The recently launched Argo Risk Tech Solutions looks at common causes and locations of accidents, like slip-and-fall, in the workplace. The idea is to use IoT devices like sensors to prompt employees to modify behavior and to identify areas of risk like a wet floor, a hot soup bowl or items blocking the halls. The IIR article indicates that companies using this technology have seen accidents reduced substantially over a period of time. This positions insurers not just to take on an employer's cost of risk in exchange for premium, but to actually prevent the risk from ever materializing. This in turn reduces the overall loss experience and allows the premium to be reduced. This approach will be adopted in more and more areas of commercial and personal lines insurance and will be widespread by the 2020s. Over time, policyholders that do not deploy these types of sensors will be penalized by being put in different risk pools from those that have the sensors. It will no longer be an option but a requirement. Even further out, the analytics tied to the collection of this data from IoT devices might proactively communicate what to do and when to do it to minimize risk (e.g. a commercial truck taking an optimal road to minimize the chance of an accident, weighed against the time it takes to do the journey). There could be some backlash, however, as people may start to feel the technology is too invasive and not want to provide data or work with a company that does.
We have written previously about the ever increasing importance of data in Insurance. A related area of interest to insurers is the growth of predictive analytics. Modern predictive analytics solutions are capable of providing deep insight into a wide range of business areas such as underwriting risk, product profitability, and financial projections. However, maturity and adoption of predictive analytics solutions vary widely among insurers. As more carriers prioritize data strategy, usage of this potentially disruptive technology will grow rapidly. Data is a major component of Novarica’s “Hot Topics” for insurers, which include social, mobile, analytics, big data, cloud, digital, and Internet of Things/drones. Data is being utilized to speed up underwriting, utilizing external third party data (e.g. prescription information, telematics information for driving), improve actuarial models (e.g. data collected from drones, the National Weather Service), and help to process claims (e.g. data generated from devices, commercial vehicles, health devices). Over 25% of insurers ran big data programs last year in order to gain insights from large volumes of data with high variety (structured and unstructured) and velocity. This article from the New York Times discusses the increasing concern of regulators, mostly in Europe and the UK, that access to large amounts of data may ultimately lead to a decrease in competition by freezing out smaller firms who can’t get at as much data as large firms like Amazon, Google and Facebook. The article mentions the case of IBM, which is combining internal data with customer data in order to train Watson AI software for a wide variety of tasks in fields ranging from medicine to finance. Some insurance carriers are working with IBM’s Watson software to develop underwriting, claims, and actuarial modeling. Data will continue to grow in importance even as it grows in volume. 
It is inevitable that regulators will start looking more at data and access to it as we move forward into the 2020s.
Just before the end of the last calendar year, the New York State Department of Financial Services announced changes to its new cybersecurity regulations, pushing back the date they will take effect to March 2017 from January 2017. In December, we held a working group on the imminent New York State cybersecurity regulations, then due to become effective on January 1, 2017, with no penalties for not complying until July 1, 2017. One of the attendees who had participated in a number of recent AIA calls and an in-person meeting on the law said that New York State was considering an additional 6-month delay beyond the 6 months after the law goes into effect to mandate deployment of multi-factor authentication, which was a huge issue for most carriers. Within that draft, encryption in transit and at rest was not going to be required to be deployed for 5 years; however, compensating controls would be expected in the interim. The conversation covered the cost to comply, how to make decisions on what to deploy vs. what can be skipped, and cloud: does cloud increase or decrease risk? There was a discussion of “accumulation risk” caused by a cloud; a hack of the cloud could automatically trigger a security event for everyone in the cloud. There was a large discussion around the responsibilities of carrier partners, whether they are MGAs or agents on the distribution side or outsourcers and other service providers on the service side. There was a clear consensus that the carrier is responsible for security if they are manufacturing products that provide coverage (even if someone else has the right to underwrite and bind the policy). We had a good conversation around what will need to be reported to the CEO and Board (a high-level dashboard supported by details). There were areas of concern around reporting; it would need to include both successful and unsuccessful security events. 
Things like attempted phishing attacks through email (even if blocked at the firewall) would need to be reported under the regulations.
There was also a discussion around European security laws and how they overlap with or differ from New York State laws. The revised regulations responded to these types of concerns and include easing some specific timelines and requirements, especially around encrypting data and multi-factor authentication. They also provide more time for compliance, expanding the transition window from six months to as long as two years for most items. The effective date will now be March 1, 2017. Although the easing of the regulations will take some pressure off, the need to do a NIST assessment and the requirement to put in proper technical solutions, processes, procedures, metrics and reporting all remain.
Cybersecurity is back in the news this week, with Yahoo’s announcement that more than 1 billion user accounts, many of them containing sensitive information, were compromised in a 2013 cyber attack. Recently, Novarica held a Working Group on the new cybersecurity regulations that will go into force on January 1, 2017 in New York State. The law was drafted from the NAIC Cybersecurity Task Force’s Insurance Data Security Model Law but goes further in many cases than the draft law did. The new standards will apply to insurers offering licensed products in New York State. While some proposed requirements stand as general best practices most insurers have already established, others will require carriers to implement significant changes. Although financial and insurance institutions have until June 2017 to comply, carriers are already considering the upcoming shifts in resources and strategies. The regulations will mandate:
- Annual submission of a written statement to the Department certifying compliance, with all supporting data, records and schedules maintained for five years.
- Regular cybersecurity awareness training for all personnel, updated to reflect the annual risk assessment.
- Appointing a Chief Information Security Officer.
- Documentation of “areas, systems, or processes that require material improvement, updating or redesign” along with planned and in-progress efforts toward remediation.
- Employment of cybersecurity personnel who must attend regular update and training sessions.
- Establishing cybersecurity policies to address areas like access controls and identity management, business continuity and disaster recovery, capacity and performance planning, customer data privacy, data governance and classification, incident response, information security, physical security and environmental controls, risk assessment, systems and application development and quality assurance, systems and network monitoring and security, and vendor and third-party service provider management.
- The policies must be reviewed by the board of directors or similar governing body, and approved by a senior officer.
- Establishing and maintaining cybersecurity programs to:
  - detect incidents, identify internal and external risks
  - implement defensive infrastructure, policies, and procedures
  - respond to detected or identified incidents to mitigate the impact
  - recover from incidents and restore normal operations
  - fulfill regulatory reporting requirements
Most of the carriers present at the working group focused on the compliance expectations for vendors and third-party service providers. If partners do not comply with the regulations, the carriers manufacturing the products will be liable. We are unsure today if the carriers can recover the penalties from the MGAs, agents and partners if the security breach was due to that agent’s or partner’s lack of compliance with the law.
Another area of focus was encryption. In the current draft of the legislation, carriers will have up to five years to implement encryption of nonpublic information both in transit and at rest. Many participants saw this as an onerous task, as PII data is already difficult to manage. Although the clause allows for “compensating controls” to stand in place of the encryption leading up to the five-year mark, carriers are already apprehensive of the burdens of such a large feat. In a similar context, multi-factor authentication will be required as well, but an extension of 1 year is being considered.
Some attending carriers with operations in Europe and the UK brought up concerns about how the cybersecurity legislation will affect international relationships. However, while there are some differences between the NYS regulation and the GDPR (General Data Protection Regulation), we don’t expect these differences to drastically impact carriers’ ongoing technology activities.
Many carriers discussed the security and reliability of Cloud. While some saw Cloud as an additional risk, others saw it as a faster, seamless way to fortify cybersecurity. There was a general concern that because data centers from Cloud providers house different “tenants,” there is a risk of the data being exposed. There was a discussion of “accumulation risk” caused by a cloud, which means that a hack of the cloud could automatically trigger a security event for everyone in the cloud. However, other attendees suggested that because it is easier to add a security tool to a Cloud solution, the risk of data exposure is mitigated.
Happy Holidays & Happy New Year!!!!
The new study highlighted in this article indicates that there will be more extreme weather as time goes on, with generally wetter weather. However, the article points out that there will be regional variations that will cause drought and flash flooding. This is important for P&C insurers, especially as it relates to homeowners and flood insurance on the personal lines side and commercial coverages for catastrophic risk including property damage, business interruption, crop damage, city infrastructure like sewers, and flooding. The bad news is there will be a lot more catastrophic events with higher impacts and related payouts from carriers. The good news is that the new technology coming online now, utilizing big data and drones, will help mitigate the coverage risk and refine pricing. Geolocation and weather data can be analyzed and used to adjust actuarial models and be incorporated into underwriting pricing. This information can be augmented by drones and information generated through IoT-enabled structures, machines and devices. Predictive modeling will allow for actuaries to look forward and not have to depend on historical data, which will not be as helpful moving forward in the 21st-century. However, states may not allow carriers to raise prices based on the new experience or what predictive models indicate. If this happens, the states themselves will have to augment the insurance companies and set up insurance pools to cover risks like windstorms or raise bonds to cover additional losses funded through a surcharge on insurance policies, spreading the cost to all owners of insurance. I guess we will know more by 2030!
We learned this week that Allstate has acquired SquareTrade, which offers mobile device and consumer electronics protection plans, at what looks like a high price on the surface. Yet, if we consider the trends we have written about from The Novarica New Normal 100 research, the acquisition is right in line with what we would expect. SquareTrade brings 25 million protection plans with it, bringing the number of Allstate customers up to 70 million. The SquareTrade business provides a branded experience with a 5 day claims turnaround (2 days for mobile phones). By definition, these consumers are sophisticated, and many of them are millennials. The customer information provided will allow for digital marketing of Allstate’s auto and homeowner products, incorporating customized marketing information delivered on the devices being protected. The data can also be used for analytics-driven market segmentation and targeting, allowing for pre-underwriting for auto and homeowners products in some cases. There’s also a possibility of CRM-driven campaign management sharing info across distribution and underwriting, customer behavior modeling, and campaign management analytics. If someone wants to move forward with an Allstate product, much of the data can be prefilled electronically from the data provided by SquareTrade. Underwriting opportunities exist as well, but this was not a focus of the deal since CNA and Starr already produce the coverage. Look for more of these acquisitions over time, especially by personal lines carriers.
This week, B3i was announced for a consortium of reinsurers in Europe. These carriers will use anonymized transaction info and qualitative data to pilot inter-group retrocessions among a network of peers in order to evolve standards and processes. This is not the first set of carriers to be interested in using blockchain’s distributed ledger for reinsurance. We have heard of other carriers looking at using blockchain for the tracking of negotiations for facultative and treaty arrangements. Reinsurance is a natural use of this technology since a carrier and an insured can obtain transparency around who is keeping the risk. However, we know that reinsurance is being disrupted by alternative capital and insurance-linked securities (ILS) in areas like property catastrophe insurance. The real question is: can blockchain take enough cost out of the value chain and create enough efficiency to remain competitive against alternative capital and ILS?
A recent piece from Wharton highlights the growing importance of carriers providing a “delightful experience” to the insured and/or the beneficiaries as well as acting as a trusted advisor throughout the customers’ lifetime, providing continuing value. Novarica has written about how millennials are not just interested in the price and risk transfer characteristics but in the lifetime value of the carrier and the experience the carrier provides. Millennials are much more likely to switch carriers if they have a poor experience. Analytics can help carriers gather metrics around how well they are doing and what they need to improve. In particular, on claims, an intelligent process facilitated through analytics and workflow can differentiate claims between simple and complex, providing an optimized experience.
The Federal Government started regulating insurance companies after the Great Recession of 2008. Additional regulatory reporting is required of insurers that are deemed to be a Systemically Important Financial Institution (SIFI). MetLife is spinning off some of its pieces so it will no longer be classified as a SIFI, and AIG has had discussions about breaking into three pieces due to its SIFI designation.
In a new development, the Federal Government may regulate Workers Comp if it fails to meet certain standards. This is another departure from the state-based system that has evolved in the US. The claim is being made that the Workers’ Comp benefits are insufficient to prevent workers from falling into poverty in certain states, and that some states like Tennessee and South Carolina are looking to establish opt-out laws or already have created one, like Oklahoma. If this moves forward, look for increased regulatory expense in those states that have Federal regulations triggered, putting pressure on the combined ratio and probably forcing carriers to leave certain states.
Ten members of the Novarica Research Council special interest group for Specialty/Large Commercial met in mid-September, at a meeting hosted by Hiscox in New York City. I moderated the discussion; here’s what we touched on:
Customer Portal: Improvements in customer portals result in uncertainty for some agents in carrier companies. The organization must help to maintain a working relationship between the agent and customer without completely negating the role of the agent. For carriers, while customer portals are improving, the challenge has been convincing agents that these changes help facilitate better relationships. By establishing transparency and a high level of engagement from the organization, carriers can help address the needs of both agents and customers.
Digital: Digital has been described as a “fog where only the outlines of the future can be seen.” Throughout the discussions that took place, many carriers focused on the ever-present uncertainty and tension that comes with change. As a whole, agents of the future will have to adapt to digital changes and use the new technology to better enable relationships.
Underwriting and Operational Culture: Most carriers face a dominant underwriting culture. While the attendees acknowledge the need for better collaboration between the two groups, cultural changes face slow adoption. In an industry that is historically resistant to change, support from stakeholders and the leadership team is crucial to successfully implement lasting change.
Usability vs Security: With the increased use of malware and ransomware, insurers have to be prepared to invest in IT security. Although many users note temporary disruption and slower systems as pains to the implementation process, carriers must continue to seek the best system protection.
Distribution Alternatives: Some attendees see the potential for a transition from commission expense to marketing expense when going from agent/broker distribution to direct. Millennials tend to depend less on the advice of agents, driving down the need for professional advice. Although the cohort’s preferences will have an ever-increasing effect on the industry, traditional models are still relevant today.
Innovation: While some insurers are able to support innovation incubation internally, others are unable to gather the budget to encourage the birth of “big ideas.” All attendees noted the need for business sponsorship to drive innovation. Discussions centered on funding, frameworks, testing automation, third-party data, bi-modal IT, and cultural issues that hinder innovation.
Budgets: All attendees reported a budget well below our projected average of 2.6% on IT Spending. Many carriers implement Cloud-based solutions, and in doing so, transition their budgets from CapEx to OpEx.