Tag Archives: cyber

CISOs, Risk Managers: Better Together

Not so long ago, many chief information security officers (CISOs) and other information-security professionals were offended by suggestions that their organizations should buy cyber insurance. After all, CISOs reasoned, if they did their jobs well, insurance would be unnecessary.

Fast forward to 2021. There probably isn’t a single CISO who believes that their organization is immune to potentially devastating cyberattacks. Recent news of alleged Russian penetration of well-protected government agencies and major corporations is one more reminder that any and every organization is vulnerable. Still, many CISOs are skeptical of insurance’s benefits and often are only tangentially involved in cyber insurance decisions.

CISOs are often concerned about perceived gaps in insurance coverage, about underwriting criteria that are misaligned with an organization’s security policies and procedures and about the willingness of insurers to pay claims. Some concerns are valid. For example, if an organization’s hardware is damaged by a malware attack, not every policy provides “bricking coverage,” which pays to replace impaired equipment. However, many CISOs’ concerns are based on now-outdated policy language and underwriting and claims practices. As cyber insurance has matured, underwriters are offering broader coverage with less burdensome underwriting requirements. Rather than avoiding claims, insurers are often trusted partners in responding to cyber events and managing their consequences.

Cyber insurance coverage may be more expansive now, but insurance buyers must still ensure that the protection they purchase is adequate and appropriate for their organization and its specific risk profile. In most large organizations, the risk manager buys cyber insurance. However, risk managers are rarely experts in network security and may not fully understand their organization’s cyber risk profile and control environment. This may result in purchasing insurance that does not adequately cover significant exposures, while over-insuring low-priority or well-managed risks. To ensure that cyber insurance aligns with the organization’s risk management needs, risk managers need to work with a broker who specializes in this type of coverage offering. Additionally, the risk manager and the broker need to include the CISO in the buying process. 

CISOs and risk managers have a common mission — to protect the assets of their organization. In many organizations, they haven’t effectively collaborated — along with their broker and carrier partners — to achieve their common goals. Even when insurance is recognized as an essential part of the overall cyber risk management strategy, organizational silos, the lack of a common risk vocabulary and differences in risk management frameworks can impede cooperation.

According to a SANS Institute report, Bridging the Insurance/Infosec Gap, “InfoSec and insurance professionals acknowledge they do not speak the same language when defining and quantifying risk, leading to different expectations, actions and justification for outcomes.”

The SANS Institute does not offer a one-size-fits-all solution for closing the gap. Within an organization, successful coordination and cooperation depend on corporate culture, institutional obstacles and how motivated CISOs and risk managers are to cooperate on their common goal.

A coordinated approach is more essential today than ever before. With so many employees working from home during the COVID-19 pandemic, using their personal networks and often their own equipment, IT departments and security professionals struggle to ensure network security. A survey of 250 CISOs by Resilience (named Arceo at the time of the study) found that cloud usage, personal devices usage and unvetted apps or platforms posed the most significant threats during this period of increased telework. 

With so many factors outside the direct control of IT and information-security professionals, insurance becomes essential. But cyber insurance policies can materially vary, and not all insurers offer enough of the right coverage to satisfy an organization’s risk-transfer requirements. Once the corporate risk management and information-security functions are aligned, a broker can help navigate the universe of cyber insurance and help the client understand nuances in policy language to satisfy the organization’s risk-transfer requirements.

The outcome is an integrated program where insurance from secure and knowledgeable carriers is fully aligned with the organization’s risk profile and information-security strategy.

11 Insurtech Predictions for 2021

Despite what we all feared in March, insurtech has continued to flourish, with lots of capital supporting the sector in public and private markets, closer integration between incumbents and startups and promising solutions for longtime needs in SME and cyber. Keeping up the annual tradition, here are my 11 predictions for the insurtech market in 2021.

1. Do you want insurance with that? Insurance will be embedded in every financial and retail transaction

Because no one loves shopping for it, we will see more insurance being sold as part of another transaction, where the user has a high intention to buy. “Embedded” has been a buzzword in fintech for several years, best illustrated by Buy Now Pay Later (BNPL) players like Affirm and Klarna. Embedded insurance started with travel insurance and extended warranties sold at point of sale, like SquareTrade and Asurion. Branch Insurance now sells home and auto as part of the mortgage process, and Matic is embedding with mortgage servicers. 2021 will bring opportunities to embed insurance into transactions, with the goal of delivering a seamless experience of product plus protection.

2. 2021 will be the year for Plaid for Insurance

The original Plaid provides infrastructure to connect banks to financial apps like Venmo, which need access to a consumer’s bank account, so the user can take money from a bank and send it via Venmo to the recipient’s bank. The explosion of financial apps drove dramatic growth at Plaid. Yes, the Department of Justice has sued to block the acquisition of Plaid by Visa. Worst case: Plaid is forced to go public at a valuation way above the $5.3 billion offered by Visa. In 2020, at least seven “Plaid for Human Resources” were funded. Data connections and enablement are critical across life, health and P&C insurance. In 2021, we will only see more pitches for Plaid for Insurance, and some of those pitches will be winners.

3. The robotic uprising: Automation will take over routine processes and improve customer experience

Automation will be used to support and empower the humans who are still in the process, starting with claims. Startups will accelerate the sale of automation to incumbent insurers, leading to improved customer satisfaction. Who wants to call an insurer to check whether the policy includes glass coverage? Consumers prefer to use their cell phones to text or speak, submit the claim and schedule the windshield replacement service. To show how quickly this change is happening: In 2019, State Farm ran ads mocking Lemonade’s bot; in 2020, State Farm led a venture investment in Replicant, which provides Voice AI to support human call centers. Faster, better customer service, which is cheaper for the carrier: Automation is a win-win with unstoppable momentum.

4. Playing for keeps: Deeper partnerships between incumbents and startups, accelerated by the pandemic

At the beginning of the insurtech phenomenon, way back in 2015, insurers responded by creating innovation groups and adding innovation KPIs to employee reviews. Following the law of unintended consequences, the result was incumbents starting a lot of experiments and proofs of concept with startups. It was frustrating all around, and many of those experiments failed. Now, insurers have moved the decision making back to the operating teams, and those teams are choosing partners to last. The pandemic has focused the efforts of incumbents. That focus will only get stronger going forward, as incumbents understand that they depend on startups to deliver the organization’s goals.

5. More startups will go full stack

Insurtechs will continue to take off their MGA training wheels. Following the high-profile IPOs of Lemonade and Root, 2021 will see full-stack carriers multiply. While the managing general agent model has the advantage of being capital-light and enables a startup to get to market quickly, structuring as full stack gives the startup maximum control over its product and customer experience. Capital is available to build a carrier, coming from multiple sources, as evidenced by sizeable fundraises by Pie, Kin, Hippo and several life insurance startups.

6. SME market will finally get the solutions it needs

At the end of 2019, I swore it was the last time I would predict the success of insurance solutions for SME. But there are finally some serious signs of success and traction in this market. Embroker, Vouch and Next Insurance continue to grow. And Bold Penguin has integrated with the flow of existing insurers, delivering value where incumbents could not. Finally, SME will have some good choices in protecting their businesses, thanks to persistent insurtechs!

7. Achieving scale with coretech

Incumbents are yearning for alternatives to existing core systems, with an average age over 15 years, antiquated programming languages and vendor implementations measured in years. Two trends are providing hope here: no code/low code and coretech, delivering cloud-native core capabilities. The challenges of 2020 encouraged more incumbents and insurers to start limited implementations of no code and coretech. In 2021, we will start seeing a few insurers adopt these new approaches at scale.

8. Cyber insurance will lead the market in delivering dynamic risk protection

There have been many startups in cyber insurance, covering one of the existential threats for companies. Some startups have struggled by aiming at companies that are too small to afford the premium; others have chosen the wrong threat assessment partner and taken unwarranted risk. The whole market continues innovating and growing, which is good news, because cyber threats are also increasing. By combining real-time threat assessment with insurance, startup cyber insurers will deliver dynamic risk protection, enabling their customers to reduce risks as soon as they are identified. That may be a model for future real-time risk coverage in other business lines.

9. Parametric coverage will surge

Insurtechs will tackle claims costs and delays by eliminating the claims process, via parametric solutions. Defining a loss by reference to a standard objective index like rainfall in a specific geography is no longer reserved for markets like drought risk in developing countries. Now, insurtechs are delivering parametric cover for a range of risks, including earthquake, wind and cyber outages in developed countries. One driver is the user experience, where the insured no longer needs to trust the insurer to pay an indemnity claim promptly. Look for more kinds of risks to be covered by parametric solutions in 2021.

10. Record support for insurtechs at all stages

The pace of both early- and later-stage investments in insurtechs proves that investors remain enthusiastic about the market. Valuable business models built in fintech will serve as examples to its younger sibling, insurtech. There is still plenty of insurtech innovation to go around, and abundant capital to support it. We will see new launches and a record amount of capital raised across insurtech in 2021.

11. More big exits

The public market in 2020 has been the story of hot money looking for a home, and eager to pay up for future growth. Insurtech carriers Lemonade and Root went public via IPO, and Hippo is expected to become public either via initial public offering (IPO) or special purpose acquisition company (SPAC). Metromile became the first insurtech carrier to be acquired by an SPAC. These successful exits will drive continued investment in insurtechs that are taking big swings, and we will see more public exits. We can also expect more insurtechs buying insurtechs, like Bold Penguin’s acquisition of Risk Genius and Next Insurance’s purchase of Juniper Labs. The target will be filling a specific strategic need for the acquirer, and buying is faster than building.

In addition to going public, insurtechs will find other options, including strategic exits. Prudential’s 2019 acquisition of Assurance IQ created a lot of hope, but insurers have not yet shown a broad willingness to pay startup valuations. Brokers, always ready to spot the main chance, have made a couple of acquisitions and can be counted on to find deals that deliver focused value to their existing clients. Verisk, Duck Creek and Guidewire all have public currency, and at least the latter two have created long lists of partnerships with startups. There will be multiple insurtech exits in 2021, ranging from additive deals between insurtechs all the way to more IPOs.

6 Questions for Stephen Applebaum

As part of this month’s ITL FOCUS on commercial insurance, we spoke with Stephen Applebaum, managing partner, Insurance Solutions Group, about the future impacts of technology in commercial lines.


What is the biggest change you expect to see in commercial lines in the next 12 months?

COVID-19 related claims, notably first-party property business interruption and third-party liability, will proliferate and create new distractions in commercial insurance once the complete extent of losses is tallied in 2021 and beyond, attracting growing attention from media, regulators and other public watchdog groups, further complicating commercial policy renewals and new business and challenging actuaries, underwriters, agents and brokers. Adoption of policy process automation, including automated underwriting workstations, will accelerate as carriers struggle to regain operating efficiency while managing risk more accurately.

Connected auto, home and business insurance models will begin to see meaningful adoption. Telematics program adoption, featuring innovative partnerships, will explode in commercial auto insurance for fleets, especially small business, offering more compelling value propositions focused on driver safety/behavior modification, rewards and fleet and asset management benefits. Commercial property will follow this trend.

In the next five years?

Distribution channels will change and multiply dramatically. Changing customer expectations and behavior will drive insurers to develop more robust multi-channel distribution. New and increasing competition will push insurers to develop new digital models and partnerships designed to make the insurance selection and purchase process fully seamless. While agency writers still hold a ~70% commercial P&C market share, the number of independent agencies will continue to decline as new direct distribution channels and channel consolidation grow, both fueled by expanding private equity and venture capital investment. Many exclusive and captive agencies will convert to independent agencies. Also, carriers and brokers will pursue more cross-border and geographic expansion through M&A and partnerships to drive scale.

An increasing percentage of work will be performed by artificial intelligence technologies, including machine learning and robotics process automation. Consequently, concern and public debate will ensue concerning the issues of bias and ethics in the design and use of AI, and governing standards will begin to emerge.

The demand for commercial cyber risk and liability insurance will continue to grow as digitization and mobility further penetrate communications. Insurers will adopt a variety of growth strategies, including innovative partnerships, alliances and collaborations, new products and enhancements, as well as M&A to achieve growth and presence in the cyber insurance market. The global cyber insurance market size is projected by industry experts to grow by at least 20% annually from $8 billion in 2020 to well over $20 billion by 2025.

In the next decade?

Consolidation of the North American agent and broker channel will continue unabated as private equity investors seek attractive returns through deployment of historically high levels of “dry powder” as investment fund sizes continue to break records.

Technology will continue to enable innovation and process transformation through 2030, including:

  • completely digital quoting processes for retail agents and brokers
  • deployment of e-signature solutions that will satisfy all compliance concerns and create a standardized process across all lines of business
  • connected vehicle technologies that will alter the commercial auto insurance landscape and give auto makers an important role in insurance sales, distribution and claims
  • connected home and business technologies that will similarly transform the commercial property landscape
  • the commercial insurance claims process will evolve much as did personal lines claims; claims ecosystems and platforms will form that enable much shorter claims cycle times, better outcomes for carriers and customers and greater visibility into claims vendor performance. 

What are the three technologies you think will play the biggest role in driving change — perhaps one for each of the three time periods?

Technologies driving change over the pre-defined time periods:

NEXT 12 MONTHS

  • Cross-enterprise digitization
  • AI-enabled process automation
  • Emergence of platforms and open ecosystems

 

NEXT 5 YEARS

  • Cross-enterprise digitization
  • AI-enabled process automation
  • Emergence of platforms and open ecosystems
  • Connected sensors/devices in workplaces and buildings enabling risk management and ultimately risk avoidance

 

NEXT DECADE

  • AI-enabled process automation
  • Emergence of platforms and open ecosystems
  • Connected sensors/devices in workplaces and buildings enabling risk management and ultimately risk avoidance
  • Virtualization of everything: workforce, external/internal communications, healthcare, claims reporting and claims management

 

Please pick a technology mentioned and describe in a bit of detail how that will play out.

Digitization will fuel virtualization much like the conversion of data from analog to digital form enabled all of the many information management solutions. As digitization continues to expand across each operating segment of the insurance enterprise, it will spawn innovation of virtual processes to improve upon and replace formerly manual, stubbornly long, costly, complex and inefficient ones. Ultimately, the commercial insurance industry will sell more profitable, lower-cost, innovative protection products and services such as hyper-personal, parametric and variable interval insurance through seamless, direct-to-customer distribution channels. 

Through these technologies, the industry’s primary selling proposition will pivot from insurance products, risk and claims management to protection services, risk and claims avoidance.

What is the one trend you see people talking about today that you think WON’T pan out, at least within a reasonable period?

Expectations for 100% automated and touchless processes without any human involvement will go unrealized well into the future. A subset of non-routine and catastrophic claims will continue to call for expert human, empathetic handling. However, numerous repetitive processes not requiring human support or judgment will be automated using AI technologies, eliminating a significant number of industry positions – but many of the individuals impacted will be offered retraining and upskilling by their employers – thereby improving their job satisfaction and compensation levels.


We would like to thank Stephen Applebaum for participating in our ITL FOCUS interview series.

This interview is a part of the January 2021 ITL FOCUS: Commercial Insurance article.

How to Fight Rise in Cyber Criminals

Coronavirus is changing how people work and interact every day. Many companies have needed to expand their remote working capacity as a result of the outbreak – and usually at very short notice. To provide as many employees as possible with easy access to operating software and systems quickly, in some cases IT security standards have had to be lowered or suspended, resulting in potential cyber security exposures for companies.

One consequence of laxer security is that cybercriminals and hackers may find it easier to penetrate previously protected corporate systems, causing data breaches, cyber blackmail intrusions and IT system failures.

According to the Allianz Risk Barometer, an annual survey of more than 2,700 risk management experts around the globe, cyber risk already ranked as the number one threat for businesses in 2020 before the coronavirus outbreak, driven by concerns about data breaches becoming larger and more expensive; ransomware incidents bringing increasing losses; and business email compromise (BEC) or spoofing attacks, which typically involve social engineering and phishing emails to dupe employees into revealing confidential or valuable information. BEC attacks have resulted in fraudulent losses in excess of $20 billion since 2016.

Unfortunately, the significant increase in home workers accessing the corporate network with a virtual private network (VPN) connection because of the coronavirus pandemic only exacerbates these risks, providing a perfect opportunity for cyber criminals, as recent events demonstrate only too well.

It is estimated that anywhere between 50% and 90% of data breaches are caused or abetted by employees, be it by simple error or by falling victim to phishing or social engineering. Recent events demonstrate the vulnerability only too well. In April, Google detected and blocked more than 18 million malware and phishing emails and 240 million daily spam messages related to the coronavirus pandemic in a single week. In total, Google blocks more than 100 million phishing emails each day.

If remote workers fall victim to a cyberattack, it puts their work network at risk. There are several effective security measures businesses can apply to help remote employees combat internet attacks.

Keep Software Up to Date

Check whether you can use current versions of operating systems and installed programs. If possible, use the automatic update feature, which is often the default setting. Otherwise, immediately install security updates for your software, especially for your web browser and operating system.

Use Virus Protection and Firewalls

Check that virus protection and firewalls are activated, but keep in mind that they are effective only alongside other security procedures. Using them does not reduce the importance of the other tips in this article.

Create Different User Accounts

Malicious programs have the same rights on the PC as the user account through which they entered the computer. You should, therefore, only work with administrator rights if absolutely necessary.

Be Cautious About Sharing Personal Data

Online fraudsters increase their success rates by addressing their victims individually: Previously spied-on data, such as surfing habits or personal names, are used to inspire confidence. Today, personal data is considered a currency on the internet and is traded in this way. If possible, use a VPN connected to your home network in public wireless local area network (WLAN) hotspots.

Otherwise, unencrypted transmitted data can be read by third parties. At the same time, a VPN also protects against a number of other attacks on the PC and the data stored on it.

Use Up-to-Date Web Browsers

Check whether to disable components and plug-ins in your browser settings. First, enter the addresses for security-critical websites, such as for online banking, manually in the address line of the browser and save the address entered in this way as a bookmark, which you can then use for secure access.

Two-Factor Authentication

Where two-factor authentication is offered, use it to secure access to your account. A password manager can facilitate the handling of different passwords. Do not share your passwords with third parties.

Protect Your Data Through Encryption

Protect your confidential emails with encryption. If a WLAN is used, subject to the information security guidance of your entity, pay attention to the encryption of the wireless network. Subject to higher standards as per individual guidance of the respective individual security officer (ISO), in your router, select the WPA3 encryption standard or, if this is not yet supported, WPA2, until further notice. Choose a complex password of at least 20 characters.

Identify All Participants in Online Sessions

It is particularly easy for unauthorized persons who have obtained the dial-in data to join large online meetings with many participants. That’s why everyone who appears in the meeting needs to briefly identify themselves, especially when discussing sensitive topics and sharing presentations on screen.

Be Extremely Careful With Suspicious E-mails or Attachments, Especially if the Sender Is Unknown

Especially in the familiar environment of your home office, you must be wary of suspicious e-mails. Take your time and check each email thoroughly before you open it.

Please see CORONAVIRUS: STAYING CYBER-SECURE THROUGH THE PANDEMIC for a complete list of IT security measures.

COVID-19 is one of the many crises that hackers and scammers have leveraged to exploit vulnerable businesses, and they will find more innovative ways in the future. More than ever, it is vital for organizations to protect themselves from malicious cyberattacks by educating employees about how to identify and prevent cyberattacks and implementing home security policies for remote workers.

10 Tips for Moving Online in COVID World

In the retail industry, O2O “online-to-offline” signifies an online trigger, such as an ad, that prompts consumers to go to a physical location to complete their purchases, but it can also occur in the opposite order.

In the insurance sector, over 100,000 independent agents in the U.S. depend on high-value networking, customer references and direct carrier relationships. For insurance professionals, interacting with customers face-to-face has been vital. But in the wake of the coronavirus, it is critical to move insurance agencies from an offline to an online model, O2O, where almost all tasks that agents were accustomed to on a day-to-day basis need to be done completely remotely.

This change can offer considerable benefits if executed correctly: higher productivity, greater scale and a high degree of accuracy that allows agents to continue to build trusted relationships. As risk management advisers, agents are responsible now more than ever for equipping policyholders with unbeatable risk transfer strategies. As cyberattacks on small to mid-size businesses (SMBs) continue to escalate, cyber insurance presents an opportunity to rebuild an agency book of business when done right. 

Here are 10 tips on jumpstarting your O2O transformation:

1. Focus your efforts on insurance lines with growth opportunity

Cyber insurance is relatively new, with substantial opportunities for adoption in the SMB market as cybercriminals exploit people’s vulnerabilities using sophisticated social engineering attacks during COVID-19. In fact, phishing has increased by over 600% since the end of February, according to security provider Barracuda Networks.

2. Prioritize industries for which cyber insurance is vital

Organizations have begun using SaaS applications and operations in an effort to digitize online but will likely be left vulnerable to cyber incidents. Recognize which industries are either required to obtain cyber insurance or are paving the way for digital transformation.

3. Select partners that operate exclusively online

Now is the perfect time to reassess the insurance carriers and programs that you’re working with for capacity to shift online. Today’s technology allows businesses to deliver a vertically integrated insurance solution that ties together insurance requests, risk assessment, underwriting and policy and claims management in one system enabled by a common, relevant dataset. 

4. Search for admitted, standalone programs

This is directly related to your carrier of choice. The shift toward standalone cyber insurance programs is occurring because cyber insurance provided as an endorsement to other intricate coverages only creates more complexity. Standalone cyber programs outline what incidents are and are not covered, and the policy’s aggregate limit and sub-limits for each coverage, along with precise cyber criteria. 

5. Align risk to coverage, as your go-to sales pitch 

Cybersecurity aims to safeguard a business’ use of technology and the web. Each business uses different applications and operates in its own way. In turn, each business has drastically different risks that should be recognized by policies. Policyholders must be able to account for the coverages, aggregate limit, sub-limits and deductibles that best fit their risk assessment. 

6. Learn as much as the customer about the risk, if not more

Cyber risk exposures and attacks are constantly evolving. Evaluating an organization for cyber risk yearly is a risky and obsolete cyber strategy. Being able to regularly reevaluate risks and coverage on a continuing basis is necessary for cyber and shields all parties from coverage gaps.

7. Collaborate with carriers on prospecting

Transform your website to a producing site, not just a lead generation platform. API integration of your website into the carrier’s quoting and underwriting platform is instrumental in delivering a constant stream of potential cyber insurance consumers.

8. Educate policyholders on claims experience and loss control

Your customers should be equipped with security awareness training, generally administered by the carrier. Phishing simulation and basic InfoSec training are key education tools. Regular updates that give policyholders risk insights and remediation guidance provide effective risk mitigation and loss control.

9. Educate yourself on what events activate which coverage

Outline for your policyholders what exactly is covered by the carrier’s insurance program by sharing your claim scenarios. Demand a list of cases for each incident that would activate specific coverage paired with concrete use cases.

10. Don’t spend more than a few minutes on a submission, application or binding

Moving to an online operation can feel unsettling at first but, if done correctly, will produce real results:

  • Faster and more precise applications
  • Quicker turnaround time on quote and bind when working with a program that is also deployed online
  • Ability to offer additional services to policyholders as part of the online experience – risk assessment, training, notification of critical updates. Consistent communication online boosts customer satisfaction and opens the door to lasting relationships