Tag Archives: risk assessment

When Are CPAs Liable for Cybersecurity?

Cybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects cybercrime’s global cost will exceed $1 trillion between 2017 and 2021.

Safeguarding clients’ nonpublic information from cyber-criminals is a top priority for CPA firms. The latest data breach statistics from the 2017 Identity Theft Resource Center Data Breach Report show an alarming number of exposed consumer records in the U.S.

  • 1,579 reported breaches, exposing 179 million records
  • 55% of all breaches involved businesses
  • 59% of all breaches resulted from hacking by outside sources
  • 53% of all breaches exposed Social Security numbers

Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats.

What’s my liability?

“That’s a big question we hear from firms regardless of whether they’ve been attacked,” said Stan Sterna, vice president and risk control specialist for Aon. “There are actually no uniform federal laws on business cybersecurity. But there is a patchwork of state and federal rules.”

Under certain state laws, CPAs can face liability for cybersecurity breaches that expose personal information. Most states have rules for handling breach notifications and for what remediation measures need to be taken. Breach requirements depend on where the client resides – not where your firm is located. We encourage you to learn the dynamic requirements of states that apply to you.

The Texas data breach notification law has been amended several times since its passage in 2009. It requires notification of affected individuals in the event a data breach results in the disclosure of unencrypted personal information consisting of an individual’s first name or first initial, last name and certain personal information such as Social Security and driver’s license numbers.

Federal rules and law

The Safeguards Rule is enforced by the Federal Trade Commission and applies to all companies defined as financial institutions under the Gramm-Leach-Bliley (GLB) Act. Businesses that prepare tax returns fall within this definition. Under the rule, businesses are required to develop a written information security plan that describes their program to protect customer information. There are five additional requirements. Learn about the rule and implement applicable compliance protocols.

Do clients have standing to sue a CPA firm if they did not suffer damages as a result of a data breach?

At the federal level, the circuit courts are split as to what constitutes sufficient standing to sue in cyber breach cases. Some courts hold that companies may be liable for damages if client or employee data is stolen, even if the theft causes no harm; instead, it’s sufficient to merely allege that the information was compromised. This broad interpretation will only further increase the risk of cyber liability claims.

Two recent decisions illustrate these differences:

  • The Sixth Circuit court, citing the defendant’s offer for free credit monitoring as evidence, joined the Seventh and Ninth circuits in holding that a cyber victim’s fear of future harm is real and provides sufficient standing to sue. This particular ruling specifically undermines the defense that if no actual cyber fraud or identity theft occurred, the victim has not been damaged and has no standing to sue.
  • However, in another case, the Fourth Circuit held that a plaintiff must allege and show that their personal information was intentionally targeted for theft in a data breach and that there is evidence of the misuse or accessing of that information by data thieves. The division among the circuit courts as to standing is not likely to be resolved unless the U.S. Supreme Court decides a case on the issue.

New cybersecurity regulation sets the stage for other states to follow

In response to several highly publicized consumer data breaches, in 2017 the New York State Department of Financial Services enacted 23 NYCRR 500, “Cyber Requirements for Financial Services Companies,” with which all affected firms must now comply. These “first-in-the-nation” data security regulations establish the steps that covered entities must take to secure customer data. The regulations are designed to combat potential cyber events that have a reasonable likelihood of causing material harm to a covered entity’s normal business operations.

Specifically, insurers, banks, money services businesses and regulated virtual currency operators doing business in New York with 10 or more employees and $5 million or more in revenues must comply with the new rules. Under the provisions, companies must:

  • Conduct a cybersecurity risk assessment, prepare a cybersecurity program subject to annual audit and establish a written policy, tailored to the company’s individualized risks, that is approved by senior management;
  • Appoint a chief information security officer (CISO) responsible for the cybersecurity program who regularly reports on the integrity, security, policies, procedures, risks and effectiveness of the program and on cybersecurity events;
  • Establish multi-factor authentication for remote access of internal servers;
  • Encrypt nonpublic information (PII) and regularly dispose of any nonpublic information that is no longer necessary for conducting business (unless required to be retained by law);
  • Prepare a written incident response plan that effectively responds to events and immediately provides notice to the superintendent of the New York Department of Financial Services of any breaches where notice is required to be provided to any government body, self-regulatory agency or any other supervisory body or where there is a “reasonable likelihood” of material harm to the normal operations of the business;
  • Implement a written policy addressing security concerns associated with third parties who provide services to the covered entity that contain guidelines for due diligence or contractual protections relating to the provider’s policies for access, encryption, notification of cybersecurity events affecting the covered entity’s nonpublic information and representations addressing the provider’s cybersecurity policies relating to the security of the covered entity’s information systems or nonpublic information;
  • Annually file a statement with the New York Department of Financial Services certifying compliance with the regulations.

Meanwhile, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on Jan. 1, 2020. The CCPA represents a significant expansion of consumer privacy regulation. Its GDPR-like statutory framework gives California consumers the:

  • Right to know what categories of their personal information have been collected
  • Right to know whether their personal information has been sold or disclosed, and to whom
  • Right to require a business to stop selling their personal information upon request
  • Right to access their personal information
  • Right to prevent a business from denying equal service and price if a consumer exercises rights per the statute
  • Right to a private cause of action under the statute

What is the impact of these new regulations on CPA firms?

Whether or not a CPA provides professional services for an entity covered by the New York Department of Financial Services or the CCPA, these new rules are important:

  • Regulation in one state frequently results in regulation in other states; both the New York and California cybersecurity regulations may serve as a template for other states contemplating cyber security legislation.
  • The regulations create a framework for plaintiffs’ attorneys to follow when alleging that a company (regardless of whether it is a New York or California covered entity) should have done more to protect private information, keep consumers informed or prevent a data breach or that a CPA firm should have detected data security issues while providing professional services.

Take preventative action now

“If someone sues your firm because of a data breach, you may have a stronger case if you can show that you’ve taken reasonable measures to help prevent an attack or theft,” Sterna advised. “Setting up systems to assist in prevention is an important aspect of managing cybersecurity risk.”

Here are three tips to get you started:

Start with an assessment. What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur?

“Mapping where you stand today and your vulnerabilities is the best way to understand your next steps,” Sterna said. The AICPA’s cybersecurity risk management reporting framework helps you assess existing risk management programs. The Private Companies Practice Section cybersecurity toolkit can also help you understand the most common cybersecurity threats.

Implement best practices. At a minimum:

  • Use encryption wherever appropriate to protect sensitive data. This includes laptops, desktops and mobile devices. Failing to do so threatens your data and your reputation.
  • Train employees to recognize threats and safeguard equipment and data.
  • Develop and practice your response plan for various situations such as a ransomware attack, hack or ID theft.
  • Back up your data so you’ll still have access to it if it’s lost or stolen.
  • Keep your equipment physically secure in your office and on the road.

Get an outsider’s perspective. What better way to learn your firm’s vulnerabilities than to hire an expert for penetration testing? Through a penetration test, a third-party consultant will perform a test tailored to your firm’s needs and budget. They’ll provide insights on your firm’s vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm’s response in the case of various attack scenarios.

Legal and insurance considerations

CPA firms should consult with their legal counsel to assess the firm’s risk of first/third party data security claims and assess vendor data security coverage. The existence and adequacy of data security used by third-party vendors (including contract tax return preparers) is often overlooked.

CPA firms also should consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage.

This article is provided for general informational purposes only and is not intended to provide individualized business, insurance or legal advice. You should discuss your individual circumstances thoroughly with your legal and other advisers before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions and exclusions for an insured.

4 Steps to Integrate Risk Management

Let me start by saying that integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy-setting meeting; it is so much more.

Kevin W. Knight, during his first visit to Russia a few years ago, said, “Risk management is a journey… not a destination.” Risk practitioners are free to start their integration journey at any process or point in time, but I believe that evaluating strategic objectives at risk can be a good starting point. The evaluation is relatively simple to implement yet has an immediate, significant impact on senior management decision making.

Step 1 – Strategic Objectives Decomposition

Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives, it is important to follow the McKinsey MECE principle (ME – mutually exclusive, CE – collectively exhaustive) to avoid unnecessary duplication and overlapping. Most of the time, strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, saving the risk manager a lot of time.

This breakdown is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.

Important note: While it should be management’s responsibility to identify and assess risks, the business reality in your company may be that sometimes the risk manager should take the responsibility for performing risk assessment on strategic objectives and take the lead. 

Example: Risk Management Implementation

VMZ is an airline engine manufacturing business in Russia. The product line consists of relatively old engines, DV30, which are used for the medium-haul airplanes Airliner 100. The production facility is in Samara, Russia. In 2012, a controlling stake (75%) was bought by an investment company, Aviarus.

During the last strategic board meeting, Aviarus decided to maintain the production of the somewhat outdated DV30, although at a reduced volume due to plummeting sales, and, more importantly, to launch a new engine, DV40, for its promising medium-haul aircraft Superliner 300.

The board signed off on a strategic objective to reach an EBT (earnings before tax) of 3,000 million rubles by 2018.

Step 2 – Identifying Factors, Associated With Uncertainty

Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by management.

Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:

  • Whether the assumption is associated with high uncertainty.
  • Whether the assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
  • Whether the organization has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
  • Whether there are reliable external sources of information to determine the possible range of values and the possible distribution of values.

For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.

Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third party inspections and interviews with key employees.

By the end of this step, risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners and internal auditors and use internal and external information sources to determine the ranges of possible values and their likely distribution shape.

Example: Risk Management Implementation (Continued)

The assessment would look into:

Macroeconomic assumptions

  • Foreign exchange
  • Inflation
  • Interest rates (rubles)
  • Interest rates (USD)

Materials

  • DV30 materials
  • DV40 materials

Debt

  • Current debt
  • New debt

Engines sales

  • New DV30 sales volume
  • New DV40 sales volume
  • DV30 repairs volume
  • DV40 repairs volume
  • DV30 price
  • DV40 price

Other expenses

  • Current equipment and investments in new
  • Operating personnel
  • General and administrative costs

Based on the management assumptions, VMZ will significantly increase revenue and profitability by 2018. Expected EBT in 2018 is 3,013 million rubles, which means the strategic objective will be achieved.

We will review what will happen to management projections after the risk analysis is performed in the next section.

Step 3 – Performing Risk Analysis

The next step includes performing a scenario analysis or Monte Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modeling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of different software options that can be used for risk modeling. All examples in this guide were performed using the Palisade @Risk software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modeling.

When modeling risks, it is critical to consider the correlations between different assumptions. One of the useful tools for an in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be done manually or using the Palisade Big Picture software. Such analysis helps to determine the causes and consequences of each risk and improves the modeling of them as well as identifying the correlations between different management assumptions and events.

The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is strategy@risk.

Example: Risk Management Implementation (Continued)

The risk analysis shows that while the EBT in 2018 is likely to be positive, the probability of achieving or exceeding the strategic objective of 3,000 million rubles is 4.6%. This analysis means:

  • The risks to achieving the strategy are significant and need to be managed
  • Strategic objectives may need to change unless most significant risks can be managed effectively

Further analysis shows that the volatility associated with the price of materials and the uncertainty surrounding the on-time delivery of new equipment have the most impact on the strategic objective.

Management should focus on mitigating these and other risks to improve the likelihood of achieving the strategic objective.

Tornado diagrams and result distributions will soon replace risk maps and risk profiles as they much better show the impact that risks have on objectives.

This simple example shows how management’s decision making process will change with the introduction of basic risk modelling.

Step 4 – Turning Risk Analysis Into Actions 

Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then management, with help from the risk manager, may need to:

  • Revise the assumptions used in the strategy.
  • Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
  • Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
  • Accept risk and develop a business continuity/disaster recovery plan to minimize the impact of risks should they eventuate.
  • Change the strategy altogether (the most likely option in our case)

Based on the risk analysis outcomes, management may need to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalized.

At a later stage, the risk manager should work with the internal auditor to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.

This article is adapted from a book that is available as a free download.

Return to Work Remains a Problem

According to one published report (WorkCompCentral, March 4, 2016, “$100 Million in Workers Benefits Sits Unused”), only 3,955 checks have been issued to injured workers from the Return to Work (RTW) Fund established in Senate Bill 863. The checks total slightly less than $20 million, leaving an additional $100 million untapped by injured workers. According to regulations of the Department of Industrial Relations (DIR), which administers the fund, workers receive a $5,000 allowance if they have been issued a Supplemental Job Displacement Benefit (SJDB – commonly referred to as a “voucher”). The voucher is issued if the employer at injury fails to make a qualifying offer of employment to the worker.

While the provenance of the RTW Fund has been criticized – largely by those not in the room to witness its birth – there are more fundamental issues with the fund and its administration. First, the RTW Fund really has nothing to do with return to work.

It can be fairly assumed that the use of that particular section of the Labor Code – Section 139.48 – was a legal accommodation because there was existing statutory reference to the RTW Fund in Labor Code Section 62.5 – specifically Sec. 62.5(a)(1)(B). Section 62.5 is the Workers’ Compensation Administration Revolving Fund statute. That reference, in turn, was to the RTW Program that was originally created more than 15 years ago in Assembly Bill 749 as a mechanism to partially subsidize certain employers who brought injured workers back to work. The employer subsidy as originally enacted was for wages and worksite modifications. Later, Senate Bill 899 further revised the RTW Program to limit the reimbursement to worksite modifications and to expend funds on an “as available” basis. The RTW Program sunset on January 1, 2010, but while Labor Code Sec. 139.48 was taken out of the code, the reference to the RTW Fund in Sec. 62.5 remained.

Once one gets past the title of “Return-to-Work Program,” however, there is no evidence to suggest that Sec. 139.48 has anything to do with returning a worker to employment with the employer at injury – or anyone else for that matter:

“139.48. (a) There is in the department a return-to-work program administered by the director, funded by one hundred twenty million dollars ($120,000,000) annually derived from non-General Funds of the Workers’ Compensation Administration Revolving Fund, for the purpose of making supplemental payments to workers whose permanent disability benefits are disproportionately low in comparison to their earnings loss. Moneys shall remain available for use by the return-to-work program without respect to the fiscal year.

“(b) Eligibility for payments and the amount of payments shall be determined by regulations adopted by the director, based on findings from studies conducted by the director in consultation with the Commission on Health and Safety and Workers’ Compensation. Determinations of the director shall be subject to review at the trial level of the appeals board upon the same grounds as prescribed for petitions for reconsideration.

“(c) This section shall apply only to injuries sustained on or after January 1, 2013.”

The history of Labor Code Sec. 139.48 is also influenced by the Commission on Health & Safety & Workers’ Compensation (CHSWC) publication, “Report on the Return-To-Work Program Established in Labor Code Section 139.48” (2009). The most telling aspect of that report was the “alternative” recommendation to the Legislature: “California may wish to consider eliminating the program. California may wish to consider a program that more directly assists injured workers who are unable to return to their previous jobs.” (p.7) Given that the program sunsetted roughly eight months later, the commission’s recommendation is almost prophetic.

Three years later, as required by SB 863, the DIR conducted an independent study to determine how best to structure the RTW Fund in the new and improved Labor Code Sec. 139.48. That responsibility fell upon the ubiquitous RAND Corporation, whose 2014 report, “Identifying Permanently Disabled Workers with Disproportionate Earnings Losses for Supplemental Payments” is the foundation for the current RTW program. Among its recommendations were to make eligibility for the program dependent on receiving a voucher. According to RAND, approximately 20% of injured workers receiving permanent disability benefits receive a voucher. (p. 12) Under RAND’s scenarios, and anticipating utilization of the RTW fund at the same approximate levels as the vocational rehabilitation program repealed in 2004 by Assembly Bill 227 rather than their observed voucher utilization figures, RAND estimated roughly 24,000 injured workers would access the RTW Fund, thus resulting in about $5,000 per recipient to exhaust the $120 million annual assessment.

So while that explains where we are today, it also raises questions about whether the current RTW program suffers from the same lack of awareness that caused its statutory predecessors to go quietly away. But that also raises the bigger issue: What has happened to re-employment as an objective of the system over the past 20 years?

The history of vocational rehabilitation in California’s workers’ compensation is a long one – culminating in the repeal of the mandatory vocational rehabilitation program in AB 227 and the repeal of vocational rehabilitation as a compensable benefit with the amendment to Labor Code Sec. 3207 in SB 899. Legislative efforts trying to suggest that return to work is still important in the workers’ compensation system have largely been limited to the voucher, an at-best-meager program that is intended to try to put the injured worker on the path toward gaining skills to find new employment. In no way, however, is it as robust as the former vocational rehabilitation program. It is, regrettably, a $6,000 check, with some restrictions, that is intended to finalize the severing of the tie between an injured worker and the employer at injury.

To paraphrase Will Turner in Pirates of the Caribbean, “That’s not good enough!”

As we move forward and discuss a whole host of issues in the workers’ compensation system, such as utilization review, the use and abuse of opioids, prescription drug formularies, independent medical review and permanent disability ratings, perhaps someone, somewhere, likely in either Oakland or Sacramento, should talk about re-employment of disabled workers.

Not some resurrection of vocational rehabilitation and what became its abuses but, rather, simply how to help workers unemployed due to a disabling injury at work to have the same access to re-employment assistance as disabled or otherwise unemployed workers whose access to re-employment assistance is defined by multiple state and federal programs and not by extracting some form of payment from the employer at injury.

There is no shortage of programs that could provide such assistance. And perceived unintended consequences that expanding the scope of re-employment assistance beyond the employer at injury would increase the number of workers unemployed after a workplace injury are unlikely given the protections of the Fair Employment and Housing Act (FEHA), the Americans with Disabilities Act (ADA) and Labor Code Sec. 132a.

According to the Workers Compensation Insurance Rating Bureau (WCIRB), in calendar year 2014 roughly $29 million was spent on vouchers. Labor Code Sec. 139.48 assesses $120 million annually. One should ask whether that money would be better spent providing access and coordination to the host of re-employment programs offered by the Department of Rehabilitation, the Employment Development Department (CalJOBS), non-profit private companies, such as Goodwill Industries, that offer re-employment assistance, and a host of federal programs, including those offered from the U.S. Department of Labor, Office of Disability Employment Policy and the Social Security Administration’s Plan To Achieve Self-Support (PASS).

In today’s complex world we simply cannot expect the employer at injury – especially the small to medium-sized employer – to provide all the resources necessary to facilitate meaningful re-employment for injured workers who are permanently disabled. Expanding the concept of re-employment and coordinating programs designed to create jobs for the disabled is a logical step forward to address this problem. No amount of vouchers or RTW fund disbursements will ever be a viable substitute for a job.

The sooner we realize this and look to Sacramento and Washington to break down the barriers created by the workers’ compensation system to full access to re-employment resources for disabled workers, the better.

 

How to Capture Data Using Social Media

Insurance carriers looking to better market and manage risks should use social media as a rich component of a robust analytics platform. By augmenting existing big data projects with social media feeds, carriers can identify key information about their insureds that would otherwise be difficult to gather in a timely manner. Social media data analytics can be a competitive advantage leading to greater sales, lower claims and increased customer satisfaction. However, insurers should be careful with the data or risk crossing the “creepy line.”

With more than one billion users on Facebook and two billion total social media users across all platforms, the data shared is immense. The data that can be extracted from social media varies by platform, but in general the information goes far beyond pure text. Social graphs describe connections and relationships; profile updates highlight life change events such as marriage and the birth of children; geolocation tags highlight travel; and continuing communication can be parsed for activities and attitude.

Modern carriers looking to leverage analytics for a competitive advantage should already have a big data capability that pulls data from policy, billing and claims systems, call center logs, portal and app usage, third party enhancement tools such as Dun and Bradstreet and other sources to build a robust picture of each insured. This data can be mined using machine learning and neural networks to identify risks that should be exited, opportunities for cross-selling and best marketing opportunities to insureds and prospects. Social media is not a replacement for this data, rather a rich addition to it. By augmenting known facts with machine processing of social data, insurers can enable a more detailed and nuanced analysis that the same analytics routines can use to further refine analysis.

Examples of enhanced capabilities with this more robust analysis include:

  • Prescriptive marketing: Assess the marketing mechanisms and messaging that will be most effective in converting the prospect to an insured through analysis of social graphs, profile data and language usage. By parsing the semantics of a user’s language and analyzing their social graph for the type of language they are accustomed to seeing and, importantly, that they have chosen to see, marketing can be best tailored for the prospect.
  • Life event based cross-selling: Identify changes in relationship, location, job or family structure that enable marketing or sales to proactively contact the insured to recommend additional products or services. An example is increasing term life coverage for a new parent. By contacting insureds with relevant products at the moment of a life event, agents can be highly effective at converting new sales.
  • Continuous risk assessment: Continuously assess insureds’ risk profiles by expanding the analysis of an insured beyond their behaviors with the carrier to their behaviors with all other parties as evidenced in their social media communications. Updates about employment, travel, family circumstances or other items can impact how a framework understands the facts of an insured’s interactions with the carrier. By understanding this, a carrier can better tailor reserve models or reevaluate whether to renew the policy.
  • Claim fraud detection: Identify potential claim fraud activity by monitoring geolocation, language and other data elements to confirm reported stories and check for telling language used in public communications. For example, a claim for workers’ compensation could be identified for potential challenge if a system identifies geolocation data from a golf course.
  • Customer sentiment: Be proactive with alerts of customer dissatisfaction with claim handling or price adjustments through text mining, allowing for remediation prior to losing a customer. By identifying dissatisfaction, the carrier can take better next steps in communication and outreach to maintain a client’s goodwill and business.

These aspects of insurance sales, risk management and claim management are beneficial for carriers. However, there are risks and challenges associated with social media data:  

  • Language is complex data: Because social media is so dependent on written words, language analysis is a common basis for analysis. Semantic assessment is useful in identifying underlying emotions and intent. However, words have different meanings in different sub-cultures, geographies, friend groups and even in different transmission media. As such, language parsing should often be used to augment existing analysis, not to serve as a primary source of facts.
  • Usage of social media varies: In general, social media has widely different usage by age group and other demographic segments. Uptake rates are not the same across all demographic groups, as demographic analysis of Facebook vs. Snapchat bears out, and actual usage of the tools varies by group. The amount of data shared by younger users typically, but not always, dwarfs that of their parents. Analytical frameworks need to be configured to account for these differences and not draw unwarranted conclusions from different behavior patterns.
  • Usage of social media starts and stops: Users of social media will start, stop and potentially resume use many times. Details of usage may also change as users’ needs or privacy concerns change. This requires analytical tools to be flexible in analysis — to understand that lack of data, limited data or infrequent posting is not necessarily an indicator of underlying behaviors of the prospect or insured.
  • Security is tricky: In the post-Snowden era, concerns about data privacy and usage are increasingly spotlighted by the media. Insurers should be cautious about how they collect, how they store and how they take action based on social media information. De-identification and storing only the analysis of the underlying data are potential paths among others. This should be continuously evaluated.

A final note on risks: In 2010, then-Google CEO Eric Schmidt said, “Google policy is to get right up to the creepy line but not cross it.” This brought about much criticism from the public and watchdogs as many took it to mean Google would use the data it had in ways customers were not comfortable with. Insurance is as much about trust as it is about financial contracts. Therefore, insurers should be careful in using data that some may consider private or semi-private rather than public. They should also be cautious in drawing inferences and interpretations from data in a manner which would cause insureds to question them as warranted and justifiable. The use of data to further the carrier’s understanding of its customers must be approached as a relationship that can benefit both parties, and insurers must avoid being seen as “big brother” looking to squeeze extra premium from insureds.

Customers may not embrace the concept of their behaviors being analyzed. However, good analytics programs within insurance companies should be doing that today. By combining the facts of policy, billing and claims systems along with behavior evidenced in call center data, portals, digital apps and through other mechanisms, carriers should be analyzing customers robustly. In this framework, social media data becomes an enhancement layered on top that adds new dimensions and nuances to existing analysis. By leveraging neural networking and other machine learning approaches, carriers can better market, rate and manage risk and claims. These are net positives for insurers and potentially positives for customers. But there are some substantial risks that must be managed as part of the total analytics strategy. By focusing first on the known facts and actual behaviors and only then expanding into the nuances of social media, insurers can better enable robust and sound analysis that generates a return on investment for all parties.

Obamacare: Where Do We Stand Today?

The healthcare industry is changing – same old headline. Since we’ve been in the industry, the “unsustainable” cost increases have been the talk every year, yet somehow we have not reached a tipping point. So what’s different now? How has ACA affected the healthcare industry, and more specifically the insurance companies?

The drafters of ACA set up a perfect adverse-selection scenario: Come one, come all, with no questions asked. First objective met: 20 million individuals now have coverage.

Next objective: Provide accurate pricing for these newly insured.

Insurance companies have teams of individuals who assess risk, so they can establish an appropriate price for the insurance protection. We experience this underwriting process with every type of insurance – home, life, auto. In fact, we see this process with every financial institution, like banks, mortgage companies and credit card companies. If a financial institution is to serve (and an insurance company is a financial entity), it has to manage risks, e.g., lend money to people who can repay the loan. Without the ability to assess the risk of the 20 million individuals, should we be surprised that one national insurance carrier lost $475 million in 2015, while another lost $657 million on ACA-compliant plans?

If you’re running a business and a specific line has losses, your choices are pretty clear – either clean it up or get out.

Risk selection is complex. When you add this complexity to the dynamics of network contracting tied to membership scale, there is a reason why numerous companies have decided to get out of health insurance. In 1975, there were more than 2,000 companies selling true health insurance plans, and now there are far fewer selling true health insurance to the commercial population. Among the ones that got out were some big names – MetLife, Prudential, Travelers, NYLife, Equitable, Mutual of Omaha, etc. And now we’re about to be down to a few national carriers, which is consistent with other industries – airline, telecommunications, banking, etc.

Let’s play this one out for the 20 million newly covered individuals. The insurance companies have significant losses on ACA-compliant plans. Their next step – assess the enrolled risk and determine if they can cover the expected costs. For those carriers that decide to continue offering ACA-compliant plans, they will adjust the premiums accordingly. While the first-year enrollees are lulled into the relief of coverage, they then get hit with either a large increase or a notice to find another carrier. In some markets, the newly insured may be down to only one carrier option. The reason most individuals do not opt for medical coverage is that they can’t afford it. If premiums increase 15% or more, how many of the 20 million have to drop coverage because premiums are too expensive? Do we start the uninsured cycle all over again?

Net net, ACA has enabled more people to have health insurance, but at prices that are even less sustainable than before. ACA offers a web of subsidies to low-income people, which simply means each of us, including businesses, will be paying for part or all of their premium through taxes. As companies compete globally, this additional tax burden will affect the cost of services being sold. As our individual taxes increase, we reduce our spending. While ACA has the right intention of expanded coverage, the unintended consequences of the additional cost burden on businesses and individuals will have an impact on job growth.

While it’s hard for anyone to dispute the benefits of insurance for everyone, we first need to address the drivers behind the high cost of healthcare, so we can get the health insurance prices more affordable. Unfortunately, ACA steered us further in the wrong direction. Self-insured employers are the key to lead the way in true reform of the cost and quality of healthcare.