Since the dawn of the smartphone brought convenience to our fingertips, delivering exceptional experiences to your customers has been all but required for companies to succeed. Now, to remain competitive in a constantly evolving, digital-first world, companies are investing in even more creative solutions to meet consumer expectations. The insurance industry, known for being complicated and often confusing, is undergoing a digital revolution of its own in the form of embedded insurance. 

Embedded offerings have been instrumental in the growth of the fintech industry over the past few years, offering ease of use to consumers and additional market opportunities to companies and giving organizations the ability to tailor products and services to individual industries. As embedded offerings continue to evolve and reach new customers, here are my top predictions for what to expect in 2024. 

Embedded insurance is poised for significant growth throughout 2024 and beyond

As traditional and digital insurers continue to make the insurance process more accessible and seamless, the importance and value of embedded insurance offerings and partnerships will continue to grow. In fact, the embedded insurance market was valued at $63.1 billion in 2022 and is expected to grow to over $480 billion by 2032. 

Embedded insurance offerings are nothing new. Travel insurance and services like Apple Care have been around for years. Digital insurance companies were born out of the need to simplify the insurance process for consumers and were designed to quickly adjust to the ever-changing insurance landscape, making them prime contenders to lead the charge into the new age of embedded insurance. 

The growth of the embedded insurance landscape will create a swell of new partnerships and VC investment, but only the strongest will provide long-term value and survive. Embedded insurance partnerships that are created “just because” will not last unless both parties and the consumer benefit from the solutions they offer. 

See also: Embedded Insurance Is Made for SMBs

Partnerships that receive buy in from both parties will survive long-term

In addition to satisfying customers' changing needs, the smooth incorporation of insurance into routine business operations creates opportunities for companies of all sizes. Challenges can always exist, but the advantages of improved customer experiences and a continuously growing market share are too great to pass up. Unlocking the full disruptive potential of these solutions will require a purposeful and cooperative strategy from organizations as they set out to embrace embedded insurance. 

For example, NEXT partners with some of the largest small business software providers in the U.S. to meet a range of small business needs, including purchasing insurance. NEXT's partnerships with Gusto, a payroll workflow platform, Intuit Quickbooks, a full-service accounting platform, and LegalZoom, a legal technology and services company, are all examples of how embedded insurance is providing more value to the small business ecosystem. By offering small business insurance directly through the platforms they are already using, insurers can help entrepreneurs address more of their business needs within a single, integrated platform. These embedded partnerships can continually integrate workflows and be easily updated for efficiency.

Although embedded insurance offerings have simplified the purchasing experience for the customer, some challenges need to be solved. Among these is the intricacy of integrating the current systems of both companies in a partnership. 

Digital insurers will have an advantage because they have the experience and expertise to create the infrastructure for embedded solutions that are not only simple to implement but have the ability to be quickly and easily updated. 

Organizations need to evaluate the traditional standards of financial soundness and underwriting and the technological capabilities of their potential partner, as well as any prior experience with successful embedded solutions. 

The partnerships that will ultimately withstand the test of time are those where both companies are committed to working together to maximize the power of digital offerings. This commitment includes continuous improvement to the servicing and purchasing experience, digitally powered underwriting for fast and accurately priced policies and seamless purchasing within existing user experiences and tailored policies. 

Unlocking the full disruptive potential of these solutions will require a purposeful and cooperative strategy from enterprises as they set out to embrace embedded insurance. 

See also: A New Approach to Embedded Insurance

Embedded insurance is here to stay—it’s not a fad. As consumers continue to expect companies to adapt to meet their ever-changing needs, partnerships that mutually benefit companies and consumers will increase in popularity and value. 

From personal lines of insurance like home and auto to commercial policies like business insurance, embedded solutions are a way of simplifying a traditionally frustrating and time-consuming process. As the number of embedded offerings increases, those that can adapt to the needs of the consumer and have high-level buy-in from all parties involved will break through the noise and not just survive, but thrive. 

Companies that are built in digitally native environments are set up well to claim their place in this embedded landscape, particularly in industries that are primed for disruption, such as restaurants and e-commerce. Embedded solutions help tackle pain points for consumers that have been entrenched for decades, and organizations that can solve these problems quickly and efficiently will lead the charge into the future.

The insurance community is well-versed in the industry’s modernization challenges of the past decade. More and more, we hear stories of carriers that have succeeded by acting fast, liberating themselves from the confines of outdated systems, paper and pencil and other manual processes. We’ve seen this across claims, underwriting, distribution and more. Many core insurance functions are well on the way to keeping pace with the modern consumer. 

Payment is next in line. 

Unfortunately, it is far from keeping pace with evolving consumer preference. According to a recent research study, 40% of insurers fail to provide the payment options that customers prefer. In many cases, insurers are ignoring the elephant in the room.  

It is time for change.

Customers have a wide-ranging preference for payment choice.

There are a few major factors at play here: how consumers prefer to buy insurance, how they prefer to pay for it and how they prefer to receive disbursement--and those preferences change from household to household, from state to state and from country to country. Insurers must sell, collect and disburse to digitally native teens all the way through to older generations who grew up on cash and check. This means a combination of apps, calls, websites, direct mail, in-person and more. On top of that, varying degrees of speed and security required for each individual collection or disbursement, as well. 

This is fluid and evolving in real time. For example, a Duck Creek Technologies Global Consumer Insurance Insights Survey revealed that 52% of consumers felt that buying insurance through an app represented the most secure method, up from just 13% in 2022. That’s a big change. 

Within North American respondents, more than 50% said they are interested in insurance on-demand for short-term rentals. So, the digital movement is well upon us for a growing segment of insurance’s customer base.

See also: What Makes Insurance Invoicing Different

A diverse customer base demands diversity in payment and disbursement options.

Leveraging and connecting to payment services can be a stumbling block for insurers.

If insurers want to have skin in the game, it’s not enough to offer delightful selling experiences and making insurance easy to buy – it must be just as easy, secure and confidence-inspiring to pay or disburse, or customers face a nightmare. 

According to EY, Gen Z leads the way in adopting digital payment methods, preferring quick and easy payment experiences while being less concerned about data and privacy. Furthermore, insurance claim disbursement studies showed that more than 80% of consumers would like to work with organizations that offer quicker disbursement through push-to-card. And when it comes to customer satisfaction, more than 50% of claimants say missed expectations were the result of settlement payments taking longer than they thought they should have. 

That said, it would be a mistake to assume speed rules over all decision making. Because on the other end of the spectrum lie consumers who want a more reliable (whether perceived or true) way to pay or receive disbursement as opposed to in real time. One study found that consumers’ concerns include the fear of funds being deposited into the wrong account (34%), followed by the security of funds, lack of trust in certain payment service providers and the potential for high fees. The result? A third of customers state a preference to not pay extra for or choose the speed of real-time payments. 

Moral of the story: Customers expect (and rightly so) carriers to do it all.

Consumers want to be able to select their payment or disbursement option and have it delivered with speed while also ensuring the security of funds. As the world around us moves, insurers need to be nimble enough to follow where consumer preferences go. 

In today’s cloud-driven insurance technology ecosystem, they can, and they should.

Carriers DO NOT have to go at this alone.

Good news. This task doesn’t have to be daunting. Payment technology providers are entering the insurance space quickly. 

Connecting to payment services has historically been time-consuming and resource-intensive. This meant choice was often limited in favor of simplicity -- and insurers were not maximizing the potential the payments ecosystem had to offer. By leveraging cloud-based payments platforms, carriers will find a faster, simpler, more secure means to offer payment choice. 

Regardless of current IT infrastructure, carriers can quickly and easily connect to the banks, payment technology and payment service providers that their customer base, finance team or geographic compliance demands. Better yet, integrations can take place in minutes, not months.

If not for consumers, carriers should modernize payments for themselves.  

Insurers should also look internally to uncover the benefits of payments technology. In talking with carriers, we see the gaps in payment capabilities seeping into the operational side of the business, as well. Payment complexity trickles into finance, reporting and reconciliation efforts when data is ununified, when formats are unstandardized and when rules for different geographies are unaccounted for. Not only is this confusing, but it is time-consuming and risky, which often leads to financial leak, and the leak can be costly.  

Organizational drivers within insurance include regulation/compliance, operations, growth and innovation. When things get tight, cuts start. Every financial challenge or mismanaged fund or leaked dollar is opportunity lost to innovate for customers and grow the business. 

On top of the obvious loss of funds, plugging holes in payment workflows is expensive. Time lost for finance and IT teams, dollars lost for having to reissue or redo transactions, delays from not collecting on time... and the list goes on. As imperative as it is to meet consumers where they are, the benefits for carrier workflows are arguably even greater.

See also: Enhancing Claims Via Digital Payouts

Where do we end up? 

Carriers want simplified control, visibility and compliance. Consumers want choice, convenience and comfort. Can both sets of goals be met? Yes, and that’s why you’re seeing payment technology penetrate the insurance technology ecosystem. 

It’s time to address the elephant in the room.

Why do drivers switch to electric cars? For most electric vehicle (EV) buyers, it's about money. More specifically, drivers want to save on gas and take advantage of the four-figure tax credits they can claim. 

But some consumers may be overestimating their potential savings. According to one analysis, while insurance for EVs varies a lot by make, EVs still cost around 20% more to insure in 2024 than internal combustion engine (ICE) vehicles do.

While gas prices and federal policies are expected to push millions more drivers toward EV ownership over the next decade, EV enthusiasm has lagged in recent years. Here's how high insurance rates fit into the picture.

See also: We Need to Rethink the Future of Cars

Why are EVs so expensive to insure?

Insuring and managing claims is a fundamentally different process when it comes to electric vehicles versus ICE vehicles. As the EV market and infrastructure for electric vehicles evolves, EV and ICE premiums are likely to find more parity, but for now, expect these obstacles in 2024:

EV pricing

While EV price tags are dropping, electric vehicles still have higher sales prices in general than ICE vehicles, which makes them more expensive to replace after accidents and more costly to insure. Between September 2022 and September 2023, the average price paid for EVs fell from $65,000 to $50,683, but that was still higher than the average price for all new vehicles ($47,899). 

Repairs

EVs are more expensive to repair than ICE vehicles, for a handful of reasons. For starters, the replacement parts market hasn't kept pace with EV growth. There are also fewer repair shops and technicians qualified to work on EVs than on gas-powered cars. So parts cost around 25% more, and labor is more expensive, too. In 2023, EV repairs cost $1,322 more than ICE repairs on average. 

On top of that, EVs have a major battery problem. While the battery in an EV accounts for the majority of the vehicle's value, it's more vulnerable to damage than the battery in an ICE vehicle and more expensive and dangerous to repair. The job can require a specialist. 

EV battery issues are especially complex when it comes to Teslas, because some models have the battery parts glued together and sealed into the car, rendering them difficult to inspect and sometimes impossible to replace.

In 2023, the cost to replace an EV battery ran anywhere from $4,000 to $20,000, not including a labor bill that could be as high as $2,000. So even for an EV with minimal battery damage, a write-off could be more cost-effective. 

The self-driving myth

In late 2023, a LendingTree study found that Tesla drivers had a higher rate of accidents than drivers of any other vehicle brand. While the study didn't pinpoint an explanation, Tesla issued a recall around that same time for nearly every Tesla on the road. The reason? A problem with their autopilot systems was potentially causing crashes. 

Tesla CEO Elon Musk has arguably contributed to the brand's accident proneness. Since 2016, Musk has repeatedly implied that Teslas can drive themselves, and in 2022 some 42% of Tesla Autopilot users believed their vehicles were fully self-driving. Yet the National Highway Traffic Safety Administration (NHTSA) says there is "no vehicle currently available for sale that is fully automated or 'self-driving,'" and in March 2024, the Insurance Institute for Highway Safety (IIHS) gave Tesla's partial driving automation system a "poor" rating. 

Teslas account for more than half of all EVs sold, and Tesla's best seller, the Model Y, is one of the most expensive cars to insure.

Are EV insurance rates holding consumers back from buying EVs?

While the cost of buying EVs is a major deterrent to adoption, most consumers aren't specifically concerned about what they'll pay for insurance. 

In several consumer surveys, including surveys from AAA, Autolist and S&P Global Mobility, respondents have been asked to state their reasons for not wanting to buy an EV. The reasons given in each survey are nearly identical:

1. High purchase price 
2. Limited access to charging stations
3. Lack of confidence in the technology
4. Concerns about mileage range

Based on these results, it's not a stretch to assume that EV buyers don't get an idea of what their insurance will cost until after they're committed to a purchase. 

How to bring down the cost of insuring EVs

Considering how important price is to consumers, a reduction in EV insurance premiums can still be a good driver for new business. Here's how the insurers with the lowest EV premiums are bringing prices down:

Telematics and safe driving discounts

Unsafe driving is a problem for all vehicle types, but it's more likely to result in costly damage with EVs. 

In addition to, or in place of, traditional safe driving discounts, insurers can offer drivers the option to use telematic apps and plug-in devices that collect information about their driving — from hard braking to cell phone use and other hazards. Based on the data, a driver can qualify for a premium discount. For example:

• State Farm, which ValuePenguin found to have the lowest EV premiums on the market, offers safe driver discounts of 30% or more for customers who use their Drive Safe & Save Bluetooth-paired app.
• Tesla's Safety Score (Beta) gives drivers a score from 0 to 100 based on driving behaviors, and the driver's premium can change monthly based on the score. If your average score increases from between 95 and 99 up to 100, you can save over $1,000 per year.

See also: Challenges Facing Tesla Insurance

Bundling incentives

Another way to help EV-drivers reduce their premiums is through bundling discounts, available for customers who buy multiple products or purchase coverage for more than one car. American Family Insurance, another insurer that offers competitive premiums for EVs, gives customers a discount up to 23% for bundling home and auto coverage.

For a more indirect tack, you can also educate customers about the trade-offs involved with EV ownership. While their insurance premiums may be higher after buying an EV, gas savings and potential tax credits can make electric vehicles cheaper to own than similar gas-powered cars, even with insurance prices included.

Businesses always search for ways to drive growth, increase performance and achieve their strategic objectives. One framework that has gained popularity in recent years is Objectives and Key Results (OKRs). They offer a structured approach to setting and measuring goals, enabling organizations to align their efforts and focus on what's most important. But just implementing OKRs is not enough. You need a dedicated and passionate individual to champion the OKR process -- the OKR champion.

The OKR champion plays an essential role in ensuring OKRs are implemented effectively and widely adopted throughout the organization. They act as catalysts for change, driving the cultural shift required to embrace this goal-setting methodology. By promoting OKRs, providing guidance and support, and fostering accountability and transparency, an OKR champion can significantly contribute to an organization's success by cultivating a results-driven culture.

What is an OKR champion?

An OKR champion is an individual who takes on the responsibility of leading and facilitating the implementation and adoption of the OKR framework. They act as a guide, mentor and advocate and are the go-to person for all things related to OKRs.

An OKR champion is a dedicated and passionate person who strongly believes in the power of OKRs to drive organizational success. They have a deep understanding of the OKR framework and are committed to helping their organization effectively adopt and use this goal-setting approach. 

Key characteristics of an effective OKR champion

To become an effective OKR champion, one should possess several key characteristics, including:

1. Strong communication skills

OKR champions must be able to clearly articulate the benefits of OKRs and communicate the framework to employees at all levels.

2. Strategic thinking

They should have the ability to see the big picture and understand how OKRs can be aligned with the organization's overall strategy and objectives.

3. Collaborative mindset

OKR champions must work well with others, fostering a sense of teamwork and collaboration in the pursuit of common goals.

4. Adaptability

As the organization evolves and faces new challenges, OKR champions need to be flexible, adjusting the OKR process as needed to maintain its effectiveness.

5. Patience and persistence

Implementing OKRs can be a gradual process, and OKR champions must be patient and persistent in their efforts to drive adoption and maintain momentum.

See also: 10 Ways Insurers Should Lean on OKRs

The benefits of having an OKR champion

Having a dedicated OKR champion can provide numerous benefits that contribute to the overall success of the organization:

1. Ensuring alignment between teams and organizational goals

The main duty of an OKR champion is to ensure that the OKRs set by different teams and employees are in line with the organization's overall objectives. By guiding and facilitating the setting of OKRs, the champion helps establish a clear connection between day-to-day activities and the company's strategic priorities. This alignment is essential for driving targeted efforts and achieving desired outcomes.

2. Promoting a culture of accountability and transparency

OKR champions play a crucial role in promoting accountability and transparency within an organization. They achieve this by regularly communicating the progress of OKRs, celebrating successes and openly discussing challenges. This approach creates an environment where everyone takes ownership of their goals and understands how their contributions affect the larger picture. Promoting transparency enables better collaboration and problem-solving across teams.

3. Encouraging employee engagement and motivation

When employees have a clear understanding of how their work contributes to the success of their organization, they are more likely to be engaged and motivated. OKR champions play a vital role in creating this clarity by ensuring that OKRs are well-defined, communicated effectively and reviewed regularly. By involving employees in the OKR process and acknowledging their accomplishments, champions can enhance morale and create a sense of purpose and commitment toward the organization's objectives.

4. Facilitating continuous improvement and learning

OKR champions are key in promoting a culture of continuous improvement and learning. They regularly review OKR progress, identify areas that need improvement and facilitate open discussions to help teams and individuals learn from their experiences and adjust their approaches as necessary. This focus on continuous improvement enables the organization to remain agile, innovate and maintain a competitive edge.

5. Driving better performance and results

The efforts of an OKR champion can significantly improve organizational performance and results. By ensuring alignment, promoting accountability, encouraging engagement, and facilitating continuous improvement champions help create an environment where everyone is working together toward common goals and striving for excellence. This focused and collaborative approach can lead to increased productivity, better decision-making and achieving strategic objectives.

Responsibilities of an OKR champion

There are five primary responsibilities that an OKR champion should fulfill:

1. Advocating for OKRs within the organization

As an OKR champion, you must convince your organization's leaders, teams and individual employees about the benefits of OKRs. Your role involves effectively communicating the framework's advantages and building support for the OKR process. It is crucial to articulate how OKRs can help drive focus, alignment and better performance across the organization.

2. Educating and training employees on OKRs

To ensure that OKRs are effectively adopted, the champion is responsible for educating and training employees on the framework. This involves explaining the principles and best practices of OKRs and helping teams understand how to use OKRs to drive their work. 

3. Facilitating the OKR-setting process

This involves collaborating with the leadership team to establish top-level objectives, assisting teams in aligning their OKRs with the organization's goals and ensuring that the OKRs are specific, measurable and challenging yet attainable. Additionally, the champion may guide teams in determining the appropriate frequency for OKR cycles and aid in refining their OKRs as needed.

4. Providing support and guidance to teams and individuals

During the OKR process, the champion plays a crucial role as a resource and support system for both teams and individuals. They are responsible for answering any questions that may arise, providing guidance on how to overcome challenges, and offering advice on how to stay on track and achieve objectives. It is important for the champion to be approachable, knowledgeable and committed to helping others succeed with OKRs.

5. Communicating OKR updates and successes

The OKR champion has the responsibility of communicating any updates and successes related to OKRs across the organization. This involves sharing progress updates regularly, highlighting key achievements and celebrating wins as they occur. By communicating the impact and value of OKRs, the champion helps maintain momentum and engagement and reinforces the importance of the framework in driving organizational success.

See also: How to Optimize Insurance Claims Management

Best practices for OKR champions

As an OKR champion, you need to follow certain best practices to ensure the successful adoption and implementation of OKRs within an organization:

1. Leading by example and setting the right tone

An effective OKR champion should not only promote the usage of OKRs but also use the framework in their own work. By setting challenging OKRs, regularly monitoring progress and openly communicating their own accomplishments and difficulties, the champion can motivate others to adopt OKRs. 

2. Collaborating with leadership and other stakeholders

To ensure that OKRs are successful, the champion needs to work closely with leadership and other key stakeholders in the organization. This involves defining top-level objectives with the executives, integrating OKRs into performance management processes with HR and ensuring alignment with team leaders. By fostering strong partnerships and open communication, the champion can help ensure that there is organization-wide buy-in and support for OKRs.

3. Regularly reviewing and refining the OKR process

Implementing OKRs requires regular review and refinement. The OKR champion should seek feedback from teams and individuals, assess what's working well and what could be improved and make necessary adjustments to the OKR process. This may involve updating templates, refining the cadence of OKR cycles or providing additional training and support. By continuously improving the OKR process, the champion can help ensure its long-term effectiveness and relevance.

4. Celebrating successes and recognizing contributions

When teams and individuals achieve their objectives or make significant progress, the champion should acknowledge and celebrate those wins. This can be done through public recognition, team celebrations or small gestures of appreciation. By highlighting successes, the champion reinforces the value of OKRs and keeps employees motivated and engaged.

5. Continuously learning and staying up-to-date with OKR best practices

To be an effective OKR champion, it's important to continuously learn and stay up-to-date with the latest OKR best practices and trends. This may involve attending workshops and conferences, reading industry blogs and articles and connecting with other OKR practitioners to share insights and experiences. The champion can bring new ideas and approaches to their organization and help drive continuing success for the OKRs.

The wrap

The OKR framework is a powerful tool for organizations looking to achieve their goals. However, the successful adoption and utilization of OKRs requires a dedicated champion who can drive the process, align teams, promote accountability and foster a culture of continuous improvement.

To excel as an OKR champion, it is important to follow best practices such as leading by example, collaborating with leadership and stakeholders, constantly refining the OKR process, celebrating successes and staying up-to-date with industry trends. By embodying these practices and demonstrating a strong commitment to the success of OKRs, champions can make a significant impact.

As organizations encounter new challenges and opportunities, the role of the OKR champion becomes more vital in ensuring teams remain focused, agile and aligned with strategic objectives. By promoting the OKR framework, OKR champions can assist their organizations in not only surviving but also thriving.

Underwriters are busy, and manual processes aren’t helping. However, APIs and automation have been a welcome relief for carriers, from anticipating functions to retrieving data to processing claims faster. I’m betting on 2024 being the “Year of APIs.”

In simple terms, an API (application programming interface) automates tedious tasks. APIs act as digital bridges of code that allow devices, software applications and data servers to communicate with each other. 

As commercial and specialty underwriters grapple with legacy systems and siloed data, APIs emerge as operational steroids, propelling processes forward and optimizing workflows. API integration isn't just about adopting new technology; it's about meeting evolving customer demands. In an increasingly competitive market, speed and efficiency are a top priority. With insurers trying to keep pace with customer demands, sometimes a few hours of slowdown can determine the success or failure of a risk being accepted. By leveraging APIs to trim wasteful practices and optimize workflows, insurers create an ecosystem where everyone thrives, including the customer.

See also: A New Approach to Embedded Insurance

Amid the pricing and product strategies, customers are increasingly seeking quality service. With APIs, customers face less friction in the application processes. APIs can integrate with claims processing systems, enabling faster resolution and improved customer satisfaction. This frees time for underwriting teams, enabling them to focus less on admin and more on the underwriting process.

Imagine an API that retrieves weather records or property information instantly, eliminating the need for manual data entry. This streamlining translates to faster processing times, reduced errors and significant cost savings. An E&S underwriter could then prepare risk data in hours, versus days. 

See also: Making Inroads With Open APIs

However, moving to an API-driven future isn't without its challenges. APIs can be complex and run into compatibility issues with different versions of software, leading to errors and system failures.  

Change is uncomfortable, but it is essential for growth. Insurers today are moving toward a more integrated digital system ecosystem, and they're recognizing how APIs improve speed and decision-making. With APIs as their operational steroids, insurers are poised to gain a competitive edge.

Here's to the year of APIs.

In a recent webinar, titled "The Year of the API," I spoke with industry leaders Ryan Seager from TruStar Underwriting and Matt Carter from Altus Specialty Markets about the transformative potential of API-enabled technology. 

In an era of advancing technology, cyber insurance is a critical defense for organizations against the intricate web of digital threats. With ever-evolving threat actor groups and the increased sophistication of cyber attacks, businesses face unprecedented challenges in safeguarding digital assets, mitigating potential financial losses and maintaining their reputation. Staying ahead of the curve requires a comprehensive understanding of emerging risks and the coverage considerations that accompany them.

State of the Market

Rates for cybersecurity insurance have declined because of an influx of new carriers. The surge in competition has led to greater diversity in offerings and pricing structures, providing businesses with a more robust breadth of options. As of 2024, the cyber insurance market stands at $14 billion and is projected to reach $52 billion by 2030, with an annual growth rate of nearly 25%.

As technology rapidly evolves, carriers are boosting the prevalence of cybersecurity and risk management solutions in insurance policies. 

See also: Insuring Risks Amid AI's Constant Evolution

Current Ransomware Environment

Despite government task forces, law enforcement disruptions and pledges not to pay, ransomware persists as a major threat.. After temporary setbacks from takedowns such as those of LockBit and Alphv, ransomware groups have bounced back. According to a study by Munich Re, ransomware stood out as the primary contributor to cyber insurance losses. The manufacturing sector was the most targeted, followed closely by professional services, retail, healthcare and IT. Financial services were also among the top targeted industries.

Cybercriminals employ increasingly sophisticated tactics, including double extortion schemes and targeted attacks on critical infrastructure. Meanwhile, ransomware-as-a-service (RaaS) models have lowered the barrier to entry for cybercriminals, enabling less technically skilled individuals to launch ransomware attacks. 

Consequently, businesses must adopt a multi-layered defense strategy, including regular data backups, robust endpoint protection and employee awareness training, to mitigate the risk of ransomware infections.

Use of AI in Cyberattacks

The emergence of AI has revolutionized cyberattacks, enabling threat actors to execute highly targeted and convincing phishing campaigns. Deep fake technology, which uses AI to manipulate audio and video recordings, exacerbates the risk by facilitating impersonation and fraud in electronic funds transfer scams. 

A highly publicized example is the multinational corporation that lost $26 million during a Zoom call when the sole authentic (and only human) employee mistakenly transferred the funds, believing the other participants were colleagues, including the CFO.

Instances like these underscore the importance of vigilance and implementing layered cybersecurity measures. Such measures can include AI-powered solutions for threat detection and response and email authentication protocols such as DMARC (Domain-based Message Authentication, Reporting, and Conformance) to prevent email spoofing and phishing attacks.

See also: Embedded Artificial Intelligence (AI) in Financial Services

Social Engineering Threats

Recent incidents, such as the Scattered Spider attacks on MGM and Caesars casinos, highlight the persistent threat of social engineering tactics. Cybercriminals leverage psychological manipulation techniques to deceive employees and gain unauthorized access to sensitive information or systems.

These measures can help mitigate social engineering attacks:

Prioritize Security Training

74% of all data breaches involve a human element. Because social engineering attacks manipulate human vulnerability, not technology, every employee must be knowledgeable and comfortable with cybersecurity best practices. Regularly provide employee awareness training and phishing simulations to empower your workforce to detect and react to suspicious activities effectively.

Tailor Security Policies to AI Risks

Develop policies and incident response protocols aimed at educating staff on emerging AI threats, with a particular focus on social engineering scams. Encourage cautious social media behavior and prompt verification of requests and define protocols for reporting and responding to potential breaches.

Implement Advanced Cybersecurity Measures

Adopting practices such as zero-trust security (never automatically trusting any entity in or outside the network) and multi-factor authentication (MFA) are two easy and effective ways of thwarting a majority of social engineering attacks. Password managers and open-source intelligence (OSINT) monitoring can also help mitigate vulnerabilities. 

Key Coverage Considerations

When evaluating cybersecurity insurance policies, organizations must carefully assess coverage features to ensure adequate protection against evolving risks. Key considerations include:

• Examine the policy's coverage for exclusions such as acts of cyber war, terrorism or government or regulatory actions. As state consumer privacy laws evolve, so do non-covered perils. 
• Evaluate the extent of coverage for social engineering incidents, ransomware attacks, business interruption losses and regulatory fines and penalties.
• Scrutinize the carrier's obligations under the insuring agreements, distinguishing between the duty to pay and the duty to reimburse, which can significantly affect cash flow management in the event of a cyber incident.
• Review policy limits and sub-limits to ensure they align with the organization's risk profile and potential exposure.

Fortifying Your Digital Defenses

As the digital ecosystem continues to transform, collaboration among insurers, businesses and cybersecurity experts is essential in fortifying cyber resilience and mitigating the impact of cyberattacks. Cyber insurance is a pivotal tool for risk management in today's business sphere, providing invaluable assistance in navigating the financial repercussions of cyber events. 

The perks of securing a cyber policy extend far beyond financial indemnification. Cyber insurance offers access to specialized resources and services to aid businesses in cyber incident response and recovery efforts. From breach notification aid to crisis management assistance, cyber insurance empowers organizations to navigate and mitigate the impacts of cyber incidents, bolstering their resilience against evolving threats. Through investment in cyber insurance, businesses secure tailored coverage designed to confront cyber threats head-on.

Six years ago, my friend Adrian Jones and I published our first deep analysis of the iconic full-stack insurtech carriers (Lemonade, Root and Metromile). Our "Five Dispatches from Insurtech Survival Island" found:

1. Underwriting results have been poor
2. It costs $15 million a year to run a start-up insurtech carrier
3. Customer acquisition costs and back-office expenses (so far) matter more than efficiencies from digitization and the absence of legacy systems
4. Reinsurers are supporting insurtech by losing money, too
5. In recent history, the startup insurers that have won were active in markets not targeted by incumbents
6. 

Personal note: I really miss that 2018 collaboration with Adrian to review the insurtech facts and figures. A week of back-and-forth, integrating the different perspectives and challenging each other, allowed us to extract the best from our accumulated knowledge. Moreover, his analytical rigor and exposure elegance made the first chapters the most precious gems of this six-year-long series. However, it is what it is. I'm continuing to report here my perspective on the insurtech facts and figures. It is an unpolished and instant snapshot of my perspective, written by carving out a few hours on an overnight intercontinental flight. I'm trying to write something interesting each month... but available time and inspiration allows me to do it just eight or nine times a year. I do my best, hope you like it.

In the past months, the current full-stack insurtech trio (Lemonade, Root and Hippo) published their 2023 results, and they were not so bad. The dispatch from Survivor Island says: We are alive, and we may survive! (Metromile, one of the original castaways, didn't and was acquired by Lemonade a couple of years ago.)

Sse also: Tech Secret to a Combined Ratio Below 100%

Let's look at some of the main pieces of evidence from this dispatch:

1. It costs $1 billion to $2 billion to build an insurtech carrier that barely enters the top 30 in personal auto or homeowners
2. Underwriting results have improved but are still poor
3. The carriers are still not efficient
4. 

• Root burned $1.7 billion to build an auto business of almost $800 million in premiums. (The U.S. auto market was $316 billion in 2023, with the 25th player writing $1.3 billion.) The company grew until 2021, shrank in 2022 and rebounded last year. A non-immaterial part of its business comes from embedded insurance.
• Hippo burned $1.2 billion to build an insurance business of $1.1 billion in premiums. An MGA back in the day, Hippo has acquired a carrier that gives underwriting capacity to MGAs (IAAS in the figure below) and is acting also as an agency selling third-party policies (services in the figure below). Without the agency premiums, the written premiums are $800 million. Hippo is an articulated business that has continued to grow over the years, but the original homeowner business sold and underwritten (HHIP) in the figure below) is pretty stagnant at about $300 million (U.S. homeowner multiperil was $152 billion in 2023, with the 25th player writing almost $1 billiion).
• 
• Lemonade burned about $1.1 billion to build an insurance business of slightly more than $700 million in premiums and has reached the milestone of 2 million clients. The main line of business is homeowner multiperil, as for Hippo (but with a predominant presence of renter insurance), with about a quarter of the premiums done by the pet insurance business (inland marine) and with a limited contribution of the auto and international business. Lemonade in renter and pet insurance is probably able to show the most relevant market shares among all the businesses of the trio. Unfortunately, the segments aren't big enought to allow us to talk about any sign of disruption in the market.

See also: The 'I Told You So'​ Moment

Underwriting results have improved but are still poor

All these players have hired seasoned insurance executives over the years and have focused on improving technical profitability. Since the time when they were used to pay out in claims the same or even more than they’ve collected in premiums, there has been (somehow) evidence of significant improvement:

• Root has brought the loss ratio down to 76%, while the personal auto insurance sector was on average almost at 78% 
• Hippo has brought the loss ratio down to 71%. However, the Hippo product (HHIP in the figure above) is still at 103% while the homeowner multiperil line '23 loss ratio was 72%. More than fixing the Hippo original homeowner product, they are writing a good business with Spinnaker as a fronting carrier for other MGAs, and this subsidizes Hippo's loss-making business. 
• Lemonade has brought the loss ratio down to 85%, but that is high for homeowners insurance and extremely high for a mostly renter portfolio. 

Note: All are gross loss ratios and include LAE;  the Root's figure below is about loss ratio without the LAE. 

Root's loss ratio is an outlier and doesn't deserve the headline "poor"; however, I've some doubts if it is more due to their underwriting performance or to the peculiar contingency of the U.S. auto insurance market. Their shareholder letter says, "We recorded an exceptional loss ratio as we benefited from our technology platform’s ability to drive pricing and underwriting improvements," and, "We are still in the early chapters of disrupting the auto insurance industry." 

In 2023, large carriers in many states struggled to obtain regulatory approval for rate changes and, consequently, tightened their underwriting guidelines. It isn't unlikely a small carrier with bloody past technical results has obtained quick approval for rate changes and had room for growth (without investing too much in advertising). 

Before dropping the magic world "disruption" loved by futurologists and black swan hunters, I suggest waiting a few quarters within a more stable auto insurance market landscape. 

See also: Lemonade's 'Synthetic Agent' Nonsense

Still not efficient insurance carriers

All three players have cut their marketing budgets compared with what they were used to; they aren't any longer the pure and brave online direct-to-consumer players you have met at insurtech conferences with colored T-shirts. All of them are also working with independent agents and embedding insurance policies in other incidental channels. Moreover, Hippo's only profitable business is the fronting business with the policies sold by other MGAs.

They have also controlled the cost base at a decent level, all but Lemonade:

• Root: spent in marketing and sales 6% of the premiums, and its administrative costs are 22% of the written premiums;
• Hippo: spent in marketing and sales $56 million (9% of the premiums of the Hippo product and the agency), showing that selling third-party policies at least offsets part of the marketing costs. The other costs represent 17% of the premiums written (thanks to the efficiency of the fronting business);
• Lemonade spent in marketing $102 million (14% of the written premiums), and the other costs added 38 percentage points to the combined ratio.

All these businesses burned a significant amount of cash even in 2023. The cash lost in operating activities was: Root, $34 million; Hippo, $92 million;, and Lemonade, $119 million. All amounts are lower than in the previous years. In the next few days, the Q1 '24 financials will be published, and we will have an update on the trajectory.

Considering the trend of improvement and that there are still significant buffers of cash in their balance sheet, our castaways may survive. 

But there is still no sign of any disruption from the island.

Inflation is a complex phenomenon, its roots intertwined in various economic, political and global factors. This presents unique challenges and opportunities for the investment strategies of insurance companies.

Insurers are still navigating from a terrain marked by prolonged low investment rates and squeezed margins to an unpredictable inflationary environment and balance sheets holding large unrealized losses. This article explores how insurers can adapt their investment strategies to hedge against uncertainties caused by inflation and extended periods of higher interest rates, exploring avenues such as real estate, equities and specialty products, while also incorporating strategic asset allocation and risk management best practices. Conning believes applying more dynamic investment strategies may also benefit insurers over the long term for most economic conditions.

The Impact of Inflation and the Outlook for Interest Rates

Our March 2022 Viewpoint studied the impact of inflation on insurance companies’ financial statements, observing deviations between actual results and projections due to deteriorations in assets and liabilities. We highlighted the extended influence of inflation and some companies’ constraints in implementing protective measures. We also discussed the limited flexibility that many investment portfolios have in dealing with these challenges amid regulatory and rating agency scrutiny. Ultimately, we determined that a thorough portfolio assessment and strategic planning can significantly mitigate these concerns.

The federal funds rate ended 2023 at 5.33%. Despite the U.S. Federal Reserve’s declaration to halt the cycle of increases, the outlook for the next two years remains uncertain (see Figure 1), but there is a strong inclination toward keeping rates higher for an extended period.

Figure 1 - The Fed’s Outlook: Higher Interest Rates for Longer but an Unclear Path

Although the exact timing and sequence of policy adjustments remains uncertain, the implications of maintaining higher interest rates for an extended period are multifaceted.

These are positives for insurance companies: Sustained higher rates present a unique opportunity to recalibrate pricing strategies, innovate by launching products and move their investment portfolios toward higher-yielding investments.

However, higher rates could also lead to elevated borrowing costs for the economy overall, prompting a pullback in business investment and expansion, potentially ushering in a phase of economic deceleration. (The real estate sector’s responses remain uncertain.) Moreover, the capacity of financial companies to manage unrealized losses hinges on their ability to maintain sufficient liquidity, and any disruption in the capital market or broader economy could lead to premature rate cuts, which may initially invigorate growth but also carry the risk of renewing inflationary pressures.

See also: The ABCs of Agency Planning for 2024

Mitigation Strategies for the Risks Ahead

During periods of uncertainties, correlations between asset classes typically shift, as we saw back in 2022 when both equities and bonds underperformed.

Figure 2 models how various sectors within the insurance industry investment universe might perform over a five-year period, both on average and in a tail scenario in which inflation ranges between 3.5% and 9.5%.

Figure 2 - Projected Five-Year Performance During Average and Tail Scenarios

To demonstrate further, we sampled two insurance company portfolios: a life company with a business mix of 50% individual life, 20% group life and 30% individual annuities, and a workers’ compensation insurer. Their investment strategies, both before and after they were modified to adjust to a higher-interest-rate environment, are in Figure 3.

Figure 3 - Sample Portfolios, Current and Altered Strategies

Figure 4 illustrates how total returns for both companies declined 0.4% and .2%, respectively, as a result of tail scenarios (in this case, an environment where inflation remains above target for an extended period) and how modifying the investment strategy can reduce the impact (the decline in returns improved from 0.4% to 0.2% for the life company and from 0.2% to 0.04% for the P&C company).

For both of our sample insurer portfolios, the key to navigating such environments lies in the flexibility and adaptability of their investment strategies. Such strategies might include investments in asset classes with a growth component or a natural inflation hedge or changing duration to better manage interest rate risk and mitigate some of the inflationary pressure.

Figure 4 - Sample Portfolio Projected Performance, Average and Tail Scenarios

We also point out how the modeling illustrates how the alternative strategies may improve portfolio performance in both the average and tail scenarios. While we are seeking to address the immediate concerns of a higher-for-long rate environment, we believe the dynamic nature of the alternative strategies offers significant benefits in other market conditions.

In scenarios in which the financial landscape undergoes meaningful changes, Conning also believes it is necessary to conduct a thorough assessment of a company’s investment portfolio to identify risks, level of diversification and areas for improvement.

The two charts in Figure 5 illustrate how we can adjust the investment portfolio of the workers’ compensation insurer with an optimal asset allocation, resulting in no change to downside risk (as measured by the 95% Value-at-Risk) but improving diversification benefits by 90 basis points.

Figure 5 - Projected Strategy Impact on P&C Portfolio’s Risk, Diversification

See also: 5 Key Mistakes in Long-Term Planning

Measuring Value at the Enterprise Level

When we examine the possible risks to both assets and liabilities, we can help insurers understand the adverse consequences to enterprise metrics such as net income, operating cashflow or surplus. It becomes essential to evaluate how a modified investment strategy can benefit the enterprise value of the company, not only investment yield or total return.

Using Conning’s proprietary modeling software, we’re able to measure the economic impact in each case and for each strategy. With a suitable strategic asset allocation (SAA) analysis, we’re able to assess such risks and adeptly adjust duration and introduce asset classes (such as specialty fixed income, collateralized loan obligations (CLOs), commercial mortgage loans (CMLs), equities, etc.) to help manage periods of uncertainty and market volatility. This helps position the company’s profile (assets and liabilities) to minimize risk exposure, enhance return and diversification and meet financial goals.

Figure 6 demonstrates how the alternative strategy for the workers’ compensation insurer outperforms the existing strategy in a normal steady state and the tail scenario (a period of above- target inflation).

Figure 6 - Projected Strategy Impact on P&C’s Enterprise Value

The negative impact on the company’s economic value was improved by more than $2 million in our example as a result of a timely optimal asset allocation. (Conning uses economic value as a measure of valuation, which reflects the market value of assets minus the discounted value of liabilities plus the value of future operations.)

Expanding to the full distribution of outcomes, Figure 7 illustrates the long-term economic value of the workers’ compensation company projections for both steady state and an environment in which inflation remains above target for some time. Although the alternative strategy introduces additional variations in results (comparing the two floating bar charts), the 99% Value-at-Risk (a measure of downside risk) remains stable (comparing the two strategies across the dotted red line), and economic value under the alternative strategy is higher.

Figure 7 - Projected Distribution of P&C Insurer’s Economic Value by Portfolio Strategy

Swift and Steady Can Win the Race

The ability to respond swiftly to the constantly changing economic environment can be a huge benefit to insurers. While our study focused on addressing higher-for-longer rate concerns, we think a dynamic approach to investment strategy offers rewards in most economic environments.

Whether addressing the intricacies of inflation risk, duration risk or the complexities of elevated correlation risk, strategic reallocation of investments must consider the intricate interplay among assets and liabilities (a nuanced and comprehensive approach) in the prevailing economic environment. Such meticulous assessments and strategic investment realignments are pivotal in mitigating the impacts, thereby optimizing the overall portfolio performance in the face of dynamic market conditions. 

Max Drucker, CEO of Carpe Data, said the quiet part out loud about insurtech last week. 

“Insurtech is never going to be exciting again,” he said. “Insurtech is never going to be a thing again like it was before. Companies like Carpe Data are going to be vendors to insurance carriers. Whether we’re providing data, whether we’re providing software, whether we’re providing services, we’re vendors.”

Some numbers back him up. Gallagher Re reported last week that global insurtech funding totaled just $912.3 million in the first quarter, which was down 17% from the fourth quarter and was the lowest total for a quarter in four years. The HSCM Public InsurTech Index has fizzled, down 55% from its peak in early 2021.

Many of the big storylines for insurtech have fizzled, too. Peer-to-peer models never amassed enough capital. Blockchain, while making progress, isn't going as fast as many hoped. The full-stack companies have been a major disappointment thus far. And Big Tech? Those expectations that Amazon, Google, Apple or some other giant would swoop in and redefine insurance as they have other industries? Nope.

So is Drucker right? Should we just fold up our tents, give up on profound innovation in insurance and go home?

That's a nope, too, in my opinion. But we do have to adjust our thinking some.  

I'll concede Drucker's point that lots of innovation, whether from startups or from incumbents, will go toward operational efficiency — what we used to call Better, Faster, Cheaper during the internet boom of the second half of the '90s. 

As he put it, according to an article in Insurance Innovation Reporter: “'We can do all these great, wonderful things for you' is not a sales pitch that carriers want to hear. It comes down to 'How do we cut costs,... how do we really get control of this business?’” Drucker added that incumbents are thinking: “‘The last thing I’m looking to do is really have to really engage in something big again because the last two years have been pretty rough, and so now we’re really just trying to stabilize.’”

In fact, I've said repeatedly that being an "arms supplier"--another term from the first internet boom --to carriers is the most reliable way for a startup to succeed, while trying to supplant them is a high-wire act. 

But it seems odd to give up on insurtechs right as generative AI is creating so many opportunities for innovation. Many of those, at least in the early days, will be of the Better, Faster, Cheaper variety, and many ideas won't pan out, just as happened with the big ideas from 2015-2020. But there sure is a lot of runway ahead for generative AI.

And not all the big ideas from the first wave of insurtech flamed out. The Internet of Things (IoT), in particular, is spreading sensors throughout homes and businesses in ways that enable a switch from the traditional repair-and-replace model for insurance to a Predict & Prevent approach. There's a lot of runway there, too.

Besides, the U.S. economy seems to have managed a soft landing, and recent softening in hiring means the Fed may finally start lowering interest rates in coming months. While rates were so low that money was almost free for years, rising rates in the past two years have greatly increased the cost of money, constraining new investment and leading to the sort of "profitability now!" environment that Drucker says startups are facing. Lower rates should start to loosen the purse strings, at least a bit.

If AI, IoT and falling interest rates aren't enough to convince you of the bright prospects for innovation in insurance, consider the sorts of opportunities Adrian Jones pointed out in a presentation at InsureTech Connect last November. Jones, who was co-head of a $200 million VC fund at the time and is now chief of staff, international and global markets at Acrisure, cited five insurance companies founded in the past 20 years that have built sustained, multibillion-dollar market capitalizations. (One happens to be Acrisure.)

The key was not breakthrough technology or the "move fast and break things" ethos of Silicon Valley. The key was finding a dislocated market and having an experienced management team that could exploit it — as opposed to the newcomers to insurance who ran many of the early insurtech startups, thinking their technology expertise would buy them time to learn about insurance on the fly. 

His presentation describes the five like this:

• Acrisure consolidated small retail distributors, which tended to be undercapitalized and often were looking for a succession plan. It was cofounded and is run by Greg Williams, who had 23 years of industry experience and had already founded two companies when he started Acrisure in 2005. It last raised capital, in 2022, at a $23 billion valuation.
• Ryan Specialty Group saw an opportunity when the Big 3 were forced to sell their wholesale distributors. It was founded in 2010 by Pat Ryan, who had 48 years of experience and had been CEO of Aon. It has a market cap of more than $6 billion.
• Athene spotted the opening in fixed annuities following the 2008 financial crisis. It was founded in 2009 by James Belardi, who had 23 years of experience and had been CEO of Sun America. It was acquired by a private equity firm in 2022 for $11 billion.
• Kinsale responded to strict regulation in admitted markets by moving into excess and surplus lines, especially for small risks. It was founded in 2009 by Michael Kehoe, who had 15 years of industry experience and had been CEO of James River. It has a market cap of more than $9 billion.
• Essent jumped into the market for mortgage insurance following the housing market collapse in 2008. It was founded by Mark Casale, who had 22 years of experience and had been an executive vice president. It carries a market value of $6 billion. 

"Insurance executives have been the biggest disruptors of insurance," Jones said.

All those companies were started years before the insurtech movement began, in 2015 or so, and they aren't based on technology, but they show the kind of highly profitable innovation that's possible in the industry. Carpe Data may see itself slotting into Better, Faster, Cheaper work at carriers — and loads needs to be done to make the industry more efficient — but other technologies and other types of innovation can still lead to profound improvement.  

Cheers,

Paul

Epidemiologists and virologists know that pathogens often mutate into new strains, forcing our immune systems – and vaccine development – to adapt. A recent cyber attack on a key entity in the healthcare supply chain has shown a disturbing evolution in cyber risk. As a result, healthcare organizations will have to adapt and expand their efforts to mitigate cyber threats.

On February 21, a division of UnitedHealthGroup, Change Healthcare, was struck by a ransomware attack. Change Healthcare is the largest healthcare payment platform in the U.S., acting as a clearinghouse for pharmacy and medical claims and payments. Recovering and reconnecting the platform has taken several weeks, and as of this writing, was continuing.

The attack on a linchpin of the healthcare industry’s payments infrastructure has disrupted patient care as well as provider operations. A large amount of data also was taken during the attack, but it remains unclear whether any records in the breach include protected health information, which is subject to data privacy laws, such as the Healthcare Information Portability and Accountability Act (HIPAA).

The attack is among the most serious in recent history, but it’s far from the only ransomware incident involving healthcare. Healthcare organizations of all sizes are targets for cyber criminals. A 2023 survey of more than 650 U.S. healthcare organizations by the Ponemon Institute found that 88% had experienced at least one cyber attack in the prior 12 months, with an average of 40 attacks per facility.

See also: Cyber's Evolving Threat Landscape

A good time to take action

Amid evolving cyber threats, growth in cybersecurity regulations and a changing insurance marketplace, healthcare organizations should take action now – to strengthen their cyber risk management programs and improve their protection.

Attacks like the one on Change Healthcare are likely to continue. Data breaches in lieu of, or in addition to, data encryption, also are likely. Perpetrators of other ransomware attacks have increased their extortion demands by threatening to release sensitive data on a victim organization’s customers or employees. A high-profile example is MOVEit, a 2023 ransomware attack on a widely used file transfer application. The MOVEit breach involved data breaches from at least 1,000 organizations around the world, including hospitals, universities, government agencies and global corporations.

The healthcare industry continues to attract cyber criminals, for multiple reasons. These include the industry’s dependence on technology systems, volume of sensitive data and the severe consequences of disruption to healthcare facilities. Indeed, healthcare experienced the most cyberattacks of any U.S. industry during the first half of 2023, according to a report on cybersecurity insurance by the National Association of Insurance Commissioners. The NAIC also noted the healthcare and public health sector had the costliest data breaches in 2021, averaging more than $9.2 million per incident. Notably, healthcare experienced the highest average data breach cost for 11 consecutive years, dating back to 2011.

Large data breaches are becoming more frequent for the healthcare industry, according to the federal agency that tracks them. The U.S. Department of Health and Human Services’ Office of Civil Rights found a 93% increase in the number of large breaches overall between 2018 and 2022, and a 278% surge in such breaches involving ransomware during that period. 

The frequency and severity of ransomware attacks in healthcare are concerning. Consider the financial and operational impact of just a few attacks, as noted in the 2023 Hospital Cyber Resilience Initiative Landscape Analysis, conducted by HHS, the Centers for Medicare & Medicaid Services and the Healthcare & Public Health Sector Coordinating Council:

• A California-based nonprofit healthcare company experienced a ransomware attack and data breach in May 2021 that resulted in an estimated $112 million expense from lost revenue, remediation and fines. The company separately paid $3.5 million to settle class-action litigation arising from the data breach, and several of its owned hospitals were forced to turn away patients.
• A university healthcare network in the Northeastern U.S. had a ransomware attack in 2020 that caused at least $21 million in damage. The healthcare network disclosed the impact of the event to warn peers: The ransomware attack shut down 1,300 servers, infected 5,000 endpoints and hundreds of applications and required working without email for 25 days (and without radiology systems for 40 days).

Understanding vulnerabilities

To be sure, hospitals and other healthcare organizations are aware of the risks that cyber events can pose to patient safety and their balance sheets. Yet, a vast number of healthcare entities remain vulnerable because they continue to run antiquated systems. In the Hospital Cyber Resilience Initiative report is a disturbing statistic: 96% of hospitals are using operating systems or software with known vulnerabilities, and that includes medical devices used in delivering patient care.

The report found hospitals have made significant progress in implementing email protection systems, but urgent improvement is needed in various areas, including: endpoint protection systems, identity and access management, network management, vulnerability management and security operation center and incident response. With incidents such as Change Healthcare occurring, hospitals should accelerate their efforts and fix vulnerabilities as soon as possible.

Four ways to enhance cyber protection

Healthcare organizations can take steps now to enhance their level of protection against cyber events. Here are four actions to consider:

1. Analyze your organization’s cyber risks. A cyber attack that encrypts the network and steals patient data, in addition to a ransom demand, can be devastating. Understanding the risks and quantifying vulnerabilities is a critical first step toward resilience, for healthcare and every other industry.
2. Assess risk in your supply chain. As both MOVEit and Change Healthcare demonstrate, the financial impact from a cyber attack on key suppliers and service providers can be severe. How reliant is your healthcare organization on third-party technology providers? What could happen to your organization if one of them was shut down for a week or more by a cyber incident? Answering questions such as these is important to building an effective business continuity plan and minimizing disruption to healthcare operations.
3. Explore options for cyber risk mitigation. Knowing about a vulnerability is only the first step. Next comes deciding on the best ways to mitigate or eliminate the risk. With cyber risk, various cyber security measures can reduce the possibility of loss. With key suppliers, contractual risk transfer and tighter vendor requirements regarding cyber risk management could be useful.
4. Revisit cyber insurance coverage. With the Change Healthcare attack, many healthcare organizations have put their cyber insurance carriers on notice for potential dependent business interruption claims, including net income loss and extra expenses. At the time of this writing, it remains to be seen if the associated data breach will increase these loss amounts. Now is the time to review cyber insurance policy terms to ensure that the limit, retention and breadth of coverage is appropriate.

See also: How to Build a Solid Cybersecurity Program

Cyber insurance market conditions continue to be competitive

Currently, the supply of cyber insurance coverage exceeds demand. As a result, healthcare organizations now have strong opportunities to negotiate more favorable terms and conditions for their cyber insurance policies.

Insurance prices have eased after multiple years of steep increases and tightened capacity due to record levels of ransomware claims in 2020 and 2021. Better underwriting practices and improved insured cyber security controls have attracted new insurance carriers to the market. The additional capacity helped stabilize prices in 2023. Competition has led to an easing of the tight terms and conditions that prevailed in prior years. Exploring the market can pay off in at least three distinct ways:

• Obtaining higher limits. Healthcare organizations may be able to purchase more cyber coverage than in the past given more carrier participation in the market.
• Reducing premiums and retentions. Competition and capacity available in the cyber marketplace mean healthcare organizations can potentially find lower-cost policies and shrink the size of their self-insured retentions, too.
• Removing sublimits, increasing overall coverage. More cyber insurers are willing to remove sublimits on certain coverages if healthcare organizations can demonstrate strong cyber security controls. This can lead to an increase in overall protection for cyber exposures.

Not taking the time to strengthen cyber risk management can lead to other risks for healthcare organizations, the most serious being degradation of patient care. The Ponemon Institute’s 2023 survey found different types of cyber threats directly affected healthcare organizations’ delivery of care. For example, 77% of respondents with supply chain cyber attacks reported the events disrupted patient care, up from 70% in 2022. Similarly, 69% of organizations with a business email compromise (BEC) or spoofing attack reported a care disruption, and 68% reported problems for patient care resulting from ransomware.

Taking advantage of opportunities in the insurance marketplace can strengthen healthcare organizations’ risk management programs, improve resilience and bring certainty in today’s volatile cyber risk environment.