Download

The Ghost in State Farm's Machine

State Farm's sweeping cuts to agent compensation signal how private equity thinking now shapes even mutual insurers' operating models.

Ghost in the Machine

State Farm just told 19,000 captive agents the deal has changed. Deferred compensation? Gone. Health benefits? Reduced. Renewal commissions? Squeezed in favor of new-business production.

State Farm is a policyholder-owned mutual—the largest in the country—not a private equity play. Yet the announcement reads like it came straight out of a KKR, Apollo, or Blackstone operating playbook.

For decades, State Farm's model rested on a simple premise: a book of business is not self-sustaining. It requires labor. Agents weren't just selling policies; they were maintaining them—fielding calls, resolving issues, retaining customers, spotting risks before they became claims. Renewal commissions weren't a bonus. They were the operating system.

But operating systems get deprecated.

Every generation redraws the line between labor and leverage, between what requires a human and what can be systematized. The real question isn't whether people add value. It's whether they add the same value they once did—and whether that value supports the same cost structure.

Seen through that lens, State Farm's move wasn't surprising. It was inevitable.

Three forces have been quietly closing in.

First, competition. Progressive and GEICO operate without an agent-heavy cost base. They built direct models—leaner, faster, less sentimental. As they gained share—Progressive recently passed State Farm as the top writer of auto policies in the US—State Farm was forced to respond.

Second, management migration. Over the past two decades, executives have moved through private equity portfolio companies, internalizing a shared language—almost a mantra—of efficiency, productivity, and return on capital. What was once distinctive to private equity is becoming simply how management thinks.

Third, AI. Service calls, billing questions, renewals, first notice of loss—tasks that once justified large workforces and long-tail commissions—are increasingly handled by software that doesn't sleep, doesn't churn, and declines in marginal cost over time.

This doesn't make human agents obsolete. It makes legacy compensation models obsolete.

Human value doesn't disappear, it concentrates in complex cases, edge scenarios, trust, judgment—the hard stuff. But the routine? The repeatable? The predictable? That's already slipping out of human hands.

The private equity approach asks a relentless question of every line item: if we were building this today, would we pay for it this way? That question is destabilizing inside legacy models, because once you ask it honestly, a lot of "strategic investments" start to look like habits. And habits, over time, get expensive.

So this isn't a story about private equity taking over State Farm. It's something more consequential: the normalization of a worldview private equity helped industrialize. Nothing is sacred—except the spreadsheet. Every cost is conditional. Yesterday's logic expires faster than anyone wants to admit.

Cost cutting is the easy part. Plenty of companies are doing that—and calling it strategy.

The harder move is what comes next: reinvesting those savings to build something better. Better experiences. Stronger capabilities. New forms of growth that justify the disruption.

In the end, the winners won't be those who simply get leaner. They'll be the ones who get smarter about where humans still matter—and ruthlessly disciplined about where they don't.

That's the real ghost in the machine.


Riv Arthur

Profile picture for user RivArthur

Riv Arthur

Riv Arthur is a business leader and technologist working in insurance, healthcare, and private equity.

It's a Wired, Wired, Wired, Wired World

As sensors have demonstrated during the World Cup, the globe is becoming so wired that it's possible to spot earthquakes, wildfires, and floods in time to mitigate harm.

Image
Early Warning

When Norway won games during the World Cup, so many people jumped up and down that earthquake sensors picked up tremors in Oslo. The same was true when Mexico won games; tremors were detected in Guadalajara and other parts of the country. 

That's some impressive fan support. Vamonos, Mexico! Dra til, Norge!

But detecting the tremors also required some very impressive sensors — of the sort that can help insurers increasingly head off injuries and property damage from earthquakes, wildfires, and floods by giving people advance notice of the impending trouble.

Let's have a look. 

Earthquake sensors are top of mind for me because of the devastating quakes in Venezuela and because of the 5.6-magnitude quake in late June that shook parts of Northern California where I lived until recently. 

Sensors in Google phones managed to alert more than 11.4 million people in Venezuela that a major earthquake was coming, at least several seconds before they felt the impact, according to the New York Times, and as much as two minutes ahead of time. It's not clear how many lives were saved and injuries prevented — and the losses were devastating, with nearly 4,500 deaths confirmed from the 7.2- and 7.5-magnitude earthquakes — but many people surely managed to protect themselves by quickly taking cover. 

What Google is doing is intriguing, and potentially a model for other alert systems. Google has turned all its phones into sensors that take advantage of the fact that earthquakes create two types of waves, as part of a system that is available in nearly 100 countries. One type (P-waves) travels very fast but does little damage. The other (S-waves) does the vast majority of the damage but travels significantly more slowly. Google's phones detect the fast-arriving P-waves as they travel through the ground, and, when Google sees all phones in an area lighting up at once, it knows S-waves and rumbling are coming. 

It's rather like thunder and lightning. Google's phones see the lightning and can tell people that thunder is coming. (The obvious difference being that, in the case of earthquakes, the damage comes after the alert, while lightning is both the alert and the cause of damage.)

The systems don't necessarily provide a lot of warning. P-waves travel at 5-6km/sec, while S-waves spread at 3-4km/sec. So you'd need to be perhaps 20 miles away from the epicenter to get five seconds of warning. People will need to be educated about what to do with those five seconds (drop, cover and hold on) and become accustomed to the idea of alerts, so they don't freeze when the warnings arrive. 

But the sensor network could still get a lot of people away from whatever might fall on them, even with little advance notice, and prevent other damage, too. A woman I know was on an on-ramp for I80 in Berkeley when the Loma Prieta earthquake hit Northern California in 1989. The on-ramp collapsed, dropping her 30 feet onto a pile of rubble. The collapse not only totaled her car, of course, but had her in and out of surgery for years, and left her traumatized from knowing how many people were crushed beneath her. With just five seconds notice, she would have been able to pull off the road and stop short of the elevated roadway. 

In the recent California quake, the governor's office bragged that the state's new early warning system had alerted more than 1 million residents before the shaking started in their area, drawing on feeds from some 600 sensors installed around the state. The system is also available in Oregon and Washington, and Apple offers a similar sort of alert system, drawing on sensors that others have installed.

Insurers don't have a role to play in the development of networks like Google's and don't have to help with the sort of deployment of hard-wired sensors like those in California, but they can certainly assist with the education. Those that do will not only reduce injury claims but will earn good citizen points. At a time when insurers are looking for ways to engage with policyholders more often — not just when collecting premiums or paying claims — offering education about how to protect yourself seems like a promising avenue.

Sensors that can detect wildfires before they get out of control are likewise becoming far more sophisticated and are being deployed on the ground, in the air, and in satellites. Personally, I'm most intrigued by what's happening with satellites, both because they can cover nearly unlimited territory, almost minute by minute, and because I believe in having others do as much work for me as possible. 

Google doesn't sell its phones on the basis that they'll detect earthquakes. People buy the phones for the obvious reasons, then Google adds a bit of software, et voila! A detection network is suddenly deployed. I think the same potential is there to add wildfire detection capabilities to the thousands of low-earth satellites that Elon Musk and others are deploying to facilitate communications. Let them pay for the expensive hardware and the launch, then add a camera and other forms of sensors that can look down and spot even small fires.

Floods, thus far, require dedicated networks of sensors, but there's progress there, too, as Houston is showing. Cities are installing small, inexpensive sensors that monitor water levels constantly, which usually providing hours of warning about developing floods. Cities can also warn motorists in real time to avoid underpasses where water has collected. 

Because these networks of sensors can't just be piggybacked onto other hardware, progress can be slow — adoption remains spotty, for instance, in Central Texas even in the wake of the disastrous flood a year ago that killed 130 people, including 25 young girls and two counselors at a summer camp. But the technology is there and will continue to make inroads.

A rule of thumb I developed some years ago now, as part of what I call the Laws of Zero, is that you can assume that any bit of information you want will be available to you at what looks like zero cost (compared with today) if you look down the road a ways. 

The concept is me looking for areas outside computer chips where the magic of Moore's law can apply. Moore's law — essentially, that the power of a computer processor doubles every year and a half to two years at no increase in cost — means that a unit of computing power that cost a dollar in 2000 costs roughly 1/600th of a penny today. So, free (almost) for anyone making long-range plans in 2000.

I won't go into all seven of the areas I identified, but it's pretty easy to see how sensors fit the Laws of Zero pattern. Moore's law will drive the cost of the computing and any memory toward zero. WiFi and satellite connectivity are becoming ubiquitous, so there's no marginal communication cost. Batteries are also plunging in cost, and many sensors won't even need them, either because they can use solar power (whose cost is heading toward zero) or because they're built into bigger systems such as Google phones or Starlink satellites. 

The Law of Zero about sensors means we will keep seeing progress. Insurers won't even have to pay for that progress. They can just piggyback on what others are doing, then help policyholders understand how to take advantage of the progress — reducing claims while earning good will.

In the meantime, if you aren't watching the France-Spain World Cup semifinal this afternoon, or at least sneaking the occasional peak while at work, I'll bet you'll be able to tell the result if you have access to seismograph readings from Paris and Madrid at 5pm or so Eastern time. 

Cheers,

Paul

 

 

A Founder's Guide to Surviving Investor Rejection

At 66, a cybersecurity veteran trades retirement planning for startup building and learns that success doesn't depend on yeses; it requires "not no"'s. 

Walking a high wire

One of my favorite movie scenes comes from "Volunteers."

Tom Hanks is trying to negotiate with a local warlord. Standing nearby is the warlord's beautiful bodyguard—whose command of English is somewhere between nonexistent and interpretive dance. Tom flashes a grin that suggests he'd be perfectly happy if she happened to be part of the bargain.

The warlord responds with something to the effect of, "If I say yes… and not no…"

I honestly don't remember exactly how the scene ended. What I remember is what popped into my own head.

I'd settle for not no.

At the time, it was just a funny line. Thirty years later, after more investor meetings than I care to count, I finally understand why it stuck with me.

Founders spend years chasing "yes." Investors rarely give you one. Instead they say…

"Interesting."

"Come back after revenue."

"Let's reconnect in six months."

"We'd like to see your next release."

"Keep us posted."

None of those are yes.

But they aren't no.

If you're building a company, you eventually realize that companies aren't built on yes.

They're built on not no.

The High Wire

Being a founder is the proverbial high-wire act. There's no safety net. No guarantee. No instruction manual.

People love talking about entrepreneurial risk. Let me save you some time. It's all risky.

The right decisions.

The wrong decisions.

The crazy decisions.

Sometimes you don't know which one you made until two years later.

Then there are the mornings.

3 a.m.

Every.

Single.

Morning.

Not because the alarm went off. Because your brain did.

There's always one more investor to research.

One more slide to improve.

One more grant proposal to edit.

One more feature to design.

One more email to send before the day job begins.

People think founders work 80-hour weeks. The truth is… founders never really stop working. The company follows you to bed. It wakes up before you do.

And then there's that feeling. If you've ever built a company, you know exactly what I'm talking about. That knot in the pit of your stomach. It never completely goes away. It's there when you wake up. It's there during investor meetings. It's there while you're brushing your teeth. It whispers the same questions over and over.

What did I forget?

Are we going to make it?

Am I asking my family to believe in something impossible?

Is this the dumbest thing I've ever done… or the smartest?

I've come to think of it as the founder's tax. Nobody talks about it. Everybody pays it. Some people call it stress.

Founders call it Tuesday.

Venture Capitalists and Sea Turtles
Venture Capital

One of my favorite startup metaphors comes from Silicon Valley.

Ron LaFlamme, the eccentric attorney, explains venture capital using sea turtles. Sea turtles lay hundreds of eggs because only one or two eventually make it to the ocean.

"That's what Peter Gregory is doing," Ron explains. "Making sure one or two of his compression plays make it to the sea."

The first time I heard that I remember thinking,

"Why not just pick stronger turtles?"

Of course, that's not how venture capital works. They're playing portfolio math. Fund enough companies and one eventually becomes the next Google.

They're not looking for certainty. They're looking for outliers.

Founders don't have that luxury.

Most of us get one turtle.

One company.

One dream.

One shot.

It's amazing how differently you look at risk when you're carrying your only turtle.

Government Grants: The Ultramarathon
Government Grants

If raising venture capital is a marathon… government grants are an ultramarathon.

Uphill.

Into the wind.

Dragging a filing cabinet behind you.

You spend six weeks writing.

Three weeks editing.

Two weeks wondering whether Requirement 3.2.17(b) means exactly what you think it means.

You finally hit "Submit."

Then… absolutely nothing.

Weeks become months.

Months become more months.

Eventually an email arrives.

Your pulse quickens.

Your palms get sweaty.

You open it.

"Thank you for your interest…"

That's government-speak for, "Better luck next time."

The amazing part?

You immediately start writing the next proposal.

Founders are funny that way.

The government didn't invent persistence.

Entrepreneurs did.

Accelerators
Acceleration

I actually like accelerators.

Some of them.

Many provide genuine value.

They introduce founders to investors.

They surround you with experienced entrepreneurs.

They shorten the learning curve.

Some absolutely earn the equity they receive.

Others…

Well…

Let's just say the first image that came to my mind was a skinny kid explaining proper deadlifting technique to a professional bodybuilder.

It made me laugh.

Mostly because I've been there.

Now before anyone gets offended…

No, I don't know everything.

Far from it.

But this ain't Marine Corps boot camp.

I don't need somebody teaching me how to polish my boots. I've spent decades leading soldiers, briefing executives, running cybersecurity organizations, and solving difficult problems. Teach me something I don't know. Introduce me to someone I couldn't otherwise meet. Open a door that's been closed. Challenge my assumptions.

That's acceleration.

Teaching me how to center a title on a PowerPoint slide? Not so much.

Now, to be fair, accelerators usually introduce you to investors. Of course, they don't do it out of the goodness of their hearts. They generally take a slice of your company.

Sometimes it's a reasonable slice.

Sometimes…

It's a fat butcher's slice.

Every founder has to answer the same question.

Was it worth it?

If the answer is yes… great.

If not… that was one expensive PowerPoint lesson.

The Founder's Retirement Plan
Founder's Retirement Plan

Somewhere along this journey I stopped looking at my investment portfolio as retirement.

I see software development.

Advertising.

Patent attorneys.

Trade shows.

Cloud hosting.

Developers.

My financial advisor sees diversification.

I see operating capital.

Retirement?

I'll think about retirement after Version 5.0 ships.

Every now and then I tell Suzanne we're flying first class to the Maldives for a week of scuba diving.

Just as soon as…

well…

just as soon as we can afford a margarita machine.

Fans of "Silicon Valley" will appreciate that reference.

Everyone else probably thinks I've developed an unhealthy obsession with frozen drinks.

They're not entirely wrong.

The funny thing about founders is that we stop measuring wealth the way everyone else does.

A new car?

That's six months of development.

Kitchen remodel?

Marketing budget.

Vacation?

Another developer.

People ask how founders keep funding their companies.

Simple.

We stop thinking about assets.

We start thinking about runway.

Yin and Yang
Yin & Yang

People ask what it's like to build a company with my wife. The answer usually surprises them. We work remarkably well together.

Mostly because we work remarkably well apart.

Ron LaFlamme would probably describe us as yin and yang.

That's us.

I'm the dreamer.

Suzanne is the realist.

I see possibilities.

She sees details.

I chase ideas.

She quietly points out the 17 reasons one of them probably won't work.

She's usually right.

Long before software, we bought a short-term rental.

The number one comment from our guests wasn't the location.

It wasn't the view.

It wasn't the amenities.

It was one word.

"Immaculate."

That's Suzanne.

If NASA hired her, astronauts would dust the launch pad before liftoff.

She has standards that make hotel inspectors nervous.

Thank goodness.

Somebody has to.

Every founder needs someone willing to ask,

"Are you sure?"

Not because they doubt the dream.

Because they want the dream to survive.

People celebrate founders.

They should spend more time celebrating the people who quietly make founders better.

The Turtle on the Fence Post
The Sea Turtle on the Fence Post

There's an old saying: "If you see a turtle on a fence post, you know it didn't get there by itself."

How he got up there is anybody's guess.

Yes…

I'm mixing metaphors.

It's my article.

Besides, if you've ever started a company, you know reality stopped making sense a long time ago.

You stop measuring life normally.

Your retirement account becomes software development.

Vacation becomes cloud hosting.

Credit cards become temporary venture capital.

Your dog starts recognizing the Amazon delivery driver by first name.

Normal people call this insanity.

Founders call it product-market fit.

The truth is, nobody builds a company alone.

Somebody always believed.

Somebody always introduced you to someone.

Somebody always opened a door.

And if you're lucky enough to succeed… maybe someday you'll become the person holding the door open for the next founder trying to get through.

That's a legacy, too.

Why 66?
Route 66

People may someday ask me a simple question.

"Why did it take until you were 66?"

It's a fair question.

The funny thing is…

I don't think I waited until I was 66 to become a founder.

I think I spent 40 years accidentally preparing to become one.

The Army taught me leadership.

It also taught me that no plan survives first contact.

Corporate America taught me patience.

Cybersecurity taught me skepticism.

Attackers adapt.

Technology changes.

Certainty is usually an illusion.

Marriage taught me partnership.

Investors taught me persistence.

Government grants taught me humility.

And rejection…

Rejection taught me that success usually belongs to the person willing to hear "no" one more time than everyone else.

Looking back, every assignment, every promotion, every setback, every impossible deadline, every deployment, every conference room, every board presentation, every sleepless night somehow led here.

Maybe the company wasn't waiting for me.

Maybe I was waiting to become the person capable of building the company.

The Founder Nobody Sees
The Founder Nobody Sees

People see the pitch.

They see the product.

They see the trade show booth.

They see the LinkedIn announcement.

What they don't see… is the founder sitting at the kitchen table at 3 a.m. trying to get two hours of work done before heading to the day job.

They don't see weekends disappear.

They don't see vacations turn into strategy sessions.

They don't see the credit card bill arrive.

They don't see another investor politely explaining why your company isn't quite ready.

They don't see the quiet conversations between spouses.

"Can we keep doing this?"

"How much longer?"

"Are we crazy?"

The answer, by the way… is yes.

Founders are a little crazy.

Thankfully.

If they weren't, most companies would never exist.

Looking Forward Instead of Backward
Looking Forward

At 66, something changes.

You stop asking,

"How much money can I make?"

You start asking,

"What am I going to leave behind?"

Money is nice.

Don't misunderstand me.

I'd love to stop looking at every block of stock in my retirement account as another software release or another attorney.

I'd love to finally buy that margarita machine.

I'd really love to take Suzanne to the Maldives and spend a week underwater instead of under deadlines.

But that's not why I'm doing this.

If our company succeeds, I hope my legacy isn't the software.

I hope it isn't the patent.

I hope it isn't the valuation.

I hope it's the organization that never became tomorrow's headline because somebody finally started looking through the windshield instead of the rearview mirror.

For decades, cybersecurity has become remarkably good at explaining yesterday.

Yesterday's ransomware.

Yesterday's phishing campaign.

Yesterday's breach.

Yesterday's lessons learned.

Those things matter.

But they're history.

I've always believed we could do more.

What if we could help organizations think about tomorrow?

Not with certainty.

Not with magic.

Not with a crystal ball.

Just disciplined analysis.

Patterns.

Trends.

Probabilities.

Enough information to make one better decision before the next attack arrives.

If we accomplish that… then every sleepless night was worth it.

Every rejection.

Every investor meeting.

Every government grant proposal.

Every conference.

Every dollar we invested instead of spending on ourselves.

Worth it.

The Last Word

The funny thing about entrepreneurship is that people think the story ends when an investor finally says yes.

It doesn't.

That's just the next chapter.

The real story is everything that happened before anyone believed.

The three o'clock mornings.

The knot in your stomach.

The day job that funded the dream.

The spouse who quietly kept believing.

The people who opened doors.

The investors who didn't say yes… but thankfully didn't say no, either.

Today we're still building.

Still pitching.

Still applying.

Still hearing,

"Come back later."

We're still looking at retirement accounts and seeing software development.

We're still laughing about margarita machines.

We're still dreaming about the Maldives.

We're still walking the high wire.

And after all these years…

I'd still settle for…

not no.

Because every once in a while…

"not no" becomes "yes."

Epilogue
Keep Plugging Along

Or maybe just the quiet refusal to quit.

Every founder needs something that carries them through the investor meetings, the rejection emails, the three o'clock mornings, and that knot in the pit of the stomach that never quite goes away.

Keep walking.

Keep building.

Keep believing.

Because every once in a while…

one little turtle actually makes it to the sea.

I'm fortunate.

When I need a reminder to keep going, I don't have to look very far.


Timothy O'Neil

Profile picture for user TimothyO'Neil

Timothy O'Neil

Timothy S. O’Neil, CISSP, CEH, is president and founder of AigisPoint Predictive Intelligence

A retired U.S. Army lieutenant colonel with more than 25 years of cybersecurity leadership experience, he has held senior security architecture and information security leadership roles across the healthcare, insurance, telecommunications, and consulting industries. He is the developer of the Strategic Predictive Threat Intelligence (SPTI) platform, designed to help organizations and cyber insurers anticipate emerging cyber threats before they become losses. 

'But the AI Told Me To Do It!'

As AI reshapes decision-making in insurance, the industry faces a critical question: Who holds liability when algorithms influence consequential outcomes?

AI Liability

I once wrote a presentation called: "It wasn't me. AI told me to do it!"

At the time, it was half joke, half warning.

Certainly feels less comical now.

Every organization adopting AI is moving toward the same uncomfortable question. When an AI-assisted decision causes harm, who carries the liability?

Clearly not the model. Models do not sign contracts, settle claims, bind risks, approve suppliers or accept regulatory responsibility. Maybe not the vendor, whose terms will usually say that you, the customer, remain responsible for how outputs are used. Not necessarily the employee, if they were using an approved tool in an approved process. Not necessarily the committee, if it says it relied on the employee's professional judgment.

Everybody, somebody and nobody.

This is not an anti-AI argument. I use AI. Most of us now do. In most cases it is harmless enough: drafting an email, summarizing a meeting, turning scrappy notes into something coherent. No sensible firm should build a heavy governance process around every prompt. That would be maddening and almost unenforceable.

But some uses are different.

If AI helps tidy up a launch invite, nobody cares. If it helps route a claim, draft an underwriting rationale, influence a supplier decision, interpret a compliance obligation or shape a board paper, then we are in different territory. We are talking about authority.

Insurance already understands authority. A junior underwriter cannot bind whatever they like. A claims handler has limits. A TPA works within a delegated claims authority. A coverholder operates within a binder. If something goes wrong, the questions are familiar: who had authority, what was the limit, was the decision escalated, and where is the evidence?

AI does not change those principles. It just makes them harder to see.

Take claims. An AI tool triages first notice of loss, summarizes the facts and recommends settlement within a low-value authority band. A handler reviews the screen and clicks through. Months later, a pattern emerges: the tool has been routing a class of claims too generously, too harshly, or inconsistently with the carrier's authority schedule.

At that point, the question is not simply whether the model was accurate. It is whether the settlement sat within authority, who accepted it, whether the handler actually reviewed it, and whether the firm can produce a record created at the time rather than a reconstruction after the complaint lands.

The same issue appears in delegated underwriting. An MGA uses AI to draft endorsements, referrals or risk summaries. The final document may still pass through a human. But did the output stay within binder authority? Did the right person approve it? Could a coverholder audit see the trail without piecing it together from emails and meeting notes?

These are not exotic technology questions. They are ordinary insurance questions, just wearing new clothes.

The problem for underwriters is that today's AI conversation is still too blunt. A proposal form might ask, "Do you use AI?" The insured says yes. Another insured says yes. Both attach an AI policy. On paper, they look broadly similar.

But they may be completely different risks.

One firm may let staff paste AI-generated analysis straight into consequential decisions with little more than a policy telling them to be careful. Another may classify the decision, check the user's authority, require escalation, capture sign-off and preserve the evidence. Those firms should not be priced as though they are the same.

At the moment, they might be.

This is because a policy is not proof. Training is not proof. A statement that "humans remain accountable" is useful, but only if you can identify the human, the decision, the authority and the record.

The missing artefact is a decision record.

For an AI-assisted decision that matters, an insurer should be able to ask: who requested the output, what was it used for, did the person have authority, was it escalated where needed, who accepted responsibility, and can the firm prove all this without reverse-engineering the story later?

That last part matters. After a loss, everyone becomes a process expert. People remember the governance policy. They remember the meeting. They remember the human in the loop. But insurance does not work on vibes. It works on evidence.

The answer, in my view, is not more slogans about responsible AI. It is the boring stuff insurance has always understood: authority, escalation, sign-off and evidence.

The 95% of routine AI use should stay fast. Let people summarize, draft and explore. But the consequential minority needs a different track. If an output is going to move money, affect a customer, change a risk position, influence a regulatory judgment or commit the firm, someone has to own it. Not in theory. Not in a policy. In the record.

"It wasn't me. AI told me to do it" may work as a joke in a presentation. It will not work in a claim file.

The firms that can show who made the decision, who had authority and what evidence exists will look different from the firms that cannot. At some point, insurers will price that difference.

The only question is whether they do it before the first major AI-accountability claim forces the issue.

A Hidden Issue in New AI Laws

New transparency laws mandate AI content marking by Aug. 2 -- but don't ensure end users see those marks.

New Laws

On Aug. 2, the rules change for anyone who makes or moves digital media.

The European Union's AI Act brings its transparency obligations into force that day. If you build a system that generates images, audio, or video, you have to mark the output in a machine-readable way. A downstream system can then tell synthetic media from a camera original. That marking piece is phasing in across the back half of 2026, but the direction is set. The EU's Code of Practice points to C2PA Content Credentials as an example of the kind of marking it has in mind.

On the same day, California's AI Transparency Act hits its core date. Senate Bill 942, as amended by Assembly Bill 853, requires covered content to carry a disclosure. And the statute went further than most people noticed. It says the mark has to be permanent, or extraordinarily difficult to remove, to the extent technically feasible. The platform and hosting anti-stripping obligations follow on Jan. 1, 2027.

Once you put those two laws side by side, the signal is clear: marking is no longer optional, and it is no longer a branding exercise. It is a legal requirement with a date on it.

That is real progress, and the people who built the marking layer earned the credit for it. C2PA, the Content Authenticity Initiative, the standards work that turned provenance from a conference word into a working specification: that is the reason a law can now point at something concrete and say do this. A decade ago there was nothing to mandate, and as a result of these changes, now there is. Cameras now ship that can sign an image at the shutter. Editing tools record what they changed. Major platforms have begun to read and display those credentials. That is a real foundation and it didn't exist a few years ago.

While everyone races to hit the deadline, there's still something left hanging in the balance. A mark is only worth what survives.

The law can require that a piece of content be marked at the moment it is made. So far, there's no mention of whether it requires that the mark still be there when the content arrives somewhere. Those are not the same event. The ordinary path a file takes from where it was created to the screen where someone finally makes a decision about it is where the media trip can split.

Today, that trip is brutal on metadata. A photo gets uploaded, and the platform re-encodes it and strips what it does not recognize. It gets screenshotted, and the screenshot carries none of the original's history. It moves through a content management system, gets resized for the web, passes through a messaging app that flattens it, ends up in a claims portal that saves its own copy. Every one of those steps is routine. Every one of them can quietly remove the mark the law now requires.

An organization can truthfully say it supports content credentials and still ship media that arrives unverifiable. Supporting the standard at the point of creation is not the same as guaranteeing the credential is intact at the point of use. The first is a checkbox. The second is a promise about everything that happens in between, and almost nobody is making that promise yet.

California clearly saw this coming. That is why the statute does not just say mark it. It says the mark has to be permanent, or extraordinarily difficult to remove, to the extent technically feasible. That is not a marking requirement. That is a durability requirement, written into law. It is the legislature telling the market that applying the label is not enough. The label has to hold.

Here is the catch. A statute can require durability. It cannot manufacture it. Requiring that a mark survive distribution does not make the mark survive distribution. That is an engineering result, and at the moment it is an unfinished one.

Marking, the part the law can point at, is largely solved — but again, there is still a big gap. Survival, the part the law now demands, is not. And survival is the harder half, because it is not a standards problem you can close by agreeing on a format. It is an architecture problem. It asks a different question. Not how do we label origin, but what still holds after the content has been through the tools real people use every day.

None of this is a knock on the marking standards. It is the opposite. The manifest at origin and the continuity of that manifest downstream are different layers solving different parts of one problem. The first tells you where something started and the second tells you what happened to it on the way here.

You need both. The industry built the first. The second is where the work is now.

There is a second failure the law does not touch at all. Both statutes aim at content that an AI system generated. But a large share of the media that decides real outcomes was never born inside any provenance system. The claim photo shot by a policyholder on an unmanaged phone. The eyewitness image from the scene of a news event. These arrive with no credential, not because someone stripped it, but because there was never a device in the loop to apply one.

The law marks the synthetic and says nothing about the authentic. Yet the authentic photo, arriving with nothing to vouch for it, is exactly the one a carrier or a newsroom has to trust. The same architecture that makes a mark survive the trip is the architecture that could give that first mile a credential it never had.

You see the cost clearest where money and trust are on the line.

If we take a look at a typical insurance claim, almost every claim now starts with a photo, taken by a policyholder, on a phone nobody controls, sent in through an app. By the time an adjuster sees it, that image has passed through several systems, any of which may have re-saved it. If the only proof of authenticity lived in metadata, and one system stripped it, the carrier is now making a payout decision on an image it cannot verify. The law was satisfied but the carrier is still guessing.

It's a similar situation for a newsroom. A verification desk can establish where a photograph came from. That is what it is staffed to do — but what it usually cannot establish is whether the proof of origin survived the crops, the resizes, and the re-encodes between the source and the published page. The reader sees a credential, or sees nothing, and has no way to know which steps ate the history.

Courtrooms are struggling with the same problem, because the chain of custody was built for evidence you could hold in your hand and log at every transfer. A digital photograph has nothing binding it to the moment of capture and no unbroken record of what touched it afterward. Courts admit it anyway. The question is shifting from is this real to can you show it held from capture to submission. That is a continuity question, and a mark applied at the source cannot answer it alone.

In all three, the same thing is true. Origin was the easier half. What survives the trip is the half that decides the outcome.

This is not an argument for more law. The regulators did their part. They named the requirement and put a date on it, and California even named the hard version of it. Asking a statute to also spell out how a mark survives a re-encode would be asking the wrong institution to solve an engineering problem. The law can set the bar. Someone still has to clear it.

So what closes the gap? Not another marking format. We have those, and they are good. The fix is architecture: anchoring authenticity at the moment of capture, and verifying its continuity as the content moves, built into the systems that already handle that content instead of bolted on afterward. Not a wall that defeats every possible attack, which no honest engineer would promise. A layer designed to hold through the ordinary trip that breaks things today, and to say so plainly when it has not held.

That layer is infrastructure and it sits underneath the products that newsrooms, carriers, and platforms already run. It completes the provenance work instead of competing with it. And it is the piece the Aug. 2 deadline is about to expose, because a lot of organizations are going to mark their content, check the box, and learn the first time it matters that the mark did not reach the other end.

The deadline is doing something useful. It is forcing a floor. After Aug. 2, marking is table stakes, and that is good.

So if this is the new floor, we're still not at the finish line. The law set the requirement that content be marked and, in California, that the mark endure. The market still has to build the thing that makes endurance real. Whoever builds it first is not just compliant. They are the ones who can still trust what they are looking at after the deadline stops being news. Everyone else will have marked their content, called it done, and gone on guessing with money on the line.

Insurance Doesn’t Have an AI Problem...

...It has a design problem. Insurers risk wasting AI investments by prioritizing technology over understanding the workflows and needs of the people using it.

AI Problem

Every AI conversation in insurance right now seems to start in the same place. Models, platforms, copilots, automation. So it might sound strange to say the industry's AI problem isn't a technology problem. It's a design problem.

I'm the founder and CEO of a design agency that has worked with insurance companies for more than 15 years, and I keep seeing the same pattern. We invest in technology before we understand the people who are supposed to use it. Then, when adoption is low, we blame it on people.

AI is just the latest, highest-stakes version of that same old mistake.

Whether investments in AI pay off won't come down to what model you pick. It'll come down to whether the people you built it for actually use it.

I am a designer by trade: art school, design school, maker through and through. Cake & Arrow did not start in insurance. We began in retail and e-commerce, designing digital experiences for consumer-centric brands. Then, about 15 years ago, a CIO at an insurance company asked us to help reimagine a sales platform for agents.

We came in as outsiders, and that outside view helped us see something people deep inside the business often can't: insurance experiences are too often built around the business, the policy, and the transactional moments—not around the customers, employees, agents, and brokers trying to navigate them.

Investing in Technology Is Not the Same as Progress

The instinct in insurance is often to start with the technology. A new tool shows up, a new capability emerges, and every executive team wants to show progress. I get the pressure. Boards are asking about AI. Everyone wants to move fast.

But buying technology is not the same as making progress.

A powerful AI tool is still worthless if it isn't solving an actual problem for an actual person. The most advanced chatbot, copilot, or automation platform will fail if it gets bolted onto a broken process. That's the actual risk with AI right now. Making the same old mistake, only faster and at greater expense.

When talking to insurers, I often make a distinction between "design" and "Design with a capital D." When I talk about "Design," I'm not talking about colors, fonts, or pretty screens. Design is the research, the strategy, and the deliberate decision-making underneath every product and experience. It's understanding who a tool is for, what its purpose is, where the work breaks down, and how a solution earns its place in someone's day.

And here's the thing: Design is already happening, whether companies acknowledge it or not. Every agent portal, claims experience, policyholder app, and AI workflow is the result of a decision someone made. The real question is: where and with whom did the decision originate? With the person doing the work, or with an executive mandate, business requirement, vendor pitch, or short-term goal? Too often, the decisions made in insurance have little to do with the human beings they impact.

Agents Are Not the Barrier

In our recent report, The Connective Thread: From Agent and Broker Research to a New Design Vision for AI-Enabled Insurance Work, we spoke directly with agents and brokers about how they are using AI today, where they are finding value, and what is still getting in the way. What stood out was not the agents' resistance, but their resourcefulness.

Agents are already experimenting. They're drafting emails, summarizing policies, comparing quotes, prepping for meetings, and translating complex insurance language into something clients can actually understand. Some are quietly building workarounds because the official systems around them do not support how they actually work.

So the problem is not that agents do not want to use AI. It's that the tools too often do not map to the real friction in their work. The industry keeps talking about AI as an automation story. But when you talk to agents, what they want is integration.

They are not asking for another tab, login, or disconnected assistant. They're already moving between agency management systems, CRMs, email, spreadsheets, carrier portals, and rating tools. They're entering the same information over and over, hunting across systems for context and trying to track what changed, what a client needs, and what follow-up might fall through the cracks. That is not a single-task productivity problem. It is a workflow problem.

AI that helps write an email is useful. AI that understands the context behind the email, pulls from the right systems, shows where the information came from, flags what needs review, and keeps the human in control… that's something else entirely. That is where AI becomes connective tissue, instead of one more tool to add to the pile.

Design Around People, Not Around Replacing Them

For decades, the insurance industry has strived for ways to disintermediate agents. AI has only added fuel to that fire. There's a real temptation to see AI as a way to replace human labor, cut costs, and eliminate the messiness of human relationships.

But that framing misses where the value actually lives.

Sure, AI can create efficiencies. It can reduce administrative burden, help agents manage bigger books, and spend less time on repetitive work. But if your starting point is replacement, you'll miss the bigger opportunity to design tools that unlock capacity, judgment, and relationship-building.

The best agents are valuable because they know what matters. They understand their clients, and they understand risk. They can feel when something is off, and they know what to ask next. That's how they turn complexity into confidence. AI should be making more room for that work, not pushing it to the side.

This is where human-centered design stops being a nice-to-have and becomes a business necessity.

If you want agents to adopt AI, you have to understand how they actually work, not how leadership assumes they work. And that requires more than a survey. It means observing real workflows, listening for friction, and noticing the invisible work that quietly holds the system together. Research embedded in the design process points toward solutions.

Adoption Is the Whole Game

One of the biggest misconceptions about AI is that adoption is what happens after the rollout. It's not. Adoption is the whole game.

A tool is only successful if the people it is built for actually want to use it. People want tools that fit into their world, solve problems they recognize, and make their work meaningfully better in a way they can feel.

Insurance has a long history of underestimating this. The industry spends significant money on technology that never lands because it has never fully accounted for the human experience surrounding it. Then, when usage is low, the conclusion is often that people are "resistant to change."

Most of the time, that's the wrong diagnosis.

People are not resistant to change that helps them. They're resistant to tools that make their day harder, add complexity, create risk, ask them to trust outputs they cannot verify, or worse, are designed to replace them.

AI cannot simply generate confident answers. It has to earn trust. Agents need to see where information came from, verify recommendations, correct outputs, and approve what goes to a client. "Trust but verify" is not just a user preference here. It's a design requirement.

What Leaders Should Do Differently

If a carrier, brokerage, or insurtech CEO asked me where to start right now, I'd say this: Catch yourself before you jump to the solution.

The pressure to move fast is real, and speed does matter. But moving fast doesn't mean skipping the work that makes speed useful. Before you decide what AI feature to build or what vendor to buy, sit with these three questions:

  • Who is this for?
  • What problem are we solving?
  • And what outcome are we actually after?

Then go talk to the people who'll use it. Watch how they work, find where the friction really lives, and let that learning shape the AI strategy before the roadmap hardens. A few focused weeks of research and design up front can save you months, or years, of expensive misalignment down the line.

The Opportunity Is Still Enormous

Despite the industry's habit of chasing tech before thinking about people, I remain optimistic. The opportunity to differentiate in insurance is astounding. The bar for better experiences is still too low.

AI can help agents spend less time searching and re-entering the same information. It can help newer employees get up to speed faster. It can preserve institutional knowledge, make complex decisions more transparent, and free up time for the things that actually build loyalty. Advice, empathy, and relationship-building.

But only if it is designed around people.

The companies that get this right understand that technology alone does not create transformation. People do. It comes down to whether they trust the tool enough—and find it valuable enough—to actually use it.

Insurance doesn't need more AI for the sake of AI. It needs AI that solves actual problems for the people doing the work, in the real flow of their day. That's the design challenge. And if the industry takes it seriously, it's also the clearest path to transformation.


Josh Levine

Profile picture for user JoshLevine

Josh Levine

Josh Levine is the founder and CEO of Cake & Arrow, an experience design and product innovation company that works exclusively with insurance companies. 

With a career spanning over 25 years, he has led innovation and design initiatives for more than 40 of the most prominent carriers, distributors, and insurtechs—including MetLife, Travelers, Aflac, Chubb, Aon, Amwins, and Unqork. 

Biggest Threat Yet to Captive Insurance Agents

State Farm's announcement of a tough new compensation structure suggests that the captive model for insurance agents has finally passed a tipping point.

Image
Captive

Back in 2013, when Chunka Mui and I were doing some consulting work on innovation for the CEO of a top-five personal lines insurer, he was trying to rewire the compensation structure for his captive agents. He wanted to encourage them to focus more on growth and less on building a book of business and then servicing it ("coasting," in his words). 

He noted that he wasn't trying to cut the total dollars paid to agents. He just wanted to take two percentage points out of the base commission and pay the money out as incentives. 

"But every time I float the idea," he said, "the agents turn around and kick me in the crotch." (He used a more colorful word.)

Having kept an eye on the issue for more than a dozen years now, I believe that State Farm's announcement of a take-it-or-leave-it, incentive-driven compensation model for its 19,000 captive agents marks a turning point. Change always takes time, but I believe the captive agent business will be very different a few years from now.

Let's have a look. 

A smart piece by David Gritz of InsurTech NY provides the backdrop, showing how the industry has been deemphasizing the traditional captive model for years. Noting that the trend predates the generative AI explosion by many years, he writes:

  • "June 2020: Nationwide ends its captive agent program.
  • "November 2021: Liberty Mutual transitions captive agents to independent agencies.
  • "January 2023: Allstate signals a reduction in captive distribution.
  • "June 2026: State Farm reduces benefits and commissions for captive agents.

"Viewed individually, each decision can be explained by company-specific circumstances. Viewed together, they reveal something larger: carriers are increasingly questioning whether exclusive distribution remains the optimal model for growth."

Gritz also neatly summarizes what, for me, is the core change that is working against captive agents:

"Consumers can purchase insurance through direct channels, comparison platforms, embedded insurance experiences, independent agencies, affinity groups, digital marketplaces, MGAs, and increasingly AI-powered interfaces.

"Carriers want the flexibility to pursue all of these opportunities simultaneously. Exclusive distribution creates natural channel conflict when a carrier wants to experiment with new distribution strategies."

He gets into other reasons, too, but for me the key is that three decades of development of the internet, led by customer service pioneers such as Amazon, have conditioned us to expect to be able to see all our options, and instantly. We don't just look at what clothes Macy's or Nordstrom might offer us; we look at every seller. Even if we've settled on a brand or a specific item, we still look everywhere for the best prices — in seconds. 

In that sort of world, it just doesn't make sense for someone looking for insurance to walk into the office of the local State Farm agent, even if the agent is a smart and lovely person who sponsors the customer's daughter's soccer team. 

It's not clear how quickly the change away from captive agents will happen. A Silicon Valley truism is that you have to make sure you don't confuse a clear view with a short distance. And the reason for that adage is that so many people make that exact mistake all the time — including, well, me.

I predicted the end of car dealerships 25 years ago, because all you really need is a way to test drive a car. You can then order your choice straight from the manufacturer, get it in a couple of weeks, and not have billions of dollars of car inventory sitting on lots around the country, pushing up costs for everybody. But change has been so slow that we're only now starting to see the sorts of effects on dealers that I expected by 2005 or 2010.

Still, the transition away from captive agents is inevitable. Independent agents will keep growing — witness the interest in the HUB International IPO — while captive agents will have to fight a rear guard action. They will be under pressure from both ends. Their carrier employers will demand more growth and more flexibility to explore other distribution channels. Customers will press for lower prices while also insisting on more options.

And I think State Farm, as one of the last big holdouts relying on captive agents, has pushed the transition past the tipping point, so it should only accelerate from here.

Cheers,

Paul

Insurers Must Prepare Now for El Niño Season

With El Niño forecast at 80% and AI-driven fraud rising, carriers must act now before disaster season arrives.

El Nino

Every spring, the forecasts roll in, and every year the insurance industry does the same thing. We brace ourselves.

2026 is no exception. The Climate Prediction Center, part of NOAA, recently raised the odds of an El Niño pattern forming to 80%. Some experts are warning of a "super" El Niño that could hold on for a full year. El Niño brings extreme heat, floods, and the kind of volatile conditions that turn straight into claims — wildfires, floods, severe storms, even hurricanes. Over the next 12 months, carriers could see a real surge.

Here is the part that should give every carrier pause. El Niño usually calms the Atlantic hurricane season. Warmer Pacific waters drive up wind shear, and that wind shear holds down the number and intensity of Atlantic storms. Usually. A couple of years ago, El Niño delivered far less wind shear than expected, and paired with record-high Atlantic surface temperatures, we ended up with more than 20 named storms. The U.S. got lucky on landfalls that year. Luck is not a strategy.

And the weather is only half the story. Reduced federal programs, thinner funding, and fewer emergency response teams all push more weight onto insurers to get aid and boots on the ground after a fire or a storm — to help families and businesses actually start to recover. On top of that, fraudsters have discovered AI. Fake photos. Fabricated video of damage that never happened. The claims floor just got more complicated.

So what do we actually do about it? Glad you asked. Here are four moves carriers can make right now.

Start with education.

Most policyholders read their policy exactly once — the day they buy it. Maybe they skim the claims steps when the welcome packet shows up. But unless someone has recently watched a tree come through their roof, they have no idea what they need or how to file. So tell them. Before storm and wildfire season kicks off, run an education campaign for policyholders in high-risk areas. Remind them to keep insurance documents somewhere they can actually grab them in a hurry — go-bags, emergency kits, the glovebox, their phone. Walk them through how to reach you after a disaster, especially when the cell towers are down and the internet is gone. The worst possible time to learn the claims process is in the middle of losing everything.

Invest in claims management.

When disaster hits several regions at once, you need a claims partner who can staff up fast. That is the whole ballgame. Beyond handling the legitimate claims, carriers now have to catch the fraudulent ones — the AI-generated images and video built to slip past a busy adjuster. AI cuts both ways here. It is genuinely useful for scaling claims processing, but it needs guardrails, so that a real human confirms a real person experienced real damage. AI is not going to replace decades of adjuster expertise. What it can do is make good adjusters faster and good operations sharper. The job is finding a partner who holds that balance.

Build your housing network before you need it.

Wildfires, floods, hailstorms — these used to be local problems. A town, a county, a bad week. Not anymore. They have become recurring, national events, and the displacement they cause stretches longer and wider every year. When a family's home is unlivable or a company's building is unsafe to enter, they need somewhere to go, and they need it fast. But when one region gets hit two or three times in a season, or hundreds of households are displaced at once, hotels and short-term rentals and office space dry up in a hurry. If your book has real exposure to El Niño this summer, line up those relocation partners now. Not after.

The time to prepare is now.

El Niño is not projected to fully arrive until summer, but the extreme weather did not wait for the calendar. Tornado outbreaks have already torn across the Midwest and the South. Nebraska battled the largest wildfire in its history. The West broke heat records in March. If last year taught us anything, even a mild hurricane season leaves plenty of room for a record number of other disasters and billions in damage.

We will never know exactly when or where the next one lands. But predictive AI models have made the forecasts sharper than they have ever been, which means insurers are better positioned to respond than ever before. So let us act like it. Educate policyholders with guidance built for their real risk. Invest in the right mix of technology. Choose a claims partner who can scale when the sky falls. The storms are coming either way. The only thing still undecided is how ready we are when they get here.

Split P&C Market Demands Split Renewal Strategy

Property rates are easing while casualty lines tighten, requiring insureds to tailor renewal strategies by coverage line, not market averages.

Financial Graphs

No, you cannot have a single word answer to the question, "Is the insurance market soft?" The more useful question is: which part of the market, and for which account? Data unlocks the nuance of this market and allows insureds to benefit from places their risk profile coincides with pockets of softness in the market.

Alera Group's 2026 Property and Casualty Market Outlook reports that we're in a mixed market. Preliminary data from our market update (due out in July) validates this result. Property is easing (unless you're in specific CAT zones), while umbrella and excess remain stubbornly constrained for many accounts. That unevenness is where renewal outcomes for the rest of the year will be won or lost.

When the market is hard everywhere, renewal work often collapses into damage control. When conditions start to shift, the work changes. It becomes less about whether you can get a quote and more about whether the account is positioned—through its submission, risk story, and program design—to earn the best terms available.

Treating "P&C" like one market is the biggest risk

The market outlook is based on Alera Group's third-quarter 2025 market survey of insurers, wholesalers, and industry vertical experts. The data is then matched against in-depth interviews with market drivers and experts. The report points to selective moderation in rates across many lines, alongside improving coverage availability and meaningful capacity expansion. At the same time, several casualty-driven segments remain pressured, and the broader environment—including social inflation, regulatory constraints, and catastrophe loss trends—continues to complicate underwriting and buyer expectations.

That mix is exactly why a single renewal playbook can backfire. A team can assume the market is easing, only to run straight into tighter casualty scrutiny or a suddenly almost impossible-to-insure property location. On the other hand, they can assume nothing has changed and miss opportunities created by improving capacity and broader availability.

What the outlook implies for renewal conversations

The outlook projects average decreases in several major lines, but with wide ranges. Commercial Property (including Business Interruption) is projected at -4.6% average (range -20% to +5%). D&O shows projected decreases, as well, -3.8% for private (range -10% to +5%) and -11.7% for public (range -20% to 0%). Workers' Compensation is projected at -5.6% (range -20% to +10%).

At the same time, several lines remain projected to increase, often moderately, but not always. Commercial Auto is projected at +10.6% (range +5% to +15%), General Liability +6.7% (range 0% to +15%), Umbrella and Excess Liability +7.0% (range 0% to +15%), and Medical Malpractice +10% (range +5% to +20%). Cyber is projected at +1.4% average (range -15% to +10%), while Professional Liability is essentially flat (+0.1%).

These are useful directional markers, but they do not remove uncertainty. Account pricing still varies with fundamentals like industry sector, risk quality, and proximity to catastrophe-prone areas. Underwriting decisions are also increasingly shaped by nuanced variables such as highly specialized risk factors applicable to niche business types, local legal and legislative trends, and leverage with vendors with regard to risk transfer. Underwriters have more data than ever, and some are determined to use it—even when its applicability may be unproven or not yet well-calibrated for a specific class of risk.

Capacity is the opening signal that creates real leverage

Capacity is the name of the game this year. In the survey, respondents forecast increased capacity most dramatically in Commercial Property (53% increasing; 47% same; 0% decreasing) and Personal Lines and Private Risk (64% increasing; 18% same; 18% decreasing).

That does not mean every account will suddenly get better outcomes. But it does change what is possible. When capacity expands, you can revisit decisions that were previously "forced" by scarcity. For example, you can rework how a tower is built, how layers are placed, whether limits are efficiently purchased, and whether the structure still reflects the insured's balance sheet and risk appetite, or just last year's constraints.

Underwriting flexibility is not universal, and casualty remains the pressure point

The outlook also suggests underwriting is becoming more flexible in some areas. Commercial Property shows 40% more flexible (60% same; 0% stricter). D&O (public) shows 67% more flexible (33% same; 0% stricter). Workers' Compensation is also trending more flexible (38% more flexible; 62% same; 0% stricter). Personal Lines and Private Risk and Surety show flexibility as well.

But casualty-driven segments remain a different conversation. Umbrella and Excess underwriting is projected as 46% stricter (46% same; 7% more flexible). General Liability is 36% stricter (55% same; 9% more flexible). Commercial Auto is 29% stricter (57% same; 14% more flexible). Medical Malpractice is 33% stricter (67% same; 0% more flexible).

To put it in plain language (and to set expectations internally), some parts of the market are opening, but underwriting is not "relaxing" across the board.

What to do next: separate opportunity work from defensibility work

In a split market, renewal strategy has to split too.

Where property and other areas show improving capacity and more workable options, the work is about earning better outcomes. That means building a submission that matches the sophistication of underwriting today and using improved conditions to revisit program design.

Where umbrella and excess and other casualty-driven segments remain pressured, the work is about defensibility. It means being ready for harder questions, narrower comfort with severity, and heightened scrutiny.

In both cases, the differentiator is execution. The market outlook shows the value of starting early enough to produce a clear and defensible picture of the risk. That includes accurate valuations and exposure schedules, a straightforward explanation of operational changes, and evidence of how the insured's controls reduce the frequency and severity of loss. It also means closing the gap between what the insured believes about their risk and what the data suggests—particularly as underwriting relies more heavily on imagery, analytics, and localized catastrophe modeling.

And finally, 2026 remains a structural year. The market outlook highlights captives, structured programs, and quota-share arrangements as approaches where traditional capacity is restricted or expensive, and points to tools like parametrics to address gaps where traditional policies may not respond as expected. When conditions are changing, structure can be as important as rate.

The takeaway

This is not an "easy" market, but it can be more workable if teams resist the urge to generalize. For leaders, that means planning renewals with line-by-line realism, investing in data discipline and underwriting-ready submissions, and being willing to revisit program structure as capacity returns. As conditions continue to shift, better outcomes will go to the most prepared insureds and the most disciplined teams.


Justin Foa

Profile picture for user JustinFoa

Justin Foa

Justin Foa is leader of Alera Group’s property and casualty (P&C) practice. 

Foa has more than 30 years of insurance industry experience, including more than 10 years with multinational brokerage firms before he joined his family’s firm, Foa & Son, becoming its president in 2006. 

He is a graduate of the Wharton School of Business at the University of Pennsylvania, where he earned his bachelor’s degree in insurance and risk management. 

Cybersecurity Training in Insurance Must Keep Pace

Annual cybersecurity training no longer suffices as AI-powered threats grow more sophisticated, demanding insurers adopt continuous, personalized employee education.

CyberSecurity

Few industries have a greater need for effective cybersecurity training than insurance. Insurers store vast amounts of sensitive information like personal identifiers, financial data, medical records, and Social Security numbers, which makes insurance organizations a prime target for cybercriminals.

To complicate the situation further, artificial intelligence (AI) is helping bad actors create more convincing scams and deploy them at a greater scale. According to Verizon's 2026 Data Breach Investigations Report, 62% of breaches worldwide involve the human element. One thing that has become clear is annual cybersecurity training alone is no longer enough to keep pace with such an ambitious moving target like cyber hygiene. Insurance organizations must rethink how they train employees and adopt more engaging (and frequent) approaches than what regulations mandate.

The Unique Challenges of Cybersecurity Training in Insurance

One of the biggest challenges in cybersecurity training is getting people to care. While insurance regulations mandate cybersecurity training, checking a regulatory box does not create lasting behavioral change. In fact, the word "compliance" often puts employees in a frame of mind that is counter to what the trainer wants, which is an engaged employee.

Cybersecurity professionals spend their days immersed in technical concepts, but most employees do not. A significant portion of the trainer's role involves translating highly technical security measures into practical guidance that employees can understand and apply in their daily work.

That challenge is amplified in insurance because every role interacts with risk differently. Executives, claims adjusters, underwriters, agents, brokers, customer service representatives, actuaries, and policy administrators all face different cybersecurity threats and responsibilities. An annual one-size-fits-all approach rarely works.

The stakes are high because insurers possess information that cybercriminals actively seek. These employees are targeted more frequently because attackers understand the value of the data insurers protect. That means trainers must continuously reinforce strong cyber hygiene habits and help employees recognize evolving threats before they become incidents.

Cybersecurity Trainers Must Think Like Marketers

Many trainers understand their job is to improve cybersecurity awareness. Fewer recognize that they are also competing for attention. Meaningful behavior change requires continuing engagement and repeated touchpoints. That is why cybersecurity trainers should borrow proven principles from marketing. I use my own framework called SURE to reinforce this throughout all my work.

Simple. Communication should be easy to understand. Use shorter words, shorter sentences, and straightforward explanations. Respect employees' time. The faster people can grasp a message, the more likely they are to act on it.

Useful. Content should provide immediate value. Marketers rarely rely on a single content format. They create webinars, blog posts, white papers, videos, newsletters, and social content, often repurposing the same message across multiple channels. Trainers should adopt the same mindset.

Emotionally Resonant. People respond to messages that connect emotionally and feel relevant. Consider the difference between a training titled "Annual Cybersecurity Training Overview" and one called "How to Spot Scams and Protect Sensitive Information." The second emphasizes action and outcomes. It immediately answers the question every employee asks: Why should I care?

Easy to Skim. Content should be easy to skim, with clear hierarchy, thoughtful formatting, and strategic use of bullets, visuals, and spacing. The easier the information is to consume, the more likely employees are to remember it.

These principles may come from marketing, but they are equally valuable in training. Additionally, rather than relying on traditional classroom training alone, organizations should use approaches that help employees stay engaged, retain information, and put their learning into practice.

Using AI to Make Training More Engaging

Leveraging gamification is another way to make learning more interactive. An example of this is conducting monthly phishing simulations. Employees who correctly identify and report suspicious emails can earn points that accumulate toward recognition or rewards. Over time, this creates positive reinforcement and turns cybersecurity awareness into a continuing activity.

Artificial intelligence makes these exercises even more valuable. Instead of sending the same generic phishing email to every employee, AI can help trainers generate realistic scenarios tailored to specific roles. A procurement employee might receive a fake vendor invoice. An executive could receive a spoofed message that appears to come from a board member. New hires and experienced employees can receive different scenarios based on their responsibilities and risk profiles.

This level of personalization matters because attackers are already doing it. Cybercriminals are using AI to create increasingly convincing messages that mirror real business communications. An estimated 3.4 billion phishing emails reach inboxes every day, and approximately 82.6% are now AI-generated. If threat actors are becoming more sophisticated, cybersecurity training must evolve at the same pace.

Leveraging AI and Video for Microlearning

The problem is that this evolution is near impossible to accomplish in an annual seminar. New phishing emails happen every hour. Instead, organizations should embrace microlearning, the practice of delivering information in short, focused, and easily digestible formats. Rather than asking employees to sit through a singular lengthy training session where unique phishing tips might be lost on them by the end, organizations can provide quick learning moments for new individual scams or threat tactics as they happen and reinforce critical concepts. Historically, this would take too much time and bandwidth of a training team (which typically is not large even in a large company). But AI tools are making it easier now.

For example, to make short, quick videos, one approach is to use Camtasia Snagit's step-capture functionality to document a singular process by automatically capturing images of each step. Those images can then be imported into Camtasia.ai and transformed into a short instructional video complete with AI-generated narration and transcription. There are other technologies and means of doing this that help trainers create professional learning content that is easy to update and distribute.

It becomes a lighter lift and the training is more timely, more relevant, and more likely to be consumed by busy employees.

Cyber threats are becoming more sophisticated, personalized, and difficult to detect. As AI continues to reshape the threat landscape, cybersecurity training must evolve as well. Insurance organizations need to evolve training programs from what's mandatory to a continuous, engaging, and tailored approach to the realities employees face every day. That means leveraging AI, embracing microlearning, incorporating gamification, and adopting the communication techniques that marketers have used successfully for years.

The goal is still to make training clear, but it is also to make it memorable. In an industry where one click can lead to a significant breach, creating training that employees actually remember may be one of the most important security investments an insurer can make.