
IT Security: A Major Threat for Insurers

As the insurance industry changes in response to continued digitalization, IT leaders must continue to maintain and improve their ability to protect confidential data and customer information. While technological advances can streamline processes, they can also open the door for potential risks. Modern digital systems and procedures must be completely secure for agents and insureds to trust them, and to protect the companies from liability.

In a recent Novarica study, we found that insurers are enhancing security capabilities across the board. Nearly half of those we spoke to are enhancing capabilities in intrusion detection, application security and data encryption. Fewer insurers are enhancing their intrusion detection capabilities in 2017 than in 2016, but they remain among the most basic elements of IT security, and a critical component in ensuring a rapid response to any breaches. Most insurers have also already put in place application security measures to prevent security gaps, though this is an area that needs continual investment to stay current against evolving threats. And larger insurers are more likely than mid-sized insurers to be planning enhancements for data encryption capabilities. However, some midsize insurers are planning to pilot and launch encryption capabilities, in part due to encryption requirements within the New York State cybersecurity law and NAIC cybersecurity draft.


Carriers still plan to enhance audits and procedures, but the level of focus in this area has dropped somewhat due to high investment in 2016, when many insurers adopted NIST for the first time. IT security is as much a matter of practices and monitoring as it is of technology. In fact, from a CIO resource perspective, audits and procedures are often more expensive than technology. Processes need to be created to evaluate all aspects of security management and determine the process maturity. These processes need to be independently validated through a combination of sampling, gathering statistics from tools and holding discussions with people responsible for those procedures.

We also see some activity when it comes to security frameworks and regulations. Insurers are preparing for new regulations, with some taking a “wait and see” approach to recently loosened New York State cybersecurity regulations. However, the New York State regulations or the NAIC cybersecurity model law will be replicated across all of the states over the next two to three years. Carriers need to monitor the developments in this area and ensure compliance to minimize fines and reputational damage.

In terms of frameworks, we see a slight increase in the adoption rate for NIST, from 60% to 70%, and a lower rate of 60% for SSE-CMM. NIST is a framework that uses business drivers to guide cybersecurity activities, and supplements activities related to SSE-CMM, as it covers all aspects of an organization’s processes. SSE-CMM assesses an organization’s maturity with regard to secure software development. Many insurers seem to prefer NIST over the SSE-CMM framework, and very few insurers are relying on other formal frameworks like COBIT, ITIL and the NYS regulation framework.

While more insurers choose to adopt NIST over other frameworks, adoption of formal frameworks is growing across the board. To ensure data protection across the enterprise, insurers can rely on frameworks to assess security risks. The organization must ensure that the software it builds or that is built on its behalf is secure and does not open up a security exposure. One good way to determine if the process of software development creates secure applications is to look at the security maturity of that process. The SSE-CMM is the way to assess this, but it does not go far enough. A full risk management framework needs to be applied to the firm to augment its other operational risk assessments. The NIST framework, developed in 2014, is becoming the standard for all insurers to assess digital and operational security risks in a structured way and to develop a road map to improve their cyber-security practices.


Most large insurers have a mature IT security function, with a dedicated organization led by a chief information security officer. But for smaller companies, dedicating resources and building competency in this area can be challenging. What is more, IT security is still seen as a lower priority for CIOs and mid-level managers. Less than 10% of an insurer’s IT budget is typically focused on security. In some cases, especially in mid-sized and small carriers, basic capabilities like penetration testing, ethical hacking programs and mandatory security training are lacking. Additionally, many carriers do not have a dedicated security executive like a CISO. Insurers must ensure that they understand their challenges and options, prioritize their investments and plan their responses to security incidents.

Has ‘Data Lake’ Idea Already Dried Up?

Well, that was fast.

Remember all those massive, megabillion-dollar data lakes we all kept hearing about over the past few years? With the exception of the U.S. government, we’ll probably never see their likes again. Many of the large organizations that were pursuing those data lakes (not to mention countless smaller ones) have largely changed course. Why? The answer is actually not so surprising, even if this particular outcome is.

Many of the CIOs I talk to these days are no longer thinking of their insight systems (analytics tools, data lakes, etc.) as separate from the rest of the business, or the enterprise systems that support them. They’re managing these insights systems more as a portfolio of analytics systems — a true play for return on investment (ROI). As a result, large investments are broken into smaller, more agile investments. The technology organization may be shepherding 500 analytics projects rather than just five high-profile initiatives — enabling and supporting 10,000 people, for example, rather than just 100. In that environment, a massive data lake starts to make less sense, even if all those 500 projects tap into it. A data lake is just too resource-intensive.


Meanwhile, the need to tap into a large volume of data isn’t going away. In lieu of a huge, proprietary data lake, what options are there? This is where CIOs are getting creative, creating a network of smaller, more manageable data lakes, for example, supplementing their data with that provided by other organizations.

Checklist for Improving Consumer Experience

Chief information officers (CIOs) are responsible for decisions and implementations that promise to deliver on enterprise goals. A CIO’s job is not only to invest in projects that are going to improve and streamline a company’s internal processes but to keep an eye out for initiatives and capabilities that will keep them ahead of industry shifts — shifts that can potentially challenge the company’s core business. Increasingly, improving customer engagement to promote loyalty and drive growth is becoming important to most insurers.

Understanding the scope of the process, where to begin and how to monitor progress remains problematic, so here’s a quick checklist of things CIOs can focus on today to start improving the consumer experience:

Start from the customer’s perspective.

  • Know who your customers are comparing you against:

Keep in mind (and remind your colleagues, whether they are in senior management or in the mail room) that consumers are not comparing you solely with other insurance companies. They are also comparing you with the other places they do business — and that includes online businesses (Amazon, for example).

  • Understand what their expectations are.

Here is a reality check: No consumer will be thrilled to fax a wet-signed renewal application. Although there are good historical and legacy system justifications for demanding it, this is no longer acceptable for today’s consumers, who rightly demand immediacy.

  • Meet them where they are… or will be.

Online is outdated; mobile is the new norm. You need to be thinking about how even mobile devices will be replaced by something newer and greater. In an age where cars can drive themselves and televisions are “smart,” how much harder do you think it will be to sell insurance?


Follow up by looking at things from your employees’ point of view.

  • What skills do your product development and marketing teams possess?

They most likely know a whole lot about insurance — its concepts, how to make it work from a business perspective and even how to present it to customers. Chances are, however, they are not versed in software engineering and technical concepts or tools.

  • What tools are employees familiar with and which do they use in their daily work?  

Can tools like Word, spreadsheets, email and interactive shared drives or repositories be leveraged?

  • How much IT engineering goes into translating a product vision into actual products (forms and online/offline interactions, whether direct or through agents and brokers)?

If you are like most carriers, once an insurance offering has been defined on the business side (product, marketing, claims, legal), IT steps in. How much time and money do you spend recreating what was already done in Microsoft Office? Would it not be more efficient if the subject matter experts were able to handle more of the load on their own?


Take it all in from a systems and processes perspective.

  • What core systems do you have in place today?

It is a safe bet that you have many systems in place, many of which overlap or are similar in features and purpose.

  • When — and how — are you going to consolidate, upgrade or replace those systems?

Realistically, this will take time. A long time. Probably too long to afford waiting for it to be done.

  • Look for plug-and-play capabilities and opportunities for an enhanced experience that do not force you to throw away all of your investments.

At the end of the day, you have a lot of smart people in your organization. Listen to what your customers are telling you, empower your people by removing extraneous and overly technical steps and look for ways to enhance your company’s communication capabilities without having to start everything over from scratch.


Why to Start Small on Healthcare IT

In a recent article by CIO, the volume of healthcare data at the end of 2013 was estimated at just over 150 exabytes, and it is expected to climb north of 2,300 exabytes by 2020—a growth rate of 1,500% in just seven years.

In response, both healthcare payers and providers are increasing their investments in technology and infrastructure to establish competitive advantages by making sense of the growing pool of data. But key actionable insights—such as how to improve the quality of patient care, increase operational efficiency or refine revenue cycle management—are difficult to find. Core challenges surrounding data analytics (capturing, cleaning, analyzing and reporting) are complex and daunting tasks, both from a technical and subject matter perspective.

It’s no surprise, then, that many healthcare organizations struggle to make sense of this data. While the advent of big data technologies, such as Hadoop, provides the tools to collect and store this data, they aren’t a magic bullet to translate these heaps of information into actionable business insights. To do so, organizations must carefully plan infrastructure, software and human capital to support analysis on this scale, which can quickly prove to be prohibitively expensive and time-consuming.

But, by starting small in the new era of big data, healthcare organizations are able to create an agile and responsive environment to analyze data—without assuming any unnecessary risk. To do so, however, they must be able to answer three questions:

  1. What narrowly tailored problem has a short-term business case we can solve?
  2. How can we reduce the complexity of the analysis without sacrificing results?
  3. Do we truly understand the data? And, if not, what can we learn from the results?

To illustrate the effectiveness of starting small, consider two examples: that of a healthcare services provider looking to prevent unnecessary hospital visits and that of a large healthcare provider looking to universally improve revenue cycle operations after a three-practice merger.

The first example concerns an organization that specializes in care coordination. This particular organization consumes a sizeable volume of claims—often more than five million a month. And to supplement core operations (e.g. patient scheduling and post-visit follow-ups), it sought to answer a question that could carry significant value to both payers and providers: How can we reduce the number of unnecessary hospital visits? By digging even further, there was a more-refined question from payer and provider clients: Can we identify patients who are at a high risk for a return visit to the ER? Last, but not least, the organization eventually asked the key question many such big data projects fail to ask: Is there a short-term business case for solving this problem?

To answer the question, the organization considered all available data. Although the entire patient population would provide a significant sample size, it could potentially be skewed by various factors relating to income, payer mix, etc. So the organization decided to narrow the search to a few geographically grouped facilities and use this sample as a proof of concept. This would not only limit the volume of data analyzed but would also reduce the complexity of the analysis because it does not require more advanced concepts of control groups and population segmentation. The approach may also allow, if necessary, subject matter experts to weigh in from the individual facilities to provide guidance on the analysis.

The results returned from the analysis were simple and actionable. The service provider found that particular discharge diagnoses have comparatively high rates of return visits to the ER, often related to patients not closely following discharge instructions. And by providing the payers and providers this information, the service provider was able to improve the clarity of discharge instructions and drive post-discharge follow-ups to decrease the total number of unnecessary readmissions. The cost of unnecessary admissions was significant enough to grant further momentum to the small data project, allowing the project to expand to other regions.

In the second example (a large, regional healthcare services provider looking to improve revenue cycle operations), a similarly tailored question was posed: How can we improve revenue cycle efficiency by reducing penalties related to patient overpayments? At first glance, this seems to be a relatively small insight for traditional revenue cycle analyses. Questions that could potentially have a larger impact (Who owes me money now? Which payer pays the best rates for procedure XYZ?) could provide a larger payoff, but they would inevitably complicate the task of standardizing and streamlining data and definitions for all three practice groups.

However, the analysis would provide a jumping-off point that would improve understanding of the data at a granular level. Not only was this regional provider able to create reports to identify delayed payments and prioritize accounts by the “age” of the delayed payment, it was able to better understand the underlying cause of the delayed payments. It was then able to adjust the billing process to ensure timely payments. Once again, timely payments significantly helped the working capital requirements of the organization by proving a rather short-term and significant business case. As a result, the small data project was expanded to include more complex revenue cycle management problems related to underpayment and claims related to specialty practices.

In both examples, the organizations deliberately started small—both in terms of the amount of data and the complexity of their approach. And by showing restraint and limiting the scope of their analyses, they were able to define a clear business case, derive actionable insights and gain momentum to tackle larger challenges faced by the organization.


New C-Suite Member: Chief Digital Officer

More than a quarter of the world’s population owns a smartphone. In 2014, global mobile data traffic reached 2.5 billion gigabytes per month, a figure that is 30 times as large as all the traffic on the Internet for the full year 2000. No wonder global companies are moving rapidly to reshape their businesses to meet this new level of connectivity. One way they are doing so is by appointing a new kind of executive, the chief digital officer (CDO). The CDO’s mandate: to equip companies for the digital future. This executive has the dual task of developing an all-inclusive digital experience for customers and the internal capabilities needed to support that experience — while simultaneously managing the considerable investment required. The emergence of the new role to lead the organization’s digital efforts may in part be a reaction to the chronically weak relationships between CIOs and CMOs, which we’ve observed over the last few years.

The number of companies that have hired CDOs remains small — just 6% globally, according to the results of the inaugural Strategy& study of digital leadership at 1,500 of the world’s largest companies. But the number is growing rapidly. Of the 86 CDOs we found, 31 were appointed in 2015. The sectors where the highest proportion of companies have CDOs are travel and tourism, with 31%; entertainment, media, and communications companies, with 13%; and food and beverage companies, with 11%. At the other end of the spectrum, only 1% of mining and metals companies had a CDO; just 2% of those in the automotive, machinery and engineering sectors did; and only 3% in technology and electronics did. One is also more likely to see CDOs in European companies than in their U.S. or Asian counterparts, and CDOs are more likely to appear in large companies than small ones. We suspect that in many cases where a CDO has not been appointed, it is because the related responsibilities are already distributed among other top management roles and are entrenched in all aspects of the company’s culture.

In the past, traditional CIOs and CTOs were focused primarily on their companies’ IT, managing employee desktops and enterprise-wide ERP and CRM systems. The CDO role, although it varies from one company to another, is far more comprehensive. Besides customer experience, the development of digital features in new products and services and the relevant operational changes, the CDO may oversee changes in technical infrastructure and innovations in data collection and analysis. The CDO must also be an agent of cultural change, championing the digital transformation throughout the company and linking it to the development of the distinctive capabilities that form the basis of a company’s strategy.

Here are glimpses of chief digital officers (or people in similar roles) at four major companies, and the ways in which they meet the challenge of digital transformation:

–Jessica Federer is head of digital development at Bayer. “The data piece is actually the easiest,” she says. “Data is data. It’s the people piece that’s the challenge. So we focus first on the people in the organization, and how we connect across synergies, across silos, over platforms and data.”

Soon after she was appointed, Federer created a digital council consisting of the CIOs and CMOs of the relevant divisions at Bayer. Their task was to look at potential synergies. She also fostered a huge network of people involved in some aspect of digital transformation, to which she gave the acronym NERD (Network for Enterprise Readiness and Digital). “They bring together digital marketing with digital product supply with digital R&D,” Federer says. “We used to do this in silos, but now we do it by sharing information.”

–At Renault, CDO Patrick Hoffstetter is creating a centralized digital transformation organization, which he calls the Digital Factory. This is not a literal factory, but a metaphorical center for people throughout the company who already work on digital projects and another group working at about 65 outside suppliers. The factory is the nexus of communications about the digital strategy, and the place where resources and experts come to design the transition to what Hoffstetter calls “the connected employee.” The changes put into place at the Digital Factory will affect how people work, what they expect from the company and what tools they are given.

Balancing the timetable for this complex shift is a key part of the CDO’s role. “One reason most operations in digital strategy and transformation are focused on sales and marketing is that these functions have a direct, quite short-term impact on the business,” Hoffstetter says. “Whereas when it comes to the evolution of internal processes, internal social networks, acceleration of collaborative tools and internal training, it’s much harder to show any payback, and it takes a lot longer.”

–Corinne Avelines, CDO of the decorative paints division of the Dutch chemical company AkzoNobel, says broad support is critical: “Commitment at the top management level to innovation and digitization has made my job considerably easier,” she says. “Senior support is key to ensuring commitment to digital at the company, especially one of this size.”

At the same time, she says, overall strategy must always drive decisions about how and what to digitize. “Gaining a competitive advantage in a fast-digitizing age is a challenge, so CDOs must understand their company’s current position and future strategy — what will make an impact on providing value to the customer — and focus on that. Worry about the other things later.”

–Visa CDO Chris Curtin says that he has learned to participate actively in the creation of the overall business strategy — and lead the process when necessary. “I not only think that the best CDOs are reflective of the business,” he says, “I think that in many respects they are the business.” To that end, he believes that CDOs should “forget about digital. Forget about new media. The business objective has to permeate the thinking and the strategies and the go-to-market approach of the CDO and his and her team. Never make the means the end. A million followers on Twitter is just a means. The end is the business goal.”

The CDOs interviewed for this study all emphasized the importance of working closely with every function of the business. Being part of top management gives them a critical strategic perspective, but they must also be given the power and support they need from functional groups. Otherwise, they may find themselves with a seat at the table but without the strategic and operational input that the digital transformation needs.

Ultimately, the goal of every CDO is to ingrain the digital agenda so deeply and efficiently that it will become a way of life for everyone and every function in the organization, and a priority for every member of its C-suite. Sooner or later, companies may get to a point where a transformation isn’t necessary, because it has already happened. Digital technology will be so well-integrated that it won’t be a separate issue anymore. It will simply be part of the way people work, and the CDO will move to some new type of challenge.

This article was written by:

  • Roman Friedrich, a leading practitioner with Strategy&, PwC’s strategy consulting business, and a partner with PwC Germany. He is based in Düsseldorf and Stockholm.
  • Pierre Péladeau, a thought leader on digital strategy with Strategy& and a partner with PwC France, based in Paris.
  • Kai Mueller, a specialist with Strategy& and a senior research and knowledge manager with PwC Germany, based in Berlin.