Tag Archives: pci

How SMBs Drive Innovation in Cyber

Large organizations have long understood the intrinsic value of customer data. Using it to formulate and execute on key business decisions, enterprises can better meet customer demand, anticipate a buyer’s propensity to purchase and stay ahead of savvy competitors. Because of the substantial amounts of resources required to successfully leverage customer data, and considering its highly confidential nature, large companies have also traditionally led the pack in implementing cyber insurance to protect this crucial business asset.

Despite having fewer human and monetary resources, small and medium-sized businesses (SMBs) have started joining in on the data-driven movement, leveraging their existing customer data to deliver superior customer experiences and, in some cases, successfully compete with large organizations. Protecting that invaluable intelligence, however, has historically been overlooked. Many SMBs assume they aren’t as much of a target as large companies are, or they simply aren’t aware that cybersecurity tools are available to them. Plus, complex buying processes and exorbitant pricing often prohibit even the most knowledgeable SMBs from adequately protecting their assets.

New and Improved SMB Habits

Thankfully, times are changing. As SMBs continue to take advantage of the business benefits that leveraging customer data can provide, they’ve caught on to the merits of defending their customer data with cybersecurity measures such as cyber insurance. In fact, it’s fair to say SMBs will drive the next wave of cyber insurance adoption.

According to recent research conducted by my company, demand for cyber insurance has skyrocketed among the SMB market as of late, with the highest quarterly growth being 150% and averaging approximately 69% per quarter. In Q2 of 2018 alone, 30% of our commercial insurance shoppers purchased cyber coverage, up from 12% a year ago. First-time cyber insurance shoppers are also on the rise among SMBs, having experienced a quarterly growth of 34% over the last year.

Key Factors Contributing to Cyber Insurance Growth

There are a variety of reasons for SMBs’ increasing enthusiasm for cyber insurance, such as a rise in SMB-targeted cyberattacks and widespread, difficult-to-detect network vulnerabilities. However, after analyzing our digital proprietary data collected from Q1 2017 to Q3 2018, we found the following three factors equally critical in driving SMB cyber insurance adoption:

1. Compliance Requirements

Compliance requirements such as HIPAA, PCI and DCI have contributed significantly to the growth of the SMB cyber insurance marketplace. Recent data privacy regulation rulings such as GDPR and the California Consumer Privacy Act may also be pushing adoption, as the percentage of our shoppers who stated compliance requirements as a motivating factor increased 39% quarter-over-quarter.

2. Contractual Components

In the past, mandating cyber insurance for SMBs was difficult, due to the lack of affordability and accessibility. Today, digital-first insurance providers have drastically reduced distribution costs, allowing organizations to enforce cyber insurance as an essential component of third-party vendor contracts. According to our data, nearly half (46%) of SMBs buying cyber insurance are purchasing due to contractual requirements.

3. Affordable Policies

The price of SMB cyber insurance has declined substantially over the past year, primarily due to carriers’ ability to provide tailored policies designed to meet SMB-specific needs. In April 2017, our data shows the average monthly premium cost for a $1 million cyber insurance policy was $270. By June 2018, however, the average monthly premium cost for a $1 million cyber insurance policy dropped to just $77.

The Future of Cyber Insurance Adoption

Compounding factors will continue to drive the SMB cyber insurance market. From a business perspective, state and federal regulations will likely make cyber insurance a mainstream business priority, and enterprise-level contractual requirements will make cyber insurance a must-have for third-party vendors. On the consumer side, customers will continue to take an increasingly active role in their personal cybersecurity, demanding SMBs effectively secure their personal data through security solutions, including cyber insurance.

Though our data is still maturing, the steady increase in SMB shopper awareness and overall market readiness indicate that 2018 serves as an inflection point for the mainstream adoption of cyber insurance. Furthermore, with the SMB population in the U.S. expected to exceed 34 million by 2025, cyber insurance will be an essential factor in securing our collective digital world, and we can expect any business with assets to secure, and long-term viability to protect, to make cyber insurance a critical element of their comprehensive cybersecurity plan.

Actuaries Beware: Pricing Cyber Risk Is a Different Ballgame

Growth in the cyber insurance market has recently occurred at warp speed, with more than 60 companies writing in the U.S. alone and with market premiums amounting to approximately $2.5 billion annually. The impressive year-over-year growth is expected to continue into the foreseeable future, with a variety of estimates placing market premium between $7.5 billion and $20 billion by the end of 2020.

This impressive premium growth is due to several factors — perhaps most notably, regular news reporting of the various types of cyber attacks, which drives both awareness and fear. Not surprisingly, cyber risk has become a board-level concern in today’s increasingly connected world. Additionally, recent growth of the Internet of Things has given rise to a seemingly infinite number of attack vectors affecting every industry. Individuals and entities of any size, spanning all regions of the world, are potential victims.

The apparent need for new apps and devices that link to one another without focus toward security of those apps or devices gives reason to worry. It also creates an immediate need for a suite of security analytics products that helps insurance companies write cyber insurance more confidently.

State of Data

Actuaries are creative and intelligent problem solvers, but this creativity and intelligence is tested thoroughly when pricing cyber insurance. Actuaries still need the same suite of products used within any other catastrophe-exposed lines of business, but there are many challenges and complications with respect to cyber insurance that make this a particularly difficult task. That is, we still need an underwriting tool, an individual risk-pricing tool and a catastrophe-aggregation model, but certain aspects of these tools vary significantly from what we’ve seen in the past or have grown accustomed to as actuaries.

Data lies at the center of any actuarial project, but data in this space is very limited for a number of reasons. To consider why this is the case, let’s take a step back and consider the wider context. We first want to think about both how to define the cyber peril and what types of attacks are possible.

Risks could lie anywhere between smaller attacks on individuals involving brute-force attempts to steal credentials and conduct identity theft; and state-sponsored attacks on another government entity involving both physical damage and theft of critically sensitive intelligence. We may see malware deployed on a commonly used piece of software or hardware at a massive scale; infrastructures or processes taken down using denial of service; or a breach of a popular database or platform that affects many entities simultaneously.

Many of the attack variants in this hypothetical list have never happened, and some may never happen. Even within those that have happened, information pertaining to the breach — both in terms of the attack specifics used or the actual dollar impact of the attack — is hard to come by.

Several third-party data sources are currently available, but they tend to concentrate primarily on those pieces of data or attack types that are most accessible — particularly data breach and privacy violation claims. This, naturally, is a very small subset of what we need to price for as actuaries.

Unfortunately, there is fairly loose regulation around the reporting of different types of attacks. Even within the data breach family, there exists tremendous lack of standardization across states with respect to reporting. Criteria for whether a report is required may include whether the data is encrypted, how many people were actually affected by the breach and the type of data stolen (PHI, PII, PCI, etc.).

External research can be done on public sources to find the aggregate amount of loss in some cases, but there is little to no incentive for the breached entity to provide more information than is absolutely required. Thus, while we want to price data breach events at a very granular level, it’s often difficult to obtain dollar figures at this level. For instance, a data breach will lead to several costs, both first party and third party. A breached entity, at minimum, will likely have to:

  • Notify affected customers;
  • Offer credit monitoring or identity-theft protection to those affected;
  • Work with credit card companies to issue new credit cards;
  • Foot bills associated with legal liability and regulatory fines; and
  • Endure reputational damage.

It’s impractical to assume that a breached entity would find it attractive to publicize the amount lost to each of these individual buckets.

Worse, other events that either don’t require reporting or have never happened clearly give us even less to work with. In these cases, it’s absolutely critical that we creatively use the best resources available. This approach requires a blend of insurance expertise, industry-specific knowledge and cyber security competence. While regulation will continue to grow and evolve — we may even see standardization across both insurance coverages offered and reporting requirements by state or country — we must assume that in the near future, our data will be imperfect.

Actuarial Challenges

Though many companies have entered the cyber insurance space, very few are backed by comprehensive analytics. Insurers eager to grab market share are placing too much emphasis on the possibility of recent line profitability continuing into the future.

The problem here is obvious: Cyber insurance needs to be priced at a low loss ratio because of catastrophic or aggregation risk. Once the wave of profitability ends, it could do so in dramatic fashion that proves devastating for many market participants. The risk is simply not well understood across the entirety of the market, and big data analytics is not being leveraged enough. In addition to the glaring data and standardization issues already discussed, actuaries face the following eight key challenges:

1. No Geographical Limitation

On the surface, the cyber realm poses threats vastly different from what we’ve seen in other lines of business. Take geography. We are used to thinking about the impact of geography as it pertains to policyholder concentration within a specific region. It’s well understood that, within commercial property insurance, writers should be careful with respect to how much premium they write along the coast of Florida, because a single large hurricane or tropical storm can otherwise have an absolutely devastating effect on a book of business. Within the cyber world, this relationship is a bit more blurry.

We can no longer just look at a map. We may insure an entity whose server in South Africa is linked to an office in Ireland, which, in turn, is linked to an office in San Francisco. As existing threat actors are able to both infiltrate a system and move within that system, the lines drawn on the map have less meaning. Not to say they’re not important — we could have regulatory requirements or data storage requirements that differ by geography in some meaningful way — but “concentration” takes a different meaning, and we need to pay close attention to the networks within a company.

2. Network Risk From an External Perspective

In the cyber insurance line, we need to pay attention to the networks external to an insured company. It’s well documented that Target’s data breach was conducted through an HVAC system. By examining Target’s internal systems alone, no one would have noticed the vulnerability that was exploited.

As underwriters and actuaries, we need to be well aware of the links from one company to another. Which companies does an insured do business with or contract work from? Just as we mentioned above with apps and devices that are linked, the network we are worried about is only as strong as the weakest link. Another example of this is the recent attacks on a Bangladeshi bank. Attackers were able to navigate through the SWIFT system by breaching a weaker-than-average security perimeter and carrying out attacks spanning multiple banks sharing the same financial network.

3. Significance of the Human Element

Another consideration and difference from the way we traditionally price is the addition of the human element. While human error has long been a part of other lines of business, we have rarely considered the impact of an active adversary on insurance prices. The one exception to this would be terrorism insurance, but mitigation of that risk has been largely assisted by TRIA/TRIPRA.

However, whenever we fix a problem simply by imposing limits, we aren’t really solving the larger problem. We are just shifting liability from one group to another; in this case, the liability is being shifted to the government. While we can take a similar approach with cyber insurance, that would mean ultimately shifting the responsibility from the insurers to the reinsurers or just back to the insureds themselves. The value of this, to society, is debatable.

A predictive model becomes quite complex when you consider the different types of potential attackers, their capabilities and their motivations. It’s a constant game of cat and mouse, where black hat and white hat hackers are racing against each other. The problem here is that insurers and actuaries are typically neither white hat nor black hat hackers and don’t have the necessary cyber expertise to confidently predict loss propensity.

4. Correlation of Attacks

In attempting to model the “randomness” of attacks, it is important to think about how cyber attacks are publicized or reported in the news, about the reactions to those attacks and the implications for future attacks. In other words, we now have the issue of correlation across a number of factors. If Company A is breached by Person B, we have to ask ourselves a few questions. Will Company A be breached by Person C? Will Person B breach another company similar to or different from Company A? Will Person D steal Person B’s algorithm and use it on an entirely different entity (after all, we’ve seen similar surge attacks within families such as ransomware)? If you as the reader know the answers to these questions, please email me after reading this paper.

5. Actuarial Paradox

We also have to consider the implications on the security posture of the affected entity itself. Does the attack make the perimeter of the affected company weaker, therefore creating additional vulnerability to future attacks? Or, alternatively, does the affected company enact a very strong counterpunch that makes it less prone to being breached or attacked in the future? If so, this poses an interesting actuarial dilemma.

Specifically, if a company gets breached, and that company has a very strong counterpunch, can we potentially say that a breached company is a better risk going forward? Then, the even-more-direct question, which will surely face resistance, is: Can we charge a lower actuarial premium for companies that have been breached in the past, knowing that their response to past events has actually made them safer risks? This flies directly in the face of everything we’ve done within other lines of business, but it could make intuitive sense depending on incident response efforts put forth by the company in the event of breach or attack.

6. Definition of a Cyber Catastrophe

Even something as simple as the definition of a catastrophe is in play. Within some other lines of insurance business, we’re used to thinking about an aggregate industry dollar threshold that helps determine whether an incident is categorized as a catastrophe. Within cyber, that may not work well. For instance, consider an attack on a single entity that provides a service for many other entities. It’s possible that, in the event of a breach, all of the liability falls on that single affected entity. The global economic impact as it pertains to dollars could be astronomical, but it’s not truly an aggregation event that we need to concern ourselves with from a catastrophe modeling perspective, particularly because policy limits will come into play in this scenario.

We need to focus on those events that affect multiple companies at the same time and, therefore, provide potential aggregation risk across the set of insureds in a given insurance company’s portfolio. This is, ultimately, the most complicated issue we’re trying to solve. Tying together a few of the related challenges: How are the risks in our portfolio connected with each other, now that we can’t purely rely on geography? Having analytical tools available to help diagnose these correlations and the potential impacts of different types of cyber attacks will dramatically help insurers write cyber insurance effectively and confidently, while capturing the human element aspect of the threats posed.

7. Dynamic Technology Evolution

If we can be certain of one thing, it’s that technology will not stop changing. How will modelers keep up with such a dynamic line of business? The specific threats posed change each year, forcing us to ask ourselves whether annual policies even work or how frequently we can update model estimates without annoying insurers. Just as we would write an endorsement in personal auto insurance for a new driver, should we modify premium mid-term to reflect a newly discovered specific risk to an insured? Or should we have shorter policy terms? The dynamic nature of this line forces us to rethink some of the most basic elements that we’ve gotten used to over the years.

8. Silent Coverage

Still, all of the above considerations only help answer the question of what the overall economic impact will be. We also need to consider how insurance terms and conditions, as well as exclusions, apply to inform the total insurable cost by different lines of insurance. Certain types of events are more insurable, some less. We have to consider how waivers of liability will be interpreted judicially, as well as the interplay of multiple lines of business.

It’s safe to assume that insurance policy language written decades ago did not place much emphasis on cyber exposure arising from a given product. In many cases, silent coverage of these types of perils was potentially entirely accidental. Still, insurers are coming to grips with the fact that this is an ever-increasing peril that needs to be specifically addressed and that there exists significant overlap across multiple lines of business. Exclusions or specific policy language can, in some cases, be a bit sloppy, leading to confusion regarding which product a given attack may actually be covered within. This becomes the last, but not least, problem we have to answer.

Conclusion

The emerging trends in cyber insurance raise a number of unique challenges and have forced us to reconsider how we think about underwriting, pricing and aggregation risk. No longer can we pinpoint our insureds on a map and know how an incident will affect the book of business. We need to think about both internal and external connections to an insured entity and about the correlations that exist between event types, threat actors and attack victims. In cases when an entity is attacked, we need to pay particular attention to the response and counterpunch.

As the cyber insurance market continues to grow, we will be better able to determine whether loss dollars tend to fall neatly within an increasing number of standalone cyber offerings or whether insurers will push these cyber coverages into existing lines of business such as general liability, directors and officers, workers’ compensation or other lines.

Actuaries and underwriters will need to overcome the lack of quality historical data by pairing the claims data that does exist with predictive product telemetry data and expert insight spanning insurance, cyber security and industry. Over time, this effort may be assisted as legislation or widely accepted model schema move us toward a world with standardized language and coverage options. Nonetheless, the dynamic nature of the risk with new adversaries, technologies and attack vectors emerging on a regular basis will require monitored approaches.

In addition, those that create new technology need to realize the importance of security in the rush to get new products to market. White hat hackers will have to work diligently to outpace black hat hackers, while actuaries will use this insight to maintain up-to-date threat actor models with a need for speed unlike any seen before by the traditional insurance market.

Some of these challenges may prove easier than they appear on paper, while some may prove far more complicated. We know actuaries are good problem solvers, but this test will be a serious and very important one that needs to be solved in partnership with individuals from cyber security and insurance industries.

This Is Not Your Father’s Life Insurance

Soon-to-be published editions of dictionaries will list “InsureTech” as one of the newest words. We all own a piece of that new word and all that comes along with it. More than a new word, it is becoming a new world in the insurance industry. We’re on an InsureTech expedition.

Having spent decades of my life developing products, marketing programs and delivery systems in the life insurance vertical, I feel compelled to share some insights into the unique characteristics of the life insurance segment within the InsureTech movement. I will offer a recipe for an end-to-end digital system that bypasses legacy system quagmires and shifts digital life insurance sales into warp speed in both the consumer-direct and agent-broker categories.

But first a few words about what makes life insurance different from other types of insurance, along with some commentary on the state of affairs in today’s market.

Life Insurance Is Optional

Let’s think about the major types of insurance that consumers buy. Auto, home, health and life. We are required by law in all but two states to have auto insurance. If you have a mortgage on your home, you are required by the lender to have homeowners insurance. Federal law now requires that most of us must have a health insurance policy. These types of coverage are not optional. You don’t see articles about a trillion-dollar middle market coverage gap in the auto and homeowners insurance segments.

But there is a trillion-dollar life insurance coverage gap in the middle-market today in the U.S. Why is that?

First, the process of obtaining a life insurance policy for typical middle-market needs is overwhelming, tedious, intimidating and mysterious for consumers. We’re talking about a basic term life policy with coverage of $250,000 or $500,000 or, OK, perhaps a million dollars of coverage in some cases in the middle market. Seems like it should be easy. But, even though we have seen price reductions across the board during the past 20 years for term life, individual life insurance ownership has actually decreased. The buying process is broken.

Second, combine the antiquated buying process with the fact that the purchase of life insurance is optional, and consumers repeatedly push the chore of buying life insurance to the bottom of their to-do lists. To make matters worse, because the fulfillment process for these smallish policies is so expensive for brokers and agents, they cannot make a profit focusing on the middle market. You end up with an unmotivated distribution system and a trillion-dollar coverage gap.

You Also End Up With a Trillion-Dollar Opportunity

I’ve taken it upon myself to write down the recipe for a digital process for capturing a sizable share of that opportunity.

This is what we need to mix together to end up with a complete system that is capable of starting with “Hello” and ending minutes later with a completed transaction: an “in-force” policy for the consumer.

  • User-friendly graphical user interface for both consumers and agents. (You would be surprised.)
  • Easy quote engine — provides all relevant price quotes so you don’t jump back and forth looking at one quote at a time. First thing I notice about most designs is that you have to keep re-entering inputs to see different quotes instead of being able to scan all of them on one screen.
  • Digital life insurance application process. Simple application language. Find just the right balance between just enough questions and not too many questions per screen.
  • Decision time. Consumer-direct or agent-assisted? Both models will become more numerous in the marketplace. Carriers need to understand that many consumers need and want some level of assistance. So, carriers need to be prepared to offer chat and over-the-phone assistance to complete the online process. Perhaps even full-blown call center agent “take over” of the application process when the applicant calls for help. Or some combination of these.
  • Collection of contact information from website visitors who are “just looking” so that carriers can conduct email and phone nurturing campaigns. Carriers need to understand and appreciate the tremendous dollar value of these campaigns and not leave a huge percentage of potential revenue on the table.
  • Compliance with Do Not Call and telecommunications statutes and CAN-SPAM. By the way, CAN-SPAM is widely misunderstood, and many marketers do not understand the generous powers it provides to contact potential customers via email. Email is still the “killer app” it was labeled as many years ago. Text messaging is a first cousin for certain market segments. Special language is needed on website(s) dealing with consumer permissions to use their mobile number.
  • Secure payment gateway to provide PCI-compliant credit card processing and deliver premium payments to the carrier. The ability to accept consumers’ checking or savings account numbers for payment is also necessary. Payment screens need to be seamless, transparent and simple.
  • Secure digital signature interface for consumer-direct and face-to-face sales as well as agent-assisted phone sales. All are slightly different. All are important. Again, seamless, transparent and simple.
  • Behind-the-scenes secure interfaces to the Medical Information Bureau (MIB), motor vehicle records (MVR) provider and pharmacy records (Rx) provider must be built to provide capability for real-time queries and retrieval of third-party data.
  • If the life insurance product being purchased does not require a medical exam (“non-medically underwritten,” which requires no blood or urine tests), then the process can proceed to the next step, which is the underwriting decision engine. If the design and pricing of the life insurance product do require blood and urine testing (“fully underwritten”), then the system will present a screen in the process for an appointment to be scheduled. Many designs are getting away from blood and urine testing, but, to be realistic, these tests will still be needed in many cases for years. This topic deserves to be considered in the system design sessions.
  • Underwriting decision engine that compiles all answers provided by the consumer on the digital application form with the MIB, MVR and Rx data. In real time, the underwriting engine then renders a decision on the application. Some straight-through systems are considering using third party software for this. Others have their own, proprietary engines that afford much faster adjustments to the underwriting engine rules and settings. Controlling the underwriting engine technology also can be the difference between a “go” or a “no go” answer when seeking to add features, change processes, edit code and take other similar actions, which are needed on a continuing basis, and sometimes quickly.
  • As applications are approved, the system must package the approved policy for the state of issue with all the necessary additional pages, such as HIPAA forms, Consent to Do Business Electronically forms and other pages, which can vary from state to state. This policy package must be provided to the new customer, the policyholder, in real time using a secure link for downloading.
  • All data pertaining to the new customer’s file must be transferred to the carrier’s administrative system in real time. A new customer is born.
  • Finally, a deep and broad suite of analytics must be baked into the system’s DNA and designed to manage the business being put on the books on a daily basis. Take this data in real time and reinforce what is working. Correct that which is not. Just this one necessary component alone could be the topic of an article several times the length of this one. We’ll get right on that.

These are the many pieces that I truly believe are necessary to work together perfectly to achieve the kind of disruption that is so necessary. We’re already all over this one.

Top 5 Things PCI Got Wrong on Work Comp

In June, the Property Casualty Insurers Association of America (PCI) published a report titled “Cost Shifting from Workers’ Comp Opt-Out Systems: Lessons from Texas and Oklahoma.” It claims to show how employers in those states are avoiding costs that should be covered by workers’ comp and that are instead paid by workers, their families, private payers and taxpayers. The report is part of a year-long, anti-competitive campaign that has been orchestrated with claimant attorneys who profit under workers’ comp and resist any move away from the traditional approach. The report shows little regard for the facts, applicable law or actual data on performance of alternatives to traditional workers’ compensation.

Here are five of the most significant bits of misinformation and misrepresentation:

1. No relevant data. The PCI cost shifting report boasts of using “verifiable and relevant data” and speaks to “the behavior of opt-out employers.” But the report fails to actually include any Texas or Oklahoma Option claims data, and the truth is that there is no evidence that PCI has even attempted to obtain such claims data.

2. No apples-to-apples comparison. PCI fails to consider the benefit plan payments, supplemental plan payments and negligence liability settlements and awards under Texas Option programs that are not available under workers’ compensation.

3. No mention that the majority of Texas workers are covered. PCI fails to acknowledge that the Texas Department of Insurance has determined that more than 95% of Texas’ workers are covered by either workers’ compensation or an injury benefit plan.

Instead of criticizing responsible Texas and Oklahoma employers who provide injury benefit coverage for their workers, PCI should instead focus on the approximately 14 million — and growing — American workers across all states who have no work injury protection whatsoever.

4. No mention that proposed programs in other states have mandated benefits. PCI extrapolates from Texas to posit a false model for Tennessee and South Carolina. Option programs proposed in those states — unlike Texas — have mandated benefits. No bill has been introduced in either of those states to allow employers to “go bare.”

5. No acknowledgement of option program compliance with Medicare reporting and MSA requirements. Option programs normally pay full benefits before Medicare pays anything. The programs comply with Medicare quarterly, electronic reporting rules on open medical claims and liability settlements. The programs protect Medicare’s primary interest before settling claims with Medicare beneficiaries by setting aside a portion of the settlement funds to pay for future treatment.

Instead of using option programs as a scapegoat and pursuing the fatalistic view that savings by employers equate to cost shifting, perhaps the PCI should expend more energy on how to achieve better medical outcomes for injured workers through communication, employee advocacy, accountability and competition.

Option Program Success in Delivering Better Outcomes Is the Real Story

We will continue to advocate for a more positive discussion on how to achieve better medical outcomes. That should include a sincere discussion of the PCI board’s criteria for an acceptable alternative to workers’ compensation, which was approved in July 2015 and publicly introduced eight months later at the 2016 annual conference of the Workers’ Compensation Research Institute.

Workers’ comp options in Texas and Oklahoma have disrupted the industry with much-needed innovation and positive change. This has understandably created some dissonance and has rightly generated calls for proof. We welcome a review of real option program data, which amply demonstrates how highly respected industry players and employers are improving the lives of injured workers and reducing costs.

Who could be against that?

The REAL Objection to Opt Out

I have never really understood why the Property Casualty Insurers Association of America has been so vehemently against opt out.

While it seems that opt out returned to the back burner for this year with constitutional defeats in Oklahoma and political stalemate in other states, PCI has reignited the debate with an inflammatory paper.

The basic arguments, which PCI supports with some data, are that opt out results in costs shifting to other systems and that a lack of standards and transparency is detrimental to consumers (i.e. injured workers).

PCI also argues that opt out is all about saving employers money to the detriment of consumers by denying more claims earlier and paying less with capitations and restrictions not found in traditional comp.

I get that alternative work injury systems must meet certain standards and need to be more transparent to consumers — to me, that’s a no-brainer.

But the objections that PCI raises are exactly the same complaints made against traditional workers’ comp: inadequate benefits, unnecessary delays, cost shifting, etc.

Each statistic cited by PCI against opt out can be asserted against traditional workers’ comp — just use another study or data source.

For instance, just a couple of years ago, Paul Leigh of University of California at Davis and lead author of the study, Workers’ Compensation Benefits and Shifting Costs for Occupational Injury and Illness, told WorkCompCentral, “We’re all paying higher Medicare and income taxes to help cover [the costs not paid by workers’ compensation].”

That study, published in the April 2012 edition of the Journal of Occupational and Environmental Medicine, found that almost 80% of workers’ compensation costs are being covered outside of workers’ compensation claims systems. That amounts to roughly $198 billion of the estimated $250 billion in annual costs for work-related injuries and illnesses in 2007. Just $51.7 billion, or 21%, of those costs were covered by workers’ compensation, the study said.

Of the $250 billion price tag for work-related injury costs, the Leigh study found $67.09 billion of that came from medical care costs, while $182.54 billion was related to lost productivity.

In terms of the medical costs, $29.86 billion was paid by workers’ compensation, $14.22 billion was picked up by other health insurance, $10.38 billion was covered by the injured workers and their families, $7.16 billion was picked up by Medicare and $5.47 billion was covered by Medicaid.

The study drew criticism from the workers’ comp crowd, which defended its practices, challenged the data and anecdotally attempted to counter argue, with limited success.

If one digs deep enough in the PCI study, I’m sure one could likewise find fault with the data and the reporting on cost shifting — because the truth is that absolutely no one has a fix on that topic.

My good friend Trey Gillespie, PCI assistant vice president of workers’ compensation, told WorkCompCentral that “the fundamental tenets of workers’ compensation [are] protecting injured workers and their families and protecting taxpayers. The general consensus is that the way programs should work is to protect injured workers and taxpayers and avoid cost-shifting.”

Of course! All work injury protection systems should do that.

But they don’t.

That’s what the ProPublica and Reveal series of critical articles about workers’ compensation programs across the country tell us, both anecdotally and statistically: Injured workers aren’t protected, costs are shifted onto other programs, and taxpayers are paying an unfair portion of what workers’ comp should be paying.

Indeed, in October, 10 federal lawmakers asked the U.S. Department of Labor for greater oversight of the state-run workers’ compensation system, to counteract “a pattern of detrimental changes to state workers’ compensation laws and the resulting cost shift to public programs.”

I started thinking about the one truism that governs human behavior nearly universally: Every person protects their own interests first. And I thought of PCI’s name: Property and Casualty Insurers Association of America. “Property and casualty.” Ay, there’s the rub!

There’s no room for P&C in opt out! ERISA-based opt out uses only health insurance and disability insurance.

Workers’ comp is the mainstay of the P&C industry, the single biggest commercial line and the gateway to a whole host of much more profitable lines.

If opt out spreads beyond Texas, it is hugely threatening to the interests of the PCI members because they stand to lose considerable business, particularly if opt out migrates to the bigger P&C states.

PCI is protecting its own interests (or those of its members) by objecting to opt out.

And I don’t blame them. Their impression of this threat is real.

Michael Duff, a professor of workers’ compensation law at the University of Wyoming, told WorkCompCentral, “These are interested observers. They’re going to have an agenda. They represent insurers who are in the workers’ comp business.”

Bingo.

“Every commercial actor that participates in traditional workers’ compensation has an interest in seeing traditional workers’ compensation continue,” Duff went on. “But that traditional workers’ compensation imposes costs on employers. There is now a group of employers who would like to pay less, and Bill Minick has developed a commercial product that is in competition with this other conceptual approach to handling things.”

Here’s THE fact: Traditional workers’ compensation and ANY alternative work injury protection plan require vendors pitching wares and services to make the systems work.

Insurance companies are as much a vendor in either scenario as physicians, bill review companies, utilization review companies, attorneys, vocational counselors, etc.

Each and every single one makes a buck off workers’ comp, and each and every one has an interest in maintaining the status quo.

Arguing that one system is better than the other without admitting one’s own special interest is simply hypocrisy.

Workers’ compensation is going through some soul searching right now. Employers leading the debate are asking, “Why stay in a system that facilitates vendors’ interests ahead of employers or workers?”

THAT’s the question that BOTH the P&C industry and the opt out movement need to answer. Further debate about the merits of one over the other is simply sophistry.

This article first appeared at WorkCompCentral.