations

CPA firms should consult with their legal counsel to assess the firm’s risk of first/third party data security claims and assess vendor data security coverage. The existence and adequacy of data security used by third-party vendors (including contract tax return preparers) is often overlooked.

CPA firms also should consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage.

This article is provided for general informational purposes only and is not intended to provide individualized business, insurance or legal advice.  You should discuss your individual circumstances thoroughly with your legal and other advisers before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions and exclusions for an insured.

Handling Transition to a Public Company

In any given year, many private companies are evaluating the potential transition from private to public ownership. An initial public offering (IPO) comes with a myriad of financial and operational concerns, ranging from public disclosure requirements to additional regulatory/compliance infrastructure, to confidentiality and trade secret concerns. One potentially under-appreciated area for consideration, for those companies considering an IPO, is directors’ and officers’ liability insurance (D&O). Recent claims trends and the U.S. Supreme Court’s March 2018 decision in Cyan emphasize the need to approach the D&O insurance topic with great diligence, and to obtain maximum protection for a company and its key executives. In our experience at Aon, key D&O topics for careful review include the following:

Beginning at the “all hands” initial kick-off meeting and through the road show, company executives are making decisions and representations that could create liability exposures. The private company D&O policy, which almost certainly excludes public securities claims, should not be so restrictive as to exclude pre-IPO preparatory and “road show” activity. Additionally, pre-IPO private company policies should contain carve-out language for “failure to launch” claims. The transition to a public company will also require clear policy language that determines how pre- and post-IPO allegations are addressed. Detailed negotiations of the “tail coverage” and “prior acts” coverage are critical to providing the appropriate protections for both the respective former private company and new public company boards and executives. IPO candidates should confirm that their current private company D&O program, with regard to terms, structure and limits, provides comprehensive pre-IPO coverage to provide a seamless transition to public company status.

Coverage Terms

Ensuring breadth of policy terms is perhaps the most critical component to a public company D&O insurance program placement. Maximizing coverage in the event of a claim is rooted in contract certainty and broadest and best-in-class terms and conditions. Unfortunately, inexperienced D&O practitioners can lead to debilitating coverage gaps and exclusions. It takes an IPO-experienced and detail-oriented brokerage tactician to obtain critical coverage enhancements. Coverage topics such as straddle claims, definition of loss and E&O exclusions can be the difference between maximizing policy proceeds and an outright claim denial. The D&O program coverage negotiations are multifaceted – the negotiations are not limited to the primary layer of insurance but, rather, involve numerous layers of negotiations with your excess insurers, including importantly your Side A insurers. IPO candidates should partner with detail-focused D&O professionals (which can include both brokers and outside counsel), to obtain maximum coverage.

Policy Structure

Public company D&O insurance can be markedly different in structure than private company D&O insurance. Two very common examples include the separation of limits (i.e., the D&O is no longer tied to other management liability coverages, such as employment practices and crime) and the addition of dedicated Side A difference in conditions (“DIC”) insurance. Additional structural considerations, such as entity investigative coverage, the inclusion of DIC limits within the “A/B/C” tower and the decision to run-off prior coverage or maintain continuity of a program are all structural items of critical importance to review prior to an IPO. IPO candidates should weigh the pros/cons of each approach and select a program structure that aligns with their unique risk factors and corporate purchasing philosophy.

Limits

Limits selection is not a “one-size-fits-all” question and can be influenced by various factors, including: expected offering size/market cap, industry risk factors, historical claims activity, merger/acquisition exposure, bankruptcy risk, a company’s risk retention capacity, limits availability relative to budget and board directives. Aon has several proprietary tools to assist clients in making informed decisions around the appropriate limits to purchase at the time of your offering.

Pricing

Undoubtedly, many insureds experience sticker shock when contemplating the potential cost of a post-IPO D&O program. This is particularly true in the post-Cyan world as D&O insurers consider separate state court retentions and pricing commensurate with increased ’33 Act state court exposures. This environment has led to 2018 D&O pricing (for IPOs) that, in some cases, is more than twice comparable deals in 2018. IPO candidates should prepare senior management and the board to anticipate a meaningful change as compared with the private company program with regard to D&O premium. Candidates should also work closely with their broker to align strategies to maximize the return on this premium. These strategies can include meetings with key national decision-makers at leading D&O insurers, risk/retention analyses regarding potential retention levels and competition via access to national and international D&O insurers. Partnering with a broker that has a proven ability to “make a market” for competitive D&O pricing is crucial to maximizing the marketing opportunity and obtaining competitive pricing results.

International

While this topic is germane to both public and private companies, the IPO process can be a catalyst to review broad D&O topics, including the need for locally admitted policies. In many countries, non-admitted insurance is problematic and would not be permitted to respond in the event of a claim in such a country. Particularly for D&O insurance, which is intended to help protect individuals’ personal assets, the certainty of available coverage within problematic countries is critical. All companies, particularly IPO candidates, should consider their international exposures and implement locally admitted policies as needed.

An IPO is an exciting but challenging time, for corporate issuers and their leaders. Partnership with subject matter leaders across several disciplines, such as accounting, finance, legal and insurance, can help a company execute a successful transition to public equity.

All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy. If you have questions about your specific coverage, or are interested in obtaining coverage, please contact your broker.

Future of Insurance to Address Cyber Perils

Standalone cyber insurance can successfully address a subset of privacy and security costs related to personally identifiable information, personal health information, payment card industry losses and increasingly some business interruption. However, outside of four industries (retail, hospitality, healthcare and financial institutions) generally no single insurance policy adequately covers cyber perils that result in funds transfers/crypto losses, bodily injury or tangible property damage-type losses. Organizations of all sizes, geographies and industries increasingly rely on data analytics and technology, such as cloud computing, Internet of Things and artificial intelligence. These advancements add new and unique cyber exposures. Modeling of worst-case cyber scenarios compared with a review of the scope and exclusions of the base forms of multiple lines of insurance reveals potential material gaps in cyber coverage.

[Figure: The number of cyber incidents with losses greater than $1 million (through early September 2018)]

Recognize Financial Statement Impact

According to the Risk and Insurance Management Society, organizations’ total cost of risk declined for the fourth year in a row in 2017, but cyber costs moved in the opposite direction, rising 33%. Most boards of directors and management now include cyber perils and solutions in corporate governance discussions as they learn more regarding the potential financial statement impact of high-profile cyber incidents. Yet, organizations only insure a relatively small portion of their intangible assets compared with insurance coverage for legacy tangible assets.

Prudent organizations will spend the appropriate amount of time and resources on the risk management areas that are likely to have the greatest return on investment. For example, a disproportionate amount of attention is focused on cryptocurrency exposures, which affects a relatively small proportion of the corporate insurance buying population and related monetary losses. These are generally excluded from standalone cyber insurance policies.

Almost every large organization and most middle-size organizations will have some reliance on distributed ledger technology within the next few years – either directly or via one of their third-party suppliers, distributors, vendors, partners or customers. It is important for organizations to educate and prepare themselves:

1. Understand the intended scope of standalone cyber and professional liability insurance policies

Typical standalone cyber insurance policies specifically exclude funds transfers, crypto transfers and other cash and securities monetary losses. Crime policies are intended to address fund losses under specified circumstances. Similarly, payment diversion fraud coverage for “spoofing,” “phishing” and other social engineering incidents is generally excluded under cyber policies but possibly covered under crime policies.

However, two federal appellate courts recently ruled that policyholders are entitled to crime insurance coverage for losses arising from social engineering schemes.

  • July 2018: Facebook investors filed two different securities lawsuits: (1) the first based on the Cambridge Analytica user data incident; and (2) the second following Facebook’s lower-than-expected quarterly earnings release due to lower growth rate caused in part by allegedly unanticipated expenses and difficulties in complying with the European Union General Data Protection Regulation (“GDPR”).
  • Aug. 8, 2018: Securities class action litigation was filed against a publicly reporting media performance ratings company that disclosed in its quarterly earnings release that GDPR-related changes affected the company’s growth rate, pressured the company’s partners and clients and disrupted the company’s advertising “ecosystem.”

Typical professional liability and cyber policies also specifically exclude shareholder derivative securities and similar fiduciary liability litigation. A well-crafted directors and officers insurance policy is recommended to provide certain defense and indemnity coverage for such claims.

Absent extensive policy wording customization, the typical cyber insurance policy specifically excludes all bodily injuries and tangible property damage – both first-party tangible property damage (the insured’s own property) and third-party tangible property damage (property owned by someone other than the insured).

2. Silent and affirmative cyber coverage under other lines of insurance

When cyber exposure losses first emerged, insurers had not priced cyber risks into their broadly worded legacy policies, such as property and general liability. However, absent specific cyber exclusions, such as the CL 380 Cyber Exclusion, it is possible that legacy property, general liability, environmental, product recall, marine and aviation policies could inadvertently cover unintended cyber perils. This is the so-called silent cyber insurance coverage.

After making the first unintended cyber claims payment, some insurers, but not yet all, either exclude or sub-limit cyber risk from new standard policies and renewals. Granting affirmative full cyber limits coverage for an additional premium in such legacy policies is rare and slow to develop. Silent cyber coverage remains. In fact, according to multiple large insurance companies, the 2017 total amount of cyber-related business interruption claims payments was greater under property insurance policies than under standalone cyber policies.

Furthermore, aggregated/correlated/systemic cyber exposures have the potential to cause damages that are multiples of any loss seen to date (e.g., 10,000 customers of a cloud provider or energy/power/utilities). Catastrophe modeling for aggregated/correlated/systemic cyber risk is in its infancy. Innovative approaches for assisting insurers concerned about aggregated, clash incidents – or two different policies covering the same cyber peril – and silent cyber exposures are starting to emerge.

To achieve cyber resiliency, consider cyber as a peril rather than as a standalone insurance policy. Assess, test, improve, quantify, transfer and respond to the larger cyber risk management issues based on a cost-benefit analysis of resource allocation. Insurance is complementary to a robust cyber resiliency risk management approach. Each organization should identify and protect its critical intangible assets and balance sheet by aligning the cyber enterprise risk management strategy with corporate culture and risk tolerance.

All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy. If you have any questions about your specific coverage or are interested in obtaining coverage, please contact your Aon broker. For general questions about cyber insurance, contact: Stephanie Snyder at stephanie.snyder@aon.com.

In Age of Disruption, What Is Insurance?

“Somehow we have created a monster, and it’s time to turn it on its head for our customers and think about providing some certainty of protection.” – Inga Beale, CEO, Lloyd’s of London

In an early-morning plenary session at this year’s InsureTech Connect in Las Vegas, Rick Chavez, partner and head of digital strategy acceleration at Oliver Wyman, described the disruption landscape in insurance succinctly: while the first phase of disruption was about digitization, the next phase will be about people. In his words, “digitization has shifted the balance of power to people,” forcing the insurance industry to radically reorient itself away from solving its own problems toward solving the problems of its customer. It’s about time.

For the 6,000-plus attendees at InsureTech Connect 2018, disruption in insurance has long been described in terms of technology. Chavez rightly urged the audience to expand its definition of disruption and instead conceive of disruption not just as a shift in technology but as a “collision of megatrends”–technological, behavioral and societal–that is reordering the world in which we live, work and operate as businesses. In this new world order, businesses and whole industries are being refashioned in ways that look entirely unfamiliar, insurance included.

This kind of disruption requires that insurance undergo far more than modernization. It requires a true metamorphosis: not simply shedding its skin of bureaucracy, paper applications and legacy systems but being reborn as an entirely new animal, focused on customers and digitally enabled by continuing technological transformation.

In the new age of disruption …

1. Insurance is data

“Soon each one of us will be generating millions of data sets every day – insurance can be the biggest beneficiary of that” – Vishal Gondal, GOQii

While Amazon disrupted the way we shop, and Netflix disrupted the way we watch movies, at the end of the day (as Andy G. Simpson pointed out in his Insurance Journal recap of the conference) movies are still movies, and the dish soap, vinyl records and dog food we buy maintain their inherent properties, whether we buy them on Amazon or elsewhere. Insurance, not simply as an industry but as a product, on the other hand is being fundamentally altered by big data.

At its core, “insurance is about using statistics to price risk, which is why data, properly collected and used, can transform the core of the product,” said Daniel Schreiber, CEO of Lemonade, during his plenary session on day 2 of the conference. As copious amounts of data about each and every one of us become ever more available, insurance at the product level– at the dish soap/dog food level–is changing.

While the auto insurance industry has been ahead of the curve in its use of IoT-generated data to underwrite auto policies, some of the most exciting change happening today is in life insurance, as life products are being reconceived by a boon of health data generated by Fitbits, genetic testing data, epigenetics, health gamification and other fitness apps. In a panel discussion titled “On the Bleeding Edge: At the Intersection of Life & Health,” JJ Carroll of Swiss Re discussed the imperative of figuring out how to integrate new data sources into underwriting and how doing so will lead to a paradigm shift in how life insurance is bought and sold. “Right now, we underwrite at a single point in time and treat everyone equally going forward,” she explained. With new data sources influencing underwriting, life insurance has the potential to become a dynamic product that uses health and behavior data to adjust premiums over time, personalize products and service offerings and expand coverage to traditionally riskier populations.

Vishal Gondal of GOQii, a “personalized wellness engine” that is partnering with Max Bupa Insurance and Swiss Re to offer health coaching and health-management tools to customers, believes that integrating data like that generated by GOQii will “open up new risk pools and provide products to people who couldn’t be covered before.” While some express concern that access to more data, especially epigenetic and genetic data, may exclude people from coverage, Carroll remains confident that it is not insurers who will benefit the most from data sharing, but customers themselves.

2. Insurance is in the background

“In the future, insurance will buy itself automatically” – Jay Bergman

Some of the standout sessions of this year’s InsureTech Connect were not from insurance companies at all, but from businesses either partnering with insurance companies or using insurance-related data to educate their customers about or sell insurance to their customers as a means of delivering more value.

Before unveiling a new car insurance portal that allows customers to monitor their car-related records and access a quote with little to no data entry, Credit Karma CEO Ken Lin began his talk with a conversation around how Credit Karma is “more than just free credit scores,” elucidating all of the additional services they have layered on top of their core product to deliver more value to their customers. Beyond simply announcing a product launch, Lin’s talk was gospel to insurance carriers, demonstrating how a company with a fairly basic core offering (free credit scores) can build a service layer on top to deepen engagement with customers. It’s a concept that touches on what was surely one of the most profound themes of the conference–that, like free credit scores, insurance only need be a small piece of a company’s larger offering. This may mean embedding insurance into the purchase of other products or services (i.e., how travel insurance is often sold) or it may mean doing what Credit Karma has done and layering on a service offering to deepen engagement with customers and make products stickier.

Assaf Wand, CEO of the home insurance company Hippo, spoke to both of these models in his discussion with David Weschler of Comcast about how their two companies are partnering to make insurance smarter and smart homes safer. When asked about what the future of insurance looks like, Wand put it plainly when he said: “Home insurance won’t be sold as insurance. It will be an embedded feature of the smart home.” Jillian Slyfield, who heads the digital economy practice at Aon, a company that is already partnering with companies like Uber and Clutch to insure the next generation of drivers, agrees: “We are embedding insurance into these products today.”

Until this vision is fully realized, companies like Hippo are doing their part to make their insurance products fade into the background as the companies offer additional services for homeowners. “Can I bring you value that you really care about?” Wand asked. “Wintering your home, raking leaves, these are the kinds of things that matter to homeowners.”

3. Insurance is first and foremost a customer experience

“The insurance industry has to redefine our processes… go in reverse, starting with the customer and re-streamlining our processes around them” – Koichi Nagasaki, Sompo

To many outside the insurance industry, the idea of good customer experience may seem unremarkable, but for an industry that has for so long been enamored by the ever-increasing complexity of its own products, redefining processes around customers is like learning a foreign language as a middle-aged adult. It’s hard, and it takes a long time, and a lot of people aren’t up to the task.

The insurance industry has been talking about the need for customer-centricity for a while now, but many companies continue to drag their feet. But customer-centricity is and remains more than a differentiator. It’s now table stakes. How this plays out for the industry will look different for different companies. Some will turn to partnerships with insurtechs and other startups to embed their products into what are already customer-centric experiences and companies. Chavez of Oliver Wyman would rather see the industry “disrupt itself,” as he believes it’s critical that companies maintain the customer relationship. In his plenary sessions, he cited the German energy company Enercity as a company that disrupted itself. Operating in a similarly regulated industry, rather than becoming just a supplier of energy, the company invested heavily in its own digital strategy to become a thought leader in the energy space, to be a trusted adviser to its customer and to deliver an exceptional digital experience that, among other things, leverages blockchain technology to accept bitcoin payments from customers. For Chavez, insurtech is already a bubble, and, “If you want to succeed and thrive in a bubble, make yourself indispensable.” The only way to do this, he believes, is to maintain ownership over the customer experience, because, in today’s digital economy, the customer experience is the product.

But to own the customer experience and succeed will require insurance companies to completely reorient their business practices and processes – to start with the customer and the experience and work backward toward capabilities. In the words of Han Wang of Paladin Cyber, who spoke on a panel about moving from selling products to selling services, “It’s always a question of what does the customer want? How do they define the problem? And what is the solution?”

4. Insurance is trust

“The world runs on trust. When we live in a society where we have lots of trust, everyone benefits. When this trust goes away, everyone loses.” – Dan Ariely, Lemonade

During a faceoff between incumbents and insurtechs during one conference session, Dylan Bourguignon, CEO of so-sure, cinched the debate with a single comment, calling out large insurance carriers: “You want to engage with customers, yet you don’t have their trust. And it’s not like you haven’t had time to earn it.” This, Bourguignon believes, is ultimately why insurtechs will beat the incumbents.

Indeed, the insurtech Lemonade spent a fair amount of stage time preaching the gospel of trust. Dan Ariely, behavioral economist and chief behavior officer at Lemonade, delivered a plenary session entirely devoted to the topic of trust. He spoke about trust from a behavioral standpoint, explaining how trust creates equilibrium in society and how, when trust is violated, the equilibrium is thrown off. Case in point: insurance.

Insurance, he explained, has violated consumer trust and has thrown off the equilibrium–the industry doesn’t trust consumers, and consumers don’t trust the industry, a vulnerability that has left the insurance industry open to the kind of disruption a company like Lemonade poses. As an industry, insurance has incentives not to do the thing it has promised to do, which is to pay out your claims. And while trust is scarcely more important in any industry than it is in insurance, save in an industry like healthcare, the insurance industry is notoriously plagued by two-way distrust.

What makes Lemonade stand out is that it has devised a system that removes the conflict of interest germane to most insurance companies – as a company, it has no incentives to not pay out customer claims. In theory, profits are entirely derived by taking a percentage of the premium; anything left over that does not go to pay out a claim is then donated to charity. The result: If customers are cheating, they aren’t cheating a company, they are cheating a charity. Ariely described several instances where customers even tried to return their claims payments after finding misplaced items they thought had been stolen. “How often does this happen in your companies?” he asked the audience. Silence.

And it’s not just new business models that will remedy the trust issues plaguing insurance. It’s new technology, too. In a panel titled “Blockchain: Building Trust in Insurance,” executives from IBM, Salesforce, Marsh and AAIS discussed how blockchain technology has the capacity to deepen trust across the industry, among customers, carriers, solutions providers and underwriters by providing what Jeff To of Salesforce calls an “immutable source of truth that is trusted among all parties.” Being able to easily access and trust data will have a trickle-down effect that will affect everyone, including customers, employees and the larger business as a whole–reducing inefficiencies, increasing application and quote-to-bind speed, eliminating all the hours and money that go into data reconciliation and ultimately making it easier for carriers to deliver a quality customer experience to their customers.

While the progress in blockchain has been incremental, the conference panel demoed some promising use cases in which blockchain is already delivering results for customers, one example being acquiring proof of insurance for small businesses or contractors through Marsh’s platform. With blockchain, a process that used to span several days has been reduced to less than a minute. Experiences like these–simple, seamless and instantaneous – are laying the groundwork for carriers to begin the long road to earning back customer trust. Blockchain will likely play an integral role in this process.

5. Insurance is a social good

“We need insurance. It is one of the most important products for financial security.” – Dan Ariely, Lemonade

For all of the naysaying regarding the state of the industry that took place at InsureTech Connect, there were plenty of opportunities for the industry to remind itself that it’s not all bad, and that at its core insurance is something that is incredibly important to the stability of people across the globe. Lemonade’s Schreiber called it a social good, while Ariely told his audience, “We need insurance. It is one of the most important products for financial security.” Similar sentiments were expressed across stages throughout the conference.

In fact, in today’s society, income disparity is at one of the highest points in recent history, stagnating wages are plaguing and diminishing the middle class, more people in the U.S. are living in poverty now than at any point since the Great Depression, the social safety net is shrinking by the minute and more than 40% of Americans don’t have enough money in savings to cover a $400 emergency, so insurance is more important than ever.

For Inga Beale, CEO of Lloyd’s of London, insurance has a critical role to play in society. “It goes beyond insurance–it’s about giving people money and financial independence,” she said during a fireside chat. She went on to describe findings from recent research conducted by Lloyd’s, which determined that, by the end of their lives, men in the U.K. are six times better off financially than women. When designed as a tool to provide financial independence and equality for everyone, insurance can play an important role in addressing this disparity. While this has been a focus in emerging markets, financial stability and independence is often assumed in more developed markets, like the U.S. and Europe. In reality, it is a problem facing all markets, and increasingly so. Ace Callwood, CEO of Painless1099, a bank account for freelancers that helps them save money for taxes, agrees that insurance has an important role to play. “It’s our job to get people to a place where they can afford to buy the products we are trying to sell,” he said.

You can find the article originally published here.

What Blackjack Teaches on Analytics

During Aon’s Analytics Insights Conference, we focused on the variety of analytics software and solutions touching our industry. The conference was themed: “blending old and new: data and analytics in the modern era.” It will come as no surprise that terms such as blockchain, AI and machine learning might appear to be the holy grail of our industry. But there are other keys to making good data-driven decisions.

Blackjack happens to be the perfect Petri dish to remind ourselves about making better decisions. Data is easy to get, and systems never change. At this year’s conference, Jeffrey Ma, former VP of analytics and data science at Twitter and kingpin of the famous MIT blackjack team, shared his thoughts on the future of some of the new capabilities in analytics, arguing that “the biggest misconception is that AI is like magic and solves everything. In reality, it’s only going to be as good as the problems you point out and the data set that’s available to you.”

Tracy Hatlestad, chief operating officer – analytics within Aon’s reinsurance solutions business, sat down with Jeffrey to find out more.

Q: In an industry like insurance where success with data and analytics is a clear differentiator, what are a few key things you think people need to remember about making data-driven decisions?

A: Quite a few things come to mind, but here are some that seem pertinent to the crowd today. The first is omission bias, or the idea of favoring inaction over action. In blackjack, there’s static math that helps override these biases that is harder to discern in insurance, but the logic still applies. The second is the fallacy of the gut result, or the idea that you can be a better predictor than science or math. The third, and potentially the most dangerous for the financial industry, is the idea of right decision vs. right outcome. In blackjack, an incorrect decision can still lead to one-off wins, and, in those scenarios, undue credence can be given to those decisions or decision makers in the future.

Q: You talked about three levels of analytics – data, analysis and implementation. What are a few keys to success with those levels?

A: With level one

It’s imperative to remember that data is the building block for any analytical framework and any advantage that you can create. The adage, “garbage in, garbage out,” still applies. In many industries, there are a number of barriers that stand in the way of quality data, such as:

  • Data curation problems, often driven by legacy systems
  • Lack of commitment to data quality
  • Input by non-analytics professionals
  • The gathering of data well in advance of the ability to use it for strategic advantage

With level two

I really think of it more like science than analysis. The real skill is the ability to hypothesize. In fact, this has led me to hire people with advanced skillsets in economics, social sciences and physics. Simple data science is a commodity, and companies should be looking for people with the ability to ask questions, not just look for big patterns in data.

With level three

This is when you get to implementation. It separates successful companies from the rest. You’re moving into experimentation and always measuring the impact to see the outcome. It’s important to remember that you need the buy-in from everyone – sales, marketing, underwriting, etc. Without that, the ability to implement data-driven decisions gets lost. But when you find successes, you have the ability to operationalize those results with machine learning or artificial intelligence.

Q: Building on your comments about artificial intelligence, what’s a misconception about the power of artificial intelligence or machine learning?

A: The biggest misconception is that it’s magic and solves everything. In reality, machine learning or artificial intelligence is only going to be as good as the problems you point out and the data set that’s available. Artificial intelligence does not have the ability to explore outside the dataset. It can learn from that dataset, but, if it is not given the right questions or a skewed set of data, you can easily become misinformed.

Q: That makes sense, and yet it still seems like something people might overlook. Are there other mistakes you see companies making in the artificial intelligence space?

A: Lately, I’ve heard a few companies talk about separating data science from machine learning and artificial intelligence. They believe that data science is closer to the data and analytics field or business applications while machine learning is more around computers and programming, infrastructure, etc. The reality is they need to act in concert because the data scientists are going to be the ones who come up with the heuristics that help inform an artificial intelligence or machine learning model. The best case is when business leaders are working collaboratively with data scientists to develop a hypothesis that can be tested. Without that, you’re not going to get the best return on your investment in terms of your talent and what they are doing.

Q: What advice would you give senior leaders in insurance on implementing artificial intelligence or machine learning into their organization?

A: In any evolving field, it’s important to remember that the candidates that might have the best outcome can come from diverse backgrounds. There isn’t a typical hire when finding the best resources in these fields. Unlike long-time industry practitioners who can help you solve problems and create solutions with current methods, there’s going to be people who see the problem differently and really understand the possibilities. It’s also important for leaders to recognize that these people are likely some of the smartest in the building, but they need the business context to end up with the right results. You can’t treat them like the back-office number crunchers.

Q: We touched on it a bit earlier, but let’s get back to why insurance is more difficult than blackjack?

A: There are a lot of things in this world that will test your belief in analytics. Belief in analytics for blackjack is a little easier because it’s already solved and understood. The rules and data don’t change, and there are known outcomes. I talked about a situation where I lost $100,000 through mathematically correct decisions, and it would be hard to stick with the decisions if you did not fully understand the game. That’s even more difficult when you introduce additional variability and unconditional probabilities in areas like insurance where data is not stationary. In these cases, when you have negative results in a short-term sample, it can be even harder to trust the process or model. The fascinating thing is that, because it’s more difficult, there are many more opportunities to differentiate and win on a bigger scale.