The New Year Brings New Cybersecurity Regulations

Mitch Wein

Cybersecurity is back in the news this week, with Yahoo’s announcement that more than 1 billion user accounts, many of them containing sensitive information, were compromised in a 2013 cyber attack. Recently, Novarica held a Working Group on the new cybersecurity regulations that will go into force on January 1, 2017 in New York State. The law was drafted from the NAIC Cybersecurity Task Force’s Insurance Data Security Model Law but goes further in many cases than the draft law did. The new standards will apply to insurers offering licensed products in New York State. While some proposed requirements stand as general best practices most insurers have already established, others will require carriers to implement significant changes. Although financial and insurance institutions have until June 2017 to comply, carriers are already considering the upcoming shifts in resources and strategies. The regulations will mandate:

  • Annual submission of a written statement to the Department certifying compliance, with all supporting data, records and schedules maintained for five years.
  • Regular cybersecurity awareness training for all personnel, updated to reflect the annual risk assessment.
  • Appointing a Chief Information Security Officer.
  • Documentation of “areas, systems, or processes that require material improvement, updating or redesign” along with planned and in-progress efforts toward remediation.
  • Employment of cybersecurity personnel who must attend regular update and training sessions.
  • Establishing cybersecurity policies to address areas like access controls and identity management, business continuity and disaster recovery, capacity and performance planning, customer data privacy, data governance and classification, incident response, information security, physical security and environmental controls, risk assessment, systems and application development and quality assurance, systems and network monitoring and security, and vendor and third-party service provider management.
  • The policies must be reviewed by the board of directors or similar governing body, and approved by a senior officer.
  • Establishing and maintaining cybersecurity programs to:
    - detect incidents and identify internal and external risks
    - implement defensive infrastructure, policies, and procedures
    - respond to detected or identified incidents to mitigate the impact
    - recover from incidents and restore normal operations
    - fulfill regulatory reporting requirements

Most of the carriers present at the working group focused on the compliance expectations for vendors and third-party service providers. If partners do not comply with the regulations, the carriers manufacturing the products will be liable. We are unsure today whether the carriers can recover the penalties from the MGAs, agents and partners if the security breach was due to that agent’s or partner’s lack of compliance with the law.

Another area of focus was encryption. In the current draft of the legislation, carriers will have up to five years to implement encryption of nonpublic information both in transit and at rest. Many participants saw this as an onerous task, as PII data is already difficult to manage. Although the clause allows for “compensating controls” to stand in place of the encryption leading up to the five-year mark, carriers are already apprehensive of the burdens of such a large feat. In a similar context, multi-factor authentication will be required as well, but an extension of 1 year is being considered.

Some attending carriers with operations in Europe and the UK brought up concerns about how the cybersecurity legislation will affect international relationships. However, while there are some differences between the NYS regulation and the GDPR (General Data Protection Regulation), we don’t expect these differences to drastically impact carriers’ ongoing technology activities.

Many carriers discussed the security and reliability of Cloud. While some saw Cloud as an additional risk, others saw it as a faster, seamless way to fortify cybersecurity. There was a general concern that because data centers from Cloud providers house different “tenants,” there is a risk of the data being exposed. There was a discussion of “accumulation risk” caused by a cloud, meaning that a hack of the cloud could automatically trigger a security event for everyone in the cloud. However, other attendees suggested that because it is easier to add a security tool to a Cloud solution, the risk of data exposure is mitigated.

Happy Holidays & Happy New Year!!!!

Agent Acceptance of Core System Changes

Chuck Ruzicka

Carriers should expect some agent skepticism whenever they announce the intent to modernize or replace their core systems, and proactively take steps to improve the acceptance of their proposed changes. Most independent agents have moved books of business to new systems. This movement temporarily causes additional work for the agency and can be very disruptive. Agent acceptance of a modern core PAS system, and the related processes and products, is critical to the success of major transformation projects for those carriers in the independent agent channel. Most carriers expect new business submissions to increase as a result of their transformation project and include this assumption in their cost benefit assumptions.

Discussions with carriers reveal differing success rates that appear to be independent of the solution vendor chosen and the choice of Portal component. Some carriers have been very successful extending a variety of core systems directly to agents, and some modern Portal implementations have been unsuccessful. Results can be mixed with the same solution provider, with one carrier getting very positive feedback from agents and other carriers getting negative feedback. Clearly in this case, there are other factors impacting acceptance rates than the choice of core system. So what are the most important factors in determining agent acceptance of a business transformation solution?

Here’s what we recommend:

Separate disruption caused by product and underwriting changes from the impact of new work flows and systems. A company that can’t implement product changes due to legacy system limitations often has a book which reflects adverse selection. A good example might be the average credit scores for a given customer’s base when compared to the average population. Incorporating credit into underwriting guidelines for the first time to address loss ratio concerns will be disruptive from an agent’s perspective regardless of what system it is implemented on. Carriers may consider easing in new factors to reduce disruption rather than fully taking all the required rate indicated by actuarial analysis. Proactive communication of product changes separate from system announcements, as well as clarifying market appetite and offering new products, helps to offset this disruption.

Focus on user experience from an agent’s perspective. Engage user experience experts in the design and review of the critical functions within a core suite solution. Small companies have demonstrated the effectiveness of just having one or two people designated as having this responsibility or focus. Outside services are readily available. Minimize the number of questions asked during the application process by leveraging third-party data sources and challenging the value of each and every question asked. Involve selected agents or customer service representatives (who will actually use the system) in prioritizing functionality and reviewing early designs and business processes.

Don’t communicate unrealistic or premature target dates. Agents often put pressure on carriers to deliver new products quickly. However, they would much rather have a quality implementation and smooth conversion than deal with customer or performance issues. Agents do not like uncertainty. Planning to move business only to have it delayed undermines credibility and irritates the agents.

Pilot all implementations with a subset of the targeted population. Pilots should be actively monitored and support teams should be fully engaged in responding to feedback. Too often firms conduct pilots without having a mechanism for obtaining feedback or allowing adequate time to respond to suggested changes. Listen and respond without rushing changes to production. Changes must be implemented with quality and reflect the opinions of a broad audience, not just one user.

Execute. In addition to configuring functionality correctly, carriers must allow adequate time for testing of both the external facing capabilities of the new system as well as the processes for supporting and responding to questions and submissions. Testers should have various levels of technical knowledge and should utilize multiple browsers and access functionality from multiple points within the system.

Create communication plans stressing the benefits of the new system from an agent’s perspective. Ease of use, real-time policy issuance, shorter underwriting cycles, and limiting agent data entry before knock-out rules are invoked all benefit the agent.

Make sure that the project team understands the importance of agent acceptance, defining scope of releases and prioritizing features with this in mind.

Make the above items part of your culture. Once a base Portal or external-facing functionality is implemented, keep the focus on user experience, implement incremental changes, and pilot changes using A/B testing techniques.

Applying these principles will improve agent acceptance and will benefit the agent, the consumer and the carrier.

News and Views: Startups, the Future of Driving, Apple Watches, Metromile and CoverHound

Steven Kaye

Steve Kaye on how more startups might follow Nexar Limited’s example in working with municipal governments.

Chuck Ruzicka

Chuck Ruzicka on why carriers need to keep an eye on the present when it comes to self-driving cars and AR technology.

Tom Benton

Tom Benton on Vitality giving life insurance policyholders reduced-cost Apple Watches in exchange for their becoming less sedentary.

Jeff Goldberg

Jeff Goldberg on what the new Metromile/CoverHound partnership tells us about innovation in insurance.

News and Views: Core in the Cloud, Self-Driving Trucks, Claims Satisfaction, and Blockchain Consortium

Tom Benton

Tom Benton on the first successful self-driving truck delivery from Uber’s Otto.

Chuck Ruzicka

Chuck Ruzicka on a new study from J.D. Power on what customers want out of their insurance company’s digital services.

Rob McIsaac

Rob McIsaac on Liberty Mutual Benefits’ move into using cloud computing.

Mitch Wein

Mitch Wein on the new consortium of European reinsurers piloting blockchain.

On the Internet, No One Knows You’re a Small Insurer

Tom Benton

Recently, Chuck, Thuy and I attended the IASA Boot Camp in Hilton Head Island, SC. The event was started a few years ago by IASA to provide vendors with education and training on the industry, as well as networking and discussing IASA’s events and opportunities. This year’s sessions focused on learning more about how to better engage insurers and understanding their processes for vendor selection and solution purchase decisions. I had the opportunity to speak to the attendees about the challenges facing small carrier technology leaders.

Smaller insurers, typically with fewer than 25 IT staff and with net premium in the low $100Ms, face the same challenges as their larger peers: modernizing aging core systems, improving customer experience and finding ways to better leverage analytics. These and other concerns are more difficult for smaller carriers since they have fewer resources to dedicate to solutions. As vendors have matured their products and implementations in recent years, they are looking for ways to better meet the needs of smaller insurers.

The Boot Camp also featured presentations on how carriers make purchasing decisions, and on the second day there were lively roundtable discussions on topics that included RFI (Request for Information) and POC (Proof of Concept) processes, and how to better approach the sales process, including demos. I was part of an interesting session that included consultants who have coordinated RFI and POC processes, including me at Novarica, and vendors who have been through various processes from carrier-led to consultant-led. The key takeaway was that frequent and focused communication plays a key role in the success of the process, in particular when the process is used to prepare both vendor and carrier for a partnering relationship.

If you’re interested in learning more about our work with smaller insurers, please feel free to contact me directly.

The Future is in Better Products and Service: Thoughts from the Bay Area InsurTech Meetup

Steven Kaye

I recently attended a Bay Area InsurTech meetup, sponsored by AXA Lab, with the theme of “Millennials, mobile and the future of Insurance.”

The session started with an overview of findings from an AXA-Alpha UX survey. Notably, Millennials’ preferred method of interaction with insurers is in-person, and they view insurance as important for safety but not engaging; expensive, but necessary.

Next, speakers from three startups, moderated by Tuan Pham from Silicon Valley Bank, discussed both the survey findings and a broad range of issues ranging from how to design products to appeal to Millennials to establishing brands.

Automatic offers an adapter that plugs into a car’s OBD-II port, plus an app that displays info on your car and your driving habits. They offer everything from vehicle diagnostics to real-time driving feedback to finding where you parked your car to exporting data for T&E and taxes.

One Financial (really, their investment Bee) reaches out to the unbanked, and has lower customer acquisition costs than banks because of its use of kiosks. The company is building presence at farmers’ markets. Vinay Patel, One Financial’s CEO and co-founder, realizes banks can copy what he does, but by that time he’ll have built up a nice business.

Sure offers what they call episodic insurance, which right now means being able to buy flight insurance on demand from your phone. Wayne Slavin, the CEO and co-founder, discussed the importance of transparency, bundling opportunities, and the potential for outsourcing some functions such as claims handling.

I was surprised at how conservatively the discussion ran, compared to the invocations of disruption and touting of Uber and Zenefits at other venues. For example, there was a discussion on the importance of following regulations. Connected cars, UBI, and driverless vehicles were seen as transformative, but the real impact would not hit for twenty years or so.

A takeaway was that there was plenty of room for innovation in products and in engaging and serving Millennials, without startups seeking to be insurers in their own right.

To all Life insurers: I’m a target customer. How do you educate me about your products?

Thuy Osman

Even though I work in the insurance industry, I was never interested in buying life insurance. I always thought it was so morbid; like if you thought about death and planned for death, death would come. Of course we all know it comes eventually for everyone. But, is there something to be said about being prepared financially for it? I must admit, the thought never crossed my mind until I became a parent and the responsibility of someone’s life was placed in my hands.

Being a millennial, the first place I looked for information on life insurance was online. However, what I found on various websites was not useful, or compelling enough to get me to start the application process.

As a last resort, I called the agent who sold me my auto and home insurance (something I had never done before). In 15 minutes, the agent explained to me the various life insurance products, the cost and coverage of each, and the benefits of each, based on the goals I was trying to achieve with this product. He even did a sample illustration to show me the different options offered by various carriers.

Although the phone conversation was extremely helpful, I kept wondering: Why didn’t the agent call me to tell me about life insurance? He knows that I just moved, bought a house, and have kids. Why didn’t he try to sell me another product?

I’m sure there are many more 30-something-year-olds out there thinking about life insurance to protect their families, but not knowing where to start. If this group is a target market for life carriers, carriers need to think about what they are doing to reach out to this group to educate them on the products they offer, ASAP.

COLI / BOLI Special Interest Group Meeting Previews New Research

Rob McIsaac

On March 1, Novarica hosted our most recent special interest group meeting for insurance technology senior leaders focused on specific lines of business. The sessions, which provide an opportunity to share recent targeted research, also create an environment for significant networking between carriers, many of which are dealing with strikingly similar issues as they look to address both business and technology issues in very competitive environments. This week’s session was focused on COLI / BOLI, a niche space that is the domain of a small number of carriers offering highly specialized services which support the use of life insurance as an investment vehicle for funding specific types of benefits programs.

Complex Product Requiring “White Glove” Service

As became clear immediately in our discussions, these are complex vehicles that can generate notable top-line premium volume, coming from a group of specialized and highly demanding producers. There is a notable amount of plan customization, generally with the degree of customization being highly correlated with the size of the individual cases. A number of the participating carriers noted that this is a “white glove” business, characterized by a concierge-oriented set of programs and business processes where relationships between the carrier and producer communities (as well as servicing TPAs) are particularly critical for success.

Legacy Systems and Lack of Customer Intimacy Impeding Speed to Market

We also previewed an upcoming report which will be published in May through our Research Partners Program. From a technology platform perspective, this research highlighted the age of core systems (average PAS platform: 19 years old with a number now at 30+), which is creating both flexibility and speed to market issues.

While the number of truly new products in this space is sharply lower than it might be for consumer product lines such as personal lines P&C, these carriers face a truly interesting challenge. Since they have little or no direct interaction with plan sponsors, they take their market research cues from top-selling producers and TPAs. That makes modern analytics of generally limited value on the marketing and product development fronts and requires that product development investment decisions be based on relationships and “market feel.” With inherent inflexibility in systems, the recovery time for reading a market wrong can be substantially elongated.

Different Needs to Support Today’s Channel and Attract Tomorrow’s

With producers in this space also aging (note the average agent is now 59+), carriers face an interesting challenge. The self-service/digitally-enabled capabilities that may be of limited value to top producers today could quickly become table stakes for attracting and retaining production capacity in the future. Our discussions generally confirmed the research, which said that this is an important near-term planning consideration for carriers looking to maintain or extend their position in this space. One of the key items that came from these discussions was the need to start to truly think bi-modally with respect to distributor support. In other words, while continuing to cater to the needs of top-producing (and more mature) agents may be an important near-term tactical mandate, finding ways to also engage younger and more digitally savvy producers, who expect easy information access and mobility as the basis for considering the placement of business with a carrier, may become a critical strategic capability in a surprisingly short timeframe. Some notable examples are now emerging of life carriers starting to mimic the experience of banking IT organizations, which has them developing “mobile applications first.”

Security Even MORE Important Given Customer Profile

Another area of considerable concern for carriers is security. While security is generally a “hot topic” for carriers across all lines of business, and other research done by Novarica has highlighted its blossoming as a Board-level consideration, the issue is magnified in this space. Particularly in the case of BOLI, with banks as customers, the security gauntlet is elevated given that banks are both particularly tuned in to risks (given the nature and frequency of their transactions) and subject to the oversight of their own industry regulators. These security concerns have a direct impact on carriers looking to support BOLI business for these institutions.

This led to another fascinating discussion about handling suppliers that carriers may use for key functionality who do not, themselves, pass the security tests required by BOLI plan sponsors. We explored a range of remediation options that may exist for carriers concerned about both viability and liability.

More Special Interest Group Discussions at Novarica Council Annual Meeting

These sessions provide for a terrific exchange of information, both in terms of new research, and practical experiences as shared directly by carriers. We plan additional Special Interest Group sessions in the near future, with our Annual Research Council Meeting in Providence, RI on April 20-21 providing an opportunity for us to explore Individual Life, Group Life, Annuities, Workers Compensation, Personal Lines P&C and Commercial Lines P&C in more detail. In addition, we are planning a stand-alone session focused on Disability Insurance products that will be scheduled in Q3-2016.

In many ways, 2015 was the year that the future arrived. For carriers, 2016 is the beginning of what carriers need to do in order to respond effectively to a brave, new, transparent world.

Technology’s Changing Role for Group and Voluntary Benefits

Rob McIsaac

Today’s group insurance arena is a hyper-competitive sector, with technology playing an ever larger role in attracting, retaining, and profitably serving clients. Technology is also playing a pivotal role in allowing carriers to make the significant transition from the traditional group benefits model to one that requires the ability to concurrently support both group and voluntary benefits, allowing them to react to both an evolving regulatory environment and to fundamental changes in the demographics of the current labor force. To address these key considerations, carriers are moving to seek out more modern systems that can better support rapid product development and adapt to changes in products and pricing. Modern systems are also key to attracting and retaining top producer talent, given the need to provide increased transparency around key business processes as well as more real time access to self-service functionality.

Carriers in the group and voluntary benefits space often use technology platforms that are chronologically newer than the core systems in the individual insurance market. This actually masks issues with aging technologies, however, since many current group solutions tend to have their origins in legacy client/server and web-based systems. Ironically, these systems can actually have greater inherent risks than much older mainframe-based platforms, given that the technologies used to develop them had substantially shorter useful lives, which has a very direct connection with challenges in finding the talent to support them.

Many carriers are now looking to invest in technology replacement plans to solve this problem. Rather than pursuing wholesale conversion of monolithic existing platforms, carriers increasingly see replacement of individual legacy system components as a less risky path forward. This creates an environment which allows IT organizations supporting these lines of business to build organizational “muscle” for these longer-term transformation efforts by starting with key components outside of the core PAS platform. Underwriting, Billing and Claims are three examples of logical starting points on a measured multi-year journey to position carriers for long-term success.

For carriers in the segment, there’s a growing competitive urgency for making key systems investments. While there is a very logical transition that carriers can make from group to voluntary benefit offerings, this is not a domain that is reserved for group life carriers alone. Facing changes in their own traditional markets, both individual life and group health carriers increasingly see the voluntary benefits space as offering an attractive component to their own growth strategies.

In our new Business & Technology Trends report, we explore these issues in more detail and offer examples of how group carriers are positioning their technology investments to support future growth plans.

Related Reports:

  • Business and Technology Trends: Group Life/Annuity/Voluntary Benefits

The Parallel Paths of Data Strategy

Jeff Goldberg

Data strategy at an organization follows multiple paths:

> Data Governance and Definitions
> Data Process, Quality, and Augmentation
> Data Warehousing
> Reports, Dashboards, and BI
> Predictive Analytics
> Big Data and External Data Sources

When I talk to insurers about their data strategy, I like to assess how far along they’ve progressed on the above paths. The exact breakdown (or naming) of these data strategy paths can vary from company to company depending on priorities and opinion. But the key is that they all matter and, just as importantly, that they happen in parallel rather than in series.

There are two problems I find when diving into the strategy details. Either (a) some of the critical paths of data strategy have been ignored or, the opposite issue, (b) some of the incomplete paths are being treated like roadblocks to other progress.

The first problem is pretty easy to understand. If an insurer focuses on just data warehousing and reporting (one of the most common scenarios), the data will never really represent a single source of the truth, the reports and other BI will always be in contention, and a lot of greater value will be left on the table. For another example, if an insurer puts all their effort into predictive modeling, those models will never be as deep or precise as they could be with better data for analysis. It’s not a surprise, though, that this kind of uneven approach happens all the time; a balanced data strategy is difficult and few insurers have the resources or skill in all areas. Some of the paths require particular technological expertise, while others require political will.

The second problem, on the other hand, requires rethinking how these different data strategy paths interact. Up above I’ve lined them up in what seems like a natural order: first you need to have some kind of governance group that agrees on what the data means, then you need to have a process to clean and flow the data through the different systems, then you aggregate the data into a warehouse, then you report on it, then you analyze it and build predictive models, and only then do you think about bringing big data into the picture. It makes logical sense. But it’s also wrong.

The reality is that an insurer can work on all of those paths in any order and/or simultaneously. You don’t need a perfect data warehouse before you start thinking about predictive modeling (in fact, there are plenty of third-party vendors who help you skip right to the predictive models by using industry data). You can run reports directly off your claims system even if its data is in isolation. Nowhere is there more proof of this than the fact that most insurers hardly have any data governance in place but have still moved forward in other aspects of their data strategy. That doesn’t mean a company should ignore the other paths (that leads to the first problem), but it does mean progress can be made in multiple areas at once.

What’s important to understand is that all these different data strategy paths enhance each other. The further an insurer is down all of them, the stronger each one will be, leading to the best decision making and data-driven actions.

So it’s always good to step back and take a look at the data across an organization, assessing each of these paths individually and seeing what can be done to move each forward. A good data strategy has a plan to advance each path, but also recognizes that no path needs to block another, depending on current priorities.