It’s no secret that cyber attacks have the potential to cause massive business disruption – affecting both financial performance and corporate reputations. But when it comes to C-suite preparedness for cyber attacks, organizational silos are preventing businesses from taking a comprehensive approach. Cybersecurity is a threat that affects the entire C-suite, and managing this emerging risk requires an integrated mindset.
Many senior executives lack full knowledge about how cyber attacks could affect their organization and how to make cybersecurity a C-suite priority. Moreover, across organizations different leaders are addressing different parts of the cybersecurity challenge: where the chief information officer (CIO) and chief information security officer (CISO) are focused on physical and virtual data security, the CFO is concerned about ensuring financial stability in case of an attack. The chief legal officer may be concerned with the potential litigation effect, while the chief marketing officer (CMO) is responsible for mitigating bad PR and preserving the brand. In sophisticated organizations, the chief human resources officer (CHRO) is developing cyber training and awareness programs for employees to address threats that can originate within the company. Cybersecurity is clearly a distributed problem that requires integration across the entire C-suite.
Aon’s latest findings reveal that more than half of companies do not plan to buy cyber insurance even though there is an increased threat of attack. This disconnect exists primarily at the board level — the C-suite knows cybersecurity is an issue, but struggles to define its effect on financial performance. As cyber attacks become more prevalent, organizations will need to take an integrated approach toward preparedness.
Have you experienced the benefits of leadership coaching? Years ago, U.K. business leaders appeared to just see it as an American business fad (for a culture that has also embraced the benefits of therapists and given us great TV like “In Treatment”). However, over the last decade, more and more U.K. businesses have embraced executive coaching, and the academic evidence for efficacy has grown substantially. Even in 2005, 88% of U.K. organizations reported using coaching and, by 2009, 93% of U.S. organizations.
The next revolution in coaching for businesses is the expansion of coaching to a wider leadership population. Once the preserve of CEOs or main board members, leadership coaching is now being expanded at progressive businesses to include all directors, talent pipeline candidates or, in some cases, the wider organization through team coaching. My personal interest is in the benefits of coaching for the rising stars who are today’s customer insight leaders.
There is a growing trend to create customer insight director or chief knowledge officer roles, often for individuals who have never held C-suite responsibilities. Such leaders are ideal candidates for coaching, not because of any deficits, but rather to ensure that they perform as well as possible and achieve the challenging goals for their new strategic focus.
So, what does coaching entail? Very briefly, the term covers a multitude of approaches and has many possible definitions. But experts now agree that executive coaching can be defined as: “a relationship-based intervention. Its focus is on the enhancement of personal performance at work through behavioral, cognitive and motivational interventions used by the coach, which provide change in the client.”
That more academic definition hints that there are multiple models or techniques that can be used, where helpful, to facilitate sessions. The qualification that I’m completing on executive coaching includes learning coaching models: goal-oriented; cognitive behavioral; positive psychology; and neurolinguistic programming. My own experience of coaching executives has taught me that different models can be appropriate at different times, with different clients, in different organizational contexts. The most important skill is still genuine active listening, but frameworks to help guide sessions and clear goals to be achieved both help.
I’m encouraged by the positive messages being given by a number of organizations with regard to the importance of coaching (see “Coaching at Work” magazine). However, I have not yet seen this commitment applied to the customer insight leadership population. I hope that change will come, and I am focusing part of my business on helping to meet that need.
Have you seen the benefits of coaching or mentoring in your leadership role? I’d love to hear more about your experience of this emerging profession.
There is a myth out there that healthcare providers are unwilling to adopt new technology. It’s just not true. In the last few months, I have spoken to dozens of healthcare leaders at hospitals both small and large, and I am amazed at their willingness to understand and adopt technology.
Pretty much every hospital CEO, COO, CMIO or CIO I talk to believes two things:
With growing demand, rising costs and constrained supply, healthcare is facing a crisis unless providers figure out how to “do more with less.”
Technology is a key enabler. There is technology out there to help save more lives, deliver better care, reduce costs and achieve a healthier America. If a technology solution solves a real problem and has a clearly articulated return on investment (ROI), healthcare isn’t that different from any other industry, and the healthcare industry is willing to adopt that technology.
Given my conversations, here are the five biggest IT trends I see in healthcare:
1. Consumerization of the electronic health record (EHR). Love it or hate it, the EHR sits at the center of innovation. Since the passage of the HITECH Act in 2009—a $30 billion effort to transform healthcare delivery through the widespread use of EHRs—the “next generation” EHR is becoming a reality driven by three factors:
Providers feeling the pressure to find innovative ways to cut costs and bring more efficiency to healthcare delivery
The explosion of “machine-generated” healthcare data from mobile apps, wearables and sensors
The “operating terminal” shifting from a desktop to a smartphone/tablet, forcing providers to reimagine how patient care data is produced and consumed
The “next generation” EHR will be built around physicians’ workflows and will make it easier for them to produce and consume data. It will, of course, need to have proper controls in place to make sure data can only be accessed by the right people to ensure privacy and safety. I expect more organizations will adopt the “app store” model Kaiser pioneered so that developers can innovate on their open platform.
2. Interoperability— Lack of system interoperability has made it very hard for providers to adopt new technologies such as data mining, machine learning, image recognition, the Internet of Things and mobile. This is changing fast because:
3. Mobile— With more than 50% of patients using their smartphone to monitor health and more than 50% of physicians using (or wanting to use) their smartphone to monitor patient health, and with seamless data sharing on its way, the way care is delivered will truly change.
Telemedicine is showing significant gains in delivering primary care. We will continue to see more adoption of mobile-enabled services for ambulatory and specialty care in 2016 and beyond for three reasons:
Mobile provides “situational awareness” to all stakeholders so they can know what’s going on with a patient in an instant and can move the right resources quickly with the push of a button.
Mobile-enabled services radically reduce communication overhead, especially when you’re dealing with multiple situations at the same time with urgency and communication is key.
The services can significantly improve the patient experience and reduce operating costs. Studies have shown that remote monitoring and mobile post-discharge care can significantly reduce readmissions and unnecessary admissions.
The key hurdle here is regulatory compliance. For example, auto-dialing 9-1-1 if a phone detects a heart attack can be dangerous if not properly done. As with the EHR, mobile services have to be designed around physician workflows and must comply with regulations.
4. Big data— Healthcare has been slower than verticals such as retail to adopt big data technologies, mainly because the ROI has not been very clear to date. With more wins on both the clinical and operational sides, that’s clearly changing. Of all the technology capabilities, big data can have the greatest near-term impact on the clinical and operational sides for providers, and it will be one of the biggest trends in 2016 and beyond. Successful companies providing big data solutions will do three things right:
Clean up data as needed: There’s lots of data, but it’s not easy to access it, and it isn’t quite primed, or clean, for analysis. There’s only so much you can see, and you spend a lot of time cleansing before you can do any meaningful analysis.
Meaningful results: It’s not always hard to build predictive analytic models, but they have to translate to results that enable evidence-based decision-making.
Deliver ROI: There are a lot of products out there that produce 1% to 2% gains; that doesn’t necessarily justify the investment.
5. Internet of Things— While hospitals have been a bit slow in adopting IoT, three key trends will shape faster adoption:
Innovation in hardware components (smaller, faster CPUs at lower cost) will create cheaper, more advanced medical devices, such as a WiFi-enabled blood pressure monitor connected to the EHR for smoother patient care coordination.
General-purpose sensors are maturing and becoming more reliable for enterprise use.
Devices are becoming smart, but making them all work together is painful. It’s good to have bed sensors that talk to the nursing station, and they will become part of a top-level “platform” within the hospital. More sensors also mean more data, and providers will create a “back-end platform” to collect, process and route it to the right place at the right time to create “holistic” value propositions.
With increased regulatory and financial support, we’re on our way to making healthcare what it should be: smarter, cheaper and more effective. Providers want to do whatever it takes to cut costs and improve patient access and experience, so there are no real barriers.
We didn’t intend to write a series on the symposium that Insurance Thought Leadership hosted at Google last week for C-suite executives of major companies and for regulators, but I want to build on the wonderful post yesterday by Iowa Insurance Commissioner Nick Gerhart, about the insights he picked up there. For me, the symposium underscored a crucial point about the pace of innovation — how it can be faster than we expect at times but can also be slower.
And it’s crucial to get the timing right.
The faster-than-expected part comes from a partner at one of the major Silicon Valley venture capital firms, which we visited as part of the symposium. All these firms track where entrepreneurs are seeing possibilities and where investments are happening, and the partner said that in all of 2014 the firm had been visited by exactly zero people hoping to innovate in insurance. Yet, just in the fourth quarter of 2015, the firm met with 60 companies looking to innovate in insurance.
Even as innovation has surged in fintech, in general, investment in insurtech start-ups has been minimal, about 1% of the total for fintech. But that may now be changing. Start-ups may accelerate the disruption in insurance.
You’ve been warned.
The slower-than-expected (at least for me) part comes from a consensus about driverless cars at the symposium. The group discussions at all five tables reached almost identical conclusions: that fully driverless cars will be feasible technologically in roughly four years but that it will be 10 before they are a major presence on the road.
In Silicon Valley-speak, saying something is 10 years out means it verges on science fiction. After all, 10 years at a pace set by Moore’s Law means that you have some 30 times as much computing power available to you at no increase in cost — if you need that much more power to make something happen, it’s hard to know for sure that it works 10 years ahead of time.
But the concerns of the insurance C-suiters and the regulators were more prosaic. They felt that anyone who might be left behind because of driverless technology would kick up a fuss and that state governments, likely led by the legislatures, could intervene on behalf of constituents to slow the transition.
Perhaps insurance agents would fear the shift of auto insurance from a personal responsibility to a corporate one, shouldered by the manufacturers of the driverless cars or by operators of fleets of the cars — if no person is involved in driving, how can an agent sell personal lines insurance?
Maybe car dealers, already fighting a rear guard action to prevent direct sales by manufacturers to consumers, would fear further loss of their intermediary role — why would a fleet operator need a dealer to purchase tens of thousands of cars?
Basically, think of anyone who might lose business because of driverless cars and the promised reduction in accidents — parking garages, emergency rooms, whatever — and you can see an obstacle. Not everyone will be explicit about their complaints. It’s hard for an operator of prisons or funeral homes to demand more business. But our discussion groups were sure that opposition would surface in lots of ways and that politicians, always running for reelection, would lend support.
In fact, some technical concerns about driverless cars have surfaced in recent months. It turns out that Google cars have more accidents than human drivers do, albeit only minor accidents thus far and, most importantly, not because of any fault by Google — careless people seem to bump into Google cars a lot at stoplights. Google also acknowledges that the cars would have caused at least some accidents if not for intervention by the highly trained humans sitting in the driver’s seat. So, the technology still has a ways to go.
For me, then, the fundamental question from our symposium is: How do you position yourself for a technology that may be wildly important, yet whose timing is uncertain?
–A line that carries considerable currency in Silicon Valley is: “Never confuse a clear view with a short distance.” Even if you’re sure that something will happen as part of the transition to autonomous vehicles, keep in mind the issue of timing.
–Then think big, start small and learn fast — a dictum that just happens to come from another book Chunka and I wrote, The New Killer Apps: How Large Companies Can Out-Innovate Start-Ups. That means you get in the game now, with as big a vision as you can conjure up for yourself or your company. Then you start experimenting to see what works and what doesn’t — while spending extremely little money. You make sure you can kill the experiments as soon as you gather the needed information — no pilot projects allowed, at least not in the early days, and certainly no grand plans to go to market. And you keep iterating until both you and the market are ready. Then you start cashing checks.
Actually, one more thought: Consider coming to the Global Insurance Symposium that Nick and the fine folks in Des Moines (my dad’s hometown) are putting on in late April. Nick is as forward-thinking a regulator as I’ve met, and there will be lots of people there who can help you on your journey, whether that involves driverless cars or something else entirely. I’ll be there….
Cyber attacks were once on the periphery of American business consciousness. That mindset changed over the past two years. A series of devastating events, including the 2014 cyber attack against Sony, catapulted cyber liability concerns from an IT department issue to a major priority for boardrooms across America. As U.S. government officials concluded that North Korea was behind the attack, many C-suite executives suddenly found themselves asking questions. Is this the start of a cyber war? Could we be the next victim? If we are, how will it affect our operations and our bottom line? Do our insurance policies cover any of these costs?
Today, many insurance buyers look to their cyber insurance policies to fill coverage gaps that often exist in other policies. For example, a property policy may respond to physical damage from a named peril, but it will likely exclude loss for non-tangible assets as a result of a cyber attack. Similarly, a commercial general liability policy will likely provide liability coverage for causing bodily injury because of negligence but exclude coverage for liability because of a failure to secure sensitive data from hackers.
Many policyholders may be unaware that some, though not all, of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist in cases like the Sony breach, where government agencies, like the FBI, conclude that a foreign government or terrorist organization is responsible for the attack.
Is a Cyber Attack “Terrorism” or “War”?
Immediately following the Sony attack, President Obama referred to it by saying, “I don’t think it was an act of war . . . but cyber vandalism.” Then, on April 1, 2015, President Obama signed the Executive Order on Cybersecurity with the goal of protecting the private sector against hackers and thereby bolstering national security. The order seeks to identify and punish individuals behind attacks, but it could also lead some to categorize an apparent hacking event or act of cyber terrorism as an “act of war.”
Changes in government definitions trickle down into coverage disputes because many policies that exclude or include “war,” “terrorism” or “cyber terrorism” either fail to define those terms or define them by referring to standard government definitions.
Government Definitions of Terrorism, Cyber Terrorism and War
THE TERRORISM RISK INSURANCE ACT (TRIA)
“Act of terrorism” is defined as any act certified by the secretary of the Treasury in concurrence with the secretary of State and the attorney general of the U.S. to be:
» an act of terrorism
» a violent act or an act that is dangerous to human life, property or infrastructure
» an act resulting in damage within the United States or outside (on a U.S.-flagged vessel, aircraft or U.S. mission)
» an act committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population, U.S. policy or the U.S. government.
The secretary of the Treasury may not delegate his certification authority, and his decision to certify an act or not is not subject to judicial review.
DEPARTMENT OF DEFENSE (DOD)
The DOD defines “terrorism” as “the unlawful use of violence or threat of violence, often motivated by religious, political or other ideological beliefs, to instill fear and coerce governments or societies in pursuit of goals that are usually political.” The term “act of war” is understood to mean “a use of force [that may] invoke a state’s inherent right to lawful self-defense.”
DEPARTMENT OF JUSTICE (DOJ)/FEDERAL BUREAU OF INVESTIGATION (FBI)
The FBI defines “cyber terrorism” as “the premeditated, politically motivated attack against information, computer systems, computer programs and data [that] results in violence against non-combatant targets by subnational groups or clandestine agents.”
DEPARTMENT OF HOMELAND SECURITY (DHS)
The National Infrastructure Protection Center (NIPC), formerly a branch of DHS, defines “cyber terrorism” as “a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.”
Cyber Terrorism and the ‘Act of War’ Exclusion
Cyber policies are relatively new and manuscript products; as such, the wording varies significantly. Many policies contain a standard exclusion for “war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority…” An attack by the Taliban, for example, would probably fit within the exclusion as an act sponsored by a “public or local authority.”
Traditionally, war exclusions were relatively narrow; they required an actual war or, at the very least, “warlike operations”; “for there to be a ‘war,’ a sovereign or quasi-sovereign must engage in hostilities.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 1005 (2d Cir. 1974) (finding that a Jordanian terrorist group that hijacked a plane was not a de facto government for the purposes of applying the war exception).
However, the events of Sept. 11, 2001, changed the way certain events and groups were perceived and classified, ultimately leading many to label the 2014 cyber attack on Sony an “act of war.”
Litigation surrounding the Sept. 11 attacks led directly to an expanded view of the war exclusion. For one thing, the Second Circuit Court of Appeals ruled that the attacks were an “act of war.” In In re Sept. 11 Litig., 931 F. Supp. 2d 496, 512 (S.D.N.Y. 2013), an owner of a building near the site of the World Trade Center attacks sought to recover cleanup and abatement expenses for removing pulverized dust that infiltrated into the owner’s building after the collapse of the Twin Towers. He sued under the Comprehensive Environmental Response, Compensation, and Liability Act [CERCLA], which allows strict liability claims in pollution cases, but the court applied CERCLA’s “act of war” exception to strict liability.
In concluding that the attacks were an act of war, the court commented that “Al Qaeda’s leadership declared war on the United States, and organized a sophisticated, coordinated, and well-financed set of attacks intended to bring down the leading commercial and political institutions of the United States,” id. at 509, and that “as we learned in the twentieth century, and as has been true throughout history, war can take on a formal structure of armies in contrasting uniforms confronting each other on battlefields, and war can persist for years, fought by irregular, insurgent forces and capable of causing extraordinary damage,” id. at 511.
This expansion of the legal definition of “act of war” to include acts by “irregular, insurgent forces and capable of causing extraordinary damage” could lead to attacks by hacktivist groups or foreign intelligence services being considered acts of war and therefore excluded from cyber policies.
Cyber Insurance and TRIA
The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurers in the event of large terrorism-related losses (more than $100 million). There is debate over whether TRIA applies to cyber policies at all. TRIA applies to commercial property and casualty insurance coverage, but some cyber policies are written as another line of coverage, such as professional liability, which is not included in TRIA.
Even assuming that TRIA would apply to cyber insurance, for TRIA coverage to be in effect, (1) there must be losses, resulting from property damage, exceeding $100 million; and (2) they must be caused by a certified terrorism event:
(1) Property Damage: For TRIA to apply, physical property damage must occur, and what constitutes “physical damage” in the context of a cyber attack remains an open question. What we do know is that TRIA will probably not cover business interruption or reductions in business income absent some physical loss or property damage. Many cyber attacks do not involve any physical damage, which would exclude TRIA coverage.
(2) A Certified Terrorism Event: For TRIA to apply to any event, the event would need to be certified as an act of terrorism. This onerous and political certification process requires the secretary of the Treasury, secretary of State and attorney general to agree that an incident was an “act of terrorism.” Many political and economic issues factor into certifying a terrorism event, which can lead to counterintuitive results. For instance, as of the date of this publication, the April 2013 Boston Marathon bombing has not been certified as a terrorist act.
To ensure coverage for cyber terrorism and cyber warfare, buyers of cyber insurance will need to seek out a cyber risk insurance policy that explicitly includes this coverage in the broadest terms possible. As more insurance carriers enter the cyber insurance market, one must be wary that policy terms will vary from one policy form to the next, and some will have coverage terms superior to others.