How to Manage ‘Model Risk’ (and Win)

One of the fastest-growing concerns on insurers’ enterprise risk agenda is managing model risk. From being a phrase that primarily actuaries and other modelers used, “model risk” has become a major focus of regulators and the subject of intense activity and debate at insurers. How model risk management has evolved from ad hoc efforts to its current stage is an interesting story. But more interesting still is what we believe could be its next stage – generating measurable business value.

Ad Hoc

Organizing and using experience to predict future claims is core to the business of insurance. Recognizing the importance of models, insurers and industry professionals, particularly actuaries, have long incorporated model reviews into their work.

As new models were introduced or changes made to existing ones – especially if third-party systems were involved – insurers were careful to ensure consistency between old and new models. Additionally, internal and external auditors’ procedures recognized the risk that models entail and incorporated verification and testing in their processes.

What distinguishes this earliest stage is not that model risk was ignored but rather that model risk management was dispersed and generally informal. Practices differed across the industry, across different types of professional organizations and across different parts and functions within an insurer. Standards for documentation, both of the models and the validation process, were largely absent. Typically, not all models were reviewed. Establishing a comprehensive inventory of all significant models was not the norm. Likewise, it was not common for insurers to follow consistent procedures to validate models across the enterprise.

Reactive

Although a comprehensive guide to help banks mitigate potential risks arising from reliance on models was available as early as 2000, concerted attention to the issue in insurance can be dated to the Great Recession and its aftermath. In reaction to the events of 2008/2009, regulators and insurers themselves revisited their risk management processes and governance.

The U.S. Federal Reserve Board took the lead in promulgating new requirements for the banking sector, including supervisory guidance on model risk management issued in 2011. Many insurers, especially those designated as systemically important financial institutions (SIFIs), have been working to adopt these guidelines. In 2012, the North American CRO Council released its model validation principles for risk and capital models, which included eight core validation principles. For insurers operating in Europe, Solvency II provided the potential to use an internal model to establish their capital requirements. To take advantage of this opportunity, insurers needed to adhere to model validation expectations prescribed by regulators. In the U.S., the ORSA Guidance Manual requires insurers to describe their validation process.

Reacting to the 2008/2009 crisis and regulators’ demands, insurers began to establish the key elements of an enterprisewide model risk management program:

  • Governance and independence policies;
  • An inventory and risk assessment of all significant models; and
  • Documentation and validation standards.

Only after these basic building blocks had been put in place did insurers develop the practical experience to begin their transition to the next, active stage.

Active

The reactive stage and the beginning of the active stage effectively started in 2014. In the early months of that year, PwC conducted a survey of 36 insurers operating in the U.S. The survey provided the opportunity for participants to assess their programs across 10 dimensions characterizing the key elements of a monitoring and reporting mechanism (MRM) process. Modal responses across these dimensions were typically “weak” or “developing.” Almost all insurers admitted they had work to do and indicated that they had plans in place to improve their processes.

In the intervening two years, we have observed a significant investment in MRM capabilities. In the absence of detailed insurance-focused regulatory guidelines, most insurers have shaped their developments to best fit their own circumstances. For example, while there has been a near-uniform increase in resources allocated to MRM, how insurers deploy these resources has differed significantly. Some have formed large centralized model management functions, and others have allocated most of the validation responsibility to business units. How the responsibilities are dispersed across risk, actuarial, compliance and audit functions varies considerably. We expect that most of these differences are attempts to fit the task to the insurer’s existing structure and culture.

Likewise, we have seen insurers, both individually and as a group, more actively develop procedures that better fit the unique circumstances of the insurance sector instead of banking or financial services in general. Three areas in which the insurance sector is increasing its attention are:

  1. Incorporating the unique aspects of actuarial models and the development of standards by actuarial professional organizations;
  2. Emphasizing the process of assumption setting and the governance of this process; and
  3. Emphasizing monitoring and benchmarking necessitated by the long time frame and the lack of market data to measure the performance of many insurance models.

Productive

Recent discussions with forward-thinking insurance company executives and board members lead us to think a fourth stage may be next. The common theme is recognition that an insurer’s key asset is the information it possesses and the models it has developed to turn this information into support for profit-generating decisions. Seen in this light, models are not inconveniences substituting for “real” data. Rather, they are the machinery that insurers use to turn their raw materials (data) into salable, profitable customer solutions.

Model risk management then becomes the mechanism to ensure this machinery is performing at its best. This includes the normal activities that one would associate with maintenance, like finding and correcting inadequate performance. But, it also provides a way to determine how better machinery can be developed and brought online.

In many respects, the transition to this stage mirrors the transition that has occurred in risk management in general. Not too long ago, risk management was seen as a strictly defensive activity. It was more about saying “no” than finding the right opportunities to say “yes.” Now, risk management is seen as an important strategic activity that plays a central role in an insurer’s deployment of capital and its selection of growth opportunities.

Putting models and the data that feeds them at the center of an insurer’s value creation engine, instead of at its periphery, provides a new perspective. And, by moving model risk management to the productive stage, insurers can better use this new perspective to address customer expectations in an information-rich environment.

Implications

  • Model risk management is no longer an ad hoc or reactive activity. An active approach is now a necessity to meet internal and external stakeholder demands.
  • Insurers are attempting to develop model risk management practices that fit the needs of their industry. They will need to continually communicate to regulators, standards setters and other stakeholders how the business of insurance has unique characteristics compared with elsewhere in financial services.
  • Models are among insurers’ greatest assets, and the machinery that they use to turn data into salable, profitable customer solutions. Putting models and the data that feeds them at the center of value creation can provide new perspectives that better address customer expectations. Model risk management becomes the tool to keep this machinery productive.

Digital Insurance, Anyone?

The digital banking conversation is alive and kicking within the FinTech world, focused on discussing the merits, definitions and initiatives around what it means for a bank to become digital across its entire technology and business stacks. I have yet to find the same level of discourse and vibrancy within the insurance world.

Spurred by Yan Ranchere’s latest blog post, I am adding my own thoughts to the insurance narrative or, dare I coin it, the “digital insurance” narrative.

First, let’s frame the discussion by attempting to define the evolution of the insurance model from old to current and future or digital:

Old Insurance Model: This model is mostly paper-based with an application collected from the customer by the agent and sent to the carrier. The agent quote is not binding and may indeed change once the carrier has reviewed the application. I would qualify this model as carrier-centric. The carrier does all the heavy lifting with data verification and underwriting, with little stimuli from external data feeds in real time; the agent merely serves as a conduit. As a result, underwriting and closing a policy may take several days or even several weeks.

Claims management and customer service are cumbersome. Arguably, this delivers poor service in today’s age of instantaneous expectations. Not only can the old model be considered carrier-centric, I would also venture it is product-centric (in the same way that the old banking model is product-centric). The implications from a technology point of view are the same as in the banking world: a thin front end, shaky middleware and a back end that is silo-driven and that makes it difficult to optimize underwriting or claims.

Current Insurance Model:  The current model optimized the old model and made the transition from carrier-centric to agent-centric, which means that things are less paper-based and more electronic and that there is more process pushed onto the agent to be closer to the customer. In this model, the agent is empowered to issue policies under certain limits and risk frameworks—the carrier is not the gating factor and central node anymore.

Instead of batch-processing policies at the carrier level, the system has moved to exception processing at the carrier level (when concerned with nonstandard data and policies), thereby leveraging the agent. The result is faster quotes and policies signed more quickly, with the time going from days and weeks to hours or just a day. Customer service will go the same route. Claims management will still remain the central concern of the carrier, though.

Digital Insurance Model:  This is the way of the future. It is neither carrier- nor agent-centric, and it certainly is not product-centric any more. This model is truly customer- and data-centric—very similar to what we witness in digital banking. The carrier reaches out to the customer in an omni-channel way. Third-party data sources are readily available, and the technology to process and digest the data is extremely effective and delivers fast and furiously. Machine learning allows for near-instantaneous underwriting at a carrier or agent level, any time, anywhere. The customer can now get a policy in minutes.

Processes after policy-signing follow a similar transformative route. The technology implications are material: new core systems of record, less silo effect, more integration, massive investments in data warehouses and in products and services that act as layers of connection between data repository centers, core systems, claims management platforms, underwriting platforms and omni-channel platforms.

Picture the carrier effectively plugged in to the external world via data sources, plugged in to the customer in myriad ways that were not possible in the past and plugged in to third-party providers, all of this in real (or near-real) time. That means no more of the old linear prosecution of the main insurance processes: customer acquisition, underwriting, claims management. Furthermore, with a fast-changing world and more complex customer needs, delivering a product is not the winning formula any more. Understanding the customer via data in a contextual manner is.

To be fair, insurance carriers have nearly completed massive upgrades to their database architecture and can claim the latest in data warehouse technology. Some carriers have gone the path of renovating their channels and going all-out digital. Others are refining the ways they engage new customers. Most are thinking of going mobile. Still, much remains to be done. These are exciting times.

Boiling down what a digital insurance model means, we can easily see the similarities with digital banking; digital insurance must be transparent, fast, ubiquitous and data-focused, and there must be an understanding that the customer is key and is not a product.

Once you digest this new model, it is easier to sift through the key trends that are reshaping and will reshape the industry. I am listing a few that we followed at R66.  By no means is this an exhaustive list, nor is it ordered by priority, impact or size of opportunity:

1) Distribution channel disruption: There are three sub trends here—a) the consolidation of brokers and agents, b) channels going all-out-digital and disrupting the brick and mortar and c) carriers continuing to go direct and competing with brokers.

2) Insuring the sharing/renting economy: Think about Uber, Airbnb and the many other start-ups that are building the sharing economy. All of them need to or already are creating different types of coverage through their ecosystems. Carriers that focus on the specific risks, navigate the use cases, gather the right data and are forward-thinking will win big. James River is an insurance carrier that comes to mind in this space.

3) Connected data analysis: I do not use the term “big data” any more. Real-time connected data analysis is the right focus. Think of the integration of a series of hardware devices, or think of n+1 data sources. These are powerful, mind-blowing and will affect the trifecta of insurance profits: underwriting, claims management and customer acquisition.

4) Technology stack upgrades:  This means middleware to complement data warehouse investments, new systems of record, software platforms for underwriting (or claims management) and API galore. It’s the same story with banking; there is just a different insurance flavor.

5) Technology externalities: GPS, telematics, AI, machine learning, drones, IoT, wearables, smart sensors, visualization and next-generation risk analysis tools—you name it, these will help insurance companies get better at what they do, if they adopt and understand.

6) Mobile delivery:  How could I not list mobile delivery? Whether it is to improve customer acquisition; policies or claims management; or customer service, we are going mobile, baby.

7) A la carte coverage: Younger generations are approaching ownership in different ways. As a result, a one-size-fits-all insurance policy will not work any more. We are already witnessing a la carte insurance based on car usage, homes or commercial real estate connected via sensors or IoT.

8) Speciality insurance products:  We live in a digital world, baby, which means cyber security, fraud and identity theft.

It should be noted that the above describes changes in the P&C industry and that the terms “carriers” and “reinsurers” can be used interchangeably. Furthermore, I have not focused on health insurance—I know next to nothing in that field.

Any insurance expert is welcome to reach out and educate me. Anyone as clueless as I am is welcome to add their thoughts, too!

This article first appeared on Pascal Bouvier’s blog, here.

What’s in Store for Blockchain?

Blockchain, blockchain, blockchain! What does that mean for insurance? No one knows yet, but that doesn’t stop blockchain from being one of the hottest topics in the insurance industry right now. This week, I take a look at the direction this puck is heading.

Hype or reality?

Last September, the World Economic Forum published a report titled, Deep Shift – Technology Tipping Points and Societal Impact. The report is based on surveys with more than 800 executives and experts about new technologies and innovations. The point of the report is to identify deep shifts in society that result from new technologies. These include areas such as 3D printing, driverless cars, wearables and artificial intelligence.

I was drawn to shift No. 16, simply called “Bitcoin and the blockchain.” By 2025, 58% of these experts and executives believed we would hit the tipping point for Bitcoin and blockchain. This was defined as:

“10% of global gross domestic product will be stored on blockchain technology.”

To put that into context, the total worth of Bitcoin today in the blockchain is about 0.025% of today’s $80 trillion global GDP.

Also of interest, especially given that it looks like Tunisia will be the first country to issue a digital currency on a blockchain, shift No. 18 was called “Governments and the blockchain.” Here, almost three out of four in the survey group expected that “governments would collect tax via a blockchain by 2023.”

It’s a reality then!

It certainly looks that way. And $500 million of venture capital money in 2015 can’t be wrong, can it?

The prospect of a seismic shift on a par with the impact of the Internet is compelling. That explains all the attention, predictions and excitement about blockchain. But, if we use the evolution of the Internet as a benchmark, the development of blockchain today for commercial use is equivalent to the Internet in, say, the mid-1990s, at best.

The debates on Bitcoin, on whether private or public blockchains will be used, on Sybase vs Oracle (oops, wrong century) are yet to play out. The ability of the Bitcoin blockchain to scale to handle massive volumes at lightning speed remains unproven.

Now, just as it was in 1995, blockchain technology is at an embryonic stage. Still finding its way, it has yet to prove it is a viable, industrial-strength, large-scale technology capable of solving world hunger.

That is why I am going to focus on the use case for insurance rather than the technology itself. (For one explanation of how blockchain works, go to Wired.)

The smart insurance contract

This is getting the most attention right now. The notion of automating the insurance policy once it is written into a smart contract is compelling. The idea that it will pay out against the insurable event without the policyholder having to make a claim or the insurer having to administer the claim has significant attractions.

First, the cost of claims processing simply goes away. Second, the opportunity for fraud largely goes away, too. (I hesitate here simply because it is theoretical and not yet proven.) Third, customer satisfaction must go up!

One example being used to illustrate how these might work came from the London Fintech Week Blockchain Hackathon last September. Here, a team called InsurETH built a flight insurance product over a weekend on the Ethereum platform.

The use case is simple. In the 12 months leading up to May 2015, there were 558,000 passengers who did not file claims for delayed or canceled flights in and out of the UK. In fact, fewer than 40% of passengers claimed money from their insurance policy.

InsurETH built a smart contract where the policy conditions were held on blockchain. Using the Oraclize service to connect the blockchain with the Internet, publicly available data is used to trigger the insurance policy.

In this case, a delayed flight is a matter of fact and public record. It does not rely on anyone’s judgement or individual assessment. It is what it is. If a delayed flight occurs, the smart contract gets triggered, and the payout is made, automatically and immediately, with no claims processing costs for the insurer and to the satisfaction of the customer.

Building on this example and applying it to motor, smart contracts offer a solution for insurers to control claims costs after an accident. A trigger that there has been an accident would come to the blockchain via the Internet from a smartphone app or a connected car. Insurers are always frustrated when customers go a more expensive route for repairs, recovery and car hire. So, with a smart contract, insurers could code the policy conditions to only pay out to the designated third parties (see related article by Sia Partners).

So long as the policy conditions are clear and unambiguous and the conditions for paying are objective, insurance can be written in a smart contract. When the conditions are undeniably reached, the smart contract pays. As blockchain startup SmartContract put it, “Any data feed trusted by a counterparty to release payment or simply complete an agreement can power a smart contract.”

To understand this better, I asked Joshua Davis, the technical architect and co-founder at blockchain p2p InsurTech Dynamis, to explain. He said:

“You need well-qualified oracle(s) to establish what ‘conditions’ exist in the real world and when they have been ‘undeniably reached.’  An oracle is a bridge between the blockchain and the current state of places, people and things in the real world.  Without qualified oracles, there can be no insurance that has any relation to the world that we live in.

“As far as oracles go, you can use either a single trusted oracle, who puts up a large escrow that is lost if they feed you misinformation, or many different oracles who don’t rely on the same POV [point of view] or data sources to verify that events occurred.

“In the future, social networks will be the cheapest and most used decentralized data feeds for various different insurance applications.  Our social networks will validate and verify our statements as lies or facts.  We need to be able to reliably contact a large enough segment of a claimant’s social network to obtain the truth.  If the insurance policy can monitor the publishing or notification of our current status to these participants and their responses accurately confirm it, then social networks will make for the cheapest, most reliable oracles for all types of future claims validation efforts.”
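The many-oracle design Davis describes, applied to the flight-delay trigger above, as an added example: this is an off-chain Python simulation written for this page, not code from InsurETH, Oraclize or Dynamis. The delay threshold, quorum size, oracle names, data-source names and report values are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class OracleReport:
    oracle_id: str       # hypothetical identifier of the reporting oracle
    source: str          # upstream data feed the oracle consulted
    delay_minutes: int   # arrival delay the oracle reports for the flight


@dataclass
class FlightPolicy:
    flight: str
    payout: int           # amount held in escrow for this policy
    delay_threshold: int  # objective trigger condition, in minutes
    quorum: int           # independent data sources that must confirm
    paid: bool = False


def confirming_sources(policy: FlightPolicy, reports: Iterable[OracleReport]) -> int:
    """Count independent data sources that confirm the trigger condition.

    Oracles that read the same upstream feed are not independent, so votes
    are tallied per source, and a source counts as confirming only if every
    oracle reading it agrees. Repeat submissions by one oracle are ignored.
    """
    seen_oracles = set()
    verdict_by_source = {}
    for report in reports:
        if report.oracle_id in seen_oracles:
            continue
        seen_oracles.add(report.oracle_id)
        confirms = report.delay_minutes >= policy.delay_threshold
        previous = verdict_by_source.get(report.source, True)
        verdict_by_source[report.source] = previous and confirms
    return sum(1 for confirmed in verdict_by_source.values() if confirmed)


def settle(policy: FlightPolicy, reports: Iterable[OracleReport]) -> int:
    """Return the amount released to the policyholder (0 if not triggered)."""
    if policy.paid:
        return 0  # a settled policy never pays twice
    if confirming_sources(policy, reports) >= policy.quorum:
        policy.paid = True
        return policy.payout
    return 0


def demo() -> dict:
    """Run three constructed scenarios and return the payouts."""
    def new_policy() -> FlightPolicy:
        return FlightPolicy("XX123", payout=500, delay_threshold=180, quorum=2)

    # Two independent feeds confirm the delay; one disagrees.
    honest = [
        OracleReport("oracle-1", "feed-a", 200),
        OracleReport("oracle-2", "feed-b", 195),
        OracleReport("oracle-3", "feed-c", 10),
    ]
    # Three oracles, but all reading one feed: a single point of view.
    same_feed = [
        OracleReport("oracle-1", "feed-a", 200),
        OracleReport("oracle-2", "feed-a", 200),
        OracleReport("oracle-3", "feed-a", 200),
    ]
    # One oracle feeds misinformation; the other two report an on-time flight.
    one_liar = [
        OracleReport("oracle-1", "feed-a", 999),
        OracleReport("oracle-2", "feed-b", 5),
        OracleReport("oracle-3", "feed-c", 5),
    ]
    policy = new_policy()
    return {
        "honest": settle(policy, honest),
        "replay": settle(policy, honest),       # same reports submitted again
        "same_feed": settle(new_policy(), same_feed),
        "one_liar": settle(new_policy(), one_liar),
    }


if __name__ == "__main__":
    print(demo())
```
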

Is this simply too good to be true?

Personally, I don’t think it is. Of course, a smart contract doesn’t have to be on the blockchain to deliver this use case.

However, what the blockchain offers is trust. And it offers provenance. The blockchain provides an immutable record and audit trail of an agreement. The policyholder does not have to rely on the insurer’s decision to pay damages because the insurer has broken its promise to keep the client safe from harm. As the WEF report states, this is an “unbreakable escrow.” The insurer will pay before it even knows what happened.

There’s another reason for going with the blockchain: cybersecurity!

With the blockchain sitting outside the corporate firewall and being managed by many different and unconnected parties, the cyber criminal no longer has a single target to attack. As far as I’m aware, blockchain is immune to all of the conventional cyber threats that corporations are scared of.

What happens when you put blockchain and P2P insurance together?

In December, I published a two-part article on Peer 2 Peer Insurance (here are Part 1 and Part 2). When you put the P2P model together with the blockchain, this creates the potential for a near-autonomous, self-regulated insurance business model for managing policy and claims.

Last year, Joshua Davis wrote an interesting white paper called “Peer to Peer Insurance on the Ethereum Blockchain.” He presents the theory behind blockchain and the creation of decentralized autonomous organizations (DAO). These are corporate entities with no human employees.

The DAOs would be created for groups of policyholders, similar to the P2P group model with the likes of Guevara and Friendsurance. No single body or organization would control the DAO; it would be equally “controlled” by policyholders within each group. All premiums paid would create a pool of capital to pay claims.

And because this is a self-governing group with little or no overhead, any float at the end of the year would be distributed back among the policyholders. Arguably, this makes the DAO a non-profit organization and materially increases the capital reserve for claims costs.

The big question mark for this model is regulation. There still is no answer to who will maintain the blockchain code within each DAO when regulations change. But, what does seem a dead certainty is that someone, somewhere is figuring out how to solve this.

Blockchain offers the potential for new products and services in a P2P insurance model. It should also open insurance to new markets, especially those on or near the poverty line.

For now, we must watch to see what comes from the likes of Dynamis, which is using smart contracts to provide supplementary employment insurance cover on Ethereum.

Innovation will come from new players

It has been my belief for some time that, in the main, incumbent insurance firms will not be able to materially innovate from within. As with Fintech, the innovation that will radically change this industry will come from new entrants and start-up players, such as:

  • Dynamis
  • SmartContract
  • Rootstock
  • Everledger (see previous article on Daily Fintech)
  • Tradle
  • Ethereum Frontier
  • Codius (Ripple Labs) (update: Codius discontinued)

This is particularly true with blockchain in insurance. These new age pioneers are unencumbered by corporate process, finance committees, bureaucracy and organizational resistance to change.

Besides, the incumbent insurance CIOs have heard this all before. For decades, software vendors have promised nirvana with new policy administration, claims and product engines. So, why should they listen to the claims that blockchain is the panacea for their legacy IT issues? But, that is a subject for another post … watch this space!

‘Gig Economy’ Comes to Claims Handling

Why is this taking so long?!

The challenge I hear echoed throughout the insurance industry is, “How do we speed up the claims process for customers?” Insurance companies often bear the brunt of frustrations from customers stressed out about delays. As we all know, processing claims takes time and patience to gather information, details, photographs and a myriad of other documentation. Getting the right information and accurate documentation takes even longer.

Based on the volume of claims, resources and personnel can become stretched thin quickly. Despite all the efforts within organizations, it’s not uncommon to see claims departments contorting themselves like Gumby to get it all done. Insurance claims are stressful, and relying on customers to reliably and quickly provide information is a challenge — even when it’s to their benefit.

The problem becomes exacerbated following natural disasters or claims in geographic locations where companies have little to no footprint and limited resources to document and gather the information needed. In those situations, companies have to reallocate and sometimes relocate resources, which is expensive, time-consuming and a logistical nightmare.

Saving time and improving data quality and accuracy are all key components to avoiding customer frustration and increasing customer satisfaction and loyalty.

Traditional Challenges Meet Disruptive Solutions

Recently, there’s been a lot of handwringing about the “sharing economy,” the “gig economy” and what it means for traditional lines of business and workers. Will the workplace as we know it change completely? As Tony Canas shared in his Insurance Thought Leadership piece, “What Will Be the Uber of Insurance?,” the gig economy is hardly the end of the world, and the insurance industry is probably due for some disruption.

What a number of traditional lines of business are beginning to discover is that the gig economy presents an opportunity to leverage the power of crowdsourcing to solve challenges, eliminate inefficiencies and even spark innovation within their organizations. Target and Instacart, GM and Lyft, are great examples of how large, traditional verticals are finding ways to integrate the gig economy into new products and services to attract and keep customers while increasing the bottom line.

Now going back to one of insurance’s greatest challenges — saving time and improving accuracy in the claims process, particularly when it comes to getting information such as photographs, records, police reports and inspections. These tasks sometimes feel like they can go on forever with a single claim as companies try to coordinate logistics with policyholders.

What if there was an Uber for insurers? A service that could dispatch an objective third party with a smartphone to quickly take pictures and gather exactly the information needed in the claims process almost immediately?

There is.

Disruption Gets Good for Insurance

Like Uber, WeGoLook is changing the way the gig economy is disrupting B2B by providing inspection and custom tasking services. Building on the strength of the gig economy and using the crowdsourcing model, WeGoLook has built a nationwide network of field agents that provides a nimbleness that is often buried alive in large enterprises.

Here’s how it works at one of the nation’s largest auto insurance companies, where WeGoLook is incorporated into the claims-handling process:

  • A claim handler places an order on a custom dashboard and chooses a service: (1) vehicle photos, (2) scene inspections, (3) salvage retrieval, (4) police record retrieval.
  • A WeGoLook representative calls the onsite contact/policyholder to verify address/item information and schedule an appointment.
  • The “Looker” arrives on-site and captures the data needed for the service/task.
  • Data is submitted via the mobile WeGoLook app and reviewed by internal staff at WGL for quality assurance.
  • The completed report is sent directly to the claim file.

Turning to the gig economy and its on-demand workforce is generating economic benefits and creating true efficiency. We’ve witnessed the process being replicated in companies both large and small and in a variety of categories.

Since starting the company in 2009, I’m continually inspired by the creativity of entrepreneurs and how they’ve found new and inspirational ways to apply crowdsourcing. From crowdfunding, ridesharing, coworking and delivery services to even “pet Airbnb,” the gig economy marketplace is homing in on specific consumer and business needs and delivering.

The Need for a Security Mindset

Keeping antivirus software protection current on all company-owned computing devices has become an essential business practice. That’s not a simple endeavor.

ThirdCertainty recently sat down with Andy Hayter, security evangelist at antivirus vendor G Data Software, to discuss the intricacies of managing antivirus solutions effectively, particularly in small and mid-sized companies. (Answers edited for clarity and length.)

3C: With hackers updating their virus signatures almost minute-to-minute, why do companies still need antivirus protection?

Hayter: One of the myths out there today is that antivirus is dead. But the good news is that antivirus software today isn’t just signature-based. It includes heuristic technology that looks at the characteristics of a piece of software executing on your computer.

So in many cases, even though a particular piece of malware may not necessarily have been identified through a signature, it can easily be identified through the heuristics.

3C: As a business owner or manager, if I’m implementing my antivirus solution on my own, what should I know?

Hayter: Having a management interface is important, so that you can manage all devices and deploy the antivirus software out to all your devices and keep it maintained and updated. Your vendor should offer training to your key personnel.

It’s important for them to understand how to manage threats, and understand what’s going on in your network environment from a malicious software perspective.

3C: Is relying on my IT department to take charge of security wise?

Hayter: Most small and mid-sized companies are going to look at the IT department to do this. They are not large enough to have a separate security function. The CEO and CFO still must fully understand the impact malware can have.

3C: What about outsourcing security?

Hayter: Many smaller companies don’t have the time or resources to get someone up to speed and trained, or even multiple people trained, because this is a 24-hour type of situation. So more companies are looking at managed security service (MSS) providers to take this on for them. This entails a solution that a third party manages remotely through a remote management console.

So it depends on whether the business has the time and the money to train people or wants to outsource this to a professional whose business is security. Either way, you still need to train your IT staff so they know the fundamentals of security and can protect the business in an emergency.

3C: So I can’t just outsource and wash my hands of security?

Hayter: No. You cannot wash your hands of security. Your managed security service provider is there for you, but you still have to understand the basics. You still have to perform the training. And you still are the person on site to talk to your employees about situations that might occur at 8:30 in the morning when they log on their PC and get a strange e-mail.

3C: Establishing a security mind-set for my company is a day-to-day thing?

Hayter: Right. If you do outsource your security, you cannot just forget about it and pray that it’s done completely. You still need to train your employees and help them understand that bad things can happen to them.