The impact of drones in multiple industry sectors, including insurance, has been the subject of increasing interest. Market research is making a forceful case that drones are a technology that insurers cannot afford to ignore–drone uptake globally and their growing capabilities present multiple opportunities for insurers. A recent Goldman Sachs report forecast that drones will create a $100 billion global market opportunity by 2020. The fastest growth, the report predicts, will come in commercial and civil government uses of drones. The banking group expects governments and businesses to spend $13 billion on drones between now and 2020 and consumers to spend $17 billion. This will create a $1.4 billion market for drone insurance, the report predicts. PwC is even more bullish. A report released in May calculates the global market for the commercial application of drones at more than $127 billion and predicts that drones will generate $6.8 billion in value for the insurance industry. See also: Drones Reducing Accidents on Job   The growing value of the global drone industry and the growing capabilities of individual drones both present important opportunities to insurers.

• The provision of drone insurance will become a growing business as these machines are used in greater and greater numbers. This will give insurers the chance to grow their core business.
• Drones themselves can be useful tools for improving insurance operations. They will give insurers the opportunity to innovate.
• The use of drones across industry segments will affect risk, and how it is insured.

See also: The Many Questions Raised by Drones   In my next three posts in this series, I look at the use of drones in insurance applications, the imperative for drones to be insured and the potential impact of cyber threats.

One thing we know for sure is that the “train has left the station” when it comes to healthcare reform. No matter what party you follow, or policy you like to support or ignore, the healthcare industry MUST change to a value-based platform. What that means is that, while the financial infrastructure of receiving healthcare used to be a pay per visit/test/hospital stay, etc., it is moving to a payment system based on outcomes -- or "value," as we like to brand it, because it sounds better. What that means is a radical change for any associated industry, including, foremost, insurance companies, the ultimate risk bearers. All insurance executives rejoice, right? The idea of offsetting the risk to the providers responsible for the care of the patient sounds like one heck of a business strategy. Is it, and what does this mean to the insurtech conversation? My point of view: A LOT. Keep reading. I promise I’ll keep it short…who has time for long articles? My goal is to get your thoughts charged around how this affects you and give you an idea or two It may be relevant to know that I am a long-term provider advocate, having been the chief administrator of a large OB/GYN group while I cut my teeth in healthcare and having served 10 years as the CEO of the then-largest and most prestigious primary care/internal medicine group in the region. I can tell you that this movement is the RIGHT thing to do, and I can also tell you that it is complex, expensive and overwhelming. See also: U.S. Healthcare: No Simple Insurtech Fix   The days of small practices with time to actually spend with the patient and not face the computer (and be buried in endless paperwork burdens, digital or not) are seemingly gone due to the demands of the system. If you have been to a medical facility as an actual patient in the last year, (and I hope you have been for at least your annual physical), I am confident that you saw this first-hand. Your experience likely included witnessing every staff member from the front desk to the clinical team inputting data of all sorts into the computer, and perhaps not having enough time asking you how you “really” were. (READ: COULD THIS BE A RISK ISSUE?) What you may have also noticed is that you probably had to pay more than you expected. Gone are the days of the $10 co-pay. The movement to high-deductible plans has changed the game completely. So what does this mean to you? In the March 2017 article by Sam Evans, “The 10 Trends at the Heart of the Insurtech Revolution” #1 was that “Insurance will be bought differently,” (also sold, underwritten, etc.) The demands of the medical community and the patient are under attack with what seems like an endless need to capture and understand data, learn, develop new payment infrastructures and oh, by the way, be transparent so everyone knows exactly what is going down. Dr. Halee Fischer-Wright (the CEO of the national Medical Group Management Association and a physician) rants in her new book, "Back to Balance," about this early and often. She says that “according to the MGMA study, it costs the average practice $40,069 per physician per year to just manage and report quality measures. For a relatively small practice of 10 doctors, that’s more than $400,000 per year. Not to improve on measures--just to report.” WOW- She continues with story after story and urges us to consider how to get a better balance and to put the patient at the front of the conversation. It’s a good read, and I’d recommend it if you have clients in the healthcare space. Three key points to digest:

1. Value-based healthcare is here to stay: It changes everything for every healthcare-related client you have. If you are on the risk side of the business, understanding how the new systems are creating learning opportunities, barriers and downright sinkholes that your clients may fall into is mission-critical. (I didn’t get into it, but clearly the issues with technology and the added complexity of detailed health information is the patient privacy/hacking issues… oh, yes… another policy that healthcare providers need to buy or buy more of to protect their patient information.)
2. The pure cost of healthcare is increasing due to many competing factors, and most of that cost is SHIFTING to the patient. This means insurance is being bought differently. This means that new insurance alternatives are popping up, (concierge, direct primary care, employer-sponsored, etc.) and that there are NEW customers for you to understand and educate on the role that insurtech plays in their world. Many of these are NEW AND INNOVATIVE companies that need deep knowledge on these matters.
3. Anyone who has physician/hospital clients should be VERY AWARE AND EDUCATED on every aspect from risk assignment, to education, how technology affects patient care and ultimately malpractice, financial pressures- I would say EVERYTHING is up for review and understanding.

See also: Healthcare: Need for Transparency If as an industry, we are to be the BEST PARTNERS for our clients, then we must do more than have a cursory understanding of the multiple issues with value-based care. If anyone needs a tutorial, I am up for helping out!

As more insurers consider moving some of their core systems to the cloud, many want to know how secure their data and applications will be.

There are four major security considerations for cloud-based core systems: application risks, data risks, intellectual property risks and physical risks.

See also: Why the Cloud Makes It All Happen  

There are two basic models for how an insurer can use core systems in the cloud.

• Model One: An insurer licenses core systems from a core system vendor, and then the insurer or an integration partner deploys and uses those core systems in the cloud.
• Model Two: A core system vendor deploys its core systems in the cloud, and then makes those core systems available to an insurer on a subscription basis.

Leading cloud providers create and maintain a set of services and capabilities to provide security for infrastructure and platform cloud elements. The breadth and depth of these tools and capabilities are generally equal to, and often better than, those utilized by individual insurers that deploy core systems on their own premises.

When properly addressed, security considerations should not be a barrier to an insurer using and realizing the benefits of cloud-based core systems.

See also: How Can Insurers Leverage the Cloud?   For access to the full report, please click here.

This article will be a 15-minute read. If you work for an insurtech startup that wants to get a deal done with an insurance carrier, it will be a very valuable 15 minutes. If you know somebody like that, please forward it to them.

Imagine this: You are the founder of an insurtech startup. You’ve got a great solution that could deliver meaningful results for any insurance carrier that brings you on. You’ve been through an accelerator (or two), have received initial funding and have your advisory board in place. You may even have a couple of pilots under your belt. Now, it’s time to really start cranking up your sales/partnerships.

As you roll out sales strategies for the year, I thought it would be useful to provide a guide for startups to consider when preparing to meet with their next prospective carrier. Collaboration between startups and carriers is a topic near and dear to my heart. While the focus is primarily for B2B startups, many of the same principles outlined below apply to D2C startups, which are looking to partner with an insurance carrier for distribution purposes.

The framework for this guide is as follows:

1. Know your value
2. Know your customer
3. Find out who holds profit and loss (P&L)
4. Help them understand how you’ll bring value to them
5. Sign a letter of intent (LOI) and agree on a pilot
6. Focus on both the art and science of the sale

Know your value

Startups, if you are reading this, please keep the following question in mind when you are reading the rest of the article. Is your solution going to help a carrier save costs or increase revenue? Have a clear value proposition and give tangible examples of what you do (i.e., use cases where it is already working). For example:

• Saving costs – DO YOU remove the need for manual/high cost processes? Identify opportunities to improve lapse rates, persistency ratios, loss ratios? Provide the carrier with new data sets for better and more accurate modeling? Etc.
• Driving revenue – DO YOU increase a carrier's number of prospects? Increase conversion rate? Increase sales volume because of a new niche product capturing a new market? Etc.

If you can not answer this question, you may want to focus on this first before reading the rest of this article. At the very least, have that question answered before you follow the advice provided in this article.

Know your customer

You know what value you provide to carriers.  Now, it’s time to go meet with them. Wrong. Before you meet with a carrier, do your homework and be specific about which carriers you want to target.

See also: Insurtech vs. Legacy Insurance Carriers  

Information you should know about the carriers you are targeting:

• What is their organizational direction?
• Who is their main competition, and what has their competition been doing when it comes to innovation?
• Who are the key players within the organization? (See next section)
• Has the carrier done anything really meaningful in the market recently?

The more you know about a company when you walk in, the better. Don’t you feel good when someone knows a bit about your solution when you first meet the person?

There are plenty of ways to get this information. Read about the company and research whatever is publicly available online. Use LinkedIn and your network to find out more if you can’t find it online. Once you’ve done your homework and know who you are going to target, work on getting in the door. LinkedIn and your network will be powerful here, too.

However, before you meet with a carrier, it’s important to know who in the organization you will and need to meet with. The below is a basic, high-level organizational chart of an insurance carrier (this will vary depending on the organization): A few notes on this chart:

CIO = Chief IT officer

CDO = Chief distribution officer

Chief actuary can either report to CFO or directly to the CEO (I have seen both)

Innovation can sometimes be labeled as transformation or digital strategy (I have seen either or all three)

Experience and service – relates to customer (i.e. customer experience and customer service)

I have not included HR in this diagram (they are a very integral part to any company, but usually not involved in insurtech initiatives)

Now, it’s time to meet with the carrier. So, who do you target?

Find out who holds the profit and loss (P&L)

Ultimately, any initiative that an insurance carrier undergoes must have some sort of return on it. As such, as part of the approvals process for an insurance carrier, the people who have the most say as to whether or not to bring a solution on board will be the ones who hold a P&L. Why are those who hold a P&L important? Because they will be the ones who are ultimately measured on the success of an initiative and the people you will have to convince to buy your solution.

Others are important, too, so you need to know who all the players are and what motivates them, as all will have different and important roles throughout the whole sales cycle.

Who are the players? While you read directly below, keep in mind what your solution is offering and who the person is who you are ultimately going to need to get the most buy-in from.

The top  CEO – This one should self-explanatory

The control functions  – these are people who may not be a user of your insurtech solution but will want to analyze it to the nth degree to make sure it’s good for the organization as a whole.

CFO – The CFO monitors/controls the P&L, so, yeah, he or she is important. The CFO may even be one of the most important, as, in some cases, the CEO will only sign off on a project once the CFO has endorsed it. That question I asked before (save cost or increase revenue) is of utmost importance to this person. Expect the answer to that question to get scrutinized, too.

Chief actuary/appointed actuary – As mentioned before, I’ve seen this position report directly to a CEO and to a CFO. Regardless, the person in the position will ask questions of a financial nature. If you have a solution that claims to improve lapse rates, increase persistency or anything else that touches pricing, be ready for some detailed questions from this department.

CRO – I’ve seen variations of this, but, for the most part, risk will encompass compliance, risk and legal. These are three very important departments of the business:

• Compliance – compliance will look at things from a regulatory perspective.
• Risk – enterprise risk management is an interesting concept for insurance and could encompass a lot. Here is a useful article on it. Effectively, risk functions will look at a variety of risks – from market/macro risks to conduct risks to credit risks.
• Legal – this one should be self-explanatory.

The profit centers – these are the ones who will likely use your insurtech solution and the ones who will ultimately get measured on the effectiveness of your solution (i.e. P&L).

Chief distribution officer – This position will vary depending on the organization; its primary goals are to grow revenue (i.e. sales, business development, commercial). If your solution has anything to do with any part of the sales value chain, then buy-in from the chief distribution officer will be key.

COO – Operations departments have a variety of functions under them – from underwriting to customer service to claims. If your solution has anything to do with back-office operations or the customer, then this is another key stakeholder for you.

Both of these definitions are wide for a purpose. These two departments have the most interaction with a customer/policyholder and will be very particular about anything that is going to affect that relationship. They will need to be convinced that the solution being implemented does not disrupt that relationship.

Many insurtech solutions are targeted at improving the customer experience. However, these two departments have the experience in actually doing it for their existing customers and will feel very particular about saying what can be done to improve that relationship. Be mindful of this when you start engaging with people from these departments.

Lastly, the aim of many carriers is to make more prominent the role of the chief customer officer or a customer experience department. For the moment, I put that position into the advocate category below, unless the person specifically holds a P&L.

The advocates – these are typically the ones you will meet with first and the ones who will be very important in convincing the the profit center category that your solution should be taken on board.

CMO – I debated as to whether to put this person in the profit center category, but I feel they belong more so in the advocates column. The reason is that a lot of the solutions brought on by the marketing team are then provided to the distribution team to help with their sales. In some cases, where the carrier has a D2C solution, it may fall directly under the CMO/product team. If the CMO holds a P&L, you may want to consider this person/department a key stakeholder rather than an advocate.

CIO – This is where you will see the titles of innovation, transformation or digital strategy. The IT department is obviously an important one for you, as you will have to work with when it comes to implementation of your solution. IT departments are seen as an enabler to the rest of the business. This means that, while you need to convince this team that your solution is technically sound, IT will not make a call on your solution from a business needs standpoint.

Note: I put corporate strategy under the CFO office in the org chart above, as sometimes there are two or more different strategy departments in an organization. Sometimes this is a completely separate department that reports directly to the CEO. Regardless of which department it is in, I would label any strategy department as advocates.

My labels above are the traditional ones, but some organizations may have people who are more powerful than others. Try to find this out through the power of your network.

Help them understand how you’ll bring value to them

The first meeting will likely be with one/some of the advocates. These may be of the manager/senior manager level, who are knowledgeable enough to do the first round of vetting for their more senior managers/key stakeholders in the organization. This session is an opportunity for the carrier to get a high-level understanding of what is being proposed to see if it should bring this solution forward. You will need to at least demonstrate the answer to that key question during this session.

After a few of these sessions, assuming the carrier is interested, more senior management/other key stakeholders will join in to get their view. If you start seeing more senior personnel in your meetings or people who fall into the profit center bucket, then you are on the right track. If you keep only meeting with advocates, it may be time to start questioning whether you are making progress.

See also: Rise of the Machines in Insurance  

It’s also fair to ask the carrier who will be held accountable for the success or failure of the solution being implemented. It will help to get those people involved and excited early on. Getting people excited and on board is half the battle. It feels like the deal is done. Then, the red tape comes in.

Queue the approvals process.  

Approvals to undergo a new initiative for an insurance carrier can be cumbersome. The person who is leading the project will need to do a write-up of the solution for the rest of the organization to evaluate (this will include some combination of people from the control function, profit center and advocates). This write-up will include:

• Why the carrier should do this project (qualitative and quantitative analysis that will include costs/benefits/KPIs)
• The technical architecture of the solution
• Risks associated with the solution, with mitigating controls (technical and non technical)
• Regulatory/legal implications
• And more

This may be seem like a lot, but multibillion-dollar corporations need to ensure they have a paper trail for initiatives. (Side note – you should always have an audit trail yourselves!) For a startup, the more you can help with this report and prepare yourselves for these questions, the better. Think of ones that are specific to your solution. You will save time if you address these early on.

The carrier will also want to assess your solution against three or four others in the market. Hence, it is important to know your competition and how you stack up. Again, if you have this upfront, you will save time later. You will want to constantly communicate with your key contact(s) at the carrier throughout the approvals process, helping them and being with them to answer any questions that may come up. Once approval comes in, they will want to start work, so you had better be ready.

Sign an LOI and agree on a pilot

Once all the approvals are done, get your LOI signed and agree on a pilot. An insurance carrier typically will not do this until it has done all of the internal approvals.

Focus on both the art and science of the sale

Sales is an art and a science. The science is a lot of what I mentioned above; know your prospect, have a sales pitch down and close. The art is things that you learn through more practice, such as non-verbal queues and cultural nuances. If you are doing cross-border collaboration (i.e., an American startup going to Asia or vice versa), there are a ton of nonverbal queues and cultural nuances to be mindful of. Some practices that are OK in some markets may not be in others. I own a book called Kiss, Bow, or Shake Hands. I bought this when I first moved overseas, and it has been most helpful to me in this respect.

Lastly, I’ll repeat some advice that I mentioned in my ITC review from Benoît Claveranne, group chief transformation officer of AXA:

• When a startup approaches an incumbent, they should make clear what they are looking for – to be invested in, bought out or partnered with. A lot of time is wasted on this during early engagement, and it will help move the conversation along if it is clear early on.
• For startups – make a call after one to two meetings to see if the incumbent is serious about doing business. Do they have a budget and a team to develop it? If not, it may be time to move on to the next client.

Summary

During my financial advising days, I read Dale Carnegie’s "How to Win Friends and Influence People." The one principle from that book that has always stuck with me is "make the other person feel important." By making people feel important, you let them know that you genuinely understand and care about their needs first and that you are not just trying to sell them something, but instead, providing them with a solution that meets that specific need.

The above is is a high-level guide for you, the insurtech founder, to help make an insurance carrier and the people you are pitching feel important by, ultimately, understanding their needs and how you can help them.

Creating partnerships between insurtech startups and insurance carriers is something I am passionate about and spend time doing every day. I am inspired when I hear stories from the field and new ideas on how to better this process.

I would love to hear your thoughts and feedback on this topic.

This article first appeared at Daily Fintech.

I recently sat with Nick Gerhart to discuss the regulatory environment for U.S. insurance carriers. Nick offers a broad perspective on regulation based on his experience: after roles at two different carriers, Nick served as Iowa insurance commissioner and currently is chief administrative officer at Farm Bureau Financial Services. Nick is recognized as a thought leader for innovation and is regularly called on to speak and moderate at insurtech conferences and events. During our discussion, Nick described the foundation for the state-based regulatory environment, the advantages and challenges of decentralized oversight and how the system is adapting in light of innovation. This is the last installment of a three-part series. The first focused on the regulatory framework insurers face (link). In the second part (link), Nick provided the regulator’s perspective, with a focus on the goals and tactics of the commissioner’s office. Here we discuss the best practices of the insurers in compliance reporting as well as future trends in compliance reporting. From my experience in speaking with carriers, I’ve been struck by the challenges of reporting data in various different reports to so many different entities. A lot of carriers struggle just with the process, and the quality of the data reported suffers. So, to dive into the quality of the filings for a moment, what are you looking for? Garbage in, garbage out, obviously. The most obvious issues start with the outliers. And it would come back to the state catching the company filing some bad data. So, for instance, on the life and annuity side, how you define “replacement” can trigger a percentage up or down that maybe you shouldn’t have in there. If you think about it, from the company side, a lot of MCAS data is probably gathered on an Excel spreadsheet, or in Sharepoint, or a shared drive, and it’s someone’s job to pull the data. And, he or she is often not the subject expert of the report to be filed. Overall, companies make a commendable effort in terms of timeliness and accurate data. But, to the extent that a carrier does not pay close attention to what’s going into the file, it can be a problem. You really don’t see the output very well from a 30,000-foot view; a carrier is far more likely to have issues unless it has a really solid data entry process in place or someone who owns it on the executive team who actually knows what is going into the report. Any examples you can share? One that comes to mind was a company that reported an unbelievably high replacement ratio. And when we dove into it, we realized they had pulled the wrong file to calculate the rate. Now, it worked itself out, and the ratio was actually much lower, which is a good thing, but again I think companies need to pay more attention to how they are filing this data and where they’re pulling it from. And that’s where every company could do a little bit better job. I’ve had roles in three insurance companies now, and you can look at something as a check-the-box exercise, or hey-let’s-do-it-right. In my view, if you’re a bigger company, all of this does build into your ORSA filing in some respect. See also: Why Risk Management Certifications Matter   Your Own Risk and Solvency Assessment is just a picture of where you are on a risk basis. But a lot of your risks are related to market issues. Every company can probably do a little bit better job of making sure the data you submit is timely, relevant and the right data. And, when you’re looking at specific data with a report, the replacement rate within MCAS, for instance, how do you come up with that benchmark data? Are you looking at trending analysis in the context of industry benchmark data or trending within the company? That’s a really good question. It’s more art than science; there isn’t one right way to do it. If you had a 75% replacement ratio, but you only sold four annuities, that may or may not mean anything. If you have a 75% replacement ratio, and you sold 25,000, that’s a different issue. You start to look at it from a benchmarking of industry, a standard across the industry. Whether you can get that data from LOMA, LIMRA or WINK. Regulators have all of those same data points and benchmark studies, so you have a gut feel for what is an industry number. Then beyond that, to your point, you’d have to dig down for context. For example, Transamerica sells a lot more life insurance and annuities than EMC National Life. A benchmark is a benchmark, but it doesn’t differentiate from a small mutual carrier or small stock carrier. This is why context is really important. If you see a disturbing relationship or ratio develop on complaints, you have to look at the line of business, how much business they write, whether or not it’s an agent issue, or a producer issue, or home office issue, or a misunderstanding issue. You really have to dig in. Benchmarking is a start, and it’s certainly helpful. Iowa has 216 carriers, and the vast majority are small or midsize, sometimes just county mutual carriers. You have to look at each carrier on its own, as well. The benchmark helps, but it’s not the end all and be all. Did you look at consistency of data? For instance, premiums written is a component, in some form, of the financial reporting, market conduct and premium tax filings. Certainly. Our team would look for consistency of data across filings. Our biggest bureau at the division was on the financial side. And that’s really where I spent a lot of my time to develop staff. If we start to realize that a premium tax number doesn’t line up with premiums written, they start to ask questions. And sometimes there are good answers, and, other times, it’s a miss. And so, again, it’s data consistency and quality across all the reporting to make sure we have a clear picture. Because oftentimes, it’s something we didn’t understand, or the carrier filed but didn’t pull the right number. The sophistication of the models that the companies use – as well as the sophistication of the reporting – varies greatly from small carriers to big carriers. Some have home-grown systems; some have ad hoc processes. It’s all done differently. Do you have a sense – both from your time in industry as well as your role as insurance commissioner – how feasible it is to have a meaningful review process? To put this question in concrete terms: If you’re the CFO, you’re signing off on a lot of reports. Based on the volume of reports you’re signing, are you truly reviewing the data that’s being reported? That’s a great question. You’ve got reporting requirements for Sarbanes-Oxley if you’re public. You’ve got other reporting requirements under corporate governance at the state level. It’s impossible to dig into every single report for every single data point. So, you do have to rely on your staff, on your auditors and your chief accounting officer. And that’s why you have those controls in place leading up the reporting structure of those organizations. That being said, a CFO would want to have a clear picture from a benchmarking dashboard. There are a lot of tools for people in the C-Suite for tracking and visualizing data that call out for attention when a metric is out of place or not reported. The CFO relies on the team and the controls in place for the data to be correct in order to sign off. But, having a snapshot that showed what is filed, and when, and different data points and sources would be of immense help. What are the consequences, from a regulator’s standpoint, of poor quality or inconsistent data? Is it reputational? Does it add to question marks around a company? There are several things. Yes, it’s possibly reputational. But that’s in the longer term. Most immediately, the carrier is going to have to commit resources to resolve the issue. If a commissioner’s officer is asking questions, he or she has found something. You’ve got to commit resources to adjudicate and resolve the issue. And, it could very well lead to a targeted exam, which, in turn, could end up as a full-blown market conduct exam. It could also create a number of other issues during the triennial exam or the five-year deeper dive exam, which would require additional resources. These exams can cost quite a bit of money. And so, that’s a hard dollar cost. But, there is also the soft dollar cost of staff time, resources expended and opportunity cost in that it kept the carrier from have done something more productive. How does this work in practice? I can think of when I was commissioner once or twice when we had targeted exams based on filings that ultimately led us to say, “Okay, there is a problem here.” Both times were out-of-state companies. To your point earlier, you can call an exam on any company that is doing business in your state, certainly on the market side. On the financial side, you’re going to have more deference. But, on the market side, every commissioner’s office is reviewing the data, as well. Often for us, we would start with the complaints that are coming in, and then identify a trend with a carrier. And if you start to see a number of complaints, then you pull the data. Some insurers have a cynical view of regulators, particularly in some states. I’ve heard them refer to this as “the cost of doing business.” They feel that, if you’re going to write policies in some states, you’re going to get fined from time to time. And then, if you get fined by one state, then you’re going to see fines from other states as well. How does this work in practice? A carrier has an obligation to report a fine in all states in which it’s licensed. On top of that, there is this thing called the internet. When a state issues a fine – Commissioner Jones or Director Huff was famous for this – it would be followed by a press release, as well. So, there is some truth to the idea that if an insurer has trouble in one state, it might have it in multiple states. But there is some right to have a level of cynicism. There are some states where you’re much more prone be fined. Whether this is a cost of doing business, that’s a decision for that management team. But, if there is a fine in one state, the chances that of it in multiple states is high Our view of the world, in the Iowa division, was not necessarily to gang tackle but rather how to resolve the issue in our state. If there was a problem, we asked, “Did you make customers whole?” I would look at a systems issue with billing differently from an issue in which someone was ripped off. We tried to use judgment and look at the issues based on the facts and circumstances. Currently, data flows from carriers to commissioners in a defined cadence. What do you think of the promises of regtech – the concept that software and system automation will allow for data to flow to regulators seamlessly, in real time and without the need for insurers to prepare and curate data for filings? Right now the NAIC is the hub of a lot of this. And the idea that a state would get this directly from the insurer is a stretch. What about through the NAIC? Through the NAIC, I could see it happening. They’ll go to a cloud-based system, I’m guessing. As they make that shift, could that happen? Possibly. I always joke that for the state of Iowa, and most states, you have the best technology from 1985. Some states are ‘95. It is a stretch to think that this could happen without the NAIC leading. See also: The Current State of Risk Management   The NAIC really is the hub. If you’ve been to Kansas City, you’ve seen how impressive their system is, and their folks are. NIPR, for instance, I would always joke, is a technology firm. It’s not a producer licensing firm. The NAIC has tremendous resources. Their CTO has ideas on how to streamline it further. I could see this happening in 10 years or less. The reality is that a state could never do this. So, a state has to rely on the NAIC. Going back to why this system works, well it works because you have an association - the NAIC - that has the ability to upgrade and transform quicker than any state ever could. Is it possible that the states could innovate on their own, outside the NAIC? It would be hard, at best. If you think about the state-based system, if Iowa doesn’t transform as quickly as California, or Montana as Wyoming, that starts to be a problem. The NAIC can take care of that in one fell swoop and we, as state regulators, all benefit from that work. I could see data delivery and reporting being quicker, more meaningful, real-time. I could even see, down the road, machine learning processes put in place to help on policy review form, financial review form. I think you could get there. I don’t know if it’ll be five years, 10 years or 15 years, but it will certainly happen in my career, where it’s going to be a continuously improving process. The NAIC is the best way that regulators keep up with the demands that are happening, through leveraging the NAIC tech and personnel.

While we often emphasize that we're about thought leadership, not news, this week I'll focus on two items in the news.

The first is about an investment in and partnership involving...ITL. We don't often look for headlines about ourselves, but we hope this partnership will turn out to be the most important thing we've done since our founding.

We are announcing today that The Institutes have made an investment in ITL as part of a strategic relationship. I trust you're all familiar with The Institutes' continuing education courses and their offerings of professional designations, including the CPCU. I hope you also know about their RiskBlock consortium, which is leading the way for the industry on developing blockchain applications in insurance. If not, you should—assuming you would benefit from blockchain in your future.

We will help The Institutes broaden the creation and distribution of thought leadership on innovation and technology, supporting the industry's transformation goals. At the same time, they will help us spread our wings among their members, both in terms of ITL and in terms of our Innovator's Edge platform for tracking insurtechs and our Innovator's Studio strategy coaching services.

As you might imagine, we're in the very early days of coordinating the new relationship, but there will be plenty more to say both from our vantage point and theirs in the coming weeks and months. Stay tuned.

Second news item is the story about Spectre, Meltdown and the flaw in Intel microprocessors that opens up a whole new attack vector that the bad guys can use to get to information they shouldn't have. The issue reads like rocket science—a whole series of illicit commands can be slipped into the work stream of the processor, but only if they are timed to the billionth of a second—and it just so happens that we have a rocket scientist on staff: Joe Estes, our Chief Technology Officer, who is a veteran of the NASA Jet Propulsion Lab. 

Joe has written an article that I want to call to your attention because it provides a timely explanation on a complex but important topic. (I feel smarter already.) The article also draws on research in our Innovator's Edge platform, where we are tracking 250 insurtech startups focused on cyber issues. Joe lays out the three main approaches that insurtechs are making and recommends a few to check out. I recommend the piece highly. 

Cheers,

Paul Carroll,
Editor in Chief

With Meltdown and Spectre very much in the news, raising the possibility of major data breaches, here are answers to some common questions about the flaws that can be exploited, about what the vulnerabilities are and about how insurers can use insurtechs to protect themselves. Meltdown and Spectre relate to a 20-year-old design flaw in Intel microprocessors, the sorts of chips that function as the brains for laptops, mobile phones and just about every other electronics product these days. It’s now clear that other microprocessors likely have similar flaws, but the Intel flaw has drawn attention both because Intel chips are so widely used and because Meltdown and Spectre have shown exactly how the Intel issue can be exploited. The vulnerability has been known for months by Intel and the largest tech companies, but, despite the knowledge of the vulnerability and the recent scramble to patch it, there is still much uncertainty about the precise implications. Who Discovered the Flaw? An engineer with Project Zero, a team at Google that looks for flaws that cyber criminals can exploit, found the vulnerability in the Intel microprocessors. Jann Horn discovered the problem while developing a processor-specific application that required deep access into the chip hardware. Since then, several other researchers discovered the flaw from a different angle, while looking at a technique where, to increase efficiency, processor operations are run out of order. Research papers were published in the microprocessor community about this technique and the possible implications. Several groups created simulations and discovered the obscure flaw in the Intel chip. One prominent group of researchers out of Graz University of Technology in Austria reported the flaw to Intel. Intel had already known for seven months at that point, but the discovery was now breaking news and came to light last week. How Does the Flaw Work? A computer’s processor executes code out of order to circumvent bottlenecks and speed the work. The CPU doesn’t just read code like a book, from front cover to back cover. The process is more like preparing a complicated recipe, where parts of the process need to be started at different times to keep the work moving smoothly. This technique is referred to as “speculative execution” – the CPU is taking its best guess about what work needs to be started when. Speculative execution has been used for 20 years. Spectre exploits the technique. Developed by Horn to show the Intel flaw, Spectre intervenes in the speculative execution to have an application store sensitive or private data in the processor’s cache – the memory that is built into the processor itself. (As fast as the speed of light is, a processor simply takes too long if it has to grab all its information from separate memory chips, even inches away, rather than from elsewhere on the processor chip.) Spectre has the private data stored in particular places in the cache where an attacker can retrieve it later. Data can be accessible within several nanoseconds (billionths of a second). Meltdown is the process of retrieving the sensitive data. Meltdown uses incredibly precise timing – remember, we’re operating in billionths of a second here – to grab the sensitive data. Meltdown does so in between the processor’s reads and writes – in other words, between the times the processor is reading data from cache and the times it is writing, or storing, data in cache. The operating system kernel provides the clock that allows events to be coordinated with such precision. See also: Cyber: The Spectre of Uninsurable Risk?   The particularly alarming aspect of this vulnerability is that it can be exploited from front-end Javascript code, which is used just about everywhere. This means that browsing web pages is one of the attack vectors that could be used to extract otherwise-secret data from your session. What Is Being Done? Spectre and Meltdown work hand in hand, so browser companies have removed application access to interfaces that measure precise timing intervals. FireFox has published steps to limit and remove access to the timing function. However, removing access is only a temporary fix. The underlying flaw still exists. A fundamental change in chip design is required for a truly secure solution. Companies like Amazon, Google and Microsoft have recently been rebooting so-called virtual machines (VMs) to clear the cache. VMs act like separate pieces of equipment as far as customers are concerned but, in fact, share hardware with other customers. (Software defines the boundaries of the “machine” within the physical piece of equipment. VMs make data centers far more efficient: Machines no longer sit idle simply because a particular customer doesn’t have work to do at that moment; someone else grabs the CPU time.) Sharing of physical hardware between customers could mean that your secret data was left in the processor cache, to be extracted through this process of speculative execution and precise timing from another company’s front-end apps. After all, you’re sharing the same physical processor. Who Does It Affect? The chip vulnerability affects all modern microprocessors, including those in desktops, laptops, mobile phones and IoT devices. Speculative execution is a technique used throughout the chip industry. Besides Intel, other chip manufacturers like AMD and Arm Holdings are implementing similar patches that are also focused on limiting access to cache timing. How Does the Insurance Industry Respond? Despite the panic, the insurance industry should stay the course. Providers of insurance services should follow the same cyber security methodologies they follow in times of certain vulnerabilities as they do in times of uncertain vulnerabilities. First, implement all security patches and updates for all hardware in your organization. This should be done with caution because logic in the patches could significantly slow hardware. Second, rely on the products and services of leading cyber security insurtechs. According to ITL’s Innovator’s Edge, there are 250 cyber security insurtechs globally, and many are making good progress. The insurtechs fall into three main categories: Threat Prevention Threat prevention, as the name implies, stops an attack before it occurs. This typically includes services like penetration testing, simulated attacks and system hardening. 30% of the cyber security insurtechs in Innovator’s Edge are assisting insurance providers with these activities. RiskIQ, for example, uses big data, analytics and simulations. The company’s RiskIQ Digital Footprint maps all your IT assets and determines if they are hardened from a security standpoint. Threat Detection Threat detection is the process of being alerted when a breach does occur. Detection is most often made possible by security monitoring. Monitoring varies from conventional network monitoring to sophisticated machine-learning-based monitoring. 42% of cyber security insurtechs tracked by Innovator’s Edge mitigate cyber risk through threat detection. For instance, TesseractGlobal’s Peerlox EDR focuses on detecting targeted cyber attacks through machine learning. The strategy for leveraging artificial intelligence and data analytics is an ideal second line of defense for an organization. See also: Cyber Threats: Big One Is Out There   Threat Management Threat management most often relies on consulting. Threat management is applied when a breach occurs, there is damage done, and there is a mess to clean up. As you can imagine, this is highly specialized work. According to Innovator’s Edge, 14% of the cyber insurtechs have these capabilities. SeraBrynn, for one, assists insurance providers after they have become the victims of a breach. The team consists of industry leaders in cyber security who have assisted the NSA. The combination of the strategies that insurtechs offer can help minimize the reverberations created by something like Spectre and Meltdown. The capabilities are a hedge against the negligence of the technology industry, whose insatiable pursuit of Moore’s law has come at the expense of security. Luckily for the insurance industry, there is an Insurtech for that.

Agents have a crucial role protecting their clients, but not just by providing the right coverages. Do not get me wrong, selling the right coverages is of paramount importance for professional agents (and I don't know what amateur agents are even supposed to do). Another key service professional agents can provide clients is protecting them from insurance companies. A great example is reading forms, yes--actually reading forms, to distinguish whether coverage actually exists! I think cyber might be an excellent generic example of verifying true coverage is actually being provided or if true coverage just appears to exist. See also: 5 Predictions for Agents in 2018   Another example, and a great way to prevent E&O claims, is careful policy checking on E&S policies. By and large, surplus lines does not have to provide the coverages promised in their proposals. Neither do they have to notify agents or insureds at renewal if they reduce coverages. This is why they include their disclaimer stating they do not have this responsibility. It is one reason this is surplus lines and not an admitted market. An insured will not know the coverages have been stripped without careful review, and, even then, they may not understand. I know far too many agents who do not understand, so I don’t know why anyone should expect the normal insured to understand. This is a job for professional agents! A third example is provided by a recent court case. Joseph Beith provided the details in his blog (and if you care about insurance companies treating insureds fairly, I highly recommend you subscribe to his blog). A long-term care (LTC) provider included a sentence (used by at least one other carrier, too) that, "Your premiums will never increase because of your age or any changes to your health." My bet is that 95 out of 100 insurance veterans would not recognize the problem with this "guarantee." Beith recognized and pointed out the problem. The guarantee does not prohibit the company from raising rates on a class basis (and, as people age, their class ages). If an agent has a choice of selling two policies, one with this tricky language and another without it, then, all else being equal, even if the policy without this language is more expensive, a professional agent will point out this crucial language issue. Insurance policies are, after all, legal contracts, so policy language matters, A LOT! This is maybe an extreme example of arguably (and it is arguable since it is part of a large lawsuit) crafty language, but important differences exist between carriers' policies in virtually every instance. Whether it is simply a material difference in ordinance and law limits between two homeowners policies or huge contractual liability differences between two policies, professional agents will point out the differences. Doing so is crucial to helping insureds understand that insurance IS NOT a commodity when sold by professionals (again, I don't even know what to call insurance when sold by amateurs other than disasters waiting to happen). Pointing out differences in coverage shows clients you are actually working to help them rather than just working to make a buck. Pointing out differences gives clients the power, and, if they have the power, your relationship will likely be much stronger over time. Conversely, when they feel screwed because they were not educated and given the opportunity to choose, they are more likely to sue you or at least tell everyone they know not to do business with you. See also: 4 Ways to Improve Agent Experience   A problem with LTC and life insurance is that, when the events that trigger a claim occur, the agent may be long gone. P&C policies typically have a shorter lifespan, meaning more ramifications, good and bad, for professional agents. A good professional agent who makes these distinctions with good clients can achieve considerable success. I am not sure about the future of people selling coverages they do not know and do not communicate to clients. The future for absolute professionals is, however, so bright they will need shades.

Could AI be used by regulators to test how committed insurance executives are to building trust with policyholders? Artificial intelligence is transforming the relationship between insurer and insured. And it’s now being used in ways that could transform the relationship between insurer and regulator. It has implications for public trust and executive careers. It has emerged that a large investment management firm has been using an AI-based form of voice analysis to test the confidence of the chief executives of the firms in which the firm has significant holdings. Called "affect analysis," it’s being used to detect any disconnects between what the chief executive is saying and the level of confidence with which she's saying it. The feedback could be used to pinpoint weaknesses around which further questions are raised, or to just automatically adjust an investment or research recommendation. See also: Strategist’s Guide to Artificial Intelligence The idea behind this approach should not be something new to insurers. They’ve been using it for some time to analyze how claimants describe the circumstances of their loss, looking for indicators in their voice of a potential fraudster. I experienced such analysis in 2016 while making a claim for a lightning strike on my home. So what has this to do with the ethics of insurance, then? Well, if an investment manager can analyze the voice of a senior executive in this way, why shouldn’t the regulator do something similar with the same people? The regulator could ask senior executives to talk about their plans, activities and achievements relating to ethical issues like integrity and fairness. Given that senior executives and key decision makers in U.K. insurance will soon be subject to new regulations that emphasize their individual accountability for ethical culture within their firms, this step would simply be taking an established practice within the sector and applying it to new ends. A lot will, of course, depend on the questions you ask. If these focus on belief and commitment, then scores could be quite high, but if they focus on actions and outcomes, then some people might struggle. And remember that U.K. insurers needn’t wait for the regulator on this. The Senior Managers and Certification Regime requires insurers to undertake their own integrity assessment of senior managers and key decision makers. Perhaps affect analysis could form part of that assessment? The results could then be used to configure personal performance plans and learning schedules. I wrote about the rise of panoptic regulation back in 2015 (link), in which regulators access and analyze real-time decision data in a continual stream from insurers. Putting artificial intelligence to use in this way would be a small but significant part of that wider development, providing regulators with critical insight into the tone from the top in a particular firm. See also: Why AI Will Eat Insurance   Perhaps the biggest signal the insurance market could take from developments like this would be that of a regulator becoming more sophisticated, prepared to get more under the skin of those they’re dealing with. Just like insurers are, some might say, in their relationships with policyholders and claimants. One word of warning, though. It is particularly important that the algorithms underlying this branch of artificial intelligence are properly trained. If that training has been carried out on the voices of the white, male executives who have largely dominated the board rooms of insurance firms to date, then this sort of AI-based analysis would turn into a barrier for the various diversity initiatives underway in the insurance sector at the moment.