Smart-television maker Vizio agreed to pay a penalty this month for spying on 11 million customers. According to the Federal Trade Commission, the company captured second-by-second information on what customers viewed, combined it with their gender, age and income and sold it to third parties.
How much was the fine for Vizio, which has sales in excess of $3 billion? It was $2.2 million — barely a slap on the wrist.
These kinds of privacy breaches are increasingly common as billions of devices now become part of the “Internet of Things” (I.o.T.). Whether it be our TV sets, cars, bathroom scales, children’s toys or medical devices, we are already surrounded by everyday objects equipped with sensors and computers. And the companies that make them can get away with being careless with consumer security — and with stealing customer data.
Vizio has been accused of exposing its customers to hackers before. In November 2015, security researchers at Avast demonstrated how easy it was for hackers to gain complete access to the WiFi networks that Vizio’s TVs were connected to, and that Vizio recorded customer data even when customers explicitly opted out of its terms of service.
On Black Friday in 2015, hackers broke into the servers of Chinese toymaker VTech and lifted personal information on nearly five million parents and more than six million children. The data haul included home addresses, names, birth dates, email addresses and passwords. Worse still, it included photographs and chat logs between parents and their children. VTech paid no fine and changed its terms of service to require that customers acknowledge their private data “may be intercepted or later acquired by unauthorized parties.”
Regulations and consumer protections are desperately needed.
One option would be to hold the manufacturers strictly liable for these hacks, to financially motivate them to improve product security. In the same way that seat belt manufacturers are responsible for the safety of their products, I.o.T. device makers would be presumed to be liable unless they could prove that they had taken all reasonable precautions. The penalties could be high enough to put a company out of business.
But this would be inequitable. One of the factors enabling such hacking is that users don’t use sufficiently complex passwords and thus leave the front door unlocked. It could also stifle innovation, with the big players avoiding the possibility of extreme penalties by becoming averse to innovations, and small players avoiding entering the market because they lack the resources to handle possible litigation.
Duke School of Law researcher Jeremy Muhlfelder says that copyright law has a history of Supreme Court cases that have ruled on this exact principle, of not wanting to curb the “next big thing” by holding innovators liable for their innovations. Innovators themselves wouldn’t, and shouldn’t, be liable for how carelessly their innovations are incorporated into new products. But imposing strict liabilities on manufacturers, because it would lead indirectly to canceling the rewards of innovation, might not be legally realistic either.
A more reasonable solution may be along the lines of what attorney Matt Scherer recommends in a paper on regulating artificial intelligence systems that was published in the Harvard Journal of Law and Technology: Impose strict liability but with the potential for pre-certification that removes the liability. I.o.T. devices would be deemed inherently dangerous, and thus the producer would be strictly liable for faults unless an independent agency certifies the devices as secure. This would be similar to the UL certification provided by Underwriters Laboratories, a government-approved company that carries out testing and certification to ensure products meet safety specifications.
Equipment certification is also one of the recommendations that former Federal Communications Commission chairman Tom Wheeler made in a letter to Sen. Mark R. Warner (D-Va.) regarding the government’s response to the October 2016 attack on the internet. He proposed a public–private partnership that creates a set of best practices for securing devices, the certification or self-certification of products, and labeling requirements to make consumers aware of the risks. Wheeler proposed “market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively.”
As Wheeler also noted, addressing I.o.T. threats is a national imperative and must not be stalled by the transition to a new president. This is beyond politics. It is a matter of national security and consumer safety.
A quarter of a century after the World Wide Web began to transform the Internet into the indispensable tool we all rely on today, we’re entering a new digital revolution. Over the next four years, the number of connected devices is expected to grow to as many as 50 billion, according to the 2015 Ponemon Global Cyber Impact Report sponsored by Aon. Business is expected to make up a far larger percentage of Internet of Things (IoT) usage than the consumer — IoT is more about smart factories and computer-controlled office systems than shiny gadgets like smart watches and fitness trackers.
The risks are becoming physical. Some of these new devices could cause serious real-world damage. We’ve already seen manufacturing plants seriously damaged by cyber attacks and electricity grids and automobiles shut down by hackers. It’s only a matter of time before such threats become more common and more physically dangerous to both people and property.
With the rise of new technology comes fresh opportunity for business — but also new risk. In the workplace, every new connected device represents a new link in the IT chain. With the age of the Internet of Things upon us, what are the new risks and what do business leaders need to know to be prepared?
Source: 2015 Ponemon Global Cyber Impact Report, sponsored by Aon
New Technology, Big Opportunities
The benefits of Internet connections are hard to overstate. For businesses, the Internet of Things offers the promise of quantified everything. Employers will be able to track productivity and leverage metrics to uncover new efficiencies. With connected sensors underpinning every square inch of an organization’s footprint — once-siloed data sets can be integrated, correlated and cross-referenced — it will become easier to identify new efficiencies and deliver new value.
The benefits are immense – but so, potentially, are the risks.
“As we move into having smart workplaces and offices, you’re really talking about a technology backbone that’s driving an organization,” says Stephanie Snyder Tomlinson, a cyber insurance expert at Aon. “What impact can that have on a business? What are the potential losses to an organization if you have a network security breach that results in property damage or bodily injury?”
Digital Threats Turn Physical
An unfortunate side effect to some of the highest-profile recent cyber breaches is that many people have come to regard cybercrime as solely a privacy issue. It can be far more complex than that.
“If there is a failure of network security or systems,” Snyder Tomlinson warns, “there could be a resultant business income loss. It could be intangible loss in terms of loss of data information assets or, especially as we move into relying more heavily on technology and the Internet of Things, it could be tangible loss, as well.”
You don’t need to look very far to get a sense of the potential risks to property and other physical assets when the Internet of Things begins to help run a workplace. As organizations grow increasingly dependent on technology to run their businesses and offices, the attack surface for cybercriminals increases dramatically. Each new device represents an additional access point for hackers.
The scenarios that could result can sound like something out of a science fiction film:
Does your building have computerized entry or elevator systems, with smartcard keys for access? Hackers could take control and lock down your building, trapping employees and visitors inside.
Computer-controlled electricity or water supplies can be shut down, rendering working impossible.
Connected thermostats are becoming increasingly common and could be taken over — shutting off heating in winter or air conditioning in summer, driving temperatures to unbearable levels and making your office unusable.
Logistics servers managing orders and deliveries could be hacked, with real orders canceled, false orders placed or essential supplies redirected to the wrong locations, disrupting your supply chain.
Factory robots could be set to destroy rather than create your products.
HVAC systems in a company data center could be overridden, causing a rise in temperature that could render network servers inoperable.
Fire alarm systems could be turned off just as real-world arsonists attack.
These may sound far-fetched, but are already reality. A cyber attack on a German steel mill in late 2014 caused immense physical damage after hackers installed malware on the network.
“It caused the blast furnace to be unable to be shut down, leading to massive property loss,” Snyder Tomlinson says. “The property loss arose from a network security breach. It’s a perfect example of the potential risks when you have companies that are relying on technology to run their business.”
Understanding the level of risk
“There’s always going to be some type of access point into a network, in one way, shape or form,” Snyder Tomlinson says. “You can have the best network security possible, but as everybody says, ‘It’s not if, it’s when.’”
Consequently, many companies are revisiting their approach to cyber security. Organizations previously concerned only with safeguarding client privacy and personally identifiable information are suddenly contemplating a broader loss spectrum.
“We’re seeing more interest in cyber insurance from manufacturers and critical infrastructure companies, because they recognize that their exposure isn’t necessarily just about private information or the liability arising out of a breach,” Snyder Tomlinson says. “We’re going to continue to see growth in the breadth of cyber coverage over the next several years, where we’re getting into the true property space, because there is the potential to have a property loss arising out of a network security breach or a systems failure.”
Snyder Tomlinson says this is why businesses need to take a holistic view of their cyber vulnerability — “Cyber risk flows through an entire organization.” A good cyber risk management framework has three key elements, she says:
Preparation – Identify and quantify your cyber risk exposures. Develop a breach response plan and business continuity plan. Consider taking out a cyber insurance policy, which can assist with the potential balance sheet impact of a breach.
Practice – Speed of response can be vital to limit damage in the event of a breach. Identify the key stakeholders within the organization and perform a tabletop scenario exercise to ensure everyone knows the role they need to play should an incident occur.
Execution – Engaging with appropriate vendors is critical to successful execution. An organization should have relationships with defense lawyers, a public relations firm and a computer forensics firm so that these firms can work with it to mitigate loss in the event of a breach.
With the rise of the Internet of Things, cyber crime is no longer simply about loss of information. Increasingly, you need to consider the possibility that cyber could be just as physically disruptive to your business as a natural disaster or a terrorist incident. This is no longer simply a data issue — today, property and, potentially, lives could be at stake.
Selling insurance is complicated. Not impenetrable, but complicated. The sales process is sort of like a tangled piece of string — it’s easy to see the beginning and end but hard to figure out what’s happening in the middle.
When you start untangling, you’ll find prospect lists, telemarketing, direct mail, traditional marketing and web-based lead generators uncovering and enticing potential customers. You’ll also find captive agents, independent agents or brokers, wholesalers, direct telephone sales, the Internet, affiliates, carriers and carrier-like entities selling various products.
Some of these strategies work in coordination or create feedback loops — a customer sees a TV ad, which prompts him to submit a form online, which adds him to a direct mail list, which points him to an online aggregator, which puts him in touch with an independent agent selling insurance on behalf of a managing general agency… as you can see, the number of distribution permutations is considerable.
However, at American Family Ventures, we appreciate simplicity. We classify insurance distribution start-ups using four groupings: lead generation, agency/brokerage, managing general agency (MGA) and carrier.
As pictured above, the primary distinctions between participants in each group arise from the amount of insurance risk they bear and their control over certain aspects of the insurance transaction (for example, the authority to bind and underwrite insurance policies).
However, many other tradeoffs await insurance start-ups navigating among these four groups. If you consider the evolution of digital customer acquisition, including new channels like mobile-first agencies and incidental channels, choosing a niche becomes even more complicated.
In this post, I’ll discuss some of the key attributes of each group, touching on topics relevant for start-ups new to the insurance ecosystem. Please note, in the interest of time and readability, this post is an overview. In addition, any thoughts on regulatory issues are focused on the U.S. and are not legal advice.
Lead generation refers to the marketing process of building and capturing interest in a product to create a sales pipeline. In the insurance context, because of the high-touch sales process, this historically meant passing interested customers to agents or call-center employees. Today, lead-generation operators sell to a variety of third parties, including online agencies and digital sales platforms.
Let’s consider a few key attributes of lead-generation providers:
Revenue model — There are a variety of lead-selling methods, but the most common is “pay per lead,” where the downstream lead buyer (carrier or channel partner) pays a fixed price for each lead received. When pricing leads, quality plays a big role. Things like customer profile, lead content/data, exclusivity, delivery and volume all affect lead quality, which frequently drives the buyer’s price-sensitivity. As a lead-generation provider, you’ll generally make less per customer than others in the distribution chain, but you’ll also assume less responsibility and risk.
Product breadth — With the Internet and enough money, you can generate leads for just about anything. Ask people who buy keywords for class action lawsuits. However, start-ups should consider which insurance products generate leads at acceptable volumes and margins before committing to the lead-generation model. Some products are highly competitive, like auto insurance, and others might be too obscure for the lead model to scale, like alien abduction insurance (which, unbelievably, is a real thing). Start-ups should also consider whether they possess information about customers or have built a trusted relationship with them — the former is often better-suited to lead generation, and the latter can facilitate an easier transition to agency/brokerage.
Required capabilities (partnerships) — Lead-generation providers need companies to buy their data/leads. Their customers are usually the other distribution groups in this post. Sometimes, they sell information to larger data aggregators, like Acxiom, that consolidate lead data for larger buyers. Generators need to show lead quality, volume and uniqueness to secure relationships with lead purchasers, but beyond that they don’t typically require any special partnerships or capabilities.
Entities in the agency/brokerage group (also called “producers”) come in a variety of forms, including independent agents, brokers, captive agents and wholesale brokers. Of note, most of these forms exist online and offline.
Independent agents represent a number of insurance carriers and can sell a variety of products. Brokerages are very similar to independent agents in their ability to sell a variety of products, but with a legal distinction — they represent the buyer’s interests, whereas agents represent the carriers they work for. Captive agents, as the name suggests, sell products for only one insurer. While this might seem limiting, captive agents can have increased knowledge of products and the minutiae of policies. Finally, some brokers provide services to other agents/brokers that sell directly to customers. These “wholesale brokers” place business brought to them by “retail agents” with carriers, often specializing in unique or difficult placements.
An important difference between the lead-generation group and the agency/brokerage group is the ability to sell and bind policies. Unlike the former, the latter sells insurance directly to the consumer, and in some cases issues binders — temporary coverage that provides protection as the actual policy is finalized and issued.
Some attributes of agencies and brokerages:
Revenue model — Agencies and brokerages generally make money through commissions paid for both new business and on a recurring basis for renewals. The amount you earn in commissions depends on the volume and variety of insurance products you sell. Commission rates vary by product, typically based on the difficulty of making a sale and the value (profitability) of the risk to the insurance carrier. Start-ups should expect to start on the lower end of many commission scales before they can provide evidence of volume and risk quality. Agents and brokers can also be fee-only (paid for service directly and receive no commission), but that’s rare.
Product breadth — Agencies and brokerages sell a variety of products. As a rule, the more complex the product, the more likely the intermediary will include a person (rather than only software). Start-ups should also consider tradeoffs between volume and specialization. For example, personal auto insurance is a large product line, but carriers looking to appoint agents (more detail below) in this category usually have numerous options, including brick and mortar and online/mobile entities. Contrast this with a smaller line like cyber insurance, where carriers may find fewer, specialist distributors who understand unique customer needs and coverages.
Required capabilities (partnerships) — Agencies and brokerages are appointed by carriers. This process is often challenging, particularly for start-ups, which are non-traditional applicants. Expect the appointment process to take a while if the carrier isn’t familiar with your acquisition strategy or business model. Start-ups trying to accelerate the appointment process can start in smaller product markets (e.g. non-standard auto) or seek appointment as a sub-producer. Sub-producers leverage the existing appointments of an independent agency or wholesaler in exchange for sharing commissions. You could also apply for membership in an agency network or cluster — a group of agents/brokers forming a joint venture or association to create collective volume and buying power.
Regulation — Agencies and carriers need a license to sell insurance. Each state has its own licensing requirements, but most involve some coursework, an exam and an application. As we’ve recently seen with Zenefits, most states have a minimum number of study hours required. There are typically separate licenses for property, casualty, life and health insurance. Once you have a license, many states have a streamlined non-resident licensing process, allowing agencies to scale more quickly.
MANAGING GENERAL AGENCIES (MGAs)
A managing general agent (MGA) is a special type of insurance agent/broker. Unlike traditional agents/brokers, MGAs have underwriting authority. This means that MGAs are (to an extent) allowed to select which parties/risks they will insure. They also can perform other functions ordinarily handled by carriers, like appointing producers/sub-producers and settling claims.
Start-ups often consider setting up an MGA when they possess data or analytical expertise that gives them an underwriting advantage vs. traditional carriers. The MGA structure allows the start-up more control over the underwriting process, participation in the upside of selecting good risks and influence over the entire insurance experience, e.g. service and claims.
We’ve recently witnessed MGAs used for two diverging use cases. The first type of MGA exists for a traditional use case — specialty coverages. They are used by carriers that want to insure a specific risk or entity but don’t own the requisite underwriting expertise. For example, if an insurer saw an opportunity in coverage for assisted living facilities but hadn’t written those policies before, it could partner with an MGA that specializes in that category and deeply understands its exposures and risks. These specialist MGAs often partner closely with the carrier to establish underwriting guidelines and roles in the customer experience. Risk and responsibilities for claims, service, etc. are shared between the two parties.
The second type of MGA is a “quasi-carrier,” set up through a fronting program. In this scenario, an insurance carrier (the fronting partner) offers the MGA access to its regulatory licenses and capital reserves to meet the statutory requirements for selling insurance. In exchange, the fronting partner will often take a fee (percentage of premium) and very little (or no) share of the insurance risk. The MGA often has full responsibility for product design and pricing and looks and feels like a carrier. It underwrites, quotes, binds and services policies up to a specific amount of written authority. These MGAs are often set up when a startup wants to control as much of the insurance experience as possible but doesn’t have the time or capital to establish itself as an admitted carrier.
Some important characteristics:
Revenue model: MGAs often get paid commissions, like standard agencies/brokerages, but also participate in the upside or downside of underwriting profit/loss. Participation can come in the form of direct risk sharing (obligation to pay claims) or profit sharing. This risk sharing functions as “skin in the game,” preventing an MGA from relaxing underwriting standards to increase commissions, which are a function of premiums, at the expense of profitability, which is a function of risk quality.
Product breadth: MGAs of either type often provide specialized insurance products, at least at first. The specialization they offer is the reason why customers (and fronting partners) agree to work with them instead of a traditional provider. That said, you might also find an MGA that sells standard products but takes the MGA form because it has a unique channel or customers and wants to share in the resulting profits.
Required capabilities/partnerships: Setting up an MGA generally requires more time and effort than setting up an agency/brokerage. This is because the carrier vests important authority in the MGA, and therefore must work with it to build trust, set guidelines, determine objectives and decide on limits to that authority. Start-ups looking to set up an MGA should be ready to provide evidence they can underwrite uniquely and successfully or have a proprietary channel filled with profitable risks. Fronting often requires a different process, and the setup time required varies based on risk participation or obligations of the program partner. Start-ups should also carefully consider the costs and benefits of being an agency vs. MGA — appointment process difficulty vs. profit sharing, long-term goals for risk assumption, etc.
Regulation: MGAs, like carriers, are regulated by state law. They are often required to be licensed producers. Start-ups should engage experienced legal counsel before attempting to set up an MGA relationship.
Insurance carriers build, sell and service insurance products. To do this, they often vertically integrate a number of business functions, including some we’ve discussed above — product development, underwriting, sales, marketing, claims, finance/investment, etc.
Carriers come in a variety of forms. For example, they can be admitted or non-admitted. Admitted carriers are licensed in each state of operation; non-admitted carriers are not. Often, non-admitted carriers exist to insure complex risks that conventional insurance marketplaces avoid. Carriers can also be “captives” — essentially a form of self-insurance where the insurer is wholly owned by the insured. Explaining captives could fill a separate post, but if you’re interested in the model you can start your research here.
Attributes to consider:
Revenue Model: Insurance carrier economics can be complicated, but the basic concepts are straightforward. Insurers collect premium payments from insureds, which they generally expect to cover the costs of any claims (referred to as “losses”). In doing so, they profit in two ways. The first is pricing coverage so the total premiums received are greater than the amount of claims paid, though there are regulations and market pressures that dictate profitability. The second is investing premiums. Because insurance carriers collect premiums before they pay claims, they often have a large pool of capital available, called the “float,” which they invest for their own benefit. Warren Buffett’s annual letters to Berkshire shareholders are a great source of knowledge for anyone looking to understand insurance economics. Albert Wenger of USV also recently posted an interesting series that breaks down insurance fundamentals.
Product breadth: Carriers have few limitations on which products they can offer. However, the products you sell affect regulatory requirements, required infrastructure and profitability.
Required capabilities/partnerships: Carriers can market and sell their products using any or all of the intermediaries in this post. While carriers are often the primary risk-bearing entity — they absorb the profits and losses from underwriting — in many cases they partner with reinsurers to hedge against unexpected losses or underperformance. There are a variety of reinsurance structures, but two common ones are excess of loss (reinsurer takes over all payment obligations after the carrier pays a certain amount of losses) and quota share (reinsurer pays a fixed percentage of every loss).
Regulation: I’ll touch on a few concepts, but carrier regulation is another complex topic I won’t cover comprehensively in this post. Carriers must secure the appropriate licenses to operate in each country/state (even non-admitted carriers, which still have some regulatory obligations). They also have to ensure any capital requirements issued by regulators are met. This means keeping enough money on the balance sheet (reserves/surplus) to ensure solvency and liquidity, i.e. maintaining an ability to pay claims. Carriers also generally have to prove their pricing is adequate, not excessive, and not unfairly discriminatory by filing rates (their pricing models) with state commissioners. Rate filings can be “file and use” (pre-approval not required to sell policies), or “prior approval” (rates must be approved before you can sell policies).
In this overview, I did not address a number of other interesting topics, including tradeoffs between group choices. For example, you should also consider things like exit/liquidity expectations, barriers to entry and creating unfair advantages before starting an insurance business. Perhaps I’ll address these in a future post. However, I hope this brief summary sparks questions and new considerations for start-ups entering the insurance distribution value chain.
I’m looking forward to watching thoughtful founders create companies in each of the groups above. If you’re one of these founders, please feel free to reach out!
Typically, disruption hits a tipping point at which just less than 50% of the incumbent revenue is lost in about a five-year timeframe. Recent disruptions that provide valuable insight include streaming video’s impact on the video rental market. When broadband in the home reached ubiquity and video compression technology matured, low-cost streaming devices were developed and, within four years, the video rental business was completely transformed. The same pattern can be seen in the Internet-direct insurance model for car insurance. At present, 50% of the revenue from the traditional agent-based distribution model has been moved to direct insurance providers.
Revenue at risk will exceed 20% by 2020
According to our survey, the vast majority (83%) of respondents from traditional financial institutions (FIs) believe that part of their business is at risk of being lost to standalone FinTech companies; that figure reaches 95% in the case of banks. In addition, incumbents believe 23% of their business could be at risk because of the further development of FinTech, though FinTech companies anticipate they may be able to acquire 33% of the incumbents’ business. In this regard, the banking and payments industries are feeling more pressure from FinTech companies. Fund transfer and payments industry respondents believe they could lose as much as 28% of their market share, while bankers estimate that banks are likely to lose 24%.
A rebalancing of power
FinTech companies are not just bringing concrete solutions to a morphing consumer base, they are also empowering customers by providing new services that can be delivered with the use of technological applications. The rise of “digital finance” allows consumers to connect to information anywhere at any time, and digital services can address their needs in a more convenient way than traditional nine-to-five financial advisers can.
According to our survey, two-thirds (67%) of the companies ranked pressure on margins as the top FinTech-related threat. One of the key ways FinTechs support the margin pressure point through innovation is step function improvements in operating costs. For instance, the movement to cloud-based platforms not only decreases up-front costs but also reduces continuing infrastructure costs. This may stem from two main scenarios. First, standalone FinTech companies might snatch business opportunities from incumbents, such as when business-to-consumer (B2C) FinTech companies sell their products and services directly to customers and position themselves as more dynamic and agile alternatives to traditional players. Secondly, business-to-business (B2B) FinTech companies might empower specific incumbents through strategic partnerships with the intent to provide better services.
FinTech, a source of opportunities
FinTech also offers myriad possibilities for the financial services (FS) industry. B2B FinTech companies create real opportunities for incumbents to improve their traditional offerings. For example, white label robo-advisers can improve the customer experience of an independent financial adviser by providing software that helps clients better navigate the investment world. In the insurance industry, a telematics technology provider can help insurers track risks and driving habits and can provide additional services such as pay-as-you-go solutions.
Partnerships with FinTech companies could increase the efficiency of incumbent businesses. Indeed, a large majority of respondents (73%) rated cost reduction as the main opportunity related to the rise of FinTech. In this regard, incumbents could simplify and rationalize their core processes, services and products and, consequently, reduce inefficiencies in their operations.
But FinTech is not just about cutting costs. Incumbents partnering with FinTech companies could deliver a differentiated offering, improve customer retention and bring in additional revenues. In this regard, 74% of fund transfer and payment institutions consider additional revenues to be an opportunity coming from FinTech. This is already true in the payments industry, where FinTech generates additional revenues through faster and easier payments and digital wallet transactions.
This post was co-written by: John Shipman, Dean Nicolacakis, Manoj Kashyap and Steve Davies.