Why Treating Your Contractors Like Permanent Hires Will Help Your Business

By Russ Banham


Rapid growth in the contingent workforce — a category comprising a wide range of nonsalaried, freelance specialists and independent contractors — is compelling many businesses to rethink how to integrate these individuals into company culture.

Motivating them may be enlightened self-interest.

“Oftentimes, nonsalaried employees — like contract workers — are treated as second-class citizens, which is certainly no way to ensure workforce cohesiveness, engagement and productivity,” said economic anthropologist Cecile Alper-Leroux, vice president of human capital management innovation at Ultimate Software. “Employers must treat all workers with inclusiveness, making them feel they’re as much a part of the organization’s success as their full-time equivalents.”

Today’s Gig Economy

Much has been written about the importance of a company’s culture, mission and value proposition to engaging employees in their tasks. Yet many businesses fail to carry these same messages forward to contingent workers, despite the tremendous growth in the number of these nonsalaried employees.

According to the most recent estimates by the U.S. Government Accountability Office, contingent workers make up 40.4 percent of the domestic workforce. GAO defines this group as independent contractors who provide a service or product; part-time, self-employed or contract company workers; agency temps; and on-demand laborers who rotate in and out of companies as needed.

Companies may hire contingent workers for diverse reasons, such as to staff a short-term project. Or they may want to avoid contributing to Social Security, unemployment insurance and workers’ compensation. They also may want to save money on healthcare, sick leave, overtime and paid vacation time. These expenses can add up to as much as 1.4 times the salary of a full-time employee, according to the MIT Sloan School of Management.

A Unified Workforce

“We used to call this the extended workforce, but that no longer describes the breadth of the phenomenon,” said Josh Bersin, founder and principal of HR consulting firm Bersin by Deloitte.

Over time, contingent workers have come to represent more than 4 in 10 employees. Freelance specialists and contract workers now perform creative tasks, IT jobs, and even sales and marketing responsibilities.

They have been called part of the “total workforce.” But even this moniker falls short.

“A much better description is the unified workforce, as companies today have such an extraordinary diversity of people in their employ, in terms of their racial makeup, sexual preference, gender definition, age and type of employment,” said Alper-Leroux. “They also have younger full-time employees who tend not to stay with the organization for the entirety of their careers.”

Indeed, the median job tenure for workers ages 20 to 24 is shorter than 16 months, according to the Bureau of Labor Statistics. People between the ages of 25 and 34 stick around for nearly three years. And all other full-time employees work around five years or longer.

“With so many people cycling in and out of the organization — both salaried and nonsalaried workers — the line between all types of employees is blurring,” Alper-Leroux said.

Know Thy Neighbor

The lines may be blurring between different types of workers, but not their treatment.

“Many independent contractors get a cursory view of the hiring entity, as opposed to a full-time employee who is brought in for training to learn the company’s history, meet the senior executives, hear about its mission and understand the culture,” Alper-Leroux said.

This differential treatment comes at a cost.

“Each contingent worker touches your product, customers and business processes in some way, with positive or negative effects,” Bersin said. “It is crucial to the organization’s success that business leaders understand how all their workers are treated.”

He described as “positive” the example of a client in the pharmaceutical industry that contracts out 40 percent of its research and development.

“They have days where they bring in [contractors] to share what they’re working on with the full-time employees,” Bersin said. “Everyone gets to know each other better and feel more connected to the company.”

Bridging The Divide

Such efforts are in the minority. Deloitte’s 2016 Global Human Capital Trends report indicates that, in a survey of 7,000 companies, more than 70 percent reported difficulty with integrating various types of workers into a unified workforce.

One reason is murky employment law. The Fair Labor Standards Act doesn’t specify the differences between full-time and part-time employment. Neither do the National Labor Relations Board, the Civil Rights Act, and the Employee Retirement Income Security Act, according to the U.S. Department of Labor. Each of these statutes draws the lines differently between full-time employees and independent contractors. The language is often “vague or circular … leaving them open to a broad range of interpretations,” the department stated.

Much clearer is the liability for employers that misclassify worker types in regard to employee benefits and salaried compensation. A wide range of penalties may be imposed, and the benefit plan may be disqualified.

“It’s great to have an integrated approach to the workforce, but management must also address the employment liability risks,” said Beth Roekle, president of North American operations for the staffing firm Advantage xPO.

“My advice is, if you’re going to invite nonsalaried workers to the company picnic, then pay them to come to the event,” Roekle said. “This way the distinctions are clearer from an employment law standpoint.”

Despite these challenges, Alper-Leroux said an inclusive strategy for all types of workers is simply the right thing to do.

“All people need to be treated with dignity and respect for their contributions,” she said. “This is what real leadership is about.”

Russ Banham is a veteran business journalist and author who writes frequently about human capital issues.

For Small And Midsize Businesses, What Good Is The Internet Of Things?

By Russ Banham


The internet of things (IoT) was big for many large enterprises in 2016, but only 18 percent of small companies and 13 percent of those in the middle ranks identified it as a top-three priority.

With projections that the IoT market will reach $3.7 billion in 2020, up from $900 million in 2015, and the installed base increasing from 15.4 billion to 30.7 billion devices over this period, are SMBs hurting themselves by not investing in IoT now?

Certainly, there are benefits in making this leap. Manufacturers, for instance, can integrate the data sets that emerge from internet-enabled semiconductors and sensors in machinery with other data sets coming in from across the value chain. Sophisticated algorithms can be applied to the collected information to discern ways to improve productivity, deploy manufacturing capacity more efficiently and shorten time-to-market time frames. Wider profit margins are the outcome.

But these various benefits are a hard sell to SMBs, given the investments required.

“If you’re Southwest Airlines, and you invest in the IoT to lower your gasoline costs by 1 percent, that can add up to savings in the hundreds of millions of dollars,” said Gaurav Dhillon, chairman and CEO of SnapLogic, a platform-as-a-service provider.

But if you’re an SMB, will the benefit of applying IoT technology to your processes be worth the cost?

Dhillon, who previously co-founded and led data integration pioneer Informatica, retold a joke he’d heard in business school to illustrate the conundrum.

“A man had a shoestring investment and doubled its size. He now had two shoestrings,” he said. “But if you double a billion-dollar investment, that’s a heck of a return.”

Gradual Acceptance

SMBs are investing in the IoT, just not to the degree of their larger counterparts. Many retail businesses, for instance, have switched out their 20th-century cash registers for computer tablets that can record consumer purchases with a finger-swipe signature. Others have invested in IoT-enabled thermostats, smoke detectors, surveillance cameras and appliances that reduce energy costs, improve security and allow remote operation.

These investments are just table stakes. Because IoT devices are not fully integrated, the information they generate cannot inform decisions around product and service quality and management processes. It’s a step in the right direction, but there’s a long staircase ahead.

For instance, many midsize manufacturers have implanted IoT-enabled sensors in factory equipment to troubleshoot maintenance issues and ferret out the cause of bottlenecks. But they have yet to connect these machines to supply chains, much less equipment that supports other activities that add business value to a product or service. Without this broader connectivity, data cannot be aggregated and integrated for analysis and action.

Incentives To Invest

What will it take for SMBs to move forward? Anand Rao, innovation lead at PwC Analytics, suggested two potential motivators — tax breaks and insurance premium discounts.

“Both will make investments in the IoT more financially feasible for SMBs, particularly as the cost of the technology decreases,” Rao said.

The latter is indeed the case with IoT-enabled sensors, which have fallen in price from an average $1.30 per sensor in 2004 to a predicted 38 cents in 2020.

But Rao acknowledged that lower cost alone would not make the IoT a priority for SMBs.

“They have to determine the value proposition — a cost-benefit analysis that demonstrates a clear investment return,” he explained. “They need to see what’s in it for them.”

Dhillon has the same perspective, adding that it will take time for SMBs to realize this value. Asked to elaborate why, he described a hardware store in the town where he lives. The store owner, “a wonderful guy named Henry,” he said, could invest in the IoT to reduce his HVAC bills, improve his inventory management and use IoT-enabled heat-mapping technology to electronically track his customers’ behaviors for sales purposes. But Henry can already do all of this without investing in IoT.

He knows when to turn the heat or the air conditioner up and down during the day; knows his inventory inside out; and, in many cases, knows his customers on a first-name basis.

“That’s what’s great about an SMB — the intimacy and friendliness,” Dhillon said. “I go to Home Depot and can’t find my way to what I need, much less a human being to help me.”

A similar scenario applies to other SMBs — the car dealerships, lumberyards, professional services firms and assorted “mom and pop” shops dotting Main Street. “For smaller companies, it’s still the early days of the IoT,” Rao said.

Undoubtedly, the IoT is a big thing for big business. But for smaller companies, investing in it must be carefully considered.

After all, if customer service and efficiency are already top notch, what benefit can the IoT provide?

Russ Banham is a Pulitzer-nominated financial journalist and author of 24 books.

The Best Path Forward: CFOs blend new and old techniques in a quest for capital budgeting solutions that allow more flexibility.

By Russ Banham


“Money is everything,” goes the old saw, and in the current economy, many U.S. companies are swimming in it. The pile of cash held by U.S. corporations is more than $2 trillion and growing, stoked by low-cost bond issues, stringent cost-cutting, and sizable profits. But success brings its own challenges, like the need to profitably allocate capital to meet the market’s elevated expectations for forward earnings, as reflected in healthy share prices. With activist investors, other shareholders, and financial analysts on constant watch, deciding whether an investment is worth funding is not a job for the fainthearted.

The task, of course, lands squarely in the lap of the CFO, who carries the banner for the business-planning process, “stitching together [the company’s] strategic growth plan and fundamental investment model, year after year,” says Mark Partin, finance chief of accounting software firm BlackLine. But in a domestic economy that is potentially overripe and expanding at less than 3% a year, CFOs can’t just stick to standard operating procedure.

They are also confronted by the changing nature of capital investment in the United States, trending away from new machinery, new manufacturing plants, and other “hard” assets to things like research and development, staffing, and software. In many industries, budgets are less about updating old equipment and more about improving customer service, launching new products, securing corporate networks, and bolstering worker efficiency.

As where the cash is going changes, of course, so must the techniques used to screen investment projects. Many CFOs, it turns out, still deploy tried-and-true capital planning techniques like net present value (NPV) and internal rate of return (IRR). But others find that they are relying less and less on the old formulas: when speed is of the essence, often a straight return on investment is all that’s needed. So, what methods and models are informing CFOs’ capital investment decisions in the 21st century? How are they making the critical choices that shape their organizations’ futures?

Blurred Lines

Over the past 20 years, capital planning has altered dramatically, says Ken Stillwell, CFO of customer relationship management (CRM) software provider Pegasystems, who was a finance executive at several tech companies over that stretch.

“In the old days, capital expenditures were fixed—you were told ‘here is your capital budget and here is your operating budget,’” says Stillwell. “In my world right now, the lines between the two have blurred. For us and many other software companies, capital planning is all about [deciding what cloud systems to use].”

Partin, BlackLine’s CFO, suggests long-term capex decisions have gone the way of packaged software. Like many tech firms, BlackLine has transitioned into a cloud-based software-as-a-service (SaaS) provider. “Traditional capex has now been concentrated on cloud operations,” says Partin. “I’m making short-term decisions on cloud applications—is this particular solution the right one to help us grow and invest in the right kind of people? Will it give us a return on our investment?”

BlackLine’s capital spend is directed toward cloud applications that enhance brand, marketing, data security, and field-sales capabilities. But the company eschews long-term commitments. Each of BlackLine’s cloud providers is signed up on an annual term basis, allowing for “quick ins and outs if we wanted that,” the CFO says. “We’ve distilled the capital planning process to ask ourselves if this is the right partner and the right investment.”

In handling decisions that way, BlackLine leans toward metrics like a vendor’s net promoter score (NPS), customer testimonials, and reputation instead of old tools like NPV and IRR.

The new metrics assist faster investment decisions, Partin says. “The cycle of innovation in the tech sector is so blisteringly fast and the threats to data so prolific that our investment decisions need to be equally rapid and agile,” says Partin. “Where we house our data, where we put our servers, what we put in them, and the systems we buy—all have to be able to adapt to new products, rapid growth, and new threats.”

Rigorous but Flexible

Speed and agility of decision-making is a common theme in capital budgeting these days. At Centage, a provider of automated budgeting and forecasting software, the process of analyzing capital spending is much easier now that the company has transitioned to a recurring revenue model with a predictable revenue stream, says CFO John Orlando.

The company’s costs for hosting its solutions have to do with capacity planning—figuring out how many servers and how much bandwidth it will need, which is driven off of sales forecasts, says Orlando. Capital decisions are based on revenue expectations—what kind of business Centage hopes to sell and where it will sell it. “If we strategically want to grow 40% this year, we look at the investments we need to make to support that; if we can’t afford the investments, we lower our growth goals,” Orlando says. In making investments in cloud-based applications, there’s no need to take into account each one’s IRR or NPV, Orlando says, “just the ROI.”

An example of such an investment was the adoption of expense reporting solution Concur. Previously, Centage’s consulting team spent 3 to 4 hours per week reconciling their expense reports. Now that the process is automated with Concur, it takes them less than 30 minutes. That equates to savings of 25 hours per week for people billing $250 per hour. Centage’s accounting team also used to spend 10 to 15 hours per month reconciling reports and chasing receipts; now the process consumes no more than 3 hours per month.

Instilling speed in capital budgeting is also key at Power Distribution, a manufacturer of electrical systems for corporate data centers. The company has invested in new product development; product extensions; acquisitions; R&D; factory capacity expansion; and people, its workforce growing 30% over the past five years. CFO David Hensley has to be able to alter this investment mix rapidly when circumstances warrant.

“The biggest challenge for us is how to create a rigid enough due-diligence process at the front end of our planning to make good business decisions, but have the process be flexible enough to allow for swift capital changes,” Hensley says.

Shifting resources quickly can be critical when many projects are fighting for a fixed pool of resources. CareCentrix, a home health-care coordinator, has had, like other services providers in its sector, a relatively flat capex budget for years, says Steven Horowitz, the company’s CFO. For some capital expenses, CareCentrix has no choice but to greenlight them. For example, it has to invest in projects to comply with health-care regulations, Horowitz explains. “There’s no need to do an ROI; we just try to do what’s needed for the least amount of money,” he says.

But for other projects, CareCentrix uses a fairly rigorous capital planning process that begins with a “project chartering” phase. That phase documents what the project is, the problem it is solving, what it will cost, and the value it will generate. Once a capital decision is reached, finance and the relevant department, function, or line of business review the progress of the project at a series of “gates” to determine whether or not to go forward.

“Before we go too deep, we make sure the assumptions are still correct,” says Horowitz. “We may have to put more money into the pot or pull some out and put it into a new opportunity.”

Horowitz relies primarily on return on investment to make decisions. Operating improvements and efficiency projects undergo a traditional ROI analysis, he says. “Other things, like a customer asking for a new capability, require a different analysis; [in those cases it’s] more about whether or not we should do it and what it would cost,” Horowitz explains.

Timing Matters

For many companies and types of investments, the timing (of both the capital outlay and the return) still matters very much, especially when the expenditure is very large. For example, Pegasystems has approximately half of its operating systems on-premise and the other half in the cloud. The process for choosing one or the other takes into account the timeframe of the anticipated investment return.

“We look at the problem we’re trying to solve and how much variability we have in solving it,” says CFO Stillwell. For example, an ERP system is a 10-year problem that requires an upfront capital investment, he explains. But when investing in a new marketing automation solution, “where I have no clue what [the market] will look like 10 years from now,” Stillwell says, the answer is likely to be a SaaS product.

In making those decisions, Stillwell still performs a 15-year discounted cash flow, an analysis that projects the investment’s free cash flow into the future and then discounts this amount to arrive at a present-value estimate. The company’s financial planning and analysis group built Pegasystems’ DCF model, which requires significant post-calculation deliberations before finance doles out the funds.

Discounted cash flows, of course, are an important part of techniques like NPV and IRR that are used to evaluate new projects. Many CFOs still find substantial value in those formulas for certain kinds of expenses, even in the fast-moving tech space. Hodges-Mace, a provider of cloud-based employee benefits administration software, hinges its capital budgeting considerations to IRR and NPV outcomes, even though the company doesn’t do much in the way of traditional capital projects, says Ron Shah, CFO and chief operating officer.

For example, Hodges-Mace recently invested in a sales team expansion, adding more feet on the street and sales support personnel. “The plan was to grow what were 20 people in those jobs to 40 over the next 12 months,” Shah says. “We wanted to figure out the IRR on the investment before we took the plunge.”

Shah ran multiple scenarios, evaluating the profit potential of adding 10, 20, and 30 people over different time periods. The IRR results indicated the greatest opportunity would come from adding 20 additional sales and support people over a 12-month period, albeit 10 people in the second half of 2018 and the remainder in the first half of 2019. “This way we would see a return on the investment occurring in 2019 from the people that had already come on board in 2018,” he explains.

Another recent sizable investment—doubling the footprint of Hodges-Mace’s Atlanta office—went through a similar exercise. The company plans to lease an additional 15,000 square feet (in its existing building) over the next two years. “Although we won’t fully utilize all this space right off the bat, we learned from the analysis that it would be less expensive from a leasing standpoint to do one large expansion, as opposed to expanding gradually.”

In drawing this conclusion, the analysis took into account several factors, including the real estate market in Atlanta and Hodges-Mace’s expected 10-year growth rate. The projections compared short-term lease rates on a small expansion and long-term lease rates on an immediate, bigger expansion. The second option was more economical. “Plus, we would get an allowance for some tenant improvements to offset construction costs,” Shah says. “It was a ‘no brainer.’”

Tom Liguori, CFO at Advanced Energy Industries, a developer of power and control technologies used in semiconductor manufacture, also uses an IRR model. [In the company’s industry,] “we all seem to have a lot of cash to invest and are looking at how best to deploy it—lining up our projects in a queue,” Liguori says. In analyzing R&D projects, “we’ll look at the technology we’re developing over a five-year opportunity period, insofar as the costs to develop it and the expected revenues [are concerned], and then do an internal rate of return,” Liguori says. “Every quarter we review these analyses to determine which R&D projects should be accelerated, changed, or killed.”

But IRR isn’t right for every situation. Aiming to achieve planning rigor with flexibility at Power Distribution, CFO Hensley relies predominantly on NPV (“our go-to”), since he thinks IRR is less flexible. “It’s harder with IRR to get a true apples-to-apples comparison if you have projects with different discount rates and risk profiles. It gets a bit wonky,” he says.

Hensley offers the following comparison: “Say we buy a piece of automation equipment to go in the factory. The probability of success in the IRR analysis will be really high. On the other hand, if we plan to launch a new product in a new segment outside our space, the probability of success will be the opposite. If you take this to the extreme, all we would ever do is automation projects, and we’d be out of business.” NPV, on the other hand, takes into account the need for “intelligent risk-taking,” Hensley says.

When Math Fails

As Hensley has discovered, the techniques of capital budgeting can be biased toward certain kinds of projects and rarely give CFOs all the answers. In addition, it is often the riskier, hardest-to-measure investments that can be most transformative for a company.

When weighing potential takeover deals, for example, Advanced Energy’s Liguori bases his decision on two hurdle rates—short-term and long-term. The short-term hurdle rate has to be equal to or better than a share repurchase over a five-year horizon. “We’ll compare a $50 million acquisition to a $50 million (stock) buyback, looking at the earnings per share in each case,” Liguori says. The long-term hurdle rate is the IRR on the cash flows generated by the acquisition. But Liguori can’t always go with what his hurdle rate analysis dictates. “We don’t want to be five years down the road and [realize] all we did was buy stock,” he explains.

Pegasystems’ Stillwell faces similar situations: the large, upfront bets can’t always be avoided. “We don’t always pick the project the DCF says makes the most bottom-line sense,” Stillwell explains. “If three potential capital projects break even from a DCF standpoint, meaning we shouldn’t invest in any of them, but one of the projects has considerable strategic upside, we’ll take it on. Even though we know we’ll lose money initially, we have to do it.”

Pegasystems’ April 2016 purchase of OpenSpan, a provider of robotic process automation software, was a case in point. The DCF model told Pegasystems’ management to abandon the deal. “[The model said] it was too risky,” says Stillwell. “But we knew it was critical insofar as where the market in enterprise CRM is going. In that case, quality trumped the math.”

Russ Banham is a veteran financial journalist and author and a longtime contributor to CFO.

Cybersecurity: A new engagement opportunity

An AICPA framework enables CPAs with cybersecurity expertise to perform new services for clients.

Russ Banham

Journal of Accountancy

As trusted business advisers, CPAs find ways to help their clients achieve their business objectives. Now, under the AICPA’s recently issued cybersecurity reporting framework, CPAs have an opportunity to expand the services they offer to help clients manage and understand cyber risks. The framework is supported by two distinct but complementary sets of criteria that enable clients to describe their cybersecurity risk management programs and evaluate the effectiveness of controls within those programs. In addition, CPAs can use the framework to evaluate (and in some cases report on) the client-prepared cybersecurity information.

The new cybersecurity risk management framework creates opportunities for:

  • An entity’s management to describe its cybersecurity risk management program.
  • CPAs to perform a consulting engagement to help a client’s management develop a description of its cybersecurity risk management program to provide to the board and other internal parties who are interested in that information.
  • CPAs to perform a consulting engagement known as a “readiness assessment” to help a client identify where its cybersecurity processes and controls may need to be shored up.
  • CPAs to perform a System and Organization Controls (SOC) for Cybersecurity examination engagement to assess the client’s cybersecurity risk management program. Either or both of the consulting engagements may be performed as a prelude to the examination service.

The new engagements require specialized expertise, given the evolving nature of cyber risks, the potential for management to fail to identify appropriate risks, and a firm’s potential liability for overlooking or underappreciating a cyber threat in its attestation. Because of the specialized skills required, many firms that lack the appropriate expertise will be unable to offer these services.

Nevertheless, for some firms the benefits of establishing the new practice line may outweigh the challenges. The primary reason is one of demand: Boards of directors and audit committees want greater assurance and transparency that the companies they serve are establishing effective cybersecurity management programs.

“Fast-changing regulations are being published with severe and prescriptive language, such as ‘do this’ and ‘don’t do that,’” explained Rod Smith, CPA, a managing director at Crowe Horwath LLP. “At the same time, there are a lot of different cyber risk frameworks in place today, some of them unique and others overlapping. Companies have to satisfy regulators’ increased expectations, and until now [we] haven’t really had a good vehicle to provide this assurance.”


This “vehicle” is the AICPA’s new voluntary cybersecurity reporting framework, which includes the three elements described in the table “Cybersecurity Reporting Framework.” The two complementary sets of criteria that support the framework are presented in the table “Criteria Supporting the AICPA Cybersecurity Reporting Framework.” The narrative description of the company’s cybersecurity risk management program, which is prepared by management, enables report users to better understand the context in which key security processes and controls operate within the entity’s cybersecurity risk management program.

Use of the description criteria to prepare the description provides companies with a common language to use when providing information about their cybersecurity efforts to interested parties such as boards, investors, and regulators.

Under the framework in the “Cybersecurity Reporting Framework” table, management also makes an assertion about whether the description is presented in accordance with the description criteria, and whether the controls within the program were effective to achieve the entity’s cybersecurity objectives. CPAs can be engaged as consultants to assist management in developing the description and in performing the readiness assessment. CPAs also may be engaged to perform an examination engagement to express an opinion on the description and the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives, which is the last element of the reporting framework in the “Cybersecurity Reporting Framework” table. The resulting cybersecurity examination report can be provided to report users, including a company’s investors, cyber risk insurers, and users of its products and services. “Although it is voluntary, it nonetheless serves a need in the marketplace that is currently underserved,” Smith said.


Many large public accounting firms already provide their clients with security-controls-related services, ranging from advisory services to examinations (for example, SOC 2 examinations). Firms that provide these services generally have multidisciplinary teams that bring a unique combination of strengths to the table—experience providing examinations of IT security controls performed using the rigorous approach required by professional standards combined with extensive expertise in IT and cybersecurity.

While clients of these firms often are publicly traded companies with large risk profiles and critical business partners, cybersecurity threats are not confined to large entities. Business enterprises of all sizes and in all industries are susceptible to them. Thus, midsize and smaller accounting firms may want to assess their clients’ cybersecurity needs, as well as the competencies necessary to provide cyber services to those clients, when determining whether to enter this space.

“Many smaller firms lack the type of expertise needed to draw effective conclusions,” said Mark Burnette, CPA, a shareholder at LBMC PC. “While auditors, by default, are control experts, evaluating cybersecurity requires a unique understanding of the nuances of cybersecurity. Firms can either develop this expertise internally or partner with a firm that already has it.”

He is not alone in this view. “You need such a wide spectrum of skill sets to effectively perform the attestation, given the broad and constantly growing range of cyberattacks,” said Shahryar Shaghaghi, national practice leader and head of international cybersecurity at BDO.

BDO possesses these technical skill sets in-house, Shaghaghi said. But he added that niche providers can provide the attestations by hiring and developing the needed expertise. Niche providers may also align with another firm and jointly provide those services, or hire another firm to use its expertise.

Others agree. “There’s plenty of work to go around, but for many firms it requires additional expertise,” said Jeff Ward, CPA/CITP, CGMA, national managing partner of third-party attestation services at BDO USA. “This is simply a natural progression of financial audit. Firms increased their technical expertise from SOC 1 to SOC 2 to address things like data center risks. The new framework is the next iteration.”

He added, “Since cyber risk affects every business, companies naturally will turn to their current providers first for the attestation.”

Smaller CPA firms must anticipate this possibility and prepare to provide a response. To provide the service, Ward advised they reach out to create partnerships with peer firms in their state societies and form industry alliances, or recruit needed skill sets.

The effort may well be worth it. “Many CPA firms are aware of the demand for these services,” Burnette said. “Board directors and audit committees are asking the firms about the effectiveness of their companies’ cybersecurity practices. They’re looking for an independent attestation, seeing that as more definitive than an internal report by the company’s chief technology officer or the vice president of IT.”


Although businesses are not required to adopt the AICPA’s reporting framework, CPA firms may wish to explain the merits of the new services to clients. Firms can educate their clients on the level of consistency the new framework provides in the context of cybersecurity reporting and related assurance. “It’s up to our profession [for the framework] to gain traction,” Burnette said.

He projected that as more companies engage firms to provide a cybersecurity attestation, their business partners will follow suit, creating a domino effect. “The sooner a CPA firm can establish a qualification in a particular domain, the easier it is to parlay that expertise into additional opportunities, by pointing out the prior experiences and how they have learned from them,” Burnette added. “One of our best marketing strategies when we talk to clients about our cybersecurity attestations is to share what we’ve already seen and learned, and how we’ve adapted our approach and work efforts based on that. That sends a clear message that we’ve got the experience to make the [attestation] as efficient and as minimally invasive as possible.”

Some CPA firms target their cybersecurity services to specific markets or customers. For example, BDO markets its cybersecurity services to highly regulated industries like utilities and health care institutions, which are at significant risk of a cyberattack or disruption. Crowe Horwath has a similar focus on the banking and depository institutions it serves. In both cases, the sectors’ vulnerability to cyberattacks and their related regulatory obligations are likely to make attestations more attractive to their boards and senior management.

Technology companies, such as cloud-based providers that store client data, are also at high risk of cyberattack. Such businesses are open to the idea of a more consistent cyber risk management framework. “Our customers have different levels of maturity in terms of information security and the unique and changing regulatory compliance issues they confront,” said Max Solonski, chief information security officer at BlackLine, a cloud provider of financial and accounting software. “[CPA firm] Moss Adams handles our SOC 1 and SOC 2 reports, and we would certainly be interested in them conducting an independent attestation to further validate the adequacy of our security levels, based on the needs of our clients.”

With regard to pricing the new examination, Smith of Crowe Horwath advised that interested parties calculate the costs of needed resources, particularly new hires and training of existing staff, and factor in the possible need for additional liability insurance protection.

“We’re in deliberations right now trying to figure out what the new engagement means in terms of liability insurance, given the opinion risk,” he explained. “We want to be sure we estimate the effort properly and price it accordingly. And we plan to do plenty of due diligence before accepting a client.”

LBMC is doing the same. “We already have cybersecurity experts who know what it takes to properly assess a client’s security posture, so we should be able to develop an [engagement] plan and make a per-hour estimate of how long it would take for them to perform the procedures necessary for the new cybersecurity risk management program attestation,” Burnette said. “We’ll then plug that into a budgeting tool to calculate the rate per client and adjust our processes and budgets as we perform a few of these engagements and learn from the assessment process. It’s a work in progress.”

BDO, Crowe Horwath, and LBMC all plan to offer the new examination and expect that at some point in the future the AICPA framework is likely to become widely adopted.

About the author

Russ Banham (russ@russbanham.com) is a veteran financial journalist based in Los Angeles and is the author of more than two dozen books.


By Russ Banham

Leader’s Edge

Imagine a future where fancy computers handle your tedious administrative tasks while you do better things, such as delving deeply into your clients’ risk exposures on a daily basis.

This blissful scene is not at all farfetched. In fact, technology can take on the monotonous functions of broking, freeing brokers to provide the value-added services their clients crave.

The need for these technologies is dire. “Brokers are awash in information, taking in and passing out an enormous volume of data,” says David Bassi, an executive director in consulting firm EY’s insurance practice. “Automating this exchange of information liberates brokers from having to manually key in all this structured and unstructured data.”

RPA Gateway?

The value and range of new technologies spreads across a wide swath of a broker’s business—more to come on artificial intelligence and the like—but it seems like right now brokerages are more readily focusing on back-office automation, where the administrative work of the business is carried out. Software known as RPA, or robotic process automation, can carry out simpler, more repetitive human tasks (such as data entry) that don’t necessarily take knowledge or insight to perform. Consider the tedious work performed by company accountants to close the books. Using RPA tools, these data can be easily extracted from a brokerage’s myriad systems and applications to ensure accuracy and a faster close.

This is good news for accountants. “Smart accountants get to do what they yearn to do anyway—study the numbers to learn where the firm is growing business or losing it,” says Therese Tucker, founder and CEO of publicly traded BlackLine, a financial and accounting software firm that provides RPA tools. “This important value-added activity is lost if they’re hunkering down in the trenches tallying up the numbers.”

RPA also can be employed to fulfill a broker’s legal and compliance obligations. “We’re seeing growing interest in the technology to make sure a broker’s various contracts, reports and disclosures are correct and compliant from a regulatory standpoint,” says Dimitris Papageorgiou, a principal in EY’s people advisory services practice. “We know that some brokers are in a pilot stage with the tool.”

The back-office opportunities presented by RPA are both strategic and tactical. As human workflows decrease, people are able to work more efficiently, giving them more time to build relationships with clients.

“When these technologies work very well, they take out about 80% of the effort for 20 people, meaning that these 20 people now have 20% of the work left to do,” says David Kuder, the Robotics & Cognitive Automation leader at Deloitte Consulting. “Extrapolating from this metric, this means you need just four people to do the work that 20 people previously did. The additional 16 people can now apply their intellect to more strategic uses, working more closely with clients to identify and reduce their losses.”

Other insurance and technology experts agree this value is hard to ignore. “RPA allows a broker to really optimize and improve the efficiency of its back office, particularly if the firm is interacting with different carriers’ legacy technology,” says Ted Stuckey, head of the global innovation lab at insurer QBE in Sun Prairie, Wisconsin.

Stuckey describes a recent visit to a midsize insurance brokerage in Los Angeles. “I walked through bullpens of people doing mind-numbing data entry tasks,” he says. “They were working with upwards of 20 different carriers’ legacy systems. From a process automation perspective, in addition to an auditability and integrity standpoint, RPA represents a huge opportunity. You’re able to push people to higher-value work, such as dealing with the more complex transactions where brokers shine.”

These many advantages add up to enrich the relationship with clients. “In our industry, who has the best opportunity to improve the relationship with the end customer? The broker, of course,” Stuckey says. “These technologies present a vital opportunity to improve customer engagement. Right now, the book of business for many midsize and larger brokers is so substantial that it’s extremely hard to stay front and center in the customer’s eyes. These tools give brokers the ability to be there when clients need them most.”

To illustrate the point, Stuckey provided the example of another midsize brokerage partner. “The firm had a team of people whose sole job was to make calls to customers prior to the [policy] renewals,” he says. “Most of the calls went to voicemail. Imagine if they used a chatbot tool using natural language processing to simulate conversations with customers? You’ve just freed up that team of salespeople and account executives to be available every minute for customers’ questions and concerns.”

Moving Past Automation

Automation is one thing, but it’s just a start. Many large insurers are investing heavily in cognitive computing, building state-of-the-art solutions internally or purchasing them from the growing ranks of insurtech startups. Cognitive computing is more than just automation. It uses machine learning to perform human tasks in an intelligent way, incorporating things such as natural language processing, text mining and image recognition.

Most insurance brokerages are said to be just nibbling at the edges of these types of opportunities. “Many brokers are still in the very early days of assessing the benefits of cognitive computing,” says Anand Rao, global artificial intelligence lead at consulting firm PwC. “They’re using a few of these tools but have not yet made truly substantial investments.”

Other consultants agree brokerages are comfortable sitting on the fence for now, waiting to see how the market shakes out. “Unlike large global banks and insurers, many insurance brokers are in a proof-of-concept stage with these technologies,” Kuder says. “There’s been a lot of talk and a lot of hype, and a few brokers will say they’re doing this and that. But only 10 to 15% of brokers are doing much of anything.

“No firm wants to be the first headline replacing a ton of labor with robotics or cognitive automation. But everyone is absolutely experimenting with these technologies or has it on their radar screens.”

Time will tell if this experimentation leads to fuller deployment. For now, the pace is slow. According to a recent survey by consulting firm Accenture, 37% of insurance executives say their companies plan to “extensively” invest in machine learning over the next three years, and another 44% predict “moderate” investment. In another study by the IBM Institute for Business Value, 90% of insurance respondents predict cognitive computing will “strongly impact” their revenue models.

“Both insurers and brokers are closely examining artificial intelligence and machine learning, realizing the significant opportunities they present,” says Ashish Umre, a partner on insurer XL Catlin’s Accelerate disruption and innovation team. “The key for brokers is to identify those strategic areas where the technology will make the most difference in adding value for their clients.”

It’s Better Risk Management

While the importance of a strategic, patient approach cannot be overstated, some maintain brokers need to pay attention to what carriers are doing so the playing field does not change around them while they sit on the fence.

“What do all customers large and small want from their broker? They want their risks managed more efficiently and coherently,” says Michael Maicher, head of global broker management at Allianz. “They want convenience, transparency, trust and the knowledge that they are gaining value for the money they’re spending. These technologies help do just that.”

According to Lori Sherer, partner and insurance leader in Bain & Company’s advanced data and analytics practice, “As the carriers collect client risk data in a better format than brokers currently do, they’ll be able to help them better understand these risks, resulting in more accurate and affordable coverages. Brokers are getting paid beaucoup dollars to place the risk today. The more digital this becomes, the less relevant they will be unless they’re investing in the same tools.” Bain & Company’s insurance company clients all have innovation labs and corporate venture arms investing in insurtech startups and have presented the firm with written proposals to use a greater variety of cognitive computing solutions in the future, she says.

Maicher predicts the simple placement of the risk will become less valuable and cheaper. “Consequently,” he says, “brokers need to improve their knowledge of clients’ risks and preferences, accessing relevant data to achieve deeper insights. Clients will pay for this more sophisticated risk advice.”

Insurers are just as vulnerable to these technological forces as brokerages. “Several reinsurers are investing heavily in cognitive computing to do more risk management and loss control with the idea of working closely with the brokers to essentially displace the carriers,” Rao says. “There’s a lot of friction in the marketplace.”

This friction is good for corporate clients, as it ultimately will produce less expensive insurance products with coverages customized to actual needs.

“With lower transactional costs, risk transfer will become more attractive to clients,” says Maicher. “This will result in a higher demand for a greater range of insurance products, increasing the overall size of the market.”

New products also will emerge from the industry, as brokerages and carriers develop a better understanding of client risks. “As more companies leverage the IoT and put their data in the cloud, the related risks are sure to grow,” Sherer says. “The industry is only beginning to understand how to effectively transfer these risks. The opportunities are huge.”

The Labor Question


If brokerages continue to gradually employ more cognitive computing technologies, their actions are unlikely to result in the mass displacement of labor. The tools are intended to free employees from rote tasks so they can provide more personalized services to clients, meaning little labor displacement, if any, for the time being. Even better, the use of these technologies creates a need for new skills in a brokerage’s workforce.

“Since people will be working more directly with technology on a daily basis, the workforce needs to reflect these skills, either through recruitment or training,” Kuder says. “Different people will be doing different things in the future, repurposed to provide value-added activities that lead to better client services.”

These workforce changes are already occurring. “We’re definitely seeing movement in the market for hiring or reskilling individuals in the automation space,” Papageorgiou says. “This demand for talent actually exceeds the supply, which may be a factor in why some brokers are slow to adopt cognitive computing.”

Thanks to cognitive computing technologies, the services provided by the brokers of the future will become more important as the brokers shift toward more sophisticated advice. In this progression, mergers and acquisitions are likely, both among brokerages and with specific insurtech startups.

“These are exciting times for brokers to innovate and experiment,” Kuder says. “There’s a lot more degrees of freedom to choose where and how you want to play.”

Banham is a financial journalist and author. Russ@RussBanham.com

Rating the Cybersecurity Rating Firms: How Accurate Are They?

By Russ Banham

Carrier Management

In just a few years, a growing crop of cybersecurity ratings firms has sprouted to assess the vulnerability of businesses to withstand cyber attacks, scoring them on a scale from good to bad. Key markets for the firms are insurance carriers and brokers, each using the ratings for different reasons.

Consequently, insurers have been wary about underwriting cyber risk policies with broad coverage terms and conditions. The complexity of the threat is so large and unwieldy that insurers struggle in modeling and quantifying potential loss frequency and severity. That’s where the cyber risk rating firms enter the picture.

InsurTech startups like Cyence, BitSight, SecurityScorecard, Cybernance, RiskRecon and others have formed to improve insurers’ understanding, identification and measurement of cyber risks. In scoring their risk assessments, the firms typically provide a simple rating using numbers, letters, or red, yellow and green traffic light symbols.

The ratings firms are not to be confused with cybersecurity consultancies that do a deep dive into a company’s network and systems to posit shortcomings. Rather, the firms provide a non-invasive way to assess a company’s exposures, giving a sense of how it might manifest itself to the hacking community, a group that includes nation-states, terrorist organizations, hacktivists and old-time hackers seeking bragging rights.

The firms’ utility is wide-ranging. Carriers, for example, use the ratings in their underwriting deliberations and to determine aggregate cyber risk exposures across the books of business. Some insurers also offer the ratings firms’ benchmarking capabilities to their insureds as a service, helping companies compare their cyber risk preparedness and technical defenses to those of peer competitors. Brokers, on the other hand, leverage the ratings to bolster the argument of why a client needs to buy cyber insurance. The ratings also are useful in advising cybersecurity improvements to earn superior insurance treatment.

This is all well and good, assuming the cybersecurity ratings are accurate. As the recent WannaCry and Petya ransomware attacks demonstrated, hackers are in the business of confounding the world’s best cybersecurity professionals. Assessing a company’s risk exposure with a simple letter grade might serve a purpose, but only if the underlying scoring methodology is robust.

How foolproof are the cyber ratings firms? “They’re able to see a lot of information out there to assess relative degrees of vulnerability, but I’m not sure they’re at a stage where they can make accurate predictions,” said Tracy Dolin-Benguigui, director and insurance sector lead at S&P Global Ratings, which rates insurer credit risk.

She added, “Insurers shouldn’t be overly reliant on the scores as the sole basis for underwriting decisions. They’re just another tool in the toolbox.”

Different Strokes

The cyber risk ratings firms are not cookie-cutter service providers. According to their websites, BitSight and SecurityScorecard are focused on assessing the technical defenses of a company, whereas Cyence is more engaged in quantifying the potential financial outcome of a cyber incident. Some overlap is to be expected.

“We don’t really see ourselves competing with BitSight and SecurityScorecard,” said George Ng, Ph.D. (Economics/UC Irvine), Cyence’s chief technology officer and co-founder. “We’re an economic modeling platform. Customers like insurers can do an individual company analysis, looking at various metrics and assessment indicators focused on the organization’s cyber risk in financial terms—its ultimate economic exposure.” Ng formerly worked as a research scientist at DARPA.

BitSight, the first startup in the cybersecurity ratings market, touts the multiple uses of its scores by insurers. “Our product is being used by the largest insurers to develop much-needed cyber risk policies,” said Samit Shah, BitSight insurance solutions manager. “We also help underwriters write a policy at certain limits, terms and conditions. On the reinsurance side, the ratings help them negotiate better reinsurance terms, unlocking more capacity at better pricing for the market, which is a good thing for insurers and their customers.”

Shah makes a good point. All companies are eager to transfer their cyber risks. The challenge has been the wariness of insurers and reinsurers to absorb their exposures. If the insurance industry can get a better sense of cyber risks, the market potential is staggering. A report by Allianz projects double-digit growth figures on a year-by-year basis reaching more than $20 billion by 2025.

Cyber ratings firms are in business to do just that. Nevertheless, some insurers like Chubb are carefully validating. “We’re still in the exploratory phases and continue to refine our use of cyber ratings solutions to address underwriting, enterprise risk management and data analytics,” said Russ Cohen, Chubb vice president of cyber services.

Nevertheless, the giant property/casualty insurer is partnering with the ratings firms to provide a value-added cybersecurity benchmarking service to customers that buy its cyber insurance policies. “Policyholders can view their security scores and their comparative relationship to other companies in their sector for a period of 12 months,” said Cohen.

This service also allows cyber policyholders to monitor third-party vendors, which can be a pathway for hackers to invade a company’s network and systems. (An HVAC vendor was the entry point for the massive Target data breach in 2014.) Scores on three vendors are delivered for a 12-month period. “The outside-in perspective of these solutions can be a virtual canary in the coalmine, giving policyholders insight into what might be happening on their internal network without them even knowing about it,” Cohen said.

Interest and Intrigue

Chubb did not disclose the name of the cybersecurity rating firm with which it has partnered, considering this confidential information. Several other insurers declined the opportunity to be interviewed for this article. Two insurance brokers using the firms’ scores in different ways agreed to an interview, with one, Lockton, preferring not to divulge the name of the provider for proprietary reasons.

“We have relationships with a couple of the ratings firms for their specialized services, which are valuable to our clients,” said Michael Born, vice president and account executive in broker Lockton’s cyber technology practice.

Asked for an explanation of this value, Born cited the broker’s enhanced ability to help clients understand their cyber risk exposure. “Companies want to know the likelihood of a cyber attack and the financial impact, but the data to provide this information is hard to come by,” he said. “Depending on how deep the assessment goes, the ratings firms can tell us how up-to-date a client’s firewalls are to withstand an attack. This gives us an opportunity to reduce their risk.”

By improving the client’s risk profile, the broker is in a better position to place the company’s business with the insurance markets at optimal terms, conditions and pricing. “Underwriters get a better sense of how attractive the client is from a cyber insurance standpoint,” said Born. “When we go out into the markets, we can assure the best deal.”

Added up, the ratings firms help brokers sell cyber insurance to clients. As Born put it, “We use the scores modeling the client’s exposure from a likelihood and financial impact standpoint to say to the company, ‘Here is the potential cost if you don’t insure, and here is the cost if you do insure.’ They now see the benefits of buying the cyber insurance.”

Broker Marsh has had a relationship with Cyence going back two years to help its clients get a better sense of their cyber attack vulnerability. “The firm mirrors how the outside world sees the company, in terms of where its data is traveling to and from and who it does business with,” said Robert Parisi, Marsh managing director and cyber practice leader.

This outside world is the hacking community. “An analogy is you raise a son and send him out into the world, wishing you could see everywhere he’s going, which you can’t,” said Parisi. “In a cyber risk context, that’s what these firms do.”

Marsh relies on Cyence in several ways. For example, the broker receives the same volume of information on a client’s cyber exposures as the insurance markets receive when viewing the company’s risk profile. “When you apply for a mortgage, it’s good to know what your credit score is before you go to the bank,” Parisi said.

Cyence also can run a report on a client’s cybersecurity practices relative to its peers, whose names are anonymized in the document. For example, a financial institution with $1 billion in annual revenue would be compared to other financial institutions of similar size. The report evaluates the motivation for hackers to attack the company and its resilience in financially surviving the incident.

Asked how Cyence comes up with the assessment, Parisi said he was not at liberty to provide it. “That’s very much an internal discussion,” he said. “You’d need to ask the providers.”

Close to the Vest

We did. Unfortunately, the answers were not all that specific. While the ratings firms collect and analyze large swaths of cybersecurity data to score companies, the particular technology and processes to do this work are proprietary. This caution is understandable, given a need to keep this information from the hacking community. Nevertheless, the lack of transparency in how the firms devise their ratings is troublesome from a trust perspective.

Another concern is whether or not the ratings capture the full cost of a cyber incident. “One of the limitations of these models is whether or not they’re really capturing the contingent business interruption of a ‘cybergeddon’ attack, since this is where the really big losses for companies reside,” Dolin-Benguigui said. “Contingent business interruption is not an insured loss in many cyber risk policies. Consequently, the insured portion of a ‘cybergeddon’ attack would add up to mere basis points. There might be a need to broaden the scope of the tool to capture the economic loss.”

To get a better sense of the ratings firms’ value, we reached out to the chief security officer of a software company outside the insurance industry. Max Solonski is entrusted with overseeing the data security of the thousands of global and midsize customers of BlackLine, a provider of cloud-based financial and accounting software. Solonski was familiar with one of the cyber ratings firms, having researched it on behalf of a customer, and cognizant of the others.

“Here’s what I think—cybersecurity risk management must address so many fast-changing risks, all of them important from an insurer underwriting perspective,” Solonski said. “The cyber ratings firms use complex mathematics in their scoring methodologies to offer a perspective that might have some correlation with actual risk, or might not.”

As an analogy, Solonski pointed to the metrics produced by catastrophe modeling firms: “These firms provide useful information to insurance companies, noting that a particular region has a ‘one-in-100-year’ chance of experiencing a major earthquake. However, this doesn’t mean that once an earthquake hits the area another ‘one-in-100-year’ event won’t happen the following year.”

In other words, just because an insured is given a great cybersecurity score today doesn’t mean the company won’t be hit by another major incident tomorrow, particularly if it is a new type of cyber attack.

Solonski also questions if a rating firm partnered with an insurance company or broker may score a company higher on the risk scale to encourage the business to buy cyber risk insurance. “You know these stores that sell mattresses based on a score that tells you just how hard or soft you like the mattress, then you buy it and take it home and still sleep uncomfortably? Well, that’s how you sell a lot of mattresses,” he said.

Still, he sees some value in the scores as a mechanism to improve a company’s cybersecurity. He advised businesses that receive a score to have its veracity checked by a cyber risk consultancy.

Down the line, Cohen from Lockton believes the cyber ratings firms will prove their merit. “The historic challenge in underwriting cyber risks has been the very small pool of exposure and claims data to draw dependable conclusions,” he said. “These new solutions coming into the marketplace, on average, have about a good three years’ worth of decent data to work off of. In time, there will be much more information out there that they can add to their databases, making their scores vastly more reliable in gauging a company’s cyber risks.”

Investing in the Insurtech Toolbox

By Russ Banham

Risk Management

Just a few years ago, the nascent insurtech sector received scant attention from the insurance industry. But with the number of companies in the space growing exponentially, more insurers, intermediaries and risk managers are being forced to take notice.

Insurtech refers to the subset of technology startups focused on process enhancements in underwriting, claims administration, back-office systems, customer-facing interactions and other insurance activities. To date, most of the work in insurtech has focused on developing more efficient and cost-effective ways of transacting personal and small commercial lines. But these innovations have real implications for corporate risk managers. “Insurers are looking for ways to better understand, manage and price risk, but these same aims are also in play for risk managers,” said Jamie Yoder, leader of PwC’s insurance advisory practice.

For example, many of the same technology solutions designed for insurance can be used by risk managers to better evaluate corporate exposures, determine how much risk the business can bear on its own balance sheet, and decide how best to transfer remaining risk. While such capabilities would theoretically allow risk managers to reduce their reliance on brokers and carriers, their proper application would require risk managers to develop the skills to better take advantage of them.

“The next generation of risk managers will have to be very quantitative and savvy in trying new things out—just like insurance companies are trying new things out today,” said Kabir Syed, founder and CEO of RiskMatch, an early insurtech startup and developer of a platform to organize commercial insurance portfolios. “Otherwise, the sustainability of their roles will be vulnerable.”

Investment Potential

Investment in insurtech is primarily driven by venture capital. According to CB Insights, total funding for these startups in 2016 was $1.69 billion, spread across 173 deals—a 42% increase in deal volume from the prior year (a “deal” represents both new and follow-on rounds of capital provided to the startups). Since 2010, more than $4.74 billion has been invested across 470 deals.

Syed estimated that there are now more than 1,200 startups in various stages of formation, most still at seed stage, others in Series A, B and C rounds of venture capital (VC) financing, and the rest now in business and selling their wares. This broad array of startups is looking to either sell their technology products to insurers and brokers, or compete against them. “Roughly half of insurers fear that up to 20% of their business could be lost to insurtech in the next four or five years,” Yoder said, referring to a recent PwC survey. “The ingenuity in the space is nothing short of remarkable.”

This potential has attracted major interest from VC firms. Last year alone, more than 140 traditional and corporate VC firms invested in an insurtech startup, compared to 55 in 2011, according to CB Insights. Insurers and reinsurers were also major investors in the sector in 2016. More than 20 insurance companies created VC funds to invest in insurtech startups last year, closing more than 100 deals, while reinsurers like Munich Re and Swiss Re engaged in 79 deals.

Among the insurer VC funds is XL Innovate, which was launched by XL Catlin in April 2015 and made nine investments in 2016. “We’re placing our bets on startups that provide data analytics solutions, have developed new operating models, or offer the potential to create a new business,” said Tom Hutton, XL managing director. “In each of these cases, the startup may provide products and/or services to insurers, brokers and risk managers, depending on the focus.”

AXA Strategic Ventures, an insurer-capitalized VC fund backed by AXA, also has its eye on startups with predictive modeling and data analytics solutions. Among the fund’s investments is BioBeats, developer of a biometric machine learning platform that analyzes employee health and wellness data from wearable technologies. “The more information companies have, the better they can manage their risks,” said Manish Agarwal, the fund’s general partner. “Technologies that offer deeper insights are of interest to us.”

The technological innovation at the heart of these new companies offers great promise for managing risk in the future. “The digitization of risk management and insurance is a good thing, making everyone’s lives and business better,” Hutton said. “It may change the nature of how risks are analyzed and how insurance is transacted, but in the long run it should promise enhanced efficiencies and more cost-effective transferring of corporate exposures. At the end of the day, risk managers will have greater visibility into their company’s risks and how to better manage and insure them.”

The Insurtech Toolbox

The focus of most insurtech companies is currently on products for insurers and brokers, but many have risk management applications, or soon will. “The best innovations happening in insurtech are those designed to capture and interpret complex risk information in more refined and reliable ways,” Yoder said. “Eventually, these tools will have great applicability for risk managers to better understand their organization’s risks. In turn, this will inform better risk management practices and more cost-effective use of insurance.”

The following is just a sample of some of the companies and products that may be of particular interest to risk managers:

Understory Weather. The company is creating a network of solar-powered weather stations with proprietary rooftop sensors that detect weather at ground level, in contrast to traditional weather centers that collect data from satellites. The sensors provide information on a location’s humidity, temperature, wind speed and precipitation. Once enough data is collected, Understory hopes to eventually be able to predict the weather for clients in a specific location. Insurers are the primary market, but the technology may also be useful for risk managers in industries like agriculture, special events and construction.

SafetyCulture. The startup has created iAuditor, a smartphone app for employees to detect and prevent workplace accidents. The app is a virtual library of 22,500 safety checklists sourced from companies worldwide. This data has been integrated and analyzed using proprietary algorithms to pinpoint workplace safety risks. Plant safety supervisors are the primary market, but more broadly, risk managers can use the tool to reduce the incidence, severity and cost of workers compensation claims.

SecurityScorecard. Founded by two former cybersecurity leaders and cryptographers, the company has created a cloud-based platform called ThreatMarket to collect and correlate terabytes of proprietary security information from around the world. The platform assesses the strength of an organization’s cybersecurity plans, and benchmarks these plans against those of other companies. Insurers and corporate chief information security officers (CISOs) are the primary market, but risk managers can introduce the software to better understand and transfer their organization’s cyberrisk vulnerabilities as well.

RiskIQ. The startup has developed a digital threat management platform that offers a unified view of an organization’s digital assets and the risks to its data. The tool anonymously monitors employees’ web, mobile and social media activities, using algorithms to assess these actions against different types of attack vectors exploited by hackers. Primary target customers are insurers, CISOs and risk managers.

Cape Analytics. This company has developed a cloud-based platform that incorporates computer vision and machine learning to provide automated property underwriting for insurers. The tool uses satellite photos and other geo-imagery of a home or building to determine features such as roof type and material, square footage of the structure, and its overall condition. The images are interpreted by data analytics to refine the underwriting and pricing process. Insurers and reinsurers are the primary markets, but risk managers could also use the data to reduce commercial property insurance premiums.

Cyence. This data analytics startup models the financial impact of different types of cyberattacks, helping insurers better understand the related risk probabilities in underwriting cyber insurance products. For now, the primary market is insurers and reinsurers, but the company has expressed interest in rolling out its products to commercial enterprises as well.

Human Condition Safety. This startup manufactures wearable devices with embedded sensors, artificial intelligence and data analytics to prevent or reduce the severity of injuries. The cloud-based product is aimed at industries that have the highest safety risks, such as manufacturing and construction. Among the wearable devices is a smart vest that informs the wearer if he or she is carrying too much weight or bending incorrectly. Risk managers in the target industries may be interested in using the devices to reduce workers compensation claims duration and cost.

DAQRI Smart Helmet. The startup is one of several making safety helmets embedded with sensors that inform the wearer of imminent safety issues, such as venturing too close to a machine or beyond a safety barrier. Connected to a data analytics tool, DAQRI’s visual and thermal sensors provide automated instructions guiding workers on how to perform job tasks more efficiently. While plant supervisors and foremen are the primary market, risk managers can also introduce the helmets to improve workplace safety.


By Russ Banham

Leader’s Edge

A foreign country launches a physical attack by air, sea and land against a large American city, resulting in extraordinary property destruction and the loss of untold lives. Is this war? You bet.

But what if the same country launches a cyber attack against the electric power grid in the same city, radically disrupting the flow of business for tens of thousands of companies over a period of many weeks and contributing to the deaths and injuries of dozens? Is this war? That’s where things get complicated.

Across the globe, there is no statutorily agreed upon definition of cyber war. Neither the Hague Conventions nor the Geneva Convention references the term. The United Nations and NATO also do not define what it is (or isn’t). Even the U.S. Defense Department’s 2015 Law of War Manual—a document defining a broad spectrum of wartime actions—has no mention of “cyber war” or “cyber warfare.”

Why care? Because of the war exclusion found in the vast majority of insurance policies, which determines coverage for losses arising out of war or war-like actions. If a cyber attack were considered war, insurers would be on pretty firm legal ground to exclude any and all insured losses deemed a result of the warlike event. But what if the attack on the power grid is not cyber war? Without a clear definition, the insurance industry must tread carefully to exclude coverage.

At a time when insurance brokers see cyber insurance as a fast-growing business opportunity, the world’s inability to come to a consensus puts brokers in a very uncomfortable position. They are stuck between corporate risk managers concerned about potential uninsured losses and insurance markets still struggling to find their way with emerging cyber-related exposures.

“As risk advisors, we’re in uncharted territory,” says Eric Seyfried, senior vice president and cyber and E&O leader at Aon Risk Solutions. “Since we haven’t seen a nation-state-sponsored defined act of war or terrorism in a cyber context, we don’t know if it would be covered or not.”

“Cyber-security experts have been wrestling for some time to legally define what cyber war is and isn’t,” says David Inserra, a policy analyst at the Heritage Foundation who specializes in homeland security and cyber policy. “It’s a big gray area. Maybe the first time everyone agrees it has happened, the insurance industry will activate the war exclusion and businesses would pay. But businesses can’t keep paying all the time.”

What If the Government Declares It?

The United States hasn’t officially declared war since World War II yet has been involved in numerous other conflicts since then. And when it comes to insurance coverage, many feel that it takes that official declaration to activate the war exclusion.

“There’s the traditional declarative state of war, such as FDR’s declaration of war against imperial Japan following the attack on Pearl Harbor, and then there’s all these other events that may or may not constitute acts of war or hostility,” says Alan Cohn, former assistant secretary for strategy and planning at the Department of Homeland Security and currently of counsel at law firm Steptoe & Johnson. “Unless the president declares something an act of terrorism or an act of cyber war, it’s unclear what the effect would be. Legally, it’s a very muddy area.”

Cohn should know. During his time working for the federal government, discussion arose several times over declaring cyber events to be terrorism or an act of war. “A similar debate is now under way trying to determine the difference between traditional war and the various types of cyber attacks and disruptions we see today,” Cohn says.

“Until an event is analyzed and declared an act of war, it isn’t an act of war,” says Lani Kass, a former senior policy advisor to the chairman of the Joint Chiefs of Staff, where she was responsible for high-level military assessments and analyses of international crises. “The key is the declaration.”

Robert Hartwig, a professor of finance at the University of South Carolina and former president of the Insurance Information Institute, agrees with the importance of the declaration in claims outcomes. “It is almost unavoidable that a declaration of cyber war by the president or Congress would encourage insurers to exclude the related losses, which would result in long-lasting claims disputes and protracted litigation between claimants and insurers,” he says.

The importance of the official declaration was apparent in the 2013 Boston Marathon bombing, when claims were not excluded under terrorism policies. This is because the bombing was not officially declared an act of terror. For the same reason, businesses that had purchased terrorism insurance could not file claims under these policies. Terrorism insurance is backed up financially by the federal government’s Terrorism Risk Insurance Act (TRIA). “TRIA requires a formal declaration of terrorism by the Treasury Department to pay out, which was not in the offing [in the Boston bombing],” Hartwig says. “So an event that certainly looked like a terrorist attack was not covered by terrorism insurance.”

Could Engaging in Armed Conflict Be Enough?

As the many conflicts that continue to occur around the world make clear, countries can still engage in warlike actions regardless of whether a formal declaration of war is made. “There does not need to be a formal declaration of war for the laws of armed conflict to apply,” says Jody Westby, CEO of Global Cyber Risk, a provider of cyber risk advisory services to government and businesses.

Westby maintains that insurance companies “may reasonably decide to activate the ‘act of war’ exclusion to claims—even if there has not been a formal declaration of war. If it looks like a duck, acts like a duck and quacks like a duck, insurance companies should not need Congress to say it is a duck,” she says.

With traditional war, the term of art is that an act of war involves another nation’s “use of force or armed conflict,” says Adam Segal, director of the digital and cyber space policy program at the Council on Foreign Relations. “But even in such situations, these things are politically defined by context.” Segal notes that context would also be applied to a determination of cyber war. “I’ve been told by Israeli officials that a cyber attack that shut down traffic lights in Tel Aviv would be considered a potential ‘use of force’ and ‘armed attack’ since the country relies on massive mobilization” of soldiers to battle, he explains. “Traffic is bad enough in Tel Aviv as it is. But it’s unlikely the U.S. would go to war over the same thing.”


Under international laws of armed conflict, force must be limited to accomplishing military objectives, and excessive force is prohibited. Also, certain targets are protected, such as hospitals, religious sites, and transportation of sick or wounded. These provisions are intended to prevent unnecessary suffering and destruction.

The same rights may be granted in the context of specific cyber attacks. “The destruction or incapacitation of critical infrastructure like communications, water systems and utility grids could cause extreme suffering and hardship,” Westby says. “In today’s connected society, these networks should be off limits for cyber attacks.”

Such attacks could constitute an act of war, as the attack would shut down the transportation network, curtail the normal course of business for tens of thousands of companies, and plunge millions of people into darkness without access to food and water. “It would likely fall under the definition of ‘use of force,’ giving insurers some ground upon which to deny claims,” Segal says. “But that doesn’t mean the government would see it that way.”

Attribution May Be the Linchpin

What would it take for insurers to make that determination if not a formal declaration? “The key for carriers to activate the war exclusion is attribution,” says Andy Lea, vice president and head of the media, E&O and cyber practice at CNA. “Without attribution—a nation-state stepping forward to declare it perpetrated the cyber attack—it would be forensically difficult to discern who did what.”

If North Korea were to boast that it had unleashed the WannaCry ransomware attack, would the insurer activate the war exclusion in its insurance policies that were affected by the malware? Lea says yes. “To the extent there is a war exclusion in a property and casualty policy and it could be applied,” he says, “we would apply it.”

Julie Bernard, a principal and insurance sector leader at Deloitte Advisory who heads its cyber-risk services practice, agrees. “Here’s the thing with war—it requires attribution. The same would apply to cyber war. You need to know who did it—was it China, ISIS or some guy in a hoodie in a basement…. The problem with cyber attacks, unlike physical attacks, is that it’s not easy to prove the source.”

A case in point is a nation-state that recruits third-party hackers to launch a devastating cyber attack. The target country would need to demonstrate a clear connection between the two parties, particularly if the nation-state denies involvement. Such links are vastly easier to assert and prove in the context of traditional war. “The laws of armed conflict allow a country to use third-party combatants as soldiers,” Westby says, “but they must have distinctive emblems or uniforms, carry their arms openly, and be directed by a person responsible for subordinates.”

A nation-state that recruits hackers to launch a cyber attack fits none of these criteria, subverting the ability of the target nation to assert attribution. “China and Russia have been known to use third parties for cyber attacks, then deny any knowledge or involvement,” Westby says. “If the third parties are not recognized as a lawful combatant and the U.S. declared an act of war against Russia or China, it could theoretically be in violation of the Geneva Convention.”

Without clear attribution, much less an agreed upon definition of cyber war, it remains uncertain how the United States, or any other country, could respond to what it considers to be an act of cyber war. “It may boil down to whether the attack is of such a size, scope or scale that it triggers a nation’s right to self-defense—in the U.N. Charter sense of the phrase—for a cyber attack to be deemed an act of war,” Cohn says. “As yet, this remains untested.”

Cyber War Manuals

Although there is no universally accepted definition of cyber war, there are plenty of attempts at describing what it could be. For instance, the Institute for Advanced Study of Information Warfare describes cyber war as “any action by a nation-state to attack and attempt to damage another nation’s computers, critical infrastructure, or information networks…to deny, exploit, corrupt, or destroy an adversary’s information, information systems, and computer-based networks.”

The Tallinn Manual on the International Law Applicable to Cyber Warfare offers a deeper analysis of what constitutes cyber war. The 125-page document was developed by cyber-security experts from multiple nations working with NATO’s Cooperative Cyber Defense Center of Excellence, which is based in Tallinn, Estonia, hence its name.

NATO set up the center after North Korea was accused of hacking Sony Corporation in 2014. (Today, there is still doubt as to who was responsible.) Despite the center’s NATO sponsorship, the manual does not have the power of a treaty signed by many nations. It essentially is a working document for analysis and commentary.

In the manual, the experts provide examples of what they consider cyber warfare. One example is a nation that acquires control over enemy weapons through cyber means and uses those weapons to attack that country or another. Another example is the use of a botnet, a collection of Internet-connected devices such as computers or smart phones that are infected and controlled by malware, to conduct a distributed denial of service attack against a target country’s electric power grid. Both are introduced in Rule 41 of the manual.

Rule 42 presents another example of cyber war—the superfluous injury or unnecessary suffering of people harmed in a cyber attack. Rule 71 cites an attack against the computers, computer networks and data of medical units and transports as a warlike event. “Some experts contributing input to the Tallinn Manual take the view that a cyber attack that does not result in injury, death and destruction but produces extremely negative effects can be construed as an act of war,” Inserra says. An example listed in the manual is a crippling attack against a major stock exchange that results in a catastrophic stock market crash. However, Inserra notes, “others take the opposite position.”

Since the manual is not a treaty and does not have the power of international law, these examples are essentially suggestions of how governments may define cyber war. Still, the document is important as debate on the subject proceeds. In some cases, it could serve as the basis for an insurer’s interpretation of a cyber attack as “warlike” and therefore excluded from coverage.

Consider Costs, Confer with Clients

The lack of a clear and certain definition of cyber war is reflected in the wide range of cyber policies and exclusions themselves. “The ambiguity of cyber space makes the demarcation between cyber war and cyber crime unclear,” says Daniel Garrie, executive managing partner at Law & Forensics, a consulting firm focused on forensics and cyber security. “Our read of the dozens of different cyber insurance policies in the marketplace indicates different definitions of what constitutes a cyber attack, much less cyber war. Each appears to vary as to specifics.”

For the tens of thousands of companies that have purchased property insurance absorbing their business interruption expenses, there is no assurance their losses would be covered in the event of an act of cyber war.

Speaking on a Marsh webcast on managing terrorism risk last year, Matthew McCabe, senior vice president of Marsh’s cyber practice, “suggested businesses should be particularly vigilant for language that would apply the exclusion to any act of a foreign nation state,” reported the Claims Journal.

“Cyber has created a vast, untested category of claim that could well fall between the cracks in many commercial insurance programs,” Hartwig says. “Just because the president and members of Congress refer to a specific cyber event as an act of war or an act of terrorism does not necessarily mean it fits the insurance industry’s definition of an act of cyber war. It’s a huge gray area.”

And were it to happen, the cost could be staggering. For example, an attack on a city’s electric grid that shuts down critical infrastructure could have more than $1 trillion in economic impact, according to a 2015 Lloyd’s study on behalf of the city of London. The insurance institution estimates a cyber attack would result in as much as $71.1 billion in claims, assuming they are all paid.

The onus is on insurance carriers now to carefully consider these consequences before they occur and for brokers to confer with clients in the interim.

“Just because there is a broad war exclusion in a property and casualty policy doesn’t mean that an insurance market might not be open to a carveback for certain types of cyber events, including an attack by a nation-state on a company’s network,” Aon’s Seyfried says. “The war exclusion would still apply, but the company would then be covered for losses from the attack. This is definitely something we brokers need to discuss with our clients and the insurance markets.”

Until then, Segal maintains, there has to be more clarity in the insurance industry as to what is covered and what isn’t for different types of cyber attacks. “Insureds and insurers need to figure out where their responsibility begins and ends,” he says. “The ambiguity needs to be narrowed.”

Banham is a Pulitzer Prize-nominated investigative reporter. Russ@RussBanham.com

Encouraging Cross-Mentorship To Bridge The Generational Digital Divide

By Russ Banham


Baby Boomers in the workforce have amassed decades of experience over a lifetime of workplace changes. Meanwhile, Millennials are relatively new to their jobs, but as digital natives they instinctively understand how to use the latest software and applications. Can these odd bedfellows find common ground?

Cross-mentorship may provide the way to bridge this generational divide. While typical mentorship is the means by which a typically older worker advises younger mentees, cross-mentorship applies the same principle in reverse.

The idea is already being applied informally. Millennials who often advise their parents on technology are passing on their knowledge to older colleagues. The quid pro quo is for Boomers to coach younger employees about business specifics.

This knowledge transfer is direly needed. With many Baby Boomers postponing retirement and Millennials now representing the largest labor demographic in the workforce, a generational divide is emerging in many companies. Widening the divide is younger employees’ technological knack.

“Millennials are highly intuitive in their use of technology,” said Gaurav Dhillon, co-founder, chairman and CEO of SnapLogic, a provider of cloud integration solutions. “They’ve grown up in an environment of instant technological gratification, expecting applications and software to load immediately. They’ve brought their self-service expectations to the workplace at a time when older generations of employees still struggle to use the latest technology.”

Older But Seasoned

Unlike Millennials, Baby Boomers and Generation X employees grew up with TVs that had knobs. They had no internet or streaming video, no social networks or smartphones. They were tech industry test subjects, enduring the fits and starts of green-screen computers connected to landline telephones. It’s no wonder they may begrudge tech-savvy Millennials’ ability to navigate a smartphone without instructions.

But older generations have industry sector smarts that were achieved through many years of absorbing the nuances of business. Veteran employees can teach less experienced workers what it’s like to go through multiple up and down economic cycles; how to build meaningful careers over many years; how to laugh at your mistakes and draw useful lessons from them.

The goal of cross-mentorship is to promote cross-learning experiences without disrespecting either person’s knowledge. Otherwise, there is the risk of breeding workplace distrust, envy and disengagement.

“If you tell seasoned employees that they have to sit down with someone in their 20s to learn how to use the latest technology, they may shut down,” said Cecile Alper-Leroux, an economic anthropologist who speaks frequently on the challenges confronting the workforce. “Similarly, you don’t want to compel younger people to sit down to learn how their more senior colleagues do something, which might make them feel deficient and less likely to contribute freely. Rather, you want to create shared experiences where people from different generations can interact positively with one another.”

She provided the example of a technology client with an internship program that did not initially appreciate the value of cross-mentorship.

“A 15-year seasoned software architect was told by a senior director that a young engineer right out of college would mentor him on what’s new in the world of technology infrastructures,” said Alper-Leroux. “Not surprisingly, he recoiled. Had he been asked to meet with the individual to share their experiences, the seasoned architect explaining the history of the decisions behind the company’s architecture and the young engineer imparting newer techniques, both individuals come away more informed and respectful of each other’s knowledge.”

Bridging Generations

In these multigenerational interactions, employees should discuss what they have in common first, says Alper-Leroux, vice president of human capital management innovation at Ultimate Software, where she helps business leaders respond to evolving workplace dynamics. “You want to build a foundation of trust and respect, which begins with a sharing of information,” she explained. “Then, the discussion can progress to differences in communication styles — why older generations are comfortable taking notes with a pen and paper, and more recent ones tap them into their smartphones or tablets.”

Both scenarios of note-taking are perfectly fine, yet each generation may view the other’s style as either out of touch or a pretentious display of ability. Many Baby Boomers and Generation Xers still find it rude when Millennials text during a meeting. But this doesn’t faze younger people. More seasoned employees overlook the fact that when they were young, older colleagues begrudged their strong desire to use early personal computers and email.

Generation gaps are nothing new, and the only way to breach the divide is to foster communication and understanding.

“We all have something valuable to offer each other,” Alper-Leroux added.

Russ Banham is a veteran business journalist and author of more than two dozen books.

Life Insurance: Term or Perm

By Russ Banham

Life insurance is one of life’s essentials, with different types of products aimed at different life stages. When young and in the formative years of a career, term life insurance can provide ample financial protection to dependents at a relatively low cost. In later life stages, permanent life insurance may offer, depending on the type of policy, the opportunity to accumulate cash value on a tax-deferred accrual basis, money that can be used for diverse needs.

The question many people deliberate is which type of life insurance is best for them, at which life stage. It’s an important question belying easy answers. Both types of life insurance and their varying options and permutations present unique benefits, designed to address wide-ranging buyer needs and financial considerations.

While term life insurance and permanent life insurance policies provide a death benefit, they differ in many other respects. Permanent life insurance, for instance, offers lifetime protection, a death benefit paid to beneficiaries no matter how long the policyowner lives, assuming the premiums are paid. Term life insurance, on the other hand, provides coverage for a specific period of time, such as 10 years or 20 years. When the policy term concludes, the death benefit ends.

These are just the basic differences. While owners of many term life insurance policies have the right to renew the policy once the period draws to a close, the cost will increase upon renewal, and can be considerable. Permanent life insurance policies (which include whole life insurance and universal life insurance) have the potential to accumulate guaranteed cash value that increases every year. In certain cases, universal life insurance may or may not offer this feature.

From the standpoint of life stages, another key difference between the life insurance types is their cost. For the same death benefit, the premiums for term life insurance are generally much lower than those for a permanent life insurance policy, hence its applicability to someone just starting a career and a family.

“Given the death benefit provided, the cost is extremely low,” said Kevin Lynch, an assistant professor of insurance at The American College in Bryn Mawr, Pennsylvania.

Lynch equates the difference between buying term life insurance and permanent life insurance to the difference in renting and buying a home.

“You’re young, starting your career, and living on your own for the first time,” Lynch said. “Do you buy a three-bedroom, two and one-half bath house or do you rent? Typically, you rent. The same (analogy) applies to the decision to buy term life versus permanent life insurance.”

Once people reach a point in life where their income is more substantial and their financial needs have grown, they have the means and the incentive to purchase a house that will build financial value.

“You rent as long as that makes financial sense,” Lynch said. “Once you get to the point where your income (is) rising, and you have new responsibilities like a spouse and dependents, you generally opt for something more permanent like a house with a fixed mortgage. This is exactly how whole life insurance should be looked at. Like a house, it’s yours for life and can generate greater value over time.”

Why Not Stick with Term Insurance?

While there is absolutely nothing wrong with maintaining term life insurance well into one’s middle years and beyond, the cost of the insurance typically rises along with the person’s age on renewal. An annually renewable policy will be priced higher at the time of each renewal; the same applies to renewing a 10-year or 20-year level premium term policy. Term insurance also does not build cash value. Had the individual purchased permanent life insurance, he or she could have access to a potentially significant source of supplemental retirement income in the future (depending on the policy type), while preserving the death benefit in perpetuity (note, however, that the death benefit and cash value of a policy are reduced in the event of a loan or partial surrender, and the chance of lapsing the policy increases).

Similarly, there is nothing wrong with buying permanent life insurance at the beginning of one’s career. The problem is that this may not be feasible for many people, given the comparatively higher cost of the product. In such cases, term life insurance may be the better choice.

The decision boils down to the person’s needs and financial wherewithal. For someone who is young and has dependents, the needs are high, but the financial wherewithal is often low.

“If you’re young and making $35,000 a year, you want to ensure that if you died tomorrow your spouse and kids would receive the financial equivalent of 20 to 30 years’ worth of your lifetime income,” Lynch said. “After all, this is the essential purpose of life insurance — to replace the ability to ‘bring home the check.’”

In the case of a married couple or domestic partners each earning a salary, both can replace the ability of the other to provide a source of ongoing income. If one spouse or partner is working and the other is staying home to care for children or other family members, life insurance helps absorb the financial impact in the event of one person’s death. In both examples, term life insurance would provide an ample death benefit to the beneficiaries at a much lower cost than permanent life insurance, which may not be within the financial reach of these buyers. However, five to 10 years in the future, the person’s financial means may rise appreciably. If this is indeed the case, permanent life insurance could be more affordable for the individual.

“The choice between term life or permanent life insurance is not a case of which policy is better; it’s a case of which policy is appropriate for the current period in a person’s life,” Lynch said.

Many people also find that the combination of permanent life and term life insurance can provide the lifetime protection and cash value accumulation they need, at a price they can afford.

Money Matters

Financial professionals agree that both forms of life insurance serve distinctly important purposes, based on an individual’s life stages.

“Term life insurance is very beneficial when you have a limited budget,” said Dean Aita, president of Aita Financial Group Inc., a Washington Depot, Connecticut-based financial advisory firm. “You would never want someone of very modest income to buy a permanent life insurance policy that they couldn’t afford on an ongoing basis. If they fail to pay next year’s premium, the policy can lapse.”

As a person’s income rises, Aita said it makes less sense to continue to buy term life insurance, as the premiums will rise appreciably and don’t accumulate cash value.

“A better alternative may be to purchase a permanent life insurance policy that accrues a cash value,” he explained. “You’ll pay more in premiums, but you gain additional benefits beyond just the death proceeds.”

Some permanent policies are eligible to receive dividends, and although they aren’t guaranteed, they help to increase the cash value and death benefit of the policy. As the policyowner accumulates cash value inside the policy, the person can access the cash value, through loans or partial surrenders, which can be used for a variety of personal needs, such as quick cash for an emergency or to help supplement retirement income.

“Many permanent policies allow you to apply the dividends to help pay future premiums,” Aita said. “The uses are many and depend on each person’s financial needs.”

While the cash value feature is an attractive option, it’s important to remember that tapping into the cash value of a life insurance policy reduces its value and death benefit and increases the chance the policy will lapse. And if a policy lapses with an outstanding loan in excess of the cost basis, it’s taxable.

Twists and Turns

Since life is unpredictable, term insurance often has an added feature: the ability to convert the term policy to permanent coverage within a certain conversion period – for example, within the first 10 years of a 20-year policy.

“To buy another term policy requires proof of insurability, basically a medical exam. The individual may not be able to buy a new policy when the person is older. Fortunately, the industry has addressed this possibility.”

He is referring to an important component of some, but not all, term life insurance policies — the ability to convert all or part of the term policy, during the conversion period, into permanent life insurance, irrespective of the policyowner’s health or proof of insurability.

Now or Later

The key question for many term life insurance policyowners is when best to progress (or convert) from term life insurance to permanent life insurance. Each person’s decision in this regard is different, due to unique circumstances.

“The decision depends on the individual’s current and anticipated income stream, number of dependents, a spouse’s income, and the family’s assets and savings, among other factors,” Lynch said. “From a financial standpoint, often the younger you convert to permanent life insurance the better, as the premiums will be less for the policy, whereas the premiums for the term insurance can go up at each renewal.”

He added, “It’s always best to sit down with a financial professional or insurance agent to determine the opportune time to move from one policy to the other or to keep both (types of) policies in place.”

Aita agreed with this perspective. “Affordability is the key,” he said. “Because the premium on permanent life insurance goes up as you age, the earlier you buy the product or convert a term life policy, the lower the initial costs. Also, the cash value will accumulate sooner in certain policies.”

Potential buyers need to perceive the value of permanent life insurance as providing more than just a death benefit, he added. “If premiums are paid properly and the policy is monitored through the years, permanent life can be a very beneficial financial asset that can help supplement a person’s overall retirement and estate planning,” Aita said. “This is more than a standalone product, given its integral role in overall wealth management.”

Aita said he owns several life insurance policies, which he converted as a younger man. “I’ve had clients for 20 years thank me for advising them to convert from term life to permanent life insurance when they did … The value of the policy can grow significantly,” he said. “It’s a very useful planning tool.”

Russ Banham is a Pulitzer-nominated business journalist and author who writes often on insurance consumer issues.