FROM THE EDITOR

Telematics and Trust: The UBI Revolution by Henry Kowal, Matteo Carbone Adoption of auto telematics has increased 28% a year in the U.S. since 2018. Usage-based insurance is no longer a niche. It is a mainstream strategy. Read More Key IoT Trends in 2026 by Marina Zudina From AI-based IoT to digital twins, five transformative technologies are making IoT deployments smarter, faster, and more secure in 2026. Read More

Why Prevention Is the New Protection by Daniel Grimwood-Bird Rather than inferring exposure solely from historical outcomes, commercial auto underwriters can now access leading indicators of attentiveness, distraction, and behavioral discipline. Read More Can Insurtech Fix Homeowners Insurance? by Matteo Carbone Even a 20% gain in operational efficiency doesn't move the needle enough. The real opportunity is in "connect and protect. Read More

Telematics Drives Shift in Commercial Insurance by Shammi Thakur Commercial insurance is evolving from reactive risk transfer to continuous prevention through real-time telematics and behavioral data. Read More Insurance Risks Being Left Behind by Dominique Roudaut Widening protection gaps demand insurers transform from risk transfer to resilience providers or face existential decline. Read More

Paul Carroll

I’m often intrigued by how far back the roots of innovation go. For instance, we know that automobiles trace back to at least the 1770s, because the first auto accident was recorded in 1771; a Frenchman hooked a steam engine to a cart and crashed into a wall. 

As for the Internet of Things, our ITL Focus topic for this month: Some students at Carnegie Mellon rigged a vending machine in 1982 so they could monitor whether it had sodas available and whether they were cold. In 1993, students at the University of Cambridge pointed a camera at a coffee pot and got it to send a live feed to their computers so they could see if coffee was available without having to walk over to the coffee station.

Those IoT examples say something about how clever students can be about being lazy, but I’m more interested in what they say about adoption curves. The IoT is avant garde these days, yet its roots trace back more than four decades.

You’ve become the poster child for the Predict & Prevent model for insurers, based on your innovations with the IoT that led to the Ting sensor that plugs into a wall outlet and detects electrical problems. You’ve done the research and shown that you can prevent so many fires that dozens of major carriers are giving Ting to customers at no cost. But you still face headwinds.

What can you tell us about the headwinds that IoT innovation faces and about how you’re overcoming them?

Bob Marshall

I would probably qualify the notion of headwinds or challenges. We're distributing roughly 50,000 Ting sensors a month, and by many measures that would be considered extraordinarily successful.

We want to go faster—not just for business reasons but because we're trying to have an impact on homes, families, communities, and society. If we can get Ting into tens of millions of homes, we will be able to help prevent electrical fires, protect families and prevent loss at an even greater scale. Still, we’re approaching 1.4 million homes with Ting today. 

What's driven the success, I would say, is the clarity of the mission. Customers worry about fire. They don't want their house and their family to ever have to deal with a fire. When we can communicate Ting’s value proposition to the homeowner, they adopt it enthusiastically.

The challenge when it comes to Ting is that it's a new category. It's a device and a service that nobody's ever had before. 

People recognize that you need multiple smoke detectors in your house, you've got to replace the batteries, and every 10 years you're supposed to replace the smoke detectors. But when we first describe Ting to a customer, it’s not something they know they need. So we have to build that awareness.

When we do a brand awareness survey of the U.S. population and ask if they're familiar with Ting, this thing that can prevent electrical fires in your home, less than 2% of people are going to say they're aware of it.

This year, we're going to make a pretty substantial investment to build brand awareness of Ting. When one of our carrier partners sends an email campaign to their homeowners asking them to get Ting, we want people to be more likely to say, "Oh yeah, I've heard of that, and I want it."  

Paul Carroll

Simplicity is a significant advantage for Whisker Labs. I’ve seen lots of innovations fail because companies assumed that the benefits they delivered were so great that consumers would be willing to jump through a few hoops. They almost never will. But when I got my Ting, I just plugged it into the wall and scanned a QR code to download the Ting app and enable notifications if you ever detect problems. Took me maybe a minute… and I’m technologically challenged.

Bob Marshall

100%. We've been focused on that from day one. The connected home and IoT became very significant about 15 years ago, but a lot of the early IoT sensors required too many devices, too many batteries, and the apps and UX were clunky. Anything that is not simple for the homeowner is not going to scale. It just won't.

If you go back 10 years or so, even if somebody signed up for an IoT device, only maybe 30% of people installed it. The economics were broken. Somebody paid for all that hardware to get shipped, and 70% of devices never got plugged in, so there's little loss prevention.

Batteries are an issue, too. If you power a device with a battery, you have to replace it after a few years. Are people going to remember to replace the battery? If they don't, the economics get all wrecked. We paid for getting hardware in, and the service has stopped.

By contrast, 85% to 90% of Ting sensors get installed, and there's no battery. The sensor will last 15 years or longer without needing anything to be replaced.

Paul Carroll

Where did you get the idea for Whisker Labs?

Bob Marshall

The impetus for the idea came from Earth Networks, where I was a cofounder. We were an IoT sensor company deploying weather and climate sensors, connecting them to the internet, and collecting massive amounts of data. We provided that data to NASA, NOAA, utilities, and insurance companies. We had a lightning detection network.

Then my sister-in-law's house burned down in 2015. They lost their entire house and a pet to an electrical fire. I didn't know anything about electrical fires at the time, but when you research them you learn they start from loose connections and damaged wires that arc and spark.

Lightning is essentially a big spark in the sky, and we had really sophisticated sensors that could measure every lightning strike on the planet. So I challenged our chief scientist, chief technology officer, and lead engineer: Why can't we take that global lightning detection technology, miniaturize it, and detect these tiny sparks that cause home fires?

We started work in 2016. It took us the better part of two years, incubated as a skunkworks project inside the old company. We incorporated Whisker Labs in September 2017 after we'd figured out a technical solution.

This is a life safety product, so it had to be completely proven. We did substantial testing in thousands and thousands of homes before we made Ting available to the public in early 2020.

Paul Carroll 

There’s a seminal book, “Crossing the Chasm,” by Geoffrey Moore, that is still much-read in Silicon Valley even though it came out in the early 1990s. It notes that lots of companies attract early adopters who are fans, maybe even fanatics, but never cross the chasm to a mass market. When you thought about crossing the chasm, did you target insurance companies, go direct to consumers, or do both?

Bob Marshall

Insurance only. There have been a couple of successes that took the direct-to-consumer approach—Nest and Ring—but then you've probably got 100 companies that failed. It takes too much money to market a new product to consumers and get the widespread adoption needed to make the business work.

So we elected to go insurance first, particularly given that fire is an important issue for carriers. It's a big loss category.

Obviously, carriers wouldn't deploy the Ting technology until they had seen full testing of it. So we deployed with a number of insurance companies. We went to employees. We went to agents. We deployed to their labs, and we did a couple years of extensive testing before our insurance carriers would offer it to their actual customers.

Paul Carroll

You've now commissioned research that demonstrates that the savings from fire prevention are significantly greater than the cost of deploying Ting. But in the early days, how did you move beyond test projects with insurance companies?

Bob Marshall

Insurance companies are obviously very conservative by nature, and actuaries understandably want comprehensive historical data before they're comfortable endorsing new technologies. So how do you get there? We were fortunate to have partnerships in place with people who believed in what we were trying to do and the mission. They were very much committed to the mindset of moving toward Predict & Prevent, and they were willing to make the investments to make that happen.

Now we've got ample data to document the performance of the technology. We know that customers love it. We know that customers stay with their insurance carriers longer when they're provided Ting. We cobrand the experience, and we know engagement is high. So we check all the boxes.

And the way we've structured our partnerships—I think this is super important—is something that wasn't done in the earliest days of IoT in insurance. Early on, the business models weren’t aligned. Companies selling prevention technology to insurance carriers were satisfied with selling the hardware. If you got an insurance carrier to buy 100,000 water sensors, that was a big win. The sellers didn't necessarily care whether customers plugged them in or not or prevented any loss.

Our partnership model is solely focused on the service, as opposed to the hardware. We only get paid if the sensors are plugged in and providing the service. It's on us and the partnership to make sure customers are plugging in Ting, it's staying online, it's preventing fires and doing good. 

It's critical to make sure the interests of all parties in our partnership are aligned.

Paul Carroll

How do you get from 1.3 million or 1.4 million homes to the tens of millions you want to reach?

Bob Marshall

We launched the product commercially in March 2020, which was terrible timing, as COVID shut everything down for a year or two, but progress is now pretty steady.

Nationwide is a good example. They were already at 80,000 homes and recently committed to putting Ting in 500,000. That's a sizable percentage of their home book. And that's because they know it works, they know it prevents losses, and their customers love it.

We’re working with almost 40 carriers today, and they probably cover 60 million to 70 million homes in the U.S. If we got every one of our insurance carriers to put Ting in just 25% of their book, that’s at least 15 million homes.

That's why we're investing in marketing to build brand awareness and make it easier for carriers to get their customers to adopt Ting. We're working on incentive programs to engage agents so it's not just the corporate part of the carrier motivated to get it out.

Paul Carroll

Thanks, Bob. I always feel better after we talk.

About Bob Marshall

Robert Marshall is the founder and CEO of Whisker Labs. Whisker Labs, a spinout of Earth Networks, delivers next-generation home energy intelligence technology to realize the full potential of the connected home.

In 1992, Marshall co-founded AWS Convergence Technologies, the company that would become Earth Networks, by pioneering the networking of weather sensors and cameras using the internet. By developing groundbreaking technology to find "signals" — valuable, meaningful intelligence — in big-data "noise," Marshall improves people's lives and protects their livelihoods. 

He has appeared on CNN, BBC World News and ABC Nightly News and has been quoted in major news outlets that include the New York Times, the Washington Post, Nature and Scientific American.

"AI will not replace humans, but humans who use AI will replace those who don't."

Whether or not you agree with that sentiment from Sam Altman, the implication is undeniable: Yet as businesses embrace AI, a precarious gap has opened between its capabilities and the insurance frameworks designed to protect organizations in light of this technology.

The Breakdown of Legacy Tech E&O

The P&C industry has long relied on tech E&O for risk mitigation when it comes to digital services. But these legacy policy forms were largely built for a software era where human error was the main culprit. There was a relatively clear trail of accountability, and a failure typically meant a system crash or a coding bug.

Today, we see autonomous agents making decisions that result in financial loss. Dynamic, self-learning algorithms are making questions of liability much more complex. New rules are being written seemingly in real time.

Take the Air Canada example – perhaps one of the highest-profile instances of AI E&O. Back in 2024, the airline's chatbot hallucinated a policy offering retroactive bereavement refunds. When the passenger tried to claim the refund, Air Canada refused, arguing that the chatbot was a separate legal entity, responsible for its own actions.

A Canadian tribunal rejected this defense, saying that a company is responsible for all information on its website – whether it is delivered by a web page, or an automated agent. "The AI said it" was not a legal defense.

There has been a distinct rise in grey-zone liabilities like this – risks that don't fit neatly into the buckets of a standard data breach or a traditional professional error. Consider issues such as algorithmic bias, data poisoning, and technology-driven discrimination. These risks often fall in the cracks between cyber exclusions and professional liability triggers.

For brokers and insured businesses, this gap creates dangerous exposure to a new class of litigation where policy language simply hasn't kept pace with technology.

Same Regulations, New Litigation

The idea of "cyber risk" itself is evolving thanks to the impact of AI. Where it was largely about data privacy in the past, businesses today also need to think about algorithmic accountability.

One of the most striking examples is how the Americans with Disabilities Act (ADA) is being used as a tool for technology litigation. For example, if an AI-driven hiring tool or a financial services algorithm inadvertently discriminates against a protected group, the resulting legal challenge can be seen as a violation of professional standards and statutory law.

Workday came up against this in 2025, facing a massive class-action lawsuit (Mobley v. Workday) that alleged its AI-based screening tools discriminated against applicants based on race, age, and disability.

This case showed that blaming a technical glitch isn't legally defensible. When technology begins to make decisions that affect human rights and equity, an error is ultimately a failure of governance – it's people that are ultimately liable.

Traditional E&O policies often focus on language such as "failure of technology to perform." This wording doesn't handle socially-driven technical failures.

From Risk Transfer to Integrated Resilience

For the P&C market to remain sustainable and relevant, we can't just be reactive. Digital innovation now happens so fast that by the time a claim is filed, the underlying technology has likely already iterated several times over. New technological uses for AI are emerging every day.

To meet this moment, the insurance industry must pivot to an integrated resilience framework – a ground-up re-engineering of policy language that addresses the reality of modern autonomous systems.

This requires a shift from simple risk transfer to a "predict, prevent, and insure" model. In this new framework, insurance can't be a static document sitting in a folder somewhere. It must include:

• A complete digital risk package that integrates cyber coverage, threat protection, and 24/7 incident response directly into the Tech E&O form.
• Insurer bundles that feature real-time threat intelligence and proactive monitoring.
• Explicit language to avoid exclusions and bridge the gap left by grey-zone liabilities.

By implementing these changes, we can provide incentives for early incident reporting (through motivators like retention waivers for fast action) rather than penalizing it – which ultimately leads to incidents that spiral into larger liabilities. We can create an environment where insurers and businesses are working together to strengthen resilience; rebuilding trust and collaboration.

Restoring Confidence Through Insurance

The ultimate goal of insurance should be to provide businesses with the confidence to innovate. In the early days of digital transformation, that meant protecting against hardware and human failures. Today, it means giving businesses of all sizes – from startups to enterprises – the self-confidence to deploy AI and SaaS solutions without the fear that an unforeseen algorithmic bias or a sophisticated social engineering attack could derail operations.

Simplicity is key here. Both cybersecurity and insurance have a reputation for being unnecessarily opaque. As we face sophisticated AI-related risks, our industry's response shouldn't be to add more jargon and complex exclusions. Instead, we should strive for unambiguous coverage that recognizes how professional services and digital delivery are connected.

Protecting Innovation for the Future

The path forward requires our industry to embrace a more proactive stance. We must move beyond the data breach and embrace a model where insurance is an active participant in a company's security posture. This means not only helping them respond to and recover from incidents faster, but perhaps more importantly, helping them predict and prevent incidents in the first place.

Validation for this approach is growing. We're beginning to see the market move toward all-in-one protection models that combine insurance with active risk management platforms. These platforms provide the tools and training necessary to strengthen controls before an incident occurs.

But the gap between legacy and modern Tech E&O is still growing. We need insurers and coverage models to keep pace with the ever-changing AI landscape.

The AI-fueled gap in Tech E&O is a challenge, but it is also an opportunity to build a more sustainable P&C market. By evolving our products to match the sophistication of the tools our clients use, we can ensure that the digital economy remains a safe space for growth and innovation for everyone.

Insurance has never lacked ambition when it comes to modernization. Most carriers recognize the pressures reshaping the industry. Risk is becoming more volatile, customers expect faster and more personalized experiences, and legacy operating models are making it harder to respond at the pace the market now demands. AI gives insurers an opportunity to close that gap by improving how decisions are made across the insurance journey. The challenge is to turn that intelligence into governed action fast enough to make a difference.

Across climate-exposed regions, carriers are reassessing where they write business, how they renew policies, and what levels of catastrophe exposure they can responsibly carry. In cyber insurance, threat vectors evolve faster than historical loss experience can reliably inform pricing and underwriting. Litigation trends, inflation, geopolitical disruption, supply chain instability, and specialty market complexity are all changing portfolio dynamics in ways that affect pricing adequacy, underwriting appetite, claims severity, capital allocation, and customer behavior at the same time.

In my opinion, the issue is no longer whether insurers recognize the need to adapt. The real challenge is whether their operating models can convert signals, models, rules, and human judgment into production decisions quickly enough to keep up with these changing conditions.

Risk is outrunning episodic decision cycles

Insurance operating models were largely built around periodic adjustment. Rate changes, underwriting rule updates, product modifications, compliance reviews, and distribution decisions often move through sequential processes. Those processes were rational in a market where risk signals developed more slowly and decision cycles could afford to be measured in months, but that environment is fading.

When market conditions shift faster than execution cycles, the consequences become real. Delayed rate action can weaken pricing discipline and expose margin before carriers fully see adverse selection building inside the book. Slow underwriting appetite changes create another form of exposure, especially when business continues to be written against assumptions that no longer reflect the carrier's strategy. Even customer signals lose value when they remain disconnected from pricing, product, and retention logic, leaving profitable relationships exposed.

Legacy systems are part of this tension, although they are not the villain. Policy administration systems, claims platforms, billing systems, and rating infrastructure remain essential systems of record. The problem is that many are being asked to support adaptive decision making work they were never designed to handle. Systems built to store, administer, and transact are now being pushed to sense, decide, govern, and adapt continuously.

The bottleneck is not the model

Boards and executive teams are investing in AI for good reasons. AI can accelerate analysis, automate repetitive tasks, improve modeling precision, and help teams process more complex data than traditional workflows allow. Working with customers, I see why that investment makes sense. The industry needs more speed, more precision, and better use of scarce expertise.

Yet many AI initiatives lose momentum once they move beyond experimentation. A pricing model can sharpen analytical precision without making the enterprise more adaptive if underwriting still moves through disconnected workflows, claims signals never reach product and portfolio decisions, and customer engagement tools improve outreach without connecting to the logic that determines risk, profitability, and retention.

The issue is not just model performance, but the ability to connect data, models, business rules, workflows, governance, and human oversight so AI can support real underwriting, pricing, claims, and customer decisions in production.

Insurance decisions carry financial, regulatory, and social consequences. They must be explainable, auditable, repeatable, and aligned with underwriting discipline and capital management. Horizontal AI tools can improve productivity, but insurance-grade decision making requires domain depth, governance, and operational context from the start.

Decision making needs an operating layer

Many insurers have made real progress inside individual functions, especially in pricing, underwriting, and claims. The problem is that local improvement does not automatically create enterprise agility. A stronger pricing model has limited strategic value if underwriting cannot act on the same intelligence, claims signals do not inform portfolio decisions, and customer engagement remains disconnected from risk and profitability. The deeper issue is not whether intelligence exists inside the business, but whether it can move across the business in time to change the outcome.

Insurers need governed decision making to work above and across existing systems. That layer should allow carriers to preserve operational stability while enabling intelligence to move across pricing, underwriting, claims, compliance, distribution, and customer engagement.

The aim is to reduce the distance between insight and action, giving carriers a more consistent way to test changes, understand likely impacts, govern approvals, deploy updates, and monitor outcomes as AI moves from experimentation to operational capability.

Governance makes speed deployable

Speed only strengthens resilience when it is matched by control. In insurance, faster decisions only create value when they remain explainable, auditable, and aligned with regulatory and business discipline.

This is where governance becomes a deployment advantage. Carriers that cannot explain how decisions are made will struggle to scale AI into production. Teams may trust a model in a pilot environment, but production use requires traceability, bias monitoring, approval workflows, performance monitoring, and clear human accountability.

That does not mean slowing the business down. It means building guardrails into the way intelligence operates. Pricing optimization, underwriting evaluation, portfolio steering, compliance validation, claims triage, and customer retention each require the right form of AI, the right level of automation, and the right degree of human involvement.

The New Operating Discipline for Insurance

Insurers need a new operating standard: one that connects intelligence across the policy lifecycle and gives carriers the speed, adaptability, and control to respond as conditions change.

The next phase of insurance transformation is as much about operating design as it is about AI. AI creates value when it is embedded deeply enough into the business to support faster, more disciplined, and more accountable decisions. That gives carriers a better way to recalibrate pricing, refine underwriting appetite, identify portfolio drift, support compliance, and respond to customer signals before opportunities or exposures have already moved.

AI capability alone will not close the insurance execution gap. The real advantage will belong to carriers that can make intelligence operational, connecting models, data, workflows, rules, and governance into decisions that keep protection available, profitable, and resilient.

When allies of President Trump went on television over the weekend to say that a peace agreement between the U.S. and Iran was 95% complete, I was reminded of a truism among software developers in the 1990s: "The first 80% of a project takes 90% of the time, and the final 20% takes 90% of the time."

Comments on social media noted that even if negotiators had made it through 95% of the issues on their checklists, that progress meant that the U.S. and Iran still had to agree on what to do about Iran's stockpile of enriched uranium, about reopening the Strait of Hormuz and about U.S.-led economic sanctions against Iran. You know, the little stuff.

While there have been more reports today on potential progress, I'm ready to call it. Having covered an international mess or two in my time, I think the situation in Iran has all the markings of a long-term impasse. I'm convinced Iran will be an open wound for many years to come. The best we can hope for, I believe, is the sort of "ceasefire war" occurring in Gaza, where the fighting has officially been ended but the underlying conflict still festers.

Insurers need to prepare themselves. 

I'll still hold out hope that President Trump can achieve the kind of agreement with Iran he's been promising: reopening the Strait of Hormuz to any and all traffic, without tolls, while removing Iran's ability to ever build a nuclear weapon. But I no longer think any such resolution is likely. I don't even think a clean, lasting agreement is possible.

The clincher for me came this morning, when I read a column in the Washington Post by a former colleague of mine from the Wall Street Journal, Karen Elliott House, who is as plugged in to the Middle East as any journalist could possibly be. Karen won a Pulitzer Prize for her coverage of the Middle East in the 1980s and has stayed plugged in to the point that last year she published the definitive biography of Saudi Crown Prince Mohammed bin Salman. 

She wrote: "When the U.S. and Israel unleashed a blistering bombing campaign striking more than 10,000 Iranian targets, and Tehran’s response included attacks on Saudi oil installations and military bases, the Saudi air force initially struck back. But as President Donald Trump tolerated a ceasefire longer than the war itself, and repeatedly threatened to resume hostilities only to back off, the crown prince concluded that he must live with a hostile regime in Tehran. His focus now will be on placating Iran to protect Saudi."

If the Saudis have switched to appeasement — and I believe Karen implicitly — they leave Trump with almost no choice. Even if he felt he could ignore the need for congressional approval of a conflict lasting more than 60 days, under the War Powers Act, or could win approval from a Republican Congress increasingly nervous about an unpopular war as we head into the mid-term elections, Trump isn't going to resume hostilities without support from this major Middle Eastern ally. That means he's left having to negotiate with an extremist, theocratic regime that, by all accounts, thinks it has won the war.

Whatever deal ensues, Trump will surely claim a major victory, but Iran will remain volatile. Having shown the world that it can close the Strait of Hormuz, even while under attack by the world's greatest military power, Iran will keep shippers on edge, thus keep oil markets nervous. Iran will surely retain enough of a pathway to nuclear weapons that there will be the prospect of additional air strikes like the one the U.S. and Israel carried out on Iran last summer. If the U.S. eases economic sanctions, as Iran is demanding, Iran will surely funnel some of that money to its proxies throughout the Middle East as they try to destabilize Israel, Iraq, Lebanon, and Yemen. 

Because the Middle East is so unlikely to return to the conditions before the war, insurers should assume that conditions today will persist for at least many quarters and probably many years.

Shipping patterns will adjust to the higher risks in the Strait of Hormuz, and insurers will have to adjust to those new patterns. Global supply chains for all sorts of goods will change, keeping replacement parts for cars hard to get and limiting access to housing materials, so pressure on premiums will continue. 

Gasoline prices will drop somewhat but remain steep, keeping a lid on traffic and, thus, traffic accidents. People will fly less, in the face of increased air fares, reducing the demand for travel insurance. With gas prices driving inflation, interest rates are likely to stay elevated; the housing market is already a disaster, and sales will stay depressed, reducing opportunities for homeowners insurance companies to attract new customers. 

And so on. 

There will surely be secondary effects, too, though those are obviously harder to predict. The big question, for me, relates to the mid-term elections. With Trump's approval ratings already at record lows, and with Iran looking like a strategic error, the Republican party will almost certainly lose control of the House of Representatives and perhaps even the Senate. All those investigations that the Democrats have talked about wanting to launch into Trump administration actions could become reality next year. Democrats may be a bit cautious because some of the investigations they launched in the lead-up to the 2024 election backfired and let Trump generate support — or they may not. The federal government could pretty much shut down until the 2028 presidential election as Democrats and Republicans scream at each other. Meanwhile, issues that are important to the insurance industry, such as the fates of FEMA and the National Flood Insurance Plan, would be set aside.

My second biggest question relates to Taiwan. Might China decide that now is a good time to try to retake control of the island, with the U.S. looking weak and having used up so much of its weapons stockpile in Iran? What a catastrophe that would be for the whole global economy.

But now I'm getting really speculative. We'll have to wait and see how the secondary and tertiary effects unfold. For now, I really just wanted to note that I don't believe we'll have a clean resolution of the U.S.-Israel conflict with Iran and that we are likely going to be dealing with lingering effects for a long time.

Cheers,

Paul

There's an urgent and slightly uncomfortable conversation happening across the insurance market right now. We talk a lot about growth, distribution, AI, data and digitization, but most of our operating models simply aren't built for the environment they're being asked to perform in.

This was the backdrop to Send’s recent INFUSE webinar, where we explored what it really means to move from a traditional, linear underwriting model to something fit for 2026. My view in one line: The challenge isn't innovation, it's whether our foundations can support it.

Brokers, MGAs and insurtechs are moving quickly. They're building smarter, more connected models, and in some cases, they're becoming more confident in their understanding of risk and pricing than the carriers behind them. Carriers haven't lost their edge, but there is a growing gap between what they have and what they can actually use. When your partners can ingest, process and act on data faster than you can, the balance starts to shift.

We're trying to make old models do new things

Many insurers are still running on legacy systems, fragmented data and manual workflows held together with spreadsheets. Trying to partner with more innovative businesses with that kit underneath you is a bit like putting Formula One parts onto the family car. In theory, it should make you faster. In reality, the underlying vehicle just isn't built for it.

What this is quietly doing to the data underneath doesn't get talked about enough. Carriers have always relied on their own book to set pricing, shape appetite and spot trends. As more of that book gets written by more advanced partners, the picture starts to erode. The partner is collecting richer, more granular data than the carrier ever did, but it doesn't plug neatly back into legacy systems. So, the carrier is left with two bad options: force new, unique data into systems that weren't designed for it, or hold underwriting discipline on a book they can only half see.

Meanwhile the boardroom conversation hasn't caught up. I still see leaders planning with the line, "we did well last year, so let's take that and add 10%," without really understanding how or why they got there. Managers are patting themselves on the back about the growth, while their underwriters are quietly wondering whether the wheels are about to come off. From the top floor it looks like a winning streak. From the underwriter's desk it looks like a book they can't quite see the edges of.

This isn't a technology problem. It's a trust problem.

Whenever the conversation turns to data, we default to the usual list of quality, consistency, standardization and validation. Those things matter, but for me the defining characteristic of good data is simpler. It's trust.

If an underwriter doesn't trust the data, they won't trust the outcome. And if they don't trust the outcome, they'll find a workaround. Spreadsheets sitting alongside core systems, manual overrides, parallel processes. Every one of those is a vote of no confidence in something that was meant to solve the problem.

We still talk about this as if it's a technology issue. It isn't. We know how to cleanse, enrich and validate data. The harder bit, and the one we keep ducking, is getting people to agree on what a data point actually means and how it should be used. That is where transformation programs stall. Not because the tools aren't good enough, but because the alignment isn't there.

Real change starts with asking better questions

We need to stop asking how to force people into the process and start asking why they're working around it. Those workarounds are telling us something. They point to gaps in trust, usability, clarity or alignment. If you don't understand the gap, no amount of new technology will close it in a lasting way.

You need the right driver, not just a better car

The firms moving fastest right now, particularly MGAs and newer entrants, don't just have better technology. They have a different mindset. They're entrepreneurial, closer to the customer, and they design their operating models around outcomes rather than internal constraints. They're still looking outwards.

You can give a business a Formula One car, but if the way it thinks and operates doesn't change, it won't deliver the performance you expect. Technology creates opportunities. It doesn't replace judgement, culture or customer understanding. You need both the right driver and the right vehicle. One without the other is either dangerous or going nowhere.

Looking ahead

I'm often asked where the market will be in three to five years. What I can say is that the organizations winning right now, in insurance and well beyond it, are the ones built around their customers. Netflix, Starling, Octopus Energy. They design around the customer first, and they run small, deliberate experiments so they can respond when things change. They don't bolt new technology onto broken processes and hope for the best.

Insurance isn't there yet. We know we're going to adopt better technology. The real question is whether we can build the operating models, data foundations and trust to actually use it. If we don't, we're just making the same car go a bit faster. And that won't be enough for what's coming next.

A March 2026 security incident involving a tool widely used by developers to purportedly connect applications to large language models marks one of the first large-scale cyber incidents targeting the emerging artificial intelligence (AI) development stack.

For the insurance industry, this incident may be a warning that AI infrastructure risk is rapidly becoming an insurable reality.

AI is increasingly spawning a complicated ecosystem. New AI frameworks, open-source libraries and orchestration tools are drawing organizations into complex third-party supply chains that even they — and their insurers — don't yet fully understand.

Even without this full understanding, many organizations are racing to deploy AI capabilities, often faster than their security practices can manage. As AI adoption accelerates, so may a new category of cyber risk that insurers will be increasingly asked to absorb.

A New Layer in the Digital Supply Chain

The software supply chain is already complex. Now, AI is adding another layer to the complexity.

Modern AI deployments rarely rely on a single platform or vendor. Instead, organizations build applications by combining multiple frameworks, libraries, skills, tools and cloud services. This layered architecture is referred to as the "AI development stack." Tools like the one targeted in the recent incident are designed to serve as a connective tissue. They need access to sensitive data to be useful.

This can introduce risk that's concentrated and exponential. If malicious code is introduced at the top of the stack, it not only exposes the sensitive data within the application but also cascades downstream into potentially upwards of thousands of environments.

Many organizations don't have proper visibility into every component embedded in their AI environments.

For underwriting, this represents a blind spot and rapidly escalating risk. Traditional cyber risk questionnaires don't yet capture the nuances of developing AI stacks, and yet these components now house highly sensitive data and credentials. Beyond attestation, many carriers are not yet ready to require and review evidence of agentic AI oversight and security.

The cyber insurance industry has seen the effects of these supply chain risk dynamics before. What makes the AI stack risk different is the speed of adoption.

Shorting Cybersecurity Basics and Long-Tail Claims

In the rush to integrate AI functionality, some organizations may leave behind basic foundations of security. Automatic software updates are a prime example.

That's what foiled the organizations affected by the March incident. Though the malicious version of the software was only available for a few hours, many systems automatically adopted the new release without a security review. The attackers used an aggressive tactic to trigger the malicious code the moment a system automatically downloaded the update.

Even if an organization took steps to avoid automatic downloads, they could still be compromised if they used another tool that pulled in the malicious software automatically.

The affected software reportedly has millions of daily downloads. Even if a fraction of organizations were affected, attackers still may have gained unauthorized access to thousands or even hundreds of thousands of systems.

Each compromise may represent a potential long-tail claim scenario, in part due to credential management issues — another "cybersecurity basic" that's rapidly becoming more complex. AI applications frequently require access to multiple services, making them valuable targets for threat actors.

When attackers obtain access keys or API tokens, they can move more quietly through cloud environments, often escalating privileges and quietly exfiltrating data.

Because these activities may unfold gradually, the full impact of the resulting claims can emerge over months or even years. Organizations may first discover suspicious activity in one system, only to later uncover deeper compromises across multiple environments.

For insurers, this dynamic introduces uncertainty around the size and scope of potential claims.

Rising Demand for Incident Response and Forensics

Insurers should anticipate increased demand for forensic investigation and breach response services. As soon as an insured becomes aware of even a potential AI stack compromise, they need answers to critical questions:

• Were automated updates enabled?
• Were affected versions deployed?
• Has there been unusual activity from your AI agents?
• Were credentials exposed or exfiltrated?
• Are there signs of data exfiltration?

Answering these questions requires specialized technical expertise, and even organizations with strong internal security teams often need external help. Insurers maintaining robust cyber partner networks can offer incident response services, forensic investigations, breach response coordination, and monitoring and mitigation strategies, and therefore, will be better positioned to support policyholders.

These capabilities are becoming central to the value proposition of cyber insurance. Beyond financial reimbursement, organizations facing emerging AI threats need expertise and coordinated response to properly assess and contain damage.

Immediate Steps for Insurers and Brokers

The recent AI supply chain attack offers a preview of what may come. It raises a central question for insurers of how policyholders are adopting AI technologies.

One immediate step insurers can take is vendor triangulation. Work with policyholders to identify whether they rely on AI development tools that may introduce new supply chain dependencies. Understanding these relationships can help assess potential systemic exposures and concentrated risks.

Now is also the time to begin incorporating AI-specific inquiries into underwriting processes. New considerations should include:

• What AI and orchestration tools are being used?
• How are software updates vetted and implemented?
• How are credentials and API security managed?
• How is the organization monitoring for cloud security threats?
• Does the organization have incident response capabilities specific to AI infrastructure?
• How is the organization analyzing in real-time what their AI agents are doing and if they are properly credentialed?

AI is likely to remain a transformative force across industries. As its adoption accelerates, these questions will become increasingly relevant to making sure underwriting assumptions reflect the evolving threat landscape.

Insurance finance leaders spend considerable effort assessing the financial health of the counterparties they depend on: reinsurers, brokers, MGAs, large commercial clients. Most of that assessment draws on periodic data: annual accounts, credit scores, ratings. What it rarely draws on is how those same counterparties actually behave when an invoice falls due. That behavioral layer exists, it updates continuously, and for the most part it goes unread.

Every accounts receivable team can see how its own customers pay. Almost none can see how those same customers pay everyone else. That asymmetry is the part of the conversation about payment behavior that tends to get skipped, and it is the part that matters most. A single supplier's ledger shows what is happening inside one relationship. Understanding whether that behavior is isolated or part of a wider pattern requires a network-level view. That view has existed for over a decade, built from the aggregated payment experience of millions of buyer-supplier relationships. Most finance teams are still not using it.

Across global invoice data, one figure stands out: 37% of the days-to-pay cycle now occurs after the contractual due date. That is not marginal slippage. It is a structural feature of how credit operates in 2026, and it is the kind of finding no individual enterprise can produce from its own data, however large its book.

Contractual terms describe an agreement. Payment behavior describes the execution. The gap between the two has become large and persistent enough to be read as its own variable, and unlike most inputs that feed periodic financial assessment, it refreshes continuously.

The Terms-to-Behavior Gap

Globally, businesses took an average of 51 days to be paid in 2025: 32 days of contractual terms plus 19 days of delay. The global average matters less than the distribution underneath it. The Netherlands sits near 40 days end-to-end, with only 12 days of delay. India runs to 77 days, with 43 days of delay on top of agreed terms. Two trading partners on similar terms can produce very different cash realities depending on geography, sector discipline, and the operational maturity of the supplier chasing the invoice.

The sector picture is pointed. In the United States, financial services, insurance, and real estate average 57 days-to-pay, with 27 days of delay, among the slowest of any sector in the data. For insurance finance teams, that figure cuts both ways. It describes how the sector pays, and how the sector's counterparties tend to pay. Anyone extending credit, managing broker settlements, or carrying reinsurance receivables within that ecosystem should know where their sector sits and what movement away from that norm looks like.

When Deterioration Looks Sudden But Isn't

Consider a scenario familiar to anyone who has worked a collections book. A buyer's average payment delay stretches from 18 to 30 days across two quarters. The promise-to-pay rate softens. Disputes take longer to resolve. Approvals route through additional layers. Six months later, the relationship is in serious trouble, described internally and externally as sudden.

From the outside, it appeared sudden. Inside the payment ledger, the drift had been measurable for months. Promised dates slip, partial payments creep in, the rhythm of communication shifts. None of it is dramatic on any given day. All of it is observable in aggregate.

Insurance finance teams understand this dynamic in their own reserving cycles: the loss was developing long before it was recognized. Payment behavior follows the same logic. The deterioration is rarely sudden. The visibility of it often is.

Where the Argument Breaks

None of this means payment delay is proof of distress. It very often isn't. Slow payment can reflect approval bottlenecks, ERP changeovers, dispute backlogs, or simply the prevailing discipline of a sector. Read in isolation, the signal generates false positives, and false positives at scale produce worse decisions, not better ones.

Behavioral payment data is useful precisely because it is contextual. Sector, geography, counterparty history, and the rhythm of a specific relationship all matter. Volume without interpretation is noise.

Cadence Is the Real Gap

Most financial assessment processes operate periodically. Payment behavior changes continuously. That gap is where deterioration goes unnoticed.

A supplier can observe that a counterparty is paying more slowly than last quarter. It cannot see whether that same counterparty is paying more slowly across all its relationships, or whether the slowdown is specific to one trading relationship. Those are very different situations, and the data to distinguish them does not exist inside any single company's ledger. It exists at the network level, across the aggregated payment experience of millions of buyer-supplier relationships.

For insurance finance teams managing exposure across brokers, reinsurers, and large commercial accounts, that distinction matters directly. A counterparty paying slowly because of an internal processing issue is a different proposition from one paying slowly everywhere it trades. The former is operational friction. The latter is worth understanding earlier.

The question is not whether this data exists. It does, at scale, and it updates continuously. The question is whether payment behavior is being read as a live operational signal or treated as a byproduct of the collections process. For most organizations today, it is still the latter.

If we could restart many insurance program launches we have worked on or observed over the last decade, we would not begin by hiring more people or buying more technology.

We would begin with a better operating structure.

Insurance startups, MGAs, carriers, wholesalers, and brokers often struggle to launch new programs because the work is not organized clearly. Strategy, underwriting, technology, compliance, vendor management, operations, testing, and distribution move at different speeds, and too often, no one owns the launch end-to-end.

The result is predictable. Decisions stall. Vendors wait for answers. Testing starts late. Carrier requirements are only partly translated into operations. Founders and executives get pulled into work that should sit elsewhere.

Most launch problems are caused not by a lack of talent but by unclear roles, weak project discipline, and too much execution work falling on senior leaders.

If we had to do it over again, we would start with a lean core team, add project management early, build operations alongside product, use technology selectively, and rely on flexible staffing before permanent headcount.

The Problem With Unstructured Launches

Launching an insurance program is complex. A new program has to align underwriting rules, rating, forms, state requirements, claims intake, billing, payments, document generation, reporting, compliance, and customer service. Every part depends on the others.

Without clear ownership, launch work gets spread across people who already have full-time jobs. Underwriting leaders support the new program while managing an existing book. Technology teams juggle configuration, integrations, and internal priorities. Operations teams are often pulled in after major product or system decisions are made.

Invisible delays then become visible problems. UAT credentials are not ready. Vendor tasks remain incomplete. Endorsements, cancellations, reinstatements, and payment processes are not fully documented or tested. Small gaps become launch issues, and senior leaders spend their time solving coordination problems instead of making strategic decisions.

Start With a Lean Core Team

A launch needs a lean core team, but that team should own strategy, not every task. In most cases, the right group includes the CEO or founder, an underwriting lead, a technology lead, and one or two strategic operators.

That team must understand both insurance and implementation. Modern programs depend on systems, data flows, APIs, rating engines, billing workflows, document production, claims processes, compliance controls, and reporting. Insurance knowledge alone is not enough, and technology knowledge without an insurance context is not enough, either.

The core team should own the product and underwriting strategy, carrier and capacity relationships, distribution, vendor selection, financial targets, launch priorities, and major issue resolution. It should not spend its time chasing vendor updates, forwarding credentials, or collecting test results.

Add Project Management Early

The most important execution role in many insurance launches is the project manager, and that role should be added at the beginning, not after the timeline slips.

A strong launch PM understands both insurance and technology and can translate across underwriting, operations, compliance, claims, billing, vendors, and distribution partners.

The PM builds the launch plan, tracks owners and deadlines, manages dependencies, runs status meetings, documents decisions, escalates blockers, coordinates UAT, and keeps vendors accountable. This is not a light administrative job.

Without a dedicated PM, coordination usually happens through side conversations, email threads, and status meetings that generate more noise than progress. The PM gives the launch one operating rhythm.

Build an Operations Function

Project management is not the same as operations design. A launch also needs someone responsible for process detail, usually a business analyst or operations lead.

That person handles workflow design, process documentation, user requirements, operational handoffs, exception handling, billing and payment procedures, cancellation and nonrenewal processes, customer service routines, and claims intake coordination. These may look secondary next to underwriting or technology, but they determine whether the program can function at real volume.

Too many MGAs focus on product and platform configuration first, then discover near launch that service workflows are incomplete. Policy issuance may work while endorsements, claims notices, and payment exceptions do not. Operations has to be a launch workstream from day one.

Use Technology to Reduce Manual Work

Technology should support the operating model, not complicate it. Project management tools should track owners, milestones, dependencies, defects, and decisions. Contract tools and shared repositories should reduce friction and make current materials easy to find.

AI and automation can help with work that is repeatable: drafting process documents, summarizing vendor calls, reviewing checklists for missing items, organizing compliance requirements, and creating first drafts of operational materials.

But every tool needs an owner and a defined workflow. If it does not reduce work, improve quality, or increase visibility, it is probably adding another layer to manage.

Avoid the Headcount Trap

One common startup mistake is hiring too much permanent staff before revenue supports it. A better approach is elastic staffing: use experienced fractional resources for launch coordination, UAT, claims setup, documentation, or LOB or state expansion. The advantages of the elastic staffing model are the ability to fractionalize many positions at once, move the risk to a trusted BPO partner, which then allows you to keep expanding (assuming success) or contract the positions (assuming product failure).

Put the Framework Into Practice

A disciplined launch still needs a written plan, a soft launch, and clear ownership. The lesson is simple: insurance launches need structure before scale. Build the operating model first. Then launch the product.

Across many wine-producing regions, wildfire seasons are increasingly overlapping with key points in the growing and harvest cycle, creating a broader category of risk for wineries and their insurers. A vineyard or winery may avoid direct fire damage and still face critical economic loss if smoke exposure affects grape quality during harvest operations or while harvested fruit is awaiting processing. As a result, smoke exposure is becoming a growing risk issue not only for viticulture and winemaking teams but also for insurance brokers, adjusters, and coverage counsel evaluating when a claimed loss occurred and how the condition of the product can be established.

Wildfire season often overlaps with harvest, which can create a heightened risk of smoke exposure for wineries. When smoke taint is suspected after grapes are picked but before fermentation, first-party property coverage questions tend to revolve around timing, documentation, and the quality of the testing record as much as they do the winemaking science. Wineries can put themselves in a stronger position by keeping their focus on objective facts that show when the fruit was harvested, how it was handled, and what the available data indicates about the condition of the product.

One common issue that often leads to disagreements between a winery and its property insurer is whether smoke taint occurred. A winery may believe smoke exposure or absorption took place after harvest during transport, staging, or short-term storage, while the insurer may contend the impact occurred while grapes were still on the vine. This distinction can matter under many property policies because coverage for growing crops and harvested stock can be treated differently depending on the policy language. The most practical way to reduce timing disputes is to treat post-harvest handling like a chain of custody process and maintain clear records that match how the fruit moved through the winery's system.

Helpful documentation typically includes harvest dates, vineyard block identifiers, bin or tote identifiers, weigh tags, receiving logs, transport routes and times, staging locations and conditions, crush and press schedules, and tank or barrel assignments by lot. Notes about observable conditions, such as smoke density, odors, or ash deposition, can also provide useful context when paired with the operational timeline. The goal is not to turn harvest into a dispute, but to present a coherent lot-specific narrative that reflects the winery's real-world handling and supports a clear understanding of when the condition likely developed.

Another recurring issue is an insurer's position that testing does not support taint. Differences can arise based on what was tested, when it was tested, how representative the samples were, and how results were interpreted in light of varietal and site conditions. Wineries can help by using reputable laboratories, documenting sampling methods, preserving samples where feasible, and combining analytical results with consistent sensory evaluation and controlled comparisons across lots. When results are mixed or early results are non-detect, follow-up testing at later stages may be appropriate because smoke impacts can evolve during fermentation and aging.

In the United States, smoke taint testing historically leaned heavily on guaiacol as a primary marker associated with smoky and ashy aromas. Today, many wineries are increasingly focused on panels that include phenols and, in particular, phenolic glycosides, because smoke compounds can be present in a bound form that may not show up clearly in early volatile testing and may become more apparent later as the wine develops. Another practical reason to avoid relying on guaiacol alone is that it can appear for reasons unrelated to wildfire smoke in certain production contexts, which can complicate interpretation. For wineries, a balanced and practical approach is staged testing tied to how the fruit and lots are handled: test representative samples by block and lot at harvest or receiving, consider additional testing after pressing and during or after fermentation when warranted, and keep the testing record aligned with lot segregation and production decisions. That combination of good science and good records helps the winery make better operational choices and, if an insurance claim arises, supports a clear and fair discussion of what the data shows.

Considering everything above, smoke taint claims are easier to evaluate and resolve when the winery can present a clear timeline, a consistent testing plan, and organized lot-level records that connect the science to real operational decisions. By documenting post-harvest handling with a heightened level of care and by using staged testing that includes both traditional markers and phenolic glycosides when appropriate, wineries can create a straightforward record for any coverage discussion.