Matthew Josefowicz on reports that Aon is in talks to sell its employee benefits outsourcing group.
Some technology trends are just that: trends. Others have the potential to change the landscape of the IT industry. A deep review and understanding of XaaS (“Anything as a Service”) puts the practice on a parallel with similar industry sea changes of the past, like the PC movement of the 80s, the web movement of the 90s, and the sourcing movement in the 00s. Here are our thoughts on what the best practices are for CIOs moving forward with XaaS implementation:
- Review current business processes with a critical eye: Whenever a CIO embarks on replacing any major platform, the first caution is not to recreate what already exists in another system, unless the business is completely satisfied with the current platform, which quickly begs the question: why move? Assuming there is a need to move because the existing platform is complex, not scaling appropriately, doesn’t support current compliance requirements, lacks modern security capabilities, costs too much to maintain, or any other similar reason, the first step should be to review what functions are being supported, what value is behind these functions, and whether these functions are generic to the industry.
- Define value add processes and align to benefit targets: It is important to define value-add processes and take the step to align benefit targets to each of these processes. This analysis will need to start with a top-level agreement between CIO and COO on value benefits, cost of non-standard process, and success metrics before moving into discussions and process planning.
- Implement Rent vs Buy vs Build model: A very old question that is outlined in just about every IT strategy is the philosophical direction of Buy versus Build. XaaS adds a new dimension: whether the function or service should be rented. In other words, can the company pay per user, pay per customer or pay per policy instead of making the significant investment to buy or build a platform?
- Prepare for organizational shift, not just technology shift: There is clearly a technology shift in moving to XaaS, which includes all the challenges and opportunities of implementing a new platform. One aspect that isn’t as apparent is the need to make an organizational shift from a focus on development and application maintenance to vendor and product management. Specific considerations might include a QA focus on regression testing using business use cases instead of feature testing, a shift in focus from intra-data-center design to inter-data-center design, and architecture with a greater focus on data and data management instead of interconnecting applications within the data center.
- Shift primary focus to data and analytics capabilities: Many IT shops spend most of their time and resources maintaining, developing, and servicing existing platforms, which leaves little ability to address the huge data frontier. By fully taking advantage of XaaS, IT shops can reallocate resources to focus on unleashing the power of data into the whole enterprise.
Lessons learned and experience from previous sea changes lead us to review XaaS as part of the IT strategy roadmap. XaaS is not simply a new technology but rather a clear move and opportunity that requires a full assimilation into IT shops. At a minimum, adopting XaaS should create the opportunity to bring IT and business teams closer together.
For more on this topic, see my recent CIO Checklist report: http://novarica.com/best-practices-for-xaas-strategy/
We have written previously about the ever increasing importance of data in Insurance. A related area of interest to insurers is the growth of predictive analytics. Modern predictive analytics solutions are capable of providing deep insight into a wide range of business areas such as underwriting risk, product profitability, and financial projections. However, maturity and adoption of predictive analytics solutions vary widely among insurers. As more carriers prioritize data strategy, usage of this potentially disruptive technology will grow rapidly.
Data is a major component of Novarica’s “Hot Topics” for insurers, which include social, mobile, analytics, big data, cloud, digital, and Internet of Things/drones. Data is being utilized to speed up underwriting, utilizing external third party data (e.g. prescription information, telematics information for driving), improve actuarial models (e.g. data collected from drones, the National Weather Service), and help to process claims (e.g. data generated from devices, commercial vehicles, health devices). Over 25% of insurers ran big data programs last year in order to gain insights from large volumes of data with high variety (structured and unstructured) and velocity.
This article from the New York Times discusses the increasing concern of regulators, mostly in Europe and the UK, that access to large amounts of data may ultimately lead to a decrease in competition by freezing out smaller firms who can’t get at as much data as large firms like Amazon, Google and Facebook. The article mentions the case of IBM, which is combining internal data with customer data in order to train Watson AI software for a wide variety of tasks in fields ranging from medicine to finance. Some insurance carriers are working with IBM’s Watson software to develop underwriting, claims, and actuarial modeling. Data will continue to grow in importance even as it grows in volume. It is inevitable that regulators will start looking more at data and access to it as we move forward into the 2020s.
An interesting article came out over the weekend that delves into the consolidation that has taken place among publicly traded life insurance companies, and contrasts this trend with the relatively stable number of mutual carriers that are in the market today. We are now the better part of two decades past the period when there was a significant demutualization effort which included notable, name-brand, national carriers. In that period, we have weathered multiple recessions, one of them the worst economic downturn since the 1930s, and emerged into a world that has experienced persistent low interest rates. Taken as a whole, these factors have produced a series of economic outcomes which were outside of the planning corridors that many carriers executed against. As the article suggests, carriers face some very interesting challenges going forward. For those with long tail liabilities such as life and annuity contracts, the conflicts associated with quarterly earnings reports and maximizing shareholder value appear to be particularly daunting.
There is more to this story, however, which may suggest some additional advantages for mutual carriers. Almost without exception, life carriers are grappling with aging technology platforms which may date as far back as the Kennedy administration. The blocks of business on these platforms are themselves old, and may be closed to new business. But because they were at the heart of these businesses over multiple decades they have become, through the magic of cost accounting, blocks of business which absorb significant overhead for carriers. For many companies, these platforms represent a significant drag in terms of being able to implement new products and services effectively. At the same time, however, these platforms, if they are walled off, can become quite stable and relatively inexpensive to operate. This can meaningfully influence both operational and financial outcomes for carriers.
We recently unearthed a 1995 chronicle from MIT which provides a fascinating view of the first 35 years of policy administration utilization in North America. The fact that many of the systems that were deemed to be aging in that 22-year-old report are still being used by carriers should give cause for concern to some!
In any case, as carriers plot their technology strategy for the future, addressing these old systems and blocks of business running on them will become increasingly critical. The investments and planning horizon required to make them successful may be easier for mutually owned companies to execute than it will be for their publicly traded competitors given their respective focus on long- versus short-term results.
Even as market competitive threats loom large, it is not just a technology challenge that many life insurance carriers face. There is an accounting and a reporting issue which carriers would be well advised to consider as they put their strategic plans in place.
The major tech players are all betting that smart home automation and digital assistants will be the next big thing for consumers. Grange is taking advantage of this emerging area with their recent announcement that Amazon’s voice-controlled Alexa can now help users learn about Grange insurance or find local agents. It’s clear that the insurance marketplace has not always adapted quickly to improve the customer experience, so this is a great example of an insurer working to serve consumers in whatever way they prefer. It also demonstrates the necessity for insurers to think to the future when they modernize their back-end systems. Will a new core system support future channels? Over the last five to ten years insurers have poured a lot of time and money into building web-based consumer portals. Those that didn’t build for future flexibility had to start from scratch in order to create mobile-ready sites. Will they have to begin again to leverage voice-based home assistants or some as-of-yet unknown customer interaction? Insurers who are thinking in an omni-channel way will instead be architecting agile back-end systems that can support any number of channels and–just as importantly–can support transfers between channels when necessary.
Lemonade got some great press this week with their instant claims payment for a small property loss on a renters policy.
While Lemonade is spinning this as a miracle of AI, it’s really more a miracle of intelligently-designed processes. Many insurers do rules-based auto-adjudication for small property losses, but few have the ability to translate those automated decisions into real-time payments.
The other thing that Lemonade has done successfully here is focus on the desired customer experience, and exploit the industry’s lack of willingness to do so.
Now if Lemonade can do the same thing with a $25,000 liability claim on a small renters policy, that’s a different story…
Just before the end of the last calendar year, the New York State Department of Financial Services announced changes to its new cybersecurity regulations, pushing back the date they will take effect to March 2017 from January 2017. In December, we held a working group on the imminent New York State cybersecurity regulations, then due to become effective on January 1, 2017, with no penalties for not complying until July 1, 2017. One of the attendees who had participated in a number of recent AIA calls and an in-person meeting on the law said that New York State was considering an additional 6 month delay beyond the 6 months after the law goes into effect to mandate deployment of multi-factor authentication, which was a huge issue for most carriers. Within that draft, encryption in transit and at rest was not going to be required to be deployed for 5 years; however, compensating controls would be expected in the interim.
The conversation covered the cost to comply, how to make decisions on what to deploy vs. what can be skipped, and cloud: does cloud increase or decrease risk? There was a discussion of “accumulation risk” caused by a cloud; a hack of the cloud could automatically trigger a security event for everyone in the cloud. There was a large discussion around the responsibilities of carrier partners, whether they are MGAs or agents on the distribution side or outsourcers and other service providers on the service side. There was a clear consensus that the carrier is responsible for security if they are manufacturing products that provide coverage (even if someone else has the right to underwrite and bind the policy).
We had a good conversation around what will need to be reported to the CEO and Board (a high level dashboard supported by details). There were areas of concern around reporting; it would need to include both successful and unsuccessful security events. Things like attempted phishing attacks through email (even if blocked at the firewall) would need to be reported under the regulations.
There was also a discussion around European security laws and how they overlap with or differ from New York State laws. The revised regulations responded to these types of concerns and include easing some specific timelines and requirements, especially around encrypting data and multi-factor authentication. They also provide more time for compliance, expanding the transition window from six months to as long as two years for most items. The effective date will now be March 1, 2017. Although the easing of the regulations will take some pressure off, the need to do a NIST assessment, and the requirement to put in proper technical solutions, processes, procedures, metrics and reporting all remain.
The potential for wearables in health and life insurance has been hindered over the past few years by lack of standards and slowing adoption by consumers. This week, UnitedHealthcare and Qualcomm announced they have “enhanced and expanded” the employee wellness program UnitedHealthcare Motion. UnitedHealthcare Motion is making progress in wearables use for wellness programs by leveraging the advantages of using the Qualcomm 2net platform, a medical-grade cloud-based infrastructure for medical device applications, with enhanced security and flexibility provided by standardization of end-to-end connectivity for wearables. The ability to quickly integrate in the Fitbit Charge 2, first shipped to consumers in mid-September 2016, shows the advantage of a standard platform that can respond to changing consumer demands and device capabilities. As mentioned in Novarica’s report on “Internet of Things, Wearables and Insurance Customer Experience”, security and standardization as seen with the UnitedHealthcare Motion BYOD capability will enable faster adoption of wearables for use by insurers to improve customer experience.
Cybersecurity is back in the news this week, with Yahoo’s announcement that more than 1 billion user accounts, many of them containing sensitive information, were compromised in a 2013 cyber attack. Recently, Novarica held a Working Group on the new cybersecurity regulations that will go into force on January 1, 2017 in New York State. The law was drafted from the NAIC Cybersecurity Task Force’s Insurance Data Security Model Law but goes further in many cases than the draft law did. The new standards will apply to insurers offering licensed products in New York State. While some proposed requirements stand as general best practices most insurers have already established, others will require carriers to implement significant changes. Although financial and insurance institutions have until June 2017 to comply, carriers are already considering the upcoming shifts in resources and strategies. The regulations will mandate:
- Annual submission of a written statement to the Department certifying compliance, with all supporting data, records and schedules maintained for five years.
- Regular cybersecurity awareness training for all personnel, updated to reflect the annual risk assessment.
- Appointing a Chief Information Security Officer.
- Documentation of “areas, systems, or processes that require material improvement, updating or redesign” along with planned and in-progress efforts toward remediation.
- Employment of cybersecurity personnel who must attend regular update and training sessions.
- Establishing cybersecurity policies to address areas like access controls and identity management, business continuity and disaster recovery, capacity and performance planning, customer data privacy, data governance and classification, incident response, information security, physical security and environmental controls, risk assessment, systems and application development and quality assurance, systems and network monitoring and security, and vendor and third-party service provider management.
- The policies must be reviewed by the board of directors or similar governing body, and approved by a senior officer.
- Establishing and maintaining cybersecurity programs to:
  - detect incidents, identify internal and external risks
  - implement defensive infrastructure, policies, and procedures
  - respond to detected or identified incidents to mitigate the impact
  - recover from incidents and restore normal operations
  - fulfill regulatory reporting requirements
Most of the carriers present at the working group focused on the compliance expectations for vendors and third-party service providers. If partners do not comply with the regulations, the carriers manufacturing the products will be liable. We are unsure today if the carriers can get the penalties back from the MGAs, agents and partners if the security breach was due to that agent’s or partner’s lack of compliance with the law.
Another area of focus was encryption. In the current draft of the legislation, carriers will have up to five years to implement encryption of nonpublic information both in transit and at rest. Many participants saw this as an onerous task, as PII data is already difficult to manage. Although the clause allows for “compensating controls” to stand in place of the encryption leading up to the five-year mark, carriers are already apprehensive of the burdens of such a large feat. In a similar context, multi-factor authentication will be required as well, but an extension of 1 year is being considered.
Some attending carriers with operations in Europe and the UK brought up concerns about how the cybersecurity legislation will affect international relationships. However, while there are some differences between the NYS regulation and the GDPR (General Data Protection Regulation), we don’t expect these differences to drastically impact carriers’ ongoing technology activities.
Many carriers discussed the security and reliability of Cloud. While some saw Cloud as an additional risk, others saw it as a faster, seamless way to fortify cybersecurity. There was a general concern that because data centers from Cloud providers house different “tenants,” there is a risk of the data being exposed. There was a discussion of “accumulation risk” caused by a cloud, which means that a hack of the cloud could automatically trigger a security event for everyone in the cloud. However, other attendees suggested that because it is easier to add a security tool to a Cloud solution, the risk of data exposure is mitigated.
Happy Holidays & Happy New Year!!!!