Matthew Josefowicz on reports that Aon is in talks to sell its employee benefits outsourcing group.
Federal regulators gave Tesla some good news this week when they cleared the automaker’s “Autopilot” system of responsibility for a fatal crash in 2016. Instead, the U.S. National Highway Traffic Safety Administration found the driver of a Tesla car that collided with a truck (the article says the car “drove itself into” the truck) ignored warnings by Tesla to keep control of the car at all times. This is certainly a victory for autonomous driving systems — the opposite finding would have been a major setback for Tesla — but not the end of the war.
Like seat belts, autonomous driving vehicles will reduce accidents and fatalities, not eliminate them. And Americans are litigious. Apple is being sued for not doing enough to prevent texting while driving, even though texting while driving is explicitly against the law. Companies with deep pockets, like Tesla, Apple, and Google, will continue to attract litigators, and insurers who provide product liability coverage to the autonomous auto industry should not start cutting prices. However, auto insurers should anticipate reduced frequency and severity of accidents as safety features continue to be improved.
All of that being said, this week’s ruling is an indication that our society accepts this research and technology direction. Autonomous cars offer significant benefits to portions of our society that have disabilities and to the elderly who can become riskier drivers, not to mention the potential large-scale benefits of improving traffic flow and reducing air pollution. Lastly, with this decision as precedent, the profit potential for the winners in this space will continue to drive research and innovation.
We have written previously about the ever increasing importance of data in Insurance. A related area of interest to insurers is the growth of predictive analytics. Modern predictive analytics solutions are capable of providing deep insight into a wide range of business areas such as underwriting risk, product profitability, and financial projections. However, maturity and adoption of predictive analytics solutions vary widely among insurers. As more carriers prioritize data strategy, usage of this potentially disruptive technology will grow rapidly. Data is a major component of Novarica’s “Hot Topics” for insurers, which include social, mobile, analytics, big data, cloud, digital, and Internet of Things/drones. Data is being utilized to speed up underwriting, utilizing external third party data (e.g. prescription information, telematics information for driving), improve actuarial models (e.g. data collected from drones, the National Weather Service), and help to process claims (e.g. data generated from devices, commercial vehicles, health devices). Over 25% of insurers ran big data programs last year in order to gain insights from large volumes of data with high variety (structured and unstructured) and velocity. This article from the New York Times discusses the increasing concern of regulators, mostly in Europe and the UK, that access to large amounts of data may ultimately lead to a decrease in competition by freezing out smaller firms who can’t get at as much data as large firms like Amazon, Google and Facebook. The article mentions the case of IBM, which is combining internal data with customer data in order to train Watson AI software for a wide variety of tasks in fields ranging from medicine to finance. Some insurance carriers are working with IBM’s Watson software to develop underwriting, claims, and actuarial modeling. Data will continue to grow in importance even as it grows in volume. 
It is inevitable that regulators will start looking more at data and access to it as we move forward into the 2020s.
Just before the end of the last calendar year, the New York State Department of Financial Services announced changes to its new cybersecurity regulations, pushing back the date they will take effect to March 2017 from January 2017. In December, we held a working group on the imminent New York State cybersecurity regulations, then due to become effective on January 1, 2017, with no penalties for not complying until July 1, 2017. One of the attendees who had participated in a number of recent AIA calls and an in-person meeting on the law said that New York State was considering an additional 6-month delay beyond the 6 months after the law goes into effect to mandate deployment of multi-factor authentication, which was a huge issue for most carriers. Within that draft, encryption in transit and at rest was not going to be required to be deployed for 5 years; however, compensating controls would be expected in the interim. The conversation covered the cost to comply, how to make decisions on what to deploy vs. what can be skipped, and cloud: does cloud increase or decrease risk? There was a discussion of “accumulation risk” caused by a cloud; a hack of the cloud could automatically trigger a security event for everyone in the cloud. There was a large discussion around the responsibilities of carrier partners, whether they are MGAs or agents on the distribution side or outsourcers and other service providers on the service side. There was a clear consensus that the carrier is responsible for security if they are manufacturing products that provide coverage (even if someone else has the right to underwrite and bind the policy). We had a good conversation around what will need to be reported to the CEO and Board (a high level dashboard supported by details). There were areas of concern around reporting; it would need to include both successful and unsuccessful security events.
Things like attempted phishing attacks through email (even if blocked at the firewall) would need to be reported under the regulations.
There was also a discussion around European security laws and how they overlap with or differ from New York State laws. The revised regulations responded to these types of concerns and include easing some specific timelines and requirements, especially around encrypting data and multi-factor authentication. They also provide more time for compliance, expanding the transition window from six months to as long as two years for most items. The effective date will now be March 1, 2017. Although the easing of the regulations will take some pressure off, the need to do a NIST assessment and the requirement to put in proper technical solutions, processes, procedures, metrics and reporting all remain.
Cybersecurity is back in the news this week, with Yahoo’s announcement that more than 1 billion user accounts, many of them containing sensitive information, were compromised in a 2013 cyber attack. Recently, Novarica held a Working Group on the new cybersecurity regulations that will go into force on January 1, 2017 in New York State. The law was drafted from the NAIC Cybersecurity Task Force’s Insurance Data Security Model Law but goes further in many cases than the draft law did. The new standards will apply to insurers offering licensed products in New York State. While some proposed requirements stand as general best practices most insurers have already established, others will require carriers to implement significant changes. Although financial and insurance institutions have until June 2017 to comply, carriers are already considering the upcoming shifts in resources and strategies. The regulations will mandate:
- Annual submission of a written statement to the Department certifying compliance, with all supporting data, records and schedules maintained for five years.
- Regular cybersecurity awareness training for all personnel, updated to reflect the annual risk assessment.
- Appointing a Chief Information Security Officer.
- Documentation of “areas, systems, or processes that require material improvement, updating or redesign” along with planned and in-progress efforts toward remediation.
- Employment of cybersecurity personnel who must attend regular update and training sessions.
- Establishing cybersecurity policies to address areas like access controls and identity management, business continuity and disaster recovery, capacity and performance planning, customer data privacy, data governance and classification, incident response, information security, physical security and environmental controls, risk assessment, systems and application development and quality assurance, systems and network monitoring and security, and vendor and third-party service provider management.
- The policies must be reviewed by the board of directors or similar governing body, and approved by a senior officer.
- Establishing and maintaining cybersecurity programs to:
  - detect incidents, identify internal and external risks
  - implement defensive infrastructure, policies, and procedures
  - respond to detected or identified incidents to mitigate the impact
  - recover from incidents and restore normal operations
  - fulfill regulatory reporting requirements
Most of the carriers present at the working group focused on the compliance expectations for vendors and third-party service providers. If partners do not comply with the regulations, the carriers manufacturing the products will be liable. We are unsure today if the carriers can get the penalties back from the MGAs, agents and partners if the security breach was due to that agent’s or partner’s lack of compliance with the law.
Another area of focus was encryption. In the current draft of the legislation, carriers will have up to five years to implement encryption of nonpublic information both in transit and at rest. Many participants saw this as an onerous task, as PII data is already difficult to manage. Although the clause allows for “compensating controls” to stand in place of the encryption leading up to the five-year mark, carriers are already apprehensive of the burdens of such a large feat. In a similar context, multi-factor authentication will be required as well, but an extension of 1 year is being considered.
Some attending carriers with operations in Europe and the UK brought up concerns about how the cybersecurity legislation will affect international relationships. However, while there are some differences between the NYS regulation and the GDPR (General Data Protection Legislation), we don’t expect these differences to drastically impact the carrier’s ongoing technology activities.
Many carriers discussed the security and reliability of Cloud. While some saw Cloud as an additional risk, others saw it as a faster, seamless way to fortify cybersecurity. There was a general concern that because data centers from Cloud providers house different “tenants,” there is a risk of the data being exposed. There was a discussion of “accumulation risk” caused by a cloud which means that a hack of the cloud could automatically trigger a security event for everyone in the cloud. However, other attendees suggested that because it is easier to add a security tool to a Cloud solution, the risk of data exposure is mitigated.
Happy Holidays & Happy New Year!!!!
Tom Benton on DC plan advisors planning to adjust products in the wake of the DOL Ruling
Rob McIsaac on Zenefits launching new products for small business
Mitch Wein on consumers’ increasing interest in customer experience, and not just price
Steve Kaye on recent profitability in workers’ compensation
Jeff Goldberg on Travelers’ use of drones during Hurricane Matthew
As the DOL regulation deadline approaches for 2017, insurance CIOs continue to be concerned about their company’s approach and how to have their distribution compensation and other systems prepared in time. Some insurers will change their product offerings and distribution of offerings in preparation. The report from Ignite Retirement Research (as reported in Retirement Income Journal) outlines how Defined Contribution (DC) plan advisors are also planning to adjust product offerings to meet the regulation. The report’s finding is that 8% will reduce offerings of annuities, with over a quarter expecting index equity mutual funds to increase for DC plans, but it seems likely both numbers will rise as the deadline approaches. The general trend toward indexed annuities and mutual funds means less demand for annuities from DC plans, which will have a disruptive effect on the market, adding more uncertainty for annuities providers and advisors and concerns for CIOs who need direction from them for system modifications.
Rob McIsaac on MetLife spinning off its retail unit.
Tom Benton on HSB’s recent acquisition of industrial IoT startup Meshify.
Chuck Ruzicka on the recent autonomous vehicle partnership between Allianz, Toyota, and BMW.
Rob McIsaac on Merrill Lynch cutting commissions for IRAs in order to comply with the “client best interest” provision of the DOL ruling.
Mitch Wein on the potential for increased federal oversight of state workers’ compensation in light of a recent DOL report.
The impending implementation of leading aspects of the DOL Fiduciary rules continues to have significant implications across financial services, including insurance and related business. Recently, we noted that Nationwide’s purchase of Jefferson National gave them an important new asset in the fee based product / RIA space. At the same time, Merrill Lynch has announced that they will be cutting (flattening) compensation for IRAs, moving this business toward a fee-based model that is consistent with enduring compliance with the “client best interest” provision of the regulations. This move by the wirehouse is significant both because of the implications for its own business and because of the pattern it may set for other firms. Many have been watching for patterns with the expectation that some major distribution players would drive the path forward. This appears to be an interesting and relevant example of just that.