Where there is growth, there is opportunity; where there is opportunity for one, there is hope for all. The opportunity to create opportunities for communities in need of growth, the opportunity to create jobs for residents of communities in need of work, the opportunity to create communities for a country in need of hope — these opportunities are true and righteous altogether. By offering these opportunities, insurance entrepreneurs do their part to be true to what our forefathers said on paper: coming together to insure domestic tranquility and form a more perfect union. By creating businesses in Opportunity Zones, insurance entrepreneurs can strengthen communities. Because of the tax incentives Opportunity Zones provide, insurance entrepreneurs must use this tool to help underserved communities nationwide.

A product of the Tax Cuts and Jobs Act of 2017, Opportunity Zones provide a tax incentive for investors to reinvest their unrealized capital gains into dedicated Opportunity Zone Funds. An investor may exclude 100% of long-term or short-term capital gains tax by investing in an Opportunity Fund within 180 days of the realization of that gain. 

A long-term commitment on behalf of low-income communities, Opportunity Zones are census tracts in all 50 states as well as American Samoa, Guam, the Northern Mariana Islands, Puerto Rico and the Virgin Islands. The zones allow an investor to defer capital gains taxes for up to five years. After 10 years, all capital gains on the investment in the Opportunity Zones are waived.

To qualify, the Opportunity Fund must invest more than 90% of its assets in a qualified property or business located in an Opportunity Zone. The property must be significantly improved, which means it must be an original use, or the basis of the property must be double the basis of the non-land assets. The business must remain compliant as an Opportunity Zone-qualified company.

States may designate up to 25% of low-income census tracts as Opportunity Zones. To date, there are 8,764 Opportunity Zones in the U.S., many of which have experienced a lack of investment for decades. These tracts are candidates for renewal, not only because of the wrongs of the past but because of the urgency of the present; for the past is present among generations of residents of the same communities, where change is negative, investment nonexistent and existence itself a nightmare of poverty, strife and despair.

Insurance entrepreneurs must bring opportunity to these communities, offering tax-free retirement income strategies and principal-protected insurance contracts, among other more sophisticated risk management solutions.

See also: Time to Try Being an Entrepreneur?

Insurance entrepreneurs must bring economic freedom to communities in Opportunity Zones, because choice is essential to the survival and success of these communities.

The incentives for everyone, whether insurance entrepreneurs or residents, are several and substantial.

Seizing these opportunities is a way to repair the breach and raise up the foundations of many generations, restoring the lives and dignity of our fellow citizens. 

Opportunity Zones are a grant to lift up the world.

The past 18 months have been interesting (to say the least) for anyone involved in technology strategy, planning or implementation. Ideally, a road map with prioritized projects and defined resource allocations directs the activity, and the company stays relatively true to its path. Unfortunately, the pandemic, with all its implications, has wreaked havoc on tech plans. Project priorities have often shifted, sometimes virtually overnight. Digital gaps have been exposed. Customer expectations have dramatically changed. And executives wonder what the new normal will look like.

SMA has conducted a series of market pulse polls throughout the pandemic, starting in April 2020 as the initial economic lockdowns and work-from-home mandates began to take hold. Our latest survey, conducted this May, assessed how plans are being reshaped as commercial lines insurers move forward in the second half of 2021 and formulate plans for early 2022. Whether we are moving toward a post-pandemic era in the U.S. is debatable, but what seems clear from the plans of commercial lines insurers is that tech-related plans are moving ahead full steam.

So, what does the big picture look like?

The commercial lines insurance industry has gone through three distinct phases over the last year and a half. In the early days of the pandemic, there was a tactical response to the lockdowns that affected employees, customers and partners alike. New virtual, digital capabilities became a priority to enable remote work and remote customer interactions. Then, as 2020 proceeded, phase two began. As it became evident that the pandemic would continue for some time, there was some deceleration of some activities or a pause in projects, and some of the more innovative initiatives were tabled until 2021. The third phase began in 2021 with an explosion of activity. It was almost as if someone flipped a switch on Jan. 1. Commercial lines companies began accelerating plans, launching a frenzy of tech-based strategy and implementation activity in the first half of the year.

SMA’s most recently completed survey shows that hardly any companies plan to retrench or pause project activity in the second half. There is a significant amount of rethinking for road maps and project reprioritizations. One exception to the reshuffling of priorities is in core systems. Any companies that had policy, billing or claims systems modernization projects in flight have continued to push forward. These projects are so foundational and have so much urgency and momentum that it would be unwise to pause or reprioritize them.

See also: The Digital Journey in Commercial Lines

So, the stage is set to be very active for the rest of the year as companies double down on technology initiatives. Although 2022 plans have not come into sharp focus just yet, strategy and budget planning are underway at many companies, and the early glimpse indicates that this accelerated digital transformation will not be just a one-year phenomenon. It may just represent the new normal. I personally can’t wait until 2022 to see what is in store for the industry!

For more information on commercial lines plans for technology, see our recent research report, “Commercial Lines Digital Plans and the Post-Pandemic World: SMA Market Pulse Insights.” The report also includes a view for insurers’ expectations for the workforce come January 2022.

My grandchildren are curious, a trait they definitely inherited from me. Whenever they get a cool new toy or technology gadget (yes, even the 1½-year-old loves these!) and have put it through its paces for a while, their attention inevitably turns to trying to figure out how the thing really works. This can result in the destruction of the item to get a glimpse of its guts, to see how the parts all work together to create the engaging experience they just had.

They are the perfect audience for the book series The Way Things Work by David Macaulay. The simple text and detailed, colorful drawings in these books “pull apart” items “from levers to lasers, from cameras to computers” to show curious kids (and their parents) the inventive thinking and innovation that goes into the things that make life easier, engaging and more enjoyable.

If there was an illustration in this book of traditional insurance distribution, what do you think it would look like? Maybe something like a Rube Goldberg contraption? (For those who don’t know the name, he drew cartoons in which Professor Butts solved a simple task in the most complicated, inefficient and hilarious way possible.) Most people studying the diagram of insurance distribution, especially customers, would agree that the process is complicated, confusing and inefficient -- needing an innovative makeover!  

I have previously highlighted the increasing use of ecosystems and partnerships to expand beyond the traditional agent/broker distribution channel. This creates a win-win-win for insurers, their ecosystem partners and most importantly their customers. Insurers and their partners can quickly tap into new markets, and both potential and current customers benefit from more purchase and service options. Distribution ecosystems also help meet customers where and when they want to buy, creating friction-free experiences and evolving insurance from something that had to be sold to something people want to buy.

These ecosystems create a satisfying experience, just like that cool new toy that your kids and grandkids spend time with. 

Embedded Insurance: Creating Innovative and Interesting Partnerships

Distribution options fall across a spectrum of channels, including direct to customer, agent/broker, other insurers, marketplace exchange or platform and embedded. Embedded insurance is among the newest options, and numerous interesting examples of partnerships between insurers and other industries are popping up, including with GM, Ford, Tesla, SoFi, Petco, Airbnb, Uber and Intuit.

Insurance can be “soft” embedded, offered as an opt-in option during the purchase of another item; “hard” embedded, included as an opt-out option with the purchase of another item; or “invisible,” included in the purchase of another product without the option to remove it (e.g., bumper-to-bumper warranty with a new car).

I’m convinced that ecosystems will play a big role in the future of the industry. So, until the next The Way Things Work book adds a chapter on them, let's do our own examination of how embedded insurance can produce a better result for all stakeholders customers, insurers and ecosystem partners.

The Customer Is the Critical Core Component

Majesco has long promoted/used a framework of three macro trends to help explain the forces driving change in the industry: people, technology and market boundaries. Multi- and digi-channel ecosystem/partnership strategies embody all these categories. No innovation in insurance would be possible without all three, but people are the most important. The greatest, most innovative technology or business model will only last if individuals and business owners see the value in it.

Why do people see value in ecosystem/partnership and embedded distribution models? Some clues can be found by looking at three different models of how people think and make decisions especially about insurance.

Jobs to Be Done

The famous business professor Theodore Levitt gets cited often as a pioneer of the Jobs to Be Done (JTBD) concept, with his quote, “People don’t want a quarter-inch drill, they want a quarter-inch hole.” The idea is that customers don’t necessarily think about products the way the businesses selling them do. To customers, products are an input to accomplishing a larger task, while the business is narrowly focused on making the sale. In his book, The Jobs to Be Done Playbook, Jim Kalbach says: “JTBD is not about your product, service or brand. Instead of focusing on your own solution, you must first understand what people want and why it’s important to them. Accordingly, JTBD deliberately avoids mention of particular solutions in order to first comprehend the process that people go through to solve a problem.”

In traditional distribution, the insurer takes a narrow, inside-out view, where the policy purchase is viewed as the beginning and end of the “job.” But, while customers do want to complete the purchase, it’s just one task in a series they need to do to complete their “job,” which could range from being able to drive their car or buy a home, to setting up their financial wellness plan, and more. 

See also: Embedded Insurance — Both Old and New

With embedded distribution, the insurer recognizes that insurance is just one task in the customer’s job and makes it easier for the customer to complete this task by stringing it together with one or more other tasks in the job. This allows the customer to save time and effort by completing several tasks at once instead of dealing with them separately.

System 1 and System 2 Thinking

In his book, Thinking, Fast and Slow, the Nobel Prize-winning behavioral economist Daniel Kahneman described human decision making and thinking as a two-part system. System 1 thinking produces quick (i.e., instantaneous and sub-conscious) reflexive, automatic decisions based on instinct and past learnings… the familiar “gut reaction.” System 2 is slow, deliberate and reason-based and requires cognitive effort.

Good decisions about complex issues like insurance should be based on System 2 thinking. The problem with System 2 is that it’s hard! And our natural preference as humans is to minimize effort. During the traditional research and buying processes, the effort that is needed can lead many customers to seek shortcuts to in-depth research and analysis or delay a decision altogether. Embedded distribution can ease some of the System 2 effort because the insurance offering is viewed in the context of the “job” the customer is currently doing, making it easier to understand how it will be used and what it does (and doesn’t) do.

Fogg Behavior Model

Another very useful framework for understanding people’s decisions and behaviors is the Fogg Behavior Model, developed by BJ Fogg, the director of the Behavior Design Lab at Stanford University that we highlighted in our customer research and that a number of insurtech startups have used in designing their business models. The model translates behavior into a simple formula consisting of just three components: prompts, motivation and ability, all of which must occur in the same moment for a behavior to occur.

This model highlights an inverse relationship between motivation and ability. If someone has low ability for a behavior (i.e., it’s hard to do), a high level of motivation is needed (plus a prompt) to make it happen. Similarly, if someone has low motivation for a behavior, whoever wants them to do it must make it extremely easy (and provide the right prompt). Using this model as a lens for how people make insurance decisions reveals the weaknesses of traditional insurance distribution that ecosystems and embedded insurance can exploit. Let’s take a look at the three components.

Prompts

What triggers people to think about buying insurance? 

There are two basic categories of prompting events that align with mandatory and discretionary insurance. Simple examples of mandatory prompts are auto and homeowners insurance in personal lines or workers compensation in commercial – the customer must buy these to own the car or home or to run a business that has employees.

Discretionary prompts align with other events that cause people to think about protection of the things that are important to them. In our 2020 consumer research on life insurance, we actually found that life events had a stronger impact on younger generations in terms of considering life insurance purchases, as seen in Figure 1, which shows the gaps in the ratings between Gen Z / millennials and Gen X / Boomers.

Figure 1: Gaps between generations in impact of life events on L&A insurance purchase consideration

In the traditional distribution model, insurers need to fight for share of mind so people think of them when one of these prompts occurs. Large personal lines insurers like GEICO, Progressive and State Farm spend millions of dollars on advertising – not to cause people to drop what they’re doing and begin the buying process but to stay top of mind for the times when important events cause people to think about the need to buy or update their insurance.

In the embedded approach, the insurer receives in-the-moment top-of-mind awareness because the offering is placed directly in the path of purchase of another product or service… at the right time and in the right place. This is a great strategy for well-known brands and startups alike. A startup insurer won’t have the same brand equity as one of the major advertisers, but it can get some “rub-off” equity as a featured option by a trusted ecosystem partner from whom the customer is purchasing a product or service, or the startup could be white labeled with the partner’s brand.

Motivation

Motivation, with respect to insurance, is closely related to prompts and has two types I like to call “forced” and “fuzzy” that align with the mandatory and discretionary prompt categories. Mandatory coverages can be highly motivating, but to some people they can carry a negative feeling of being “forced” to buy insurance (of course, most people probably would buy these coverages even if not mandatory). “Fuzzy” motivation is a more emotional feeling about the value and importance of insurance… and it’s vitally important to the purchase of discretionary products like life insurance.  Fortunately, Gen Z / Millennials place high importance on life insurance, even more so than their older counterparts, as we found in our 2020 consumer research.  

Figure 2: Importance of life insurance

In traditional distribution, insurers rely on these two types of motivation to drive customers to their websites, agents or call centers. It’s a strategy based on hope. In embedded insurance, the insurer piggybacks on the motivation that has driven the customer to buy a product or service. This is a strategy based on intimate knowledge of your current and potential customers.

Ability

Most customers do not think of insurance as being “easy to do business with.” In some of our early consumer research, we found that insurance ranked at or near the bottom in terms of being easy to research, buy and service compared with other businesses customers interact with. The life and annuity industry ranked worse than property and casualty. Even cable and mobile phone companies ranked higher in many categories, two industries with traditionally poor customer service.

Since then, many insurers have made great strides in simplifying processes and products with new data sources, digital technologies and cloud-based platforms. However, JD Power’s recent study on customers’ P&C insurance digital experience reveals that insurers are having a hard time keeping up with continually rising expectations for digital capabilities; the study says insurers are “stuck at providing only ‘good enough’ digital user experience.”

In the traditional distribution model, insurers rely on motivated prospects who have been prompted by an important event to reach out to them to research and buy insurance. If the insurer’s processes and products are too complex and exceed the prospect’s abilities (and patience), the insurer loses the business. In the embedded model, motivated customers can add insurance to a product or service during the purchase process, usually with just a few clicks. Easy peasy!

See also: Why Open Insurance Is the Future

Make Multi- and Digi-Channel Distribution Your Strategy

Traditional distribution channels have served the insurance industry well for hundreds of years. They still work and are vitally important. But people, technology and market boundaries have changed dramatically in just the past few years, and insurance distribution must keep up. The new and growing spectrum of channel options now available, especially the exciting opportunities for embedded insurance, will give innovative insurers and their partners tremendous opportunities for growth, with new markets, new offerings, satisfied and loyal customers…and growing books of business.

What is prompting you to adopt a multi- and digi-channel distribution strategy? Are you motivated to take action? Do you have the ability? These are the components that drive decisions and actions…and innovative insurers are deciding to act!

Ratemaking processes using legacy technology and methods are no longer adequate.

A recent McKinsey report, Insurance 2030—The impact of AI on the future of insurance, found that more technologically advanced market entrants have increased pressure on traditional insurance companies to innovate. Furthermore, the pandemic has increased the need for insurers to adopt solutions that enable them to meet consumer expectations for more affordable rates and for products that meet their needs, at the moment of need. 

The answer is dynamic ratemaking, an advanced, AI-driven process that creates product offerings that respond to real-time market changes and align with consumers’ expectations as market conditions shift.

Delivering on Consumer Expectations With Agility

Traditionally, gathering data and building new insurance rate structures has taken several months, because traditional systems are slow to adapt and solutions that operate in a siloed manner rely on multiple approval processes.

Waiting six to 12 months to introduce new insurance products and rates is too long. Many insurers currently use real-time automated ratemaking and product deployment, and consumers are likely to go with those insurers that can provide the most personalized and competitive product offerings.

Personalization as a Competitive Advantage

Consider usage-based insurance (UBI). Some insurance customers now prefer to pay a rate based on their driving habits, as opposed to a one-size-fits-all rate, and dynamic solutions can calculate millions of rates and product options each day – in a personalized way.  

A dynamic solution enables insurers to provide both traditional and UBI options by managing and automating the entire ratemaking process. Agile and sophisticated solutions propel data through the enterprise-wide ratemaking machine to deploy new rates quickly. Once filed and deployed, real-time quotes are provided to the right customer touchpoint. 

See also: Pressure to Innovate Shifts Priorities

Iterative Deployment of a Dynamic Solution

A single, end-to-end solution that combines personalization, ratemaking and deployment capabilities doesn’t necessarily require a complex implementation. Capabilities can be implemented iteratively, enabling insurers to realize ROI faster and safeguard operations.

With increased technology adoption in the insurance industry, the market will become more competitive, and consumers' expectations heightened. Alternatives to traditional ratemaking methods can improve consumer retention and enable insurers to offer competitive options regardless of market conditions. With a dynamic rating solution that combines advanced and traditional statistical methods, insurers can create and deploy new rating structures attuned to market conditions and consumer needs.

Offering advanced digital capabilities to customers is a top priority for many insurers, which are now re-evaluating the core systems they’ve used for decades and looking for alternatives. 

When considering the modern core systems on the market today, carriers need to be aware that not all solutions are created equal. To leverage the full benefits of cloud technology, decision-makers must understand the nuances of cloud-agnostic software models and SaaS platforms. 

The 'Run It Anywhere' Model

Traditional enterprise software companies develop systems designed for insurers to deploy and operate on their own infrastructure. In this model, the insurer controls and operates the infrastructure. 

But the time and cost to design and implement infrastructure is easy to underestimate. Even if the software is easy to deploy, the design, implementation and required maintenance of infrastructure are high-skill and -cost activities, both up front and on a continuing basis. 

Operating the infrastructure also means the insurance carrier is responsible for the security and reliability of the system. This results in even more cost and pulls IT staff attention away from other projects. All security and reliability service-level agreements with the business are underwritten by the carrier’s internal IT team.

The same goes for software support. When the carrier’s employees or customers experience issues with the software, the insurer must investigate to find out whether its own infrastructure is the problem or if blame falls to the software vendor. Overall, this model results in a lot of extra work and cost for the carrier. 

Software companies that follow the “run it anywhere” model are easy to spot by the claims they make. If a software vendor claims to be able to “run on any infrastructure” or be “cloud-agnostic,” it follows this model.

Using Cloud Technology Doesn’t Change This Model

In the traditional model for core systems, insurers use on-premises infrastructure. When we hear "on-premises," we think of the insurer having their own server room in their building. 

But insurers now tend to outsource the physical aspect of managing their data center. “On-premises” now usually refers to servers housed in a commercial data center. Removing the outsourced data center and replacing it with cloud infrastructure (IaaS) can provide many benefits, but it doesn’t change the essence of the model. 

The carrier still takes on all the complexity and cost of designing, implementing, operating and maintaining the infrastructure to run the vendor’s software. If anything, there is even more complexity, because the cloud brings additional security risk compared with the dedicated data center.

See also: The ‘Race to Zero’ in Insurance SaaS

Adding Digital Capabilities Further Strains the 'Run It Anywhere' Model

Any modern core system must support digital service channels and collaboration with the insurer’s ecosystem through application programming interfaces (APIs). 

These connect the carrier’s digital channels like portals, chatbots, contact centers and voice assistants to their real-time core data store. Having a cloud infrastructure enables these digital capabilities and is key to providing fast self-service that is consistent across channels, as well as integrations with ecosystem partners.

But, again, making a core system available to anyone over the internet, even indirectly through a web-based cloud infrastructure, must be handled with care. This is a moving target as hackers continue to up their game. 

Much of the protection insurers need comes from their infrastructure, not from the application. So, with the “run it anywhere” model, a large portion of the complexity, risk and cost is taken on by the insurer.

Insurance carriers have to wonder, is this where they want to focus their IT expertise? Fundamentally, if the carrier can “run it anywhere,” the carrier will be doing the running.

Containers Limit the Benefits of Cloud Technology

One of the enabling technologies of “run it anywhere” is containerization. When software is packaged in containers, it can run almost anywhere – on-premises or in any cloud. Containers are very useful, but they’re not the best for everything. Once an insurer is committed to a cloud provider, other useful technologies like serverless functions and cloud managed services can be leveraged. 

Serverless functions are a way of deploying software without managing infrastructure, allowing software to scale from very low to very high usage without any additional effort, and only paying for what is used. The approach is ideal for peaky workloads like the APIs supporting digital service channels. 

Clouds also offer managed services, large building blocks of capability that reduce the cost of infrastructure while improving security and reliability. Some replace what would otherwise be self-managed infrastructure, including file storage, backup, database management and network management. Others add leading cloud capabilities like business intelligence, machine learning and voice interfaces. 

SaaS Is the True Solution to Reap All the Benefits of Cloud 

Leveraging serverless functions and cloud managed services gives SaaS core systems vendors a great opportunity to embed additional value for the carrier. But because these technologies are not standardized to use across different types of infrastructures, they can’t be leveraged by those “run it anywhere” vendors seeking to be cloud-agnostic.

The goal of a SaaS company is to focus its efforts on creating one system that works extremely well, instead of creating many variations for each individual insurer that may not perform as efficiently. This goal allows the SaaS vendor to provide the most cost-effective, secure, scalable and reliable solution possible for clients.  

Another advantage of SaaS is the benefit of a strong partnership with a single cloud provider. Cloud-agnostic companies that work with multiple cloud providers spread their skills and commercial influence across multiple providers. The companies weaken their internal expertise and reduce their access to support and to key resources from the cloud infrastructure partner.

When moving to cloud-based core systems to modernize their organization, insurance carriers should keep a few points in mind: 

• Look for SaaS core systems to get the full benefits of cloud technology.
• Choose a vendor that allows the carrier to focus its IT resources on differentiating the business, not building and maintaining infrastructure.
• Ask if the SaaS vendor has developed a strong cloud infrastructure partner.
• Expect the SaaS vendor to leverage cloud machine learning and digital communications to help the carrier deliver leading-edge digital capabilities.

Breakthrough for Blockchain? Paul Carroll, Editor-in-Chief of ITL While the enormous potential for blockchain in insurance has been apparent for a while, I’ve been waiting to see a breakout application hit the real world. I think I saw one last week, albeit in a different industry. An article on Quora reported that Amadeus, a global reservation system, has adopted a blockchain-based system for verifying health clearances, such as COVID-19 vaccination records, for travelers. The system will have to adapt as the pandemic continues to unfold and, in particular, as policies on eligibility for travel evolve, so success is by no means guaranteed. But I think this rollout is one to watch, because it’s the first I’ve seen that aims at truly massive scale, of the sort that will need to occur in the insurance industry as blockchain tracks certificates of insurance, manages first notice of loss and so on. continue reading > Majesco Webinar Join this webinar to learn how Group and Voluntary Benefits players have the opportunity to extend their reach through new, broader diversified plays that align to a new generation of employees and employers.   Register Now SIX THINGS Embedded Insurance: The New Hot Topic by Joan Cuscó An InsTech London report forecasts that the embedded insurance market could be $722 billion in gross written premium globally by 2030. Read More Building Telematics Can Mitigate Risk by William Evans Advances in cloud computing, AI and sensors are combining to offer insurers new, better variables to characterize occupancy risk in buildings. Read More How Insurance Can Halt Ransomware by Vishaal Hariprasad As with the hostage-taking crisis of the 1970s, insurers are uniquely positioned to play a leadership role and de-escalate ransomware. Read More Breathing Life Into Life Insurance by Sammy Rubin To meet the needs of modern consumers, life insurers' products must be accessible, user-friendly and valuable to users’ everyday lives. Read More Creating Empathetic Customer Experience by Rhonda Basler Your brand’s empathy matters more than ever to customers who’ve undergone what can only be called an emotional roller coaster. Read More How Blockchain Can Disrupt Insurance by Kunal Sawhney While digitization and technology have always existed in insurance, blockchain has emerged as rocket fuel for transformation. Read More MORE FROM ITL AUGUST FOCUS: Cognitive Technologies This month sponsored by Intellect SEEC Cognitive computing is a funny beast. Every time you hit your target, you find that another pops up off in the distance. When I first saw a demonstration of speech recognition, some 30 years ago, I was mightily impressed that the computer understood a few words. If I had seen what would be possible today, I’d have been stunned. But now? Oh, that’s just Siri or Alexa. And why didn’t auto-correct guess exactly what I wanted to say? Keep Reading Partner with ITL to create expert thought leadership content. Custom Content Promoted Content Display Advertising Custom Webinars Monthly Topic Sponsorships ITL Partner Packages and more Learn more and get the 2021 Media Kit GET INVOLVED Write for Us Our authors are what set Insurance Thought Leadership apart. Get Started SPREAD THE WORD Share Share Tweet Forward SUBSCRIBE TO SIX THINGS

Ransomware cyber insurance policies are perceived as having high deductibles and low ceilings. In other words, costs are seen as misaligned with the risks and coverage needs of insureds.

Many insurance companies have adopted a conservative approach toward ransomware premiums out of fear of a cyber insurance "hurricane" where, due to correlated risks and virtually unlimited liability, insurers could be overwhelmed by claims covering cyber-extortion payments, forensics, recovery and data loss and legal expenses.

Exposure has led to premium increases, and some carriers now sub-limit policies with fixed caps on recompense. Mechanisms such as co-insurance demonstrate a mindset of risk-sharing, but a more efficient cyber insurance marketplace demands a broader understanding of shared risk.

Ransomware attacks are felt beyond the targets, with pain spread across the global economy. Cyber insurance offers financial stability. Brokers, actuaries, auditors and other stakeholders should expect reasonable, documented assurances that insureds are making rational investment decisions concerning risk management.

This requires greater cooperation among insurance companies, policyholders and private industry -- including technology vendors. Disclosure and documentation, internal network and ransomware data resilience controls and information sharing are areas where we can and should work more closely. This is the way to ensure individual pricing suits the size and scale of risk for both insurers and insureds.

Shared responsibility for data resiliency

An aggressive cybersecurity posture must include forward-thinking strategies toward ransomware. It is in the interests of each of us to disrupt the cyber-extortion business model and eliminate its source of profits.

Ransomware variants are not monolithic. A cooperative response requires a joint analysis of both new and emerging threats, as well as the technologies that ensure security controls are in place and effectively applied.

Altogether, technology is shifting the paradigm. It is effective at early ransomware detection, and software can automatically shut down attacks to minimize the damage. However, while historical capital expenditures have been focused on perimeter and endpoint protection, effectiveness has proven incomplete.

See also: Premiums Climb as Ransomware Bites

Data immutability provides a more complete resiliency model. Maintaining clean datasets that are more readily restored, minimizing loss and preserving data probity, means making data resilient to malicious encryption.

Global file systems, as an example, which in advanced applications offer wider unstructured data management capabilities, in some cases use immutable data architectures.

While immutable repositories resist tampering with data contents, that does not necessarily mean that the host platform cannot be compromised separately. Cybercriminals are adept at finding ways to disable data protection software and systems.

Conducting backups on a daily or weekly basis can help organizations better respond to a ransomware strike, but restoring from a backup almost always involves data loss. Strict data-backup procedures do not ensure that files cannot be encrypted, and moving backups offline results in an operational gap.

Additionally, even where backups are readily available, the time that such restoration will take is frequently underestimated. Because backups are a complete and incrementally produced copy of data, the size of the dataset is substantial, and it may take days or even weeks for clean copies to be restored.

Insurers, policyholders and technology makers should be aware that immutable approaches to data storage are particularly effective even in cases where ransomware can lie dormant in an IT environment, leading to backup of files containing malicious code, because they preserve a pristine data set.

Cloud-based immutable storage repositories, such as Panzura on Amazon AWS S3, which operates with an object-lock feature irrespective of whether the data is accessed, may not necessarily prevent an attack but maintain an unadulterated copy of data for use in a restore scenario.

Best practices say that, should a primary object store be attacked through a security vulnerability, insureds should consider a split-write, or cloud mirror, to a second object store to ensure guaranteed data accessibility.

Collectively documenting data resilience

Research by the University of Kent and the Royal United Services Institute for Defence and Security Studies (RUSI) indicates the insurance sector is struggling to collect and share reliable cyber risk data that can inform underwriting. The report posits that more regulatory intervention may be necessary.

While there is a legitimate role for public agencies in the fight against ransomware, the time is now to take collective steps that will avoid the blunt lattice of regulation. Frameworks of agreement and cooperation among private industry are really the best cure.

The cyber-ecosystem is only as strong as its weakest link, and insurers can more thoroughly underwrite cyber insurance if they better understand the precautions that insureds must take to fend off ransomware attacks and back up their data resources.

Providing brokers and underwriters with better information calls for standardized certifications, enabling all parties to have a holistic view of what constitutes secure data. This should be based on a clear mapping of agreed protocols for defense and acceptable recovery parameters.

See also: Cyber Risk Impact of Working From Home

The insurance purchasing process itself requires an inward evaluation of security controls, and results in better understanding of the value and nature of data. For example, Panzura works with customers to provide a Statement of Ransomware Resilience, along with other types of documentation, which insurers can consider when determining premium pricing and coverage limits.

Consensus among insurers and technology vendors is necessary to define the form and function of the documentation. Acceptance should be a basis for negotiating rates that appropriately balance risk with the immutability and resilience of insured data and networks.

Sharing risk more equitably, we can build on responsible efforts by insurers to avoid a cyber insurance "hurricane." Collective action will shield all organizations from infection and mitigate the damage of ransomware on the global economic landscape.

In the current wave of ransomware attacks, large insurance agencies have a bright red target on their backs because they have lots of personally identifiable information (PII) and have the means to pay high ransoms. Smaller insurance agencies are just as vulnerable but might not have the means to secure or reclaim client information. Regardless of size, insurance agencies that do not properly educate their staff are leaving major gaps that can be exploited.

One of the most common ways for agencies to lose valuable information is through insider threats, which occur when employees or people with approved access to your systems take or leak information through sabotage, theft, espionage, fraud or just plain ol' human error.

By preparing agents to be the first line of defense against cybercrime, insurance agencies can change employees from risks to guardians and minimize the chances of an attack that harms their clients, reputation and bottom line.

Improve email security with agency-wide policies and multi-factor authentication

Compromised emails are the entry point for 60% of cyber attacks and create opportunities for criminals to plant ransomware, steal funds and misuse sensitive information. Hackers have access to databases chock full of compromised email accounts. Agencies want to keep employee emails off these lists, but they also need to protect themselves if an agent's accounts find their way there. Criminals can use these accounts to gain access to your agency network like a lily pad, leaping from a personal account to a work account to a company-wide breach.

Here's an example: John Doe is unaware his Facebook credentials are in one of these illicit databases. Hackers have access to his full name, personal email address, password and place of work: ABC Insurance. They learn from the agency website that agents' email format is firstnamelastname@abcinsurance.com. With this information, they can email John and other agents or attempt to log in to his work email. Whether or not he's reused his password, an experienced hacker can get access in a matter of minutes.

See also: 6 Cybersecurity Threats for Insurers

There are multiple steps agencies can take to minimize the chances of compromised emails:

• Don't publish any employee emails on your website. Limit public emails to aliases such as info@abcinsurance.com or use a contact form.
• Don't let your agency's security hinge on another site's vulnerability. Ensure employees don't use their work emails to sign up for other websites.
• Use multi-factor authentication (MFA) for all email log-ins. While text messages are one way to add an authentication factor, SMS channels are vulnerable to hacking. MFA apps are the gold standard and are likely free to use with your agency management system, such as Microsoft 360.

Educate agents about phishing and safe email habits

All agents must be vigilant about phishing emails that steal PII by impersonating another person or organization. Phishing has become sophisticated enough to fool multiple employees within an organization, posing as legitimate emails from systems that criminals know an agency uses. Whether your agents are working on-site or remotely, all it takes is one successful phishing attempt for a bad actor to install malware or steal sensitive information.

Good email habits and open communication can thwart phishing attacks:

• Err on the side of caution when opening links and entering log-in information. Agents should not log into a website directly through a form in an email.
• Verify the domain name/URL of any link opened from an email. Cybercriminals create fake, nearly identical pages that can fool anyone not paying close attention to what website they're really on.
• If your agency uses Slack or a similar platform, you can dedicate a channel to report suspected phishing.

Encourage vigilance in and out of the workplace

A great way to ensure that agents are vigilant is to test employees with a mock-phishing email to see if they catch it. There is software available that can help with this, or you can have a close contact from outside your agency send an email asking agents to reply with a phone number or other piece of PII. If the email sounds urgent enough, many times people will reply with the requested information thinking they are helping in an emergency. Collect the emails that come back to your outsider contact and discuss them with the team as an opportunity for education on cyber security awareness. Once you have a baseline, repeat the test every few months and monitor how your agency's cybersecurity improves (we hope) over time.

It's also a good idea to educate agents on the value of regularly checking their personal account security to prevent a lily pad breach. Websites like Avast and haveibeenpwned inform you if there are PII leaks associated with your email address. Agents can check their personal accounts at these sites and keep on top of their own data security for the security of their agencies.

See also: Hidden Dangers for Cybersecurity

Insurance agents need to treat their emails like they're the keys to the agency vault -- because they are. Increasing email security through these simple methods makes your agency much harder to breach and will ultimately save money and prevent headaches, including lost goodwill among clients.

While the enormous potential for blockchain in insurance has been apparent for a while, I've been waiting to see a breakout application hit the real world. I think I saw one last week, albeit in a different industry.

An article on Quora reported that Amadeus, a global reservation system, has adopted a blockchain-based system for verifying health clearances, such as COVID-19 vaccination records, for travelers.

The system will have to adapt as the pandemic continues to unfold and, in particular, as policies on eligibility for travel evolve, so success is by no means guaranteed. But I think this rollout is one to watch, because it's the first I've seen that aims at truly massive scale, of the sort that will need to occur in the insurance industry as blockchain tracks certificates of insurance, manages first notice of loss and so on.

Initially, the blockchain system, IBM's Digital Health Pass, is being used by just six airlines: Air Europa, Air Corsica, French Bee, Air Caraibes, Air Canada and Norwegian Air Shuttle. But all 474 airlines in Amadeus can activate the capability, and the need is pressing -- the Quora article opens with a description of travelers queued up at London's Heathrow airport for as long as six hours in April while waiting for agents to make sense of the various COVID-19 health clearances.

"Imagine small cards, stamped documents, and digital apps in various languages and formats," the article says. "The lack of standardization was a killer."

With the blockchain system, travelers provide credentials that back-end technology authenticates against the requirements of each country and airline, recording all information in a secure ledger. When travelers approach agents at airports, they have a QR code emailed to them that is then scanned and validates their eligibility for travel. The process is simpler for travelers and far simpler for agents. The process is also adaptable. As travel restrictions change, the electronic systems can sort through all the complexity in the background and still give the agent a binary decision: authorized or not authorized.

The hope is that blockchain could extend well beyond the health pass and supplant much of the other paperwork, including physical passports, that comes with travel, especially across borders. But just having the health pass work at scale would, for me, be plenty of validation for the blockchain concept.

We know from our friends at the Riskstream Collaborative that applications such as for proof of insurance and for first notice of loss are in advanced stages of development. And once one use takes hold -- even if it's in the airline industry -- I think the technology will mature and trust will increase, meaning that progress will happen rapidly from then on.

Cheers,

Paul

Commercial general liability insurers traditionally estimate business risk exposure of similar businesses based on variables like floor area and revenue. Advances in cloud computing and artificial intelligence are combining to offer insurers new, better variables to characterize risk.

Insurers generally understand that liability risk correlates to human presence and movement. A hair salon with twice the foot traffic should present twice the slip-and-fall risk. More expensive haircuts may reflect a business customer’s greater ability to pay but probably do not increase slip-and-fall risk. Indeed, risk should correlate linearly with foot traffic unless (1) traffic is so high that conditions become over-crowded and the risk accelerates, or (2) the building falls unoccupied. Measuring foot traffic and occupancy can also confirm that the insured’s description of its business corresponds to its actual business.

Progressive Insurance introduced new attributes to characterize driving behavior when it pioneered automotive telematics in the late 1990s, an early practice of usage-based insurance (UBI). Rather than insure an automobile based simply on the vehicle’s make/model and age and the driver’s sex and age, insurers could introduce newly observable attributes to better model risk:  distance, speed, time of day, etc.

Twenty-five years later, a similar revolution is stirring in building insurance. Advances in cloud computing, artificial intelligence, semiconductors and the internet of things (IoT) make it practical and inexpensive to measure foot traffic and occupancy. Rather than depending on the policyholder to estimate human presence, a process unlikely to deliver numbers that can be compared across businesses, human presence can be measured objectively and continuously. The information will also deliver an actuarial  basis for risk assessment over time.

Risk engineers are eminently capable of characterizing variables like floor surface, lighting and door placement. However, variables like occupancy that change continuously are effectively impossible to characterize during an annual visit.  

These sensors are not your father’s IoT. IoT that measures temperature, lighting, sound intensity, hail stone size or flood level are all first-generation devices that require negligible processing power, either at the edge or in the cloud. The new generation of IoT requires high-performance, low-power, edge computing devices to predict risk, not simply measure what is empirically evident.

Some insurers think of IoT data as the new FICO (consumer credit) scores for businesses. If a hotel’s ballrooms are always below the limit set by the fire marshal, that implies hotel management is willing to play by the rules. If restaurants and bars do not overcrowd their spaces, they are less likely to obstruct exits or understaff operations. Attention to the rules implies lower risk...and that business may be one the insurer will want to retain with lower premiums.

Foot traffic and occupancy data should be of value to the business owner as well as the insurer -- if for different reasons. A cafeteria may want to use foot traffic data to plan food preparation to minimize food waste. Office tenants can use occupancy data for space planning: Does the business need more, less or different space in the coming year? A restaurant owner might want to compare receipts to foot traffic and customer dwell time to measure the effectiveness of sales staff. Does a business efficiently use its real estate? How does a company compare with its peers? Are there opportunities to use real estate more efficiently?

It is likely that not all policymakers will welcome a technology that measures occupancy -- in the same way not all drivers have welcomed technologies that measure driving behavior. Conversely, businesses that welcome the sensors are likely to self-select as attentive to overcrowding... and reflect a lower risk. And once the sensors are in place, reverse moral hazard suggests that insureds will improve their behavior -- justifying a discount offered in exchange for accepting the sensors.

Insurers can gain market share by identifying lower-risk properties and offering discounts. Higher-risk properties will see higher premiums and will either need to work with their insurers to reduce risk or will need to find new insurers -- probably one that isn’t employing building telematics technology. The outcome of this trend is that overall commercial general liability (CGL) premiums will decline, in part because high-risk properties will be obliged to work to lower their risk profile.

With risk profile information in hand, property insurance may move to the embedded-insurance model, where insurance is provided by the property owner who is equipped to measure occupancy -- and risk -- in real time. If your staff is at home during a pandemic, premiums drop contractually. If you double the number of staff in a space, premiums rise. More tenants pay a fair price for CGL insurance, and more tenants are suitably insured.

Occupancy and foot traffic will not be the last variables to be quietly but accurately measured by Internet of Things sensors. Other attributes that will be able to be measured include the presence of adults versus children; whether persons are running or walking or sitting; the presence of door mats when it has rained.    

As the cost of semiconductors, cloud computing and cellular connectivity continues to decline, sensors will be cheaper to install and manage. At the same time, underwriters and actuaries will be able to accumulate new, invaluable data that more accurately assess risk and reduce the insurance costs of the 75% of customers who, until now, have been subsidizing the other 25% -- now that we finally know who’s who.