
Collective Response to Data Resiliency

Collective action will shield all organizations from infection and mitigate the damage of ransomware on the global economic landscape.

Ransomware cyber insurance policies are perceived as having high deductibles and low ceilings. In other words, costs are seen as misaligned with the risks and coverage needs of insureds.

Many insurance companies have adopted a conservative approach toward ransomware premiums out of fear of a cyber insurance "hurricane" where, due to correlated risks and virtually unlimited liability, insurers could be overwhelmed by claims covering cyber-extortion payments, forensics, recovery, data loss and legal expenses.

Exposure has led to premium increases, and some carriers now sub-limit policies with fixed caps on recompense. Mechanisms such as co-insurance demonstrate a mindset of risk-sharing, but a more efficient cyber insurance marketplace demands a broader understanding of shared risk.

Ransomware attacks are felt beyond the targets, with pain spread across the global economy. Cyber insurance offers financial stability. Brokers, actuaries, auditors and other stakeholders should expect reasonable, documented assurances that insureds are making rational investment decisions concerning risk management.

This requires greater cooperation among insurance companies, policyholders and private industry -- including technology vendors. Disclosure and documentation, internal network and ransomware data resilience controls and information sharing are areas where we can and should work more closely. This is the way to ensure individual pricing suits the size and scale of risk for both insurers and insureds.

Shared responsibility for data resiliency

An aggressive cybersecurity posture must include forward-thinking strategies toward ransomware. It is in the interests of each of us to disrupt the cyber-extortion business model and eliminate its source of profits.

Ransomware variants are not monolithic. A cooperative response requires a joint analysis of both new and emerging threats, as well as the technologies that ensure security controls are in place and effectively applied.

Altogether, technology is shifting the paradigm. It is effective at early ransomware detection, and software can automatically shut down attacks to minimize the damage. However, while historical capital expenditures have been focused on perimeter and endpoint protection, effectiveness has proven incomplete.


Data immutability provides a more complete resiliency model. Maintaining clean datasets that are more readily restored, minimizing loss and preserving data probity, means making data resilient to malicious encryption.

Global file systems, for example, which in advanced applications offer wider unstructured data management capabilities, in some cases use immutable data architectures.

While immutable repositories resist tampering with data contents, that does not necessarily mean that the host platform cannot be compromised separately. Cybercriminals are adept at finding ways to disable data protection software and systems.

Conducting backups on a daily or weekly basis can help organizations better respond to a ransomware strike, but restoring from a backup almost always involves data loss. Strict data-backup procedures do not ensure that files cannot be encrypted, and moving backups offline results in an operational gap.

Additionally, even where backups are readily available, the time that such restoration will take is frequently underestimated. Because backups are a complete and incrementally produced copy of data, the size of the dataset is substantial, and it may take days or even weeks for clean copies to be restored.

Insurers, policyholders and technology makers should be aware that immutable approaches to data storage are particularly effective even in cases where ransomware can lie dormant in an IT environment, leading to backup of files containing malicious code, because they preserve a pristine data set.

Cloud-based immutable storage repositories, such as Panzura on Amazon S3, which operates with an object-lock feature irrespective of whether the data is accessed, may not necessarily prevent an attack but do maintain an unadulterated copy of data for use in a restore scenario.

Best practices say that, should a primary object store be attacked through a security vulnerability, insureds should consider a split-write, or cloud mirror, to a second object store to ensure guaranteed data accessibility.

Collectively documenting data resilience

Research by the University of Kent and the Royal United Services Institute for Defence and Security Studies (RUSI) indicates the insurance sector is struggling to collect and share reliable cyber risk data that can inform underwriting. The report posits that more regulatory intervention may be necessary.

While there is a legitimate role for public agencies in the fight against ransomware, the time is now to take collective steps that will avoid the blunt lattice of regulation. Frameworks of agreement and cooperation among private industry are really the best cure.

The cyber-ecosystem is only as strong as its weakest link, and insurers can more thoroughly underwrite cyber insurance if they better understand the precautions that insureds must take to fend off ransomware attacks and back up their data resources.

Providing brokers and underwriters with better information calls for standardized certifications, enabling all parties to have a holistic view of what constitutes secure data. This should be based on a clear mapping of agreed protocols for defense and acceptable recovery parameters.


The insurance purchasing process itself requires an inward evaluation of security controls, and results in better understanding of the value and nature of data. For example, Panzura works with customers to provide a Statement of Ransomware Resilience, along with other types of documentation, which insurers can consider when determining premium pricing and coverage limits.

Consensus among insurers and technology vendors is necessary to define the form and function of the documentation. Acceptance should be a basis for negotiating rates that appropriately balance risk with the immutability and resilience of insured data and networks.

Sharing risk more equitably, we can build on responsible efforts by insurers to avoid a cyber insurance "hurricane." Collective action will shield all organizations from infection and mitigate the damage of ransomware on the global economic landscape.


Glen Shok


Glen Shok is vice president of strategic alliances at Panzura, a provider of unstructured data management solutions. He has more than 25 years of experience in enterprise technology, including past roles with Oracle, EMC and Cisco.

3 Ways for Agencies to Improve Cybersecurity

By preparing agents to be the first line of defense against cybercrime, insurance agencies can change employees from risks to guardians.

In the current wave of ransomware attacks, large insurance agencies have a bright red target on their backs because they have lots of personally identifiable information (PII) and have the means to pay high ransoms. Smaller insurance agencies are just as vulnerable but might not have the means to secure or reclaim client information. Regardless of size, insurance agencies that do not properly educate their staff are leaving major gaps that can be exploited.

One of the most common ways for agencies to lose valuable information is through insider threats, which occur when employees or people with approved access to your systems take or leak information through sabotage, theft, espionage, fraud or just plain ol' human error.

By preparing agents to be the first line of defense against cybercrime, insurance agencies can change employees from risks to guardians and minimize the chances of an attack that harms their clients, reputation and bottom line.

Improve email security with agency-wide policies and multi-factor authentication

Compromised emails are the entry point for 60% of cyber attacks and create opportunities for criminals to plant ransomware, steal funds and misuse sensitive information. Hackers have access to databases chock full of compromised email accounts. Agencies want to keep employee emails off these lists, but they also need to protect themselves if an agent's accounts find their way there. Criminals can use these accounts to gain access to your agency network like a lily pad, leaping from a personal account to a work account to a company-wide breach.

Here's an example: John Doe is unaware his Facebook credentials are in one of these illicit databases. Hackers have access to his full name, personal email address, password and place of work: ABC Insurance. They learn from the agency website that agents' email format is firstnamelastname@abcinsurance.com. With this information, they can email John and other agents or attempt to log in to his work email. Whether or not he's reused his password, an experienced hacker can get access in a matter of minutes.


There are multiple steps agencies can take to minimize the chances of compromised emails:

  • Don't publish any employee emails on your website. Limit public emails to aliases such as info@abcinsurance.com or use a contact form.
  • Don't let your agency's security hinge on another site's vulnerability. Ensure employees don't use their work emails to sign up for other websites.
  • Use multi-factor authentication (MFA) for all email log-ins. While text messages are one way to add an authentication factor, SMS channels are vulnerable to hacking. MFA apps are the gold standard and are likely free to use with your agency management system, such as Microsoft 365.

Educate agents about phishing and safe email habits

All agents must be vigilant about phishing emails that steal PII by impersonating another person or organization. Phishing has become sophisticated enough to fool multiple employees within an organization, posing as legitimate emails from systems that criminals know an agency uses. Whether your agents are working on-site or remotely, all it takes is one successful phishing attempt for a bad actor to install malware or steal sensitive information.

Good email habits and open communication can thwart phishing attacks:

  • Err on the side of caution when opening links and entering log-in information. Agents should not log into a website directly through a form in an email.
  • Verify the domain name/URL of any link opened from an email. Cybercriminals create fake, nearly identical pages that can fool anyone not paying close attention to what website they're really on.
  • If your agency uses Slack or a similar platform, you can dedicate a channel to report suspected phishing.

Encourage vigilance in and out of the workplace

A great way to ensure that agents are vigilant is to test employees with a mock-phishing email to see if they catch it. There is software available that can help with this, or you can have a close contact from outside your agency send an email asking agents to reply with a phone number or other piece of PII. If the email sounds urgent enough, many times people will reply with the requested information thinking they are helping in an emergency. Collect the emails that come back to your outsider contact and discuss them with the team as an opportunity for education on cyber security awareness. Once you have a baseline, repeat the test every few months and monitor how your agency's cybersecurity improves (we hope) over time.

It's also a good idea to educate agents on the value of regularly checking their personal account security to prevent a lily pad breach. Websites like Avast and haveibeenpwned inform you if there are PII leaks associated with your email address. Agents can check their personal accounts at these sites and keep on top of their own data security for the security of their agencies.


Insurance agents need to treat their emails like they're the keys to the agency vault -- because they are. Increasing email security through these simple methods makes your agency much harder to breach and will ultimately save money and prevent headaches, including lost goodwill among clients.


Joel Zwicker


Joel Zwicker is insurance evangelist at Agency Revolution Suite and formerly an insurance agent at one of Canada's largest independent insurance agencies. He now works to provide independent insurance agents the best marketing tools for their unique needs.

Breakthrough for Blockchain?

A blockchain application for airlines may show the way to massive scale, of the sort that will need to occur in the insurance industry with COIs, FNOL, etc.

While the enormous potential for blockchain in insurance has been apparent for a while, I've been waiting to see a breakout application hit the real world. I think I saw one last week, albeit in a different industry.

An article on Quora reported that Amadeus, a global reservation system, has adopted a blockchain-based system for verifying health clearances, such as COVID-19 vaccination records, for travelers.

The system will have to adapt as the pandemic continues to unfold and, in particular, as policies on eligibility for travel evolve, so success is by no means guaranteed. But I think this rollout is one to watch, because it's the first I've seen that aims at truly massive scale, of the sort that will need to occur in the insurance industry as blockchain tracks certificates of insurance, manages first notice of loss and so on.

Initially, the blockchain system, IBM's Digital Health Pass, is being used by just six airlines: Air Europa, Air Corsica, French Bee, Air Caraibes, Air Canada and Norwegian Air Shuttle. But all 474 airlines in Amadeus can activate the capability, and the need is pressing -- the Quora article opens with a description of travelers queued up at London's Heathrow airport for as long as six hours in April while waiting for agents to make sense of the various COVID-19 health clearances.

"Imagine small cards, stamped documents, and digital apps in various languages and formats," the article says. "The lack of standardization was a killer."

With the blockchain system, travelers provide credentials that back-end technology authenticates against the requirements of each country and airline, recording all information in a secure ledger. When travelers approach agents at airports, they have a QR code emailed to them that is then scanned and validates their eligibility for travel. The process is simpler for travelers and far simpler for agents. The process is also adaptable. As travel restrictions change, the electronic systems can sort through all the complexity in the background and still give the agent a binary decision: authorized or not authorized.

The hope is that blockchain could extend well beyond the health pass and supplant much of the other paperwork, including physical passports, that comes with travel, especially across borders. But just having the health pass work at scale would, for me, be plenty of validation for the blockchain concept.

We know from our friends at the Riskstream Collaborative that applications such as for proof of insurance and for first notice of loss are in advanced stages of development. And once one use takes hold -- even if it's in the airline industry -- I think the technology will mature and trust will increase, meaning that progress will happen rapidly from then on.

Cheers,

Paul


Paul Carroll


Paul Carroll is the editor-in-chief of Insurance Thought Leadership.

He is also co-author of A Brief History of a Perfect Future: Inventing the Future We Can Proudly Leave Our Kids by 2050 and Billion Dollar Lessons: What You Can Learn From the Most Inexcusable Business Failures of the Last 25 Years and the author of a best-seller on IBM, published in 1993.

Carroll spent 17 years at the Wall Street Journal as an editor and reporter; he was nominated twice for the Pulitzer Prize. He later was a finalist for a National Magazine Award.

Building Telematics Can Mitigate Risk

Advances in cloud computing, AI and sensors are combining to offer insurers new, better variables to characterize occupancy risk in buildings.

Commercial general liability insurers traditionally estimate business risk exposure of similar businesses based on variables like floor area and revenue. Advances in cloud computing and artificial intelligence are combining to offer insurers new, better variables to characterize risk.

Insurers generally understand that liability risk correlates to human presence and movement. A hair salon with twice the foot traffic should present twice the slip-and-fall risk. More expensive haircuts may reflect a business customer’s greater ability to pay but probably do not increase slip-and-fall risk. Indeed, risk should correlate linearly with foot traffic unless (1) traffic is so high that conditions become over-crowded and the risk accelerates, or (2) the building falls unoccupied. Measuring foot traffic and occupancy can also confirm that the insured’s description of its business corresponds to its actual business.

Progressive Insurance introduced new attributes to characterize driving behavior when it pioneered automotive telematics in the late 1990s, an early practice of usage-based insurance (UBI). Rather than insure an automobile based simply on the vehicle’s make/model and age and the driver’s sex and age, insurers could introduce newly observable attributes to better model risk: distance, speed, time of day, etc.

Twenty-five years later, a similar revolution is stirring in building insurance. Advances in cloud computing, artificial intelligence, semiconductors and the internet of things (IoT) make it practical and inexpensive to measure foot traffic and occupancy. Rather than depending on the policyholder to estimate human presence, a process unlikely to deliver numbers that can be compared across businesses, human presence can be measured objectively and continuously. The information will also deliver an actuarial basis for risk assessment over time.

Risk engineers are eminently capable of characterizing variables like floor surface, lighting and door placement. However, variables like occupancy that change continuously are effectively impossible to characterize during an annual visit.

These sensors are not your father’s IoT. IoT devices that measure temperature, lighting, sound intensity, hail stone size or flood level are all first-generation devices that require negligible processing power, either at the edge or in the cloud. The new generation of IoT requires high-performance, low-power, edge computing devices to predict risk, not simply measure what is empirically evident.

Some insurers think of IoT data as the new FICO (consumer credit) scores for businesses. If a hotel’s ballrooms are always below the limit set by the fire marshal, that implies hotel management is willing to play by the rules. If restaurants and bars do not overcrowd their spaces, they are less likely to obstruct exits or understaff operations. Attention to the rules implies lower risk...and that business may be one the insurer will want to retain with lower premiums.

Foot traffic and occupancy data should be of value to the business owner as well as the insurer -- if for different reasons. A cafeteria may want to use foot traffic data to plan food preparation to minimize food waste. Office tenants can use occupancy data for space planning: Does the business need more, less or different space in the coming year? A restaurant owner might want to compare receipts to foot traffic and customer dwell time to measure the effectiveness of sales staff. Does a business efficiently use its real estate? How does a company compare with its peers? Are there opportunities to use real estate more efficiently?

It is likely that not all policyholders will welcome a technology that measures occupancy -- in the same way not all drivers have welcomed technologies that measure driving behavior. Conversely, businesses that welcome the sensors are likely to self-select as attentive to overcrowding... and reflect a lower risk. And once the sensors are in place, reverse moral hazard suggests that insureds will improve their behavior -- justifying a discount offered in exchange for accepting the sensors.

Insurers can gain market share by identifying lower-risk properties and offering discounts. Higher-risk properties will see higher premiums and will either need to work with their insurers to reduce risk or will need to find new insurers -- probably one that isn’t employing building telematics technology. The outcome of this trend is that overall commercial general liability (CGL) premiums will decline, in part because high-risk properties will be obliged to work to lower their risk profile.

With risk profile information in hand, property insurance may move to the embedded-insurance model, where insurance is provided by the property owner who is equipped to measure occupancy -- and risk -- in real time. If your staff is at home during a pandemic, premiums drop contractually. If you double the number of staff in a space, premiums rise. More tenants pay a fair price for CGL insurance, and more tenants are suitably insured.

Occupancy and foot traffic will not be the last variables to be quietly but accurately measured by Internet of Things sensors. Other attributes that will be able to be measured include the presence of adults versus children; whether persons are running or walking or sitting; the presence of door mats when it has rained.    

As the cost of semiconductors, cloud computing and cellular connectivity continues to decline, sensors will be cheaper to install and manage. At the same time, underwriters and actuaries will be able to accumulate new, invaluable data that more accurately assess risk and reduce the insurance costs of the 75% of customers who, until now, have been subsidizing the other 25% -- now that we finally know who’s who.


William Evans


Bill Evans is CEO of BlueZoo, which is pioneering occupancy-measurement solutions. BlueZoo believes that identification and mitigation of risks will lower the worldwide cost of property insurance and improve insurance profitability.

Embedded Insurance: The New Hot Topic

An InsTech London report forecasts that the embedded insurance market could be $722 billion in gross written premium globally by 2030.

Many in the insurance industry are excited about the potential for embedded insurance, and it’s easy to see why. A recent InsTech London report forecasts that the market could be $722 billion in gross written premium globally by 2030. 

While embedded insurance is already established in the consumer space, the industry has only begun to scratch the surface of its potential. At MAPFRE, we believe it is inevitable that this market will continue to grow. Customers love the ease of it, and it offers significant opportunities for insurers to launch products, attract customers and save on distribution costs. 

What is embedded insurance?

We’re all familiar with embedded insurance in practice. Concert venues offer us cancellation insurance, and airlines offer us travel insurance when we buy tickets. Amazon even offers insurance on higher-value products when we check out. 

Selling add-on insurance at the point of sale is just one piece of this puzzle, however. InsTech London defines embedded insurance as “abstracting insurance functionality into technology in a way that enables any third-party distributor (usually product or service providers in other sectors) to seamlessly integrate insurance products and solutions into their own customer propositions and journeys.”

Looking at the bigger picture, at MAPFRE we see embedded insurance as part of a broader evolution toward offering policies that leverage data to offer real-time pricing in line with the needs of today’s customers – and that includes business customers in the commercial lines space.

Why is it growing so fast?

Today, consumers demand convenience. For certain products, they expect to buy the right protection for specific needs with a couple of clicks on their smartphone. 

Embedded insurance is the natural evolution of other trends that we have been observing in the sector for years, such as micro, on-demand, pay-as-you-drive, pay-how-you-drive and so on. Many clients no longer perceive value in traditional long-term policies, where the price stays fixed regardless of when or how they use it. For customers like these, embedded insurance seems much fairer because it is targeting the customization they are looking for.


For distributors such as banks, retailers, landlords and car manufacturers, offering insurance as part of a transaction generates extra revenue and increases the perceived value or convenience of their services. With digital ecosystems fast becoming the norm, it is natural for distributors to build on existing insurance partnerships – or seek new ones – to expand the range of insurance products they can offer. 

For insurers, embedded insurance has the potential to reduce distribution costs by integrating products directly into sellers’ platforms. It also offers the chance to win new customers with more flexible, easy-to-buy policies suited to modern lifestyles. 

Smartphones, wearables, IoT sensors, vehicles and countless other sources now generate new sources of data – much of it available in real time – to enable the industry to embed new products. At the same time, cloud-based digital platforms that are mobile and API-enabled make it possible to configure products and services around customer journeys, so firms can offer the right products to customers at the right times. 

The impact of this can be seen in the plethora of insurtechs now offering variations on the theme of embedded insurance. RentSpree is a tenant verification platform that just announced a partnership with Sure to offer renters insurance, for example.  

Insurance distribution opportunities

One way embedded insurance is gaining traction is by offering the opportunity for more companies to become insurance distributors. 

In the home insurance space, the insurance comparison website Young Alfred allows mortgage providers, real estate firms and asset managers to partner with them to sell embedded insurance as part of their propositions. 

When it comes to fleet insurance, U.K.-based MGA and SaaS platform Flock recently announced a partnership with Jaguar’s rental service, THE OUT, to provide usage-based policies for its fleet. In the U.S., Turo has partnered with Liberty Mutual to provide its own insurance product, Rivian has announced embedded products for their recreational vehicles and Outdoorsy works with Assurant to insure its RV rentals.

This shows the market opportunity for such start-ups that enable embedded insurance, as well as for the incumbent insurers that partner with them. 

Yet we see even more potential in the commercial insurance space for insurers and start-ups that are willing to make the leap. According to Swiss Re, the protection gap between the amount of insurance deemed socially and economically beneficial for households and businesses has doubled between 2000 and 2020. As an example, only 0.2% of U.K. SMEs bought business protection insurance in 2019 and 2020. 

According to Swiss Re, this gap has been driven by global trends in digitization, urbanization, climate change and a lack of effective innovation. Another factor for SMEs is that they find existing insurance products hard to understand and time-consuming to buy. Embedding appropriate policies would make the buying process easier and more convenient, helping to bridge this gap, while massively increasing revenues for insurers.

In the commercial lines space, we at MAPFRE see a particular opportunity with cyber insurance, where risks to firms are increasing rapidly but existing policies remain inflexible, hard to understand and potentially incorrectly priced.

In the wake of COVID, commercial buildings cover is likely to be another area of opportunity. With the rise of hybrid working, many businesses may no longer want to insure their premises in the same way, preferring to insure specific key assets instead. 


The potential rewards are great

In short, the potential to leverage businesses as distributors while also offering more bespoke insurance products could unlock huge untapped potential. Where changing consumer needs are driving rapid adoption of embedded insurance in the B2C space, we see the potential for this to happen in the B2B space, too, although it is early days for this.

The more we become used to embedded insurance as consumers, the more business owners and business leaders will come to expect the same convenience and flexibility for their firms. The rewards for those insurers that take the leap will be immense, and, from our perspective, it is not a question of “if” this will happen, but “when.”


Joan Cuscó


Joan Cuscó is global head of transformation at MAPFRE. Cuscó leads MAPFRE's collaboration with start-ups and scale-ups all over the world through their venture client program, insur_space, which has grown to become a global fast-track-to-market program.

How Insurance Can Halt Ransomware

As with the hostage-taking crisis of the 1970s, insurers are uniquely positioned to play a leadership role and de-escalate ransomware.

In 1975, the Argentine grain exporter Bunge & Born paid $60 million to free a kidnapped executive. That ransom payment remains the largest ever paid for a single person, but his case marked the beginning of the end for high-profile hostage events. The reason? Insurers began offering kidnap and ransom insurance. The policies not only promised to reimburse ransoms but helped corporations with needed resources such as crisis managers and negotiators to get hostages to safety and to keep ransom costs in check.

Today, major multinational corporations stare down a similar, if less physically tangible, threat. Ransomware is not just a form of cybercrime but a malevolent industry unto itself. With malware deployed to infiltrate networks and encrypt files, bad actors can essentially immobilize operations, create reputational damage and even physically harm people. More concerning, the bar has been lowered for entry with ransomware-as-a-service (RaaS). It no longer takes a skilled operator to carry out the attack—just bad intentions and access to a licensed service. 

Just as in the 1970s, criminals have seized an opportunity to exploit corporate wealth, and it will be up to the insurance industry to help modulate a situation that is spiraling out of control. In this new, digital version of the hostage crisis, the insurance industry is uniquely positioned to play a leadership role, de-escalate the panic, and again help global corporations rise above terrorism and fear.

An Evolving Threat Requires an Evolving Defense

Experts predict that a ransomware attack will occur every 11 seconds in 2021, with global damages from ransomware to hit $6 trillion. No sector is immune, which is why leading corporations joined to create The Ransomware Task Force, with Resilience serving as co-chair to help develop policy solutions for this growing scourge.

While public policy certainly has a role to play, cyber insurance can be more instrumental in effecting change on the ground. Cyber insurers have already become one of the most important drivers for cyber security, requiring policy holders to meet standards of care and providing resources that can help both guard against ransomware attacks and respond to them in a timely manner that saves money, protects data and avoids costly regulatory violations and other liabilities.


An Unfair Rap

Yet, some want to blame the escalating ransomware crisis on cyber insurance. Last year, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) stated in an official advisory that “companies that facilitate ransomware payments to cyber actors on behalf of victims...encourage future ransomware payment demands.” They included cyber insurance companies in their list of these facilitators and warned that ransom payments may “embolden cyber actors to engage in future attacks.” Instead of buying cyber insurance to manage and transfer the risk of ransomware, OFAC recommended that institutions wait to contact the relevant government agencies in the event of an attack. 

The focus on ransom payment facilitators distracts from the sources of cybercrime, how targets are chosen—rarely targeted for who they are but for their vulnerability—and the reasons these schemes are increasingly profitable. The rise of cryptocurrency, the mounting consequences of data leaks and last year’s sudden shift to work-from-home are all contributing to ransomware’s growth.

There is no evidence that insured firms are more likely to pay out ransoms—and it’s not up to the insurer to make that decision. In fact, victims with good cyber insurance may be less likely to pay ransoms, because insurers provide technical and legal experts to help identify the best method of recovery. And because firms must often prove their security bona fides as a precondition of insurance, a hardening cyber insurance market is slowly raising the bar for cybersecurity across industries. 

Simple Solutions

While making ransomware payments fully illegal sounds great in theory, like most simple solutions it falls apart in practice. It places an outsized amount of blame on the victim and does nothing to protect victims of future attacks. Insurance can put the economic incentives in place to encourage, if not compel, better security practices while providing a safety net in times of need. 

While there are cases where options like secondary data restoration are viable, some ransoms do ultimately need to be paid. Ransomware actors are experts at applying pressure on their victims, including by threatening to release stolen confidential data to the public. Often, the victim doesn’t have the resources to make this judgment call—the victim needs practiced experts to help it through the process and the economic and technological resources to handle the fallout. In other words, the victim needs insurance.

Mitigating Risk—for Everyone

On the micro level, responsible cyber insurance can both insure and secure, transferring and mitigating risk through incentives that keep insureds up to date on an ever-changing threat landscape. 

For enterprise clients, there may be effective in-house cyber security but challenges in budget justification. For SMEs, the resources an insurer can provide are invaluable. For victims of a ransomware attack, those resources can include forensic services, incident response, legal expertise, repairs and recovery cost. Insurance would also cover business interruption loss and other losses that could otherwise be financially devastating. It may also include the ransom payment, but not always.

On a bigger scale, cyber insurers can collect and share data on all cyber events—continuing to insure against ransomware and collectively pool and spread this risk. As we’ve all seen with catastrophic ransomware events in the past year, such as the Colonial Pipeline fuel shutdown, such events can have massive ripple effects. 


Ransomware is not going away on its own, just as the hostage takers in the 1970s were not going to give up on a lucrative criminal opportunity until it became less desirable. It’s up to the cyber insurance industry to give us the key to a decrypted future.

Breathing Life Into Life Insurance

To meet the needs of modern consumers, life insurers' products must be accessible, user-friendly and valuable to users’ everyday lives.


Here’s a radical idea: Life insurance should be about, well, life.

For too many years, life insurance has effectively been death insurance, focused primarily on paying out lump sums on a policyholder’s passing. Reimagining this long-standing approach – and putting the life back into life insurance – starts with harnessing insurance as a tool to enhance policyholders’ physical, mental and financial wellbeing.

How can the industry meet this challenge? 

Well, at YuLife, we’re transforming group life insurance into a suite of wellbeing and insurance products – a paradigm shift toward a model that simultaneously supports members, insurers and employers. Members benefit from improved wellbeing, while insurers gain from an approach that de-risks policyholders via healthy activities and employers gain the esteem of their employees by offering a product that offers tangible value to their lives – making for a happier, healthier, more productive workforce.

At YuLife, which recently completed a £50 million Series B round, policies come with the standard features of group life but add critical illness, income protection, virtual general practitioner (GP) services and employment assistance such as counseling and coaching. Based on the latest behavioral science, artificial intelligence and game mechanics, policyholders are offered discounts and vouchers from leading brands, including Amazon, ASOS and Avios, in exchange for completing everyday wellness activities like walking, cycling, meditation and mindfulness exercises. Many policyholders lead healthier lives while safeguarding their loved ones’ financial future. None of it would be possible without the intelligent, efficient and purposeful use of technology.


Among the key principles underpinning the transition to a new model of life insurance is gamification, which allows policyholders to reap tangible rewards and “level up” upon completing a given set of tasks. These enjoyable, engaging experiences enable lower premium costs and better physical and mental health while also playing into policyholders’ competitive instincts and our natural love for quests and challenges with our friends and colleagues.

Additionally, AI-driven insights empower employers to tailor their offerings toward individual employees’ needs and identify gaps and opportunities in their wellbeing strategies. The fusion of gamification, app development and data science creates a whole greater than the sum of its parts, with more touchpoints between the insurer and policyholder – making it likelier that policyholders will keep their policies.

Where Technology and Insurance Meet

The last major innovation in life insurance was arguably the introduction of higher premiums for smokers in the 1960s. A lot has changed in the past half century – and for life insurance to meet the needs of modern consumers, the industry must build products that are accessible, user-friendly and valuable to users’ everyday lives.

Insurtech opens a world of exciting possibilities – pointing toward a future where life insurance is actually conducive to a better life.


Sammy Rubin


Sammy Rubin is the founder and CEO of YuLife, the world's first group life and wellness insurance company for businesses that provides life insurance, wellbeing and rewards in one easy-to-use app.

Six Things Newsletter | August 3, 2021

In this week's Six Things, Paul Carroll reviews the quarterly Willis Towers Watson report on insurtech. Plus, how infrastructure is reshaping insurtech; gaining an edge in commercial insurance; data breaches' impact on consumers; and more.


A New Phase for Insurtech

Paul Carroll, Editor-in-Chief of ITL

This will be a quick note this week because I’ve been on vacation with family and then moved my younger daughter out of her apartment now that she’s finished law school and taken the bar exam, but I still hope to leave you with something to ponder.

That would be the quarterly Willis Towers Watson report on insurtech, which is always interesting but which I think is especially important now because insurtech seems to be moving into a new phase.

As you can see in detail in the report, the winners and losers of the first big wave of insurtech seem to have become clear.



SIX THINGS

How Infrastructure Is Reshaping Insurtech
by Andrew Wynn

Insurtech hasn’t focused enough on improving the digital infrastructure and tooling that carriers and distributors need.


Gaining an Edge in Commercial Insurance
by Sharmila Ray

The biggest insurtech opportunity lies in comparative rating for commercial insurance, following the progress in personal lines.


Impact of PTSD on Workers’ Comp Costs
by Bruce Spidell

States have been broadening or establishing eligibility for workers' comp benefits for PTSD, and COVID may accelerate the trend.


Data Breaches’ Impact on Consumers
by Paige Schaffer

While a singular data breach may not have an immediate effect on the consumer, each one chips away at the security of their identity.


The Need for Speed in Underwriting
by Jason Mandel

Driven by the need to slow or stop the spread of COVID-19, accelerated underwriting may save lives while increasing sales of life insurance.


How Synthetic Data Aids in Healthcare
by Artsiom Balabanau

Using synthetic data means important analysis and innovation can be done without associating particular people with their medical records.


MORE FROM ITL

AUGUST FOCUS: Cognitive Technologies
This month sponsored by Intellect SEEC

Cognitive computing is a funny beast. Every time you hit your target, you find that another pops up off in the distance.

When I first saw a demonstration of speech recognition, some 30 years ago, I was mightily impressed that the computer understood a few words. If I had seen what would be possible today, I’d have been stunned. But now? Oh, that’s just Siri or Alexa. And why didn’t auto-correct guess exactly what I wanted to say?


Insurance Thought Leadership


Insurance Thought Leadership (ITL) delivers engaging, informative articles from our global network of thought leaders and decision makers. Their insights are transforming the insurance and risk management marketplace through knowledge sharing, big ideas on a wide variety of topics, and lessons learned through real-life applications of innovative technology.

We also connect our network of authors and readers in ways that help them uncover opportunities and that lead to innovation and strategic advantage.

Creating an Empathetic Customer Experience

Your brand’s empathy matters more than ever to customers who’ve undergone what can only be called an emotional roller coaster.

After more than a year of watching the world change radically, consumers need three things: security, comfort and support. In other words, they need empathy and understanding from brands they trust — and from their insurance providers most of all.

In fact, your insurance brand’s overall empathy matters more than ever to customers who’ve undergone what can only be called an emotional roller coaster. They want to feel that you’re sitting on the same side of the table as they are. And that might require you to change the way you approach your client relationships.

Fueling Customer Loyalty Through Empathy

As McKinsey’s 2020 research shows, customers are looking for incredibly personalized solutions. They want to know how working with your insurance company will help them stay grounded and secure. Consequently, you can’t rely on standard marketing appeals to force bonds with prospects and clients. Instead, you have to lean fully into empathy.

For instance, your agents and service representatives might need to become more active problem solvers for customers. This would require them to listen to clients’ pain points, pay attention to what’s important to the people they serve and learn to connect with grace and transparency.

Although transforming your workplace into a people-driven, empathetic culture will take time, it will also provide you with advantages. According to reporting by Insurance Journal, more than half of all consumers would patronize a different business if it offered an exceptional customer experience. That was before the COVID-19 pandemic. Today, those numbers would likely be higher.

Another benefit of corporate empathy is that it can boost profits. McKinsey determined that insurance providers offering world-class customer service enjoyed higher revenue margins of about 30%. Accordingly, by being laser-focused on your customers’ needs, fears and wants above all else, you can both hit your quarterly numbers and reap public goodwill.

By driving up your empathy, you can drive up retention rates — and maybe snag competitors’ customers in the process. As I’ve written before, I’ve seen how a terrific and empathetic insurance brand reputation can cause customers to migrate from one insurer to another, regardless of price.


So how do you inch your customer experience protocol toward empathy and away from “business as usual?” Try adopting these measures:

1. Give customers your full attention.

Insurance agents are sometimes surprised when clients leave. Upon reflection, many realize they haven’t spoken with those customers in a long time or weren’t giving each customer their undivided attention during the last interaction. 

Being present can be tough — especially when your days are busy and your workload is heavy. Nevertheless, when you start to see your clients as individuals and not numbers, you open the door to making real connections.

Pull out your calendar. Based on your availability and schedule, design a plan to stay in regular contact with all customers. EY reporting suggests 44% of insurance clients haven’t had any communication with their provider or agent in the past 18 months. Be the insurance agent who gets in touch every few months just to make sure everything’s OK. You’ll set yourself apart instantly and show your empathy.

2. Make clients feel special.

Your customers might assume that you see them as just a record in your CRM system. Prove them wrong by making them feel unique and important through life-event marketing. For example, why not send out birthday cards or emails? The process takes only a little bit of time, but it makes a powerful impact.

Alternatively, you could send out a card reminding customers of their “anniversary” with your insurance company. Or you could call to thank them on that anniversary and use the call to find out if they’ve had any life changes that could affect their insurance needs. 

You’d be amazed at how far a little delight can go toward creating emotional inroads with customers. So, gather your team and brainstorm ways to initiate personal touchpoints throughout the year — not just during the typical year-end holidays.

3. Show your human side.

Establishing real relationships with your customers requires you to enter into a give-and-take relationship. In other words, you need to let them know about you. Don’t worry — you aren’t obligated to become best buddies with your clients. However, you should be willing to take the tone of a friend and share a bit about yourself.

Make no mistake about it: People are craving basic interactions. The more you can drop the veil of the arm's-length salesperson and foster a human touch, the tighter your client bond will be.

Need suggestions? Talk about your kids. Or your awful golf swing. Or even how insurance helped you. If you’re not totally comfortable talking about yourself, you can always coordinate volunteer events and invite clients to participate. That way, you can spend time with customers and make similar memories.

Just two years ago, you could get away with sales efforts focused on standardization and data. Not any more. To hold on to great customers, you need to lead with a dose of old-fashioned empathy. 

Need to Assess Tech in Public Risk Pools

The ransomware wave is a learning moment for public entity risk pools that have been trying to define a path to digital maturity.

There are more than 90,000 public entities in the U.S., and the Association of Governmental Risk Pools (AGRiP) estimates that at least 80% participate in one or more pools. By pooling their risk and accountability, these not-for-profit organizations can economically provide risk management and loss control, underwriting, claims management and a comprehensive package of insurance coverages that typically includes property, casualty and workers’ compensation. This effort supports a pool’s #1 priority: its members, the co-owners of the pool. These members hail from local and state municipalities, including entire fleets of first responders (fire, police), public utilities, school districts, government-run hospitals, public libraries, community colleges, support staff and more. Accordingly, the typical pool must ensure its technology systems can reliably support the needs of its members.

Ensuring uptime is paramount. During COVID, pools — like most private or corporate sector organizations — were forced to adjust how they worked, many prioritizing their IT wish list to maintain operational performance and resiliency. But, unlike most organizations, pools are restrained by outdated legacy systems and a limited, fixed budget. As a result, that wish list remains a wish, not a reality. 

Undoubtedly, budget concerns are one of many issues facing pools: Often, these organizations don’t have a large IT staff and are forced to maintain operations “the way it’s always been done,” cobbling along in the hopes that risks will be minimal. In actuality, the risks facing these organizations are at an all-time maximum.  

This conundrum is complicated by the fact that most pools rely on antiquated databases and Microsoft Office products for the bulk of their day-to-day operations. At a minimum, this reliance opens the door to Outlook phishing, making the pool more vulnerable to cyber criminals. Many may use Excel or other inexpensive spreadsheet programs that make it difficult to access data and almost impossible to regroup on errors. Imagine the time required to backtrack, inspect various versions of the spreadsheet’s values, calculations, source data and file history to correct the error, wreaking havoc with routine financial or regulatory reporting. Some pools use insurance core system software that, with the exception of claims, includes workflows that don’t necessarily match with the pool’s own protocols.  

If all this doesn’t spur you to think differently about how technology is managed, consider the largest, most recent risk affecting pools:  ransomware. Public entities are one of the most targeted sectors yet often have the fewest resources and capabilities to prepare for and respond to ransomware attacks. Consider that 2,400 U.S.-based governments, health-care facilities and schools were victims of ransomware in 2020, according to Council on Foreign Relations blogger Michael Garcia. In 2020, cyberattacks cost government organizations in the U.S. approximately $18.88 billion in downtime and recovery costs, according to a report from consumer tech information company Comparitech. And local governments continue to experience the greatest number of ransomware attacks, according to security company Blackfog.  

Foundation a Critical Asset

Yes, ransomware is a network issue, and, with ever-evolving ransomware keys and infiltration methods, there’s no way to prevent an attack with 100% certainty. But the rise in cybercrime is spurring pools across the country to wake up to the fact that it’s the pool’s technology foundation that enables them to best respond to their individual public entity members, which makes that foundation more valuable than ever. Without a unifying approach to IT management that includes modernization, pools will continue to struggle to operate efficiently, much less deter, disrupt, prepare for and respond to ransomware events.


Let’s revisit the statement about pools and their fixed budgets. As pools work with members on their annual loss control programs, they ask: What is the cost of not modernizing systems that are used to make city payroll, keep utilities up and running, communicate with first responders and even save lives?  If nothing else, the latest wave of ransomware is a learning moment for pools that have been trying to define a path to digital maturity.

That path, which can be undertaken by pools of all sizes, begins by conducting a basic technology assessment, which can be used to identify both known and unknown risks, issues that affect data access, workflow, operational performance and resiliency, network and systems’ vulnerabilities, mobility and, of course, security. 

The good news is that pools that have undertaken tech assessments are finding that their legacy systems can stay put—there are inexpensive ways to modernize and drive immediate front-end results without an overwhelming rip/replace approach. And, there are solutions available that can facilitate a stepped approach to evaluating protocols, optimizing processes, enhancing workflows and improving services. 

Let’s face it: Whether in it for a profit or not, pools want to reduce operational costs, increase policyholder/member satisfaction, offer systems that are attractive to younger IT workers and form a solid and secure foundation for the future. 

Recent events tell us that it’s no longer an option to “just get by” or “wait and see.” The choice pools face today is a calculated one, and it’s important to recognize that their goal, to attain effective integrated risk management, is only as powerful as the technology foundation that supports it.


Lee Mashore


Lee Mashore is co-founder and chief strategy officer at Vergence. A 20-year veteran of insurance technology, Mashore is hyper-focused on delivering services and solutions to enhance core systems and automate workflows across the P&C insurance enterprise.