
4 Trends in Insurance in the New Year

The pace of technical innovation continues to be top of mind in the insurance industry. About 96% of insurance executives say innovation at their companies has increased over the past three years. And global investment in insurtechs hit a record $3.26 billion through the first three quarters of 2019, according to Deloitte.

It’s clear 2020 will see a continuation of technology advancement within the industry. Following are four trends we are seeing on the horizon:

1. User Experience — Carriers, agents and consumers all want the same thing: for the insurance buying process to be fast and easy. Consumers want to research plans, compare options and buy insurance products when they need them on the device(s) they choose, often on their mobile phone (more than half of all search queries in 2019 came from mobile, Google says). And consumers prefer a tailored experience.

According to Accenture, 90% of insurance executives say that integration of customization and real-time delivery is the next big wave and competitive advantage. Additionally, nine out of 10 insurance executives believe a tailored approach will give companies a competitive edge. The firm says the ability to fulfill consumers’ needs at the “speed of now” will be the way to stay competitive, with the world available at consumers’ fingertips via smartphones.

Digital expectations have evolved, and there’s an opportunity to deliver a much better customer experience in the insurance industry. Technology has enabled a world of extreme customized and on-demand experiences. The insurance industry must harness this technology to deliver the superior customer experience that consumers are quickly coming to expect, to stay competitive.

This mobile-first, real-time delivery approach has influenced our marketing, design and development teams to focus on a highly mobile-optimized user experience in every aspect of our operation. We expect a mobile-focused push for the insurance industry in 2020, from both the carrier and broker/agent sides.

See also: Insurance Innovation’s Growth Challenge  

2. Analytics — Data analytics is growing across industries, given its potential to help businesses get ahead. Data-driven organizations are 23 times more likely to acquire customers, six times more likely to retain them and 19 times more likely to be profitable, McKinsey Global Institute says. The insurance industry is no different.

The one constant across all our largest and most successful partners is their obsession with data and reliance on specialized technology. One such example is with customer relationship management (CRM) companies. CRM companies (Salesforce, and others) are developing industry-specific integrations, such as conversion endpoints, to track performance metrics, allowing for more real-time recording of important metrics. Insurance companies that take advantage of these tools have a major competitive advantage over those that do not, due to their ability to accurately measure and track important metrics like customer long-term-value (LTV), conversion rates of lead data and marketing return on investment (ROI).

3. Sales Enablement — Increasingly, carriers and agents are seeking more information, content and tools to engage buyers and help them to move to purchase, as well as address future needs post-purchase. Use of sales-enablement tools is on the rise, with only 20% of organizations reporting using them in 2013 and over 60% using them in 2019, according to CSO Insights. Agents want to understand who the lead is, what the person needs and how agents can best help drive more effective communications and fuel analytics and future programs. Agents also need these systems to work with other technologies—from mobile app, to CRM—to enable access to real-time information and a more seamless process.

4. Compliance — Compliance will and should remain a top priority for the industry. As consumer data protection becomes more of a focus in the media, we can expect to see more states moving toward a European-style, GDPR-type data protection policy. California is one of the first states to adopt such a policy with the recently adopted California Consumer Privacy Act (CCPA), which came into effect Jan. 1, 2020. With more legislation focused on protecting consumers, we expect a stronger push toward industry-standard software to verify a company’s right to contact consumers.

See also: Blurring Boundaries Drive Innovation  

In a world that is moving toward better technology solutions daily, it is important for carriers, brokers and agents to keep up with these changes and constantly look for ways to interact the way that digitally savvy consumers want to interact.

How CCPA Will—and Won’t—Hit Insurance

When the New Year arrives, so, too, will a new standard for privacy. The California Consumer Privacy Act—and its recent amendments and draft regulations—will soon govern how entities around the world are allowed to collect and process data. Although CCPA is limited to the data of California residents, the ultimate impact is much greater than it at first might seem. California represents the world’s fifth-largest economy and the nation’s first state to pass comprehensive privacy legislation. As a result, CCPA will likely influence privacy laws domestically and abroad, and could even begin the push toward federal regulation.

Much of CCPA is based on the European Union’s General Data Protection Regulation, but the two landmark privacy laws differ on an important issue. While GDPR requires individuals to provide consent before their data can be collected, CCPA instead assumes consent and requires it to be revoked if an individual wishes to opt out. In other words, entities can collect the data of California residents as a default, whereas those same entities would need permission before gathering information about EU residents. This key philosophical difference benefits businesses by putting the onus on consumers to manage their privacy preferences—and that’s not the only way the California law is pro-business.

The “financial institution” exemption

Originally drafted as a ballot initiative by real-estate-developer-turned-privacy-activist Alastair Mactaggart, CCPA was designed to protect the privacy of consumers against the financial interests of large technology corporations. CCPA allows individuals to prevent the selling of their data, creates greater transparency in companies’ data-collection practices and increases penalties for improper data-security measures. However, for some industries—such as financial services and insurance—where the collection and processing of personal information is necessary for operation, the law carves out exemptions for specific data types used in those instances.

See also: Vast Implications of the CCPA  

An example is the exemption of data that is considered “personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations,” as referenced in Cal. Civ. Code § 1798.145(e). Referred to as personally identifiable financial information (PIFI), this data is addressed specifically by the Gramm-Leach-Bliley Act (GLBA) and subject to its regulation. CCPA finds the controls laid out in GLBA to be sufficient and therefore allows itself to be superseded by the federal law. PIFI is defined as any information:

  • Provided by a consumer to acquire a financial product or service
  • Used or referenced to perform a financial transaction
  • Gathered during the process of provisioning a financial product or service

As one might gather, data that might qualify as PIFI in one instance is not guaranteed to be considered PIFI in another context. For example, only data collected and directly related to the provision of a product or service constitutes PIFI.

So, if that same data is collected solely for the purpose of marketing or business analytics, it would not be considered PIFI. Any non-PIFI data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” would be subject to CCPA, according to Cal. Civ. Code § 1798.140(o)(1).

As one might imagine, this distinction can become cloudy in some applications and results in considerable gray area. To address this uncertainty, it is recommended that organizations work with their legal teams to review all of the data in their possession and re-evaluate their regulatory compliance obligations under both CCPA and GLBA.

So, what is subject to CCPA?

Within the insurance industry, any type of personal information that does not fall within the parameters of PIFI is subject to CCPA—if the entity collecting it meets the law’s established criteria. According to CCPA, any organization that has a gross annual revenue of over $25 million, processes at least 50,000 California residents’ records for commercial purposes or can attribute half of its revenue to the selling of personal information must follow the requirements of CCPA—or risk facing substantial fines and other penalties. This likely includes most decent-sized insurance companies.

Although much of the information processed by providers is shielded against CCPA, the data possessed by policyholders is not. The total cost of cyber insurance premiums worldwide is projected to increase to $7.5 billion next year, and CCPA is a big reason. Because CCPA gives teeth to fines and other penalties for data breaches, many organizations will be looking to expand their cyber insurance coverage or purchase policies if they don’t have one already.

See also: Where to Turn for Cyber Assistance?

As the privacy landscape continues to shift with the development of new laws domestically and abroad, risk minimization must be prioritized by both insurance companies and their policyholders. Whether you’re concerned about CCPA compliance or preparing for the next wave of privacy regulations, we recommend deploying tokenization as a risk-reducing solution to protect sensitive data. When implemented properly, tokenization can significantly reduce the likelihood of a cyber event and, as a result, a claim. It’s an affordable investment that can better protect data and improve an insurer’s ability to provide reliable coverage.

Vast Implications of the CCPA

The California Department of Finance recently wrote a Standardized Regulatory Impact Assessment (SRIA) of the California Consumer Privacy Act of 2018 (CCPA). The SRIA was prepared for the Department of Justice, the primary regulatory body, whose work is hoped to provide some clarity over what remains a confusing array of obligations for most California businesses. The Department of Finance is required by law to do these assessments when the proposed regulation has an economic impact of over $50 million.

The Department of Finance went to great lengths to separate the cost of compliance with the CCPA as opposed to the costs generated by possible regulations from the Department of Justice. As to the former, per a letter dated Sept. 16 from the Department of Finance to the Department of Justice, “The SRIA estimates that the initial cost of compliance may be up to $55 billion.”

As noted in the report, “Small firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises.” The definition of small business in the full report appears to be based on an estimate of how many employees would need to generate the revenue necessary to constitute a business as defined in the CCPA. As a result of this calculation, it is estimated that a “small” business would have at least 250 employees.

This analysis, however, does not take into account the impact of the CCPA on a small business that acts as a service provider to a business but does not itself qualify as a business under the CCPA. Using the Finance methodology, this would mean any service provider with fewer than 250 employees that receives personal information from a business. These service providers will need to respond when their business customers start asking for revisions in contracts to meet CCPA obligations, and to show they are otherwise compliant with the obligations of service providers under the act.

See also: Keys to California’s Consumer Privacy Act  

The report also notes, looking to the experience of the European Union (EU) and the General Data Protection Regulation (GDPR): “Conventional wisdom may suggest that stronger privacy regulations will adversely impact large technology firms that derive the majority of their revenue from personal data, however evidence from the EU suggests the opposite may be true. Over a year after the introduction of the GDPR, concerns regarding its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs.”

The Department of Finance makes the assumption there will be a fairly static compliance environment after Jan. 1, 2020. That may not be a correct assumption. Alastair Mactaggart, the father of the California Consumer Privacy Act of 2018 (CCPA), announced recently he will be going back to the ballot in 2020 with the cleverly named California Consumer Privacy Act of 2020. At least part of the motivation behind this, according to Mactaggart, is to keep the legislature from weakening privacy protections – a much more difficult task when a law is enacted as an initiative measure. Following his initial filing with the attorney general on Sept. 25, Mactaggart filed a slightly edited version of the proposal – now titled the California Privacy Rights and Enforcement Act of 2020 (CPREA) – on Oct. 2. The new moniker for this may have something to do with messaging in anticipation of a campaign next fall.

While the business community is attempting to negotiate with Mactaggart and his coalition in an effort to ameliorate the impact of this initiative, in the rapidly changing world of technological innovation nothing is static. The initiative process in California, however, is a public process cast in quick-set concrete. Regardless of what is put into this ballot measure regarding future amendments in the legislature, the proponents of this law will invest in themselves the prerogative to decide what is “in furtherance of” their grand scheme. Their self-serving bureaucracy, the California Privacy Protection Agency (CPPA), is an effort to create a semi-autonomous state within but unaccountable to any of the apparatus of state government. While disdainful of the legislative process, this agency would be governed by a decidedly political five-member panel: two appointed by the governor, one by the president pro tem of the Senate, one by the assembly speaker and one by the attorney general.

No mention of the insurance commissioner — just in case you missed that omission.

See also: In Race to AI, Who Guards Our Privacy?  

Regardless of the fate of a ballot measure on privacy, we are now in an environment where multibillion-dollar compliance costs are table stakes. For those who can afford it, it will be business as usual, even if slightly disrupted. For those who cannot, compliance is a death knell to innovation. Promising technologies that are dependent on personal information will be stifled unless Big Tech can grab it and afford the cost of putting such innovations to market. This affects all aspects of California’s economy.

But when Big Government and Big Tech are the only easily identifiable winners in a public policy debate, can we expect anything more?

In Race to AI, Who Guards Our Privacy?

Way back in 1975, geochemist Dr. Wallace Broecker of Columbia University published his article “Climatic Change: Are We on the Brink of a Pronounced Global Warming?” Today, almost 45 years later, the debate has intensified but still rages, even as some believe the clock is running out. The U.N. Intergovernmental Panel on Climate Change warns that we have only 11 years to limit the chances of a climate change catastrophe.

I see very strong parallels between Dr. Broecker’s warnings and those related to our loss of personal data privacy. Society is facing the threat of climate change, which some experts say will reach a tipping point; we may be reaching a similar tipping point with privacy and cyber security.

In their paper presented at the 1965 Fall Joint Computer Conference titled “Some Thoughts About the Social Implications of Accessible Computing,” E. E. David, Jr. of Bell Labs and R. M. Fano of MIT warned that “the same technology which has given us new dimensions in communication has been used to implement eavesdropping equipment.” They went on to say that “the very power of advanced computer systems makes them a serious threat to the privacy of the individual”.

See also: Untapped Potential of Artificial Intelligence  

Just as we continued to contribute to climate change, we continue to surrender personal privacy in exchange for the lure of instant gratification delivered through simple, easily accessible technologies.

Insurance Industry Opportunity

The insurance industry is uniquely positioned to take the lead in safeguarding data privacy; few other industries have the same depth and breadth of personal information or the same level of dependency on the trust and loyalty of their customers.

Many insurers of property, life and health, along with numerous supply chain intermediaries, are employing a wide range of connected digital technologies to gather individual data, store and analyze it, use it to train AI and use it to offer new, different and attractive products and services. And, as of now, there is no easy way for customers to reclaim their data. People may consciously understand the trade-offs of using digital services, but few understand how extensively their data is captured, used and shared. And that data exists in digital form and therefore virtually forever, most certainly long after we are gone.

Without applicable data laws, we’re left with a decentralized patchwork system, devoid of human control. Privacy concerns are surfacing almost daily now, but successful, high-profile applications of analytics are drowning out the cautionary voices. Facial recognition, which is not unlike taking your fingerprints without your permission, is being used by China to keep track of all of their citizens and has been deployed by law enforcement agencies all over the world.

Too Little, Too Late

In a relatively small victory for opponents of this rapid adoption, San Francisco recently became the first U.S. city to ban the use of facial recognition by local agencies. And California’s tough new law, the California Consumer Privacy Act, which takes effect in January 2020, will significantly limit how companies handle, store and use consumer data. The law will require businesses to be more transparent, give consumers the ability to delete and download collected data and give them the chance to opt out of the sale of their information. Still, according to a new survey by TrustArc, most companies still aren’t ready to comply.

See also: 3 Steps to Demystify Artificial Intelligence  

Elsewhere, the European Union’s General Data Protection Regulation (GDPR), a set of new privacy laws, went into effect in May 2018. And Hawaii, Massachusetts and Washington are all considering their own state privacy laws, while Brazil passed its own regulations, which will take effect in 2020.

Insurance Industry Call To Action

What we really need, however, is a standardized, global set of rules and regulations on the permissible uses of personal data and a process governing and enforcing them. The global insurance industry would gain much by taking the lead in this effort – and sooner than later.

The Globalization of Risk Management

Globalization is affecting just about every business these days. Even if a company operates only in the U.S., its customers, suppliers and traveling employees may very well be in another country. That means the laws, regulations and cultural differences in those areas are likely affecting the organization.

This increased globalization of businesses means risk managers must have more of a global focus. Managing risk on a multinational basis was one of our “Issues to Watch” for 2019, as many risk managers are looking for ideas and resources. To help us better understand the issue, we had four distinguished experts join us for our most recent Out Front Ideas with Kimberly and Mark webinar:

  • Maggie Biggs, VP of insurance and risk management for VF Corporation
  • Kevin Hoskinson, client executive of global risk management for Marsh
  • Mary Roth, CEO of the Risk & Insurance Management Society
  • David Stills, VP of global risk management for Walmart

Why It Matters

Companies with no physical presence outside the U.S. are nevertheless affected by international regulations around issues such as data privacy. For example, the General Data Protection Regulation (GDPR), a law that regulates how companies protect the personal data of citizens in the European Union, carries stiff penalties for noncompliance. Businesses must be aware of the tenets of the law and adhere to them.

Issues such as the expansion of the GDPR prompted RIMS to address the idea of globalization several years ago. With members in more than 60 countries, the organization was hearing that the risk management culture present in the U.S. was just not the same in other areas of the world.

RIMS identified the Asia Pacific region as the area where it could truly make an impact by bringing in its resources. After surveying its members, the organization set up advisory groups that include people in risk management in the affected markets and is building programs there.

Program Structure

Setting up a risk management program in another part of the world depends on several factors, such as the country and its laws and regulations and the organization. While centralized and decentralized are the two basic models, many companies instead have a hybrid.

A totally centralized model means all decisions are made at the corporate office. These decisions could include which risks to retain as well as which brokers and other partners to use. The other extreme is all decisions being made within each country. Going completely one way or the other may be a mistake. Instead, our panelists said the process should be fluid and allow for changes in leadership.

See also: Why Risk Management Is a Leadership Issue  

A centralized decision-making model may be more balanced and less expensive. On the other hand, local regulations can complicate things.

Communication barriers can also present problems, as one panelist explained. A simple question from a team member in Asia would not reach her desk for 12 hours; then it would go to the broker team and others. It could take a week before there was an answer.

Program enhancements to address such hurdles that our panelists have tried include consolidating broker relationships into a single hub and ensuring the broker has local input to help place insurance with capable companies that meet the business’ needs.

An important consideration in a program’s structure is premium allocations. Regulators and taxing authorities are finding that premium taxes can be a new revenue source. Regulatory officials are looking at what a company has in terms of exposures and requiring the business to justify that the premium is commensurate with the risk.

For example, one panelist noted a situation with a client who sustained a large property loss in France but had not allocated any premiums specifically to that country. While the insurer was happy to pay the claim, it was difficult to determine whether shifting the money paid in the U.S. to a local French subsidiary constituted income or a gift, both of which were taxable.

The issue can be complicated and expensive. Businesses should at least have an idea of how they might handle such a situation.

Addressing cultural differences is one of the most important things a risk manager can do, our panelists said. It’s critical to understand these differences and learn how to work within various cultures. For example, employees in some Asian countries may feel embarrassed or even ashamed to admit, let alone report, their injuries. Implementing safety strategies and incident reporting processes would need to be done in a way that respects that cultural difference.

The typical challenges encountered by any business are that much more complicated because of language barriers, time differences, regulatory disparities and cultural variances. The key to overcoming these hurdles is solid communication and strong relationships with the company’s international partners.

It is important to dispel the idea that the world revolves around the U.S. and how we do things here. That perception creates obstacles for businesses trying to work effectively in other countries. The theme of “Think globally, act locally” was endorsed by several of our panelists. It means adapting to local nuances and practices. Risk tolerance levels, for example, may be different in another country. Instead of dictating how things should work, it is better to get local input.

There are also different applications of law in other countries. Negligence or leases, for example, may not have the same elements as in the U.S. It behooves a company to discover the local laws and how they are applied.

Something as simple as communicating with international partners can be complex. Instead of email, for example, WhatsApp or WeChat may be the more popular mode of messaging.

Risk Management Differences

Companies need to be aware of risk management differences in countries outside of the U.S. Our speakers outlined several examples:

  • Court system differences. There may or may not be a jury system. The class action mechanism may not be available in certain countries, creating a difficult environment for mass claims. The speed of the legal system may be incredibly slow, compared with the U.S.
  • Adequacy of damages. Other countries have different perspectives on what is considered adequate. Some jurisdictions lean toward inflated awards that make no sense to us. Or, a company might not need the level of general liability coverage, for example, that it would need in the U.S.
  • Deductible levels. In some countries, there is a strong preference to have first-dollar insurance. While that may not seem cost-effective, teams in some countries are responsible for their own profits and losses and can be severely affected by a large hit. In some cases, international policies for general liability will have zero-dollar deductibles, while other lines – such as property/casualty and directors and officers liability – have large deductibles globally.

Risk managers are used to reviewing contracts to ensure their company is protected from risks associated with a business arrangement. However, internationally there is a tendency to deal with those risks on a business basis rather than through insurance. Because of this, there may not be adequate insurance in place to cover risks.

As an example, consider a manufacturer and supplier in China that does not buy the product liability coverage limits typically seen in U.S. contracts, but the part it makes is entering the U.S. market. There have been situations in which a large loss on a product in the U.S. essentially shut down the Chinese company because its insurance coverage was inadequate.

Additional Considerations

Political risk and supply chain are two issues that can have a significant impact on global risk management programs. U.S./China relations of late have generated the risk of tariffs on Chinese-made products imported into the U.S. Likewise, there can be a backlash on U.S. brands sold elsewhere.

A regulatory change could spark political unrest that causes damage or looting to a business. There is also the risk of local governments confiscating property.

See also: How to Improve ‘Model Risk Management’  

A political uprising or natural disaster could devastate a company. The panel advised businesses to consider, for example, whether remote operations are warranted, or whether backup stock of products is necessary.

Supply chain challenges related to theft can be a major concern for multinational companies, especially products traveling through Mexico and South America. There’s also potential risk to the security of the people moving the products.

Monitoring the political climate of other countries, and lobbying where possible, is invaluable. Some companies do an annual deep dive evaluation of the risks in specific countries. While it may not be possible to manage all the risks, understanding what is happening can go a long way to protecting property and people.

Available Resources

Organizations looking for help to better understand and address global risk management issues can turn to RIMS. Since the organization embarked on its globalization efforts several years ago, it has developed a plethora of resources for risk managers. Under the Community section of the RIMS web page, you will find all of its global resources.

The full Out Front Ideas webinar on Globalization of Risk Management is available to listen to online.