NAIC’s New Rules: Challenges, Solutions

For security and compliance professionals, the announcement of new regulatory standards can be a stark reminder that the to-do list is long and the day is short. But with careful preparation and concerted, coordinated efforts to mature governance, risk management and compliance (GRC) activities, compliance and security teams can face new rules and standards with confidence.

After many iterations and comment periods, the National Association of Insurance Commissioners (NAIC) announced the adoption of the Insurance Data Security Model Law in October 2017. The model law — which encompasses rules for licensed entities about data security and data breach investigations and notifications — establishes more rigorous guidelines for the insurance industry. It shares many similarities with the New York State Department of Financial Services (NYDFS) cybersecurity requirements for financial services companies, currently considered to be the highest bar — and a best practice — so the NAIC’s model law is likely to be adopted by many states as the governing standard.

The NAIC’s rules specify information security programs should be based on “an ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event.”

In particular, take a close look at Section 4: Information Security Program. It details implementing a program and the requirements for assessments, reporting, audits, policies and procedures. It sounds straightforward on the surface but grows in complexity the more you read; you need to not only identify internal and external threats but also assess the potential damage and take active, concrete steps to manage the threats. Section 4 also calls for more accountability when it comes to protecting data — each insurer must submit an annual statement by February 15 certifying compliance with Section 4 or identifying areas that need improvement, as well as remediation plans.

It is important to note that the insurance industry has unique challenges around internal risk, third parties and intricately collaborative processes. Many entities and individuals are involved in a single claim: brokers, dealers, agents, actuaries, adjustors and claims processors. This creates more room for error, more potential gaps in security coverage and more difficulty managing contributors. Comprehensive procedures supported by integrated risk management technology solutions will help weave a tighter web.

Renewed Focus on Third Parties

As is the case with many of the major cyber security and data privacy frameworks (e.g., HIPAA, NYDFS, GDPR), the NAIC’s model law gives special attention to required oversight of third-party providers. Licensed entities are responsible for ensuring that third parties implement administrative, technical and physical measures to protect and secure the information systems and nonpublic information they hold or have access to.

Meeting these requirements means licensed entities need to conduct assessments to ensure third parties are following security, privacy and notification guidelines. Section 4.c (Risk Assessment) stipulates identifying threats through an ongoing assessment and an annual review of systems, controls, processes and procedures.

Developing a comprehensive and streamlined system for vendor risk management is an increasingly critical component of both security and compliance programs — especially for large enterprises and those with complex partnership and outsourcing structures.

Incident Response is Key

The NAIC’s model law also specifies requirements for incident investigations and mandates that breaches be reported to the commissioner within 72 hours. In this notification, insurers must provide as much information as possible, including: the date of the breach; how the information was exposed; the types of information exposed; the period during which the system was compromised; planned remediation efforts; a copy of the company’s privacy policy; and more. Additionally, licensees must notify consumers of the breach as their state’s data breach notification law requires.

It will be nearly impossible to meet these demands if your security information is outdated, incomplete or difficult to pull together. Prompt incident response can have a significant effect on outcomes. If you can quickly coordinate clear, accurate communications to regulators, third parties and customers about a breach or cyber attack, you can contain reputational damage, protect end users and demonstrate that negligence was not a factor.

How to Become Prepared — and Stay that Way

While some of the specific requirements of NAIC’s new model law might cause alarm, most insurance businesses already have well-defined processes and controls. The need to keep sensitive customer data secure and private isn’t new, and high-profile data breaches (e.g., Equifax, Anthem, Aetna) keep a spotlight on the consequences of failing to do so.

Licensed entities are most likely to be challenged by the outer ends of the integrated risk management spectrum — the granular details of controls, policies and procedures on one end as well as the development of a sustainable security culture on the other. Both can be enhanced and reinforced through an enterprise-wide, technology-driven approach to GRC efforts.

By implementing a centralized integrated risk management platform, insurance organizations can move away from fragmented manual processes (spreadsheets and email) and toward higher degrees of automation and analytics.

The difficulty of meeting the NAIC’s requirements depends on the maturity of a company’s security and compliance program.

Companies that are already using an integrated risk management platform will easily be able to identify the gaps in compliance and efficiently make needed changes to achieve compliance. Those who do not have mature programs in place will have a longer path, from reviewing the requirements and identifying compliance gaps to the challenging goal of creating a culture of security.

Talking Insurtech With Regulators

Key Points

  • Recent shifts in insurance regulation are driven by consumer demand.
  • Traps for the unwary mean that insurtech startups should engage with regulators early and often.
  • Brokers need to know how to navigate the complex framework of anti-rebate and anti-inducement laws.

It is no secret: Investors are pouring money into insurtech startups with the goal of transforming the insurance industry. This increased investment is fueling not only growth in the industry, but also growth in the number of conferences, expos and seminars that allow companies to promote their products, build connections and stay abreast of the latest trends. Last month, more than 3,500 startups, insurers, investors, and service providers converged on Las Vegas for the largest and most global of such conferences: InsureTech Connect.

Attendees at this year’s event were treated to a host of presentations, from insightful fireside chats with entrepreneurs, such as Metromile’s Dan Preston and Ring’s Jamie Siminoff, to thought-provoking panels on satellite imagery, telematics, wearables and innovative strategies for insurance companies of the future.

But, as excitement and buzz steadily mount, at least one panel reminded attendees that insurance—while highly ripe for innovation—is also a highly regulated industry. The panel (“Balancing Innovation and Regulation”) featured Michael Consedine (CEO of the National Association of Insurance Commissioners), Ted Nickel (Insurance Commissioner of Wisconsin) and Chris Cheatham (CEO of Risk Genius).

Here are our key takeaways of that panel discussion.

Recent policy shifts are driven by consumer demand.

Over the past 200 years, the insurance industry has gone through periodic changes. But, as Consedine explained, this is the first time that significant changes are being driven by consumer demand. Specifically, consumers are demanding simpler and more intuitive policies; a streamlined and digital application process; faster claims payments; mobile access; and new products, such as peer-to-peer or pay-as-you-go. Insurance regulators nationwide realize that innovation will lead to consumers being better served, and, as a result, they are taking an active role in being a part of the conversation and enabling innovation.

Traps for the unwary mean that insurtech startups should engage with regulators early and often.

Once a company begins to analyze risk or price products, it runs the risk of being considered an insurance company and, more importantly, being subject to a host of often complex regulations that vary from state to state. For instance, while the amount and quality of available data are exploding—opening up the possibility of using new or unconventional data to price risk—state laws prohibit not only unfair discrimination generally, but also specific factors from being considered when pricing risk. In other words, as Mr. Nickel explained, a data set may show that there are more pool deaths in years when a Nicolas Cage movie is released, but whether that correlation is actuarially sound, let alone a fair basis on which to make pricing or rate decisions, is something that companies should discuss with regulators before launching. The same is true with respect to other issues, such as privacy or cybersecurity regulations—companies should understand the regulatory regime in which they operate and ensure that they are in compliance. To that end, Mr. Nickel encouraged companies to engage regulators from the outset to explain how a new algorithm or business model works to ensure that they are not running afoul of state regulations.

If you are a broker, be aware of anti-rebate and anti-inducement laws.

Nearly every state (with the notable exception of California) has some form of anti-rebate or anti-inducement laws on the books. Generally, these laws prevent a broker from providing something of value to a customer to “induce” an insurance purchase. While promotional items, such as golf balls and pens, are often exempt from such laws, a company must be especially careful when it begins to offer—at no charge—more valuable goods or services to its customers. According to Nickel, these laws might be particularly problematic for new entrants into the industry. For example, if a broker provides a wearable device to its customers, might such a gift implicate anti-rebate laws? What about specialized software provided at no charge? New companies in the broker space should ask themselves these sorts of questions sooner rather than later, seeking out counsel when necessary to avoid regulatory issues down the road.

New Approach to Cyber Insurance

The most active players in the fledgling but fast-growing cyber insurance market are hustling to differentiate themselves.

The early adopters and innovators are doing so by accelerating the promotion of value-added services—tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.

As more businesses look to purchase cyber liability policies, insurance sellers are striving to dial up the right mix of such services, a blend that can help them profitably meet this pent-up demand without taking on too much risk.

The incentive is compelling: Consultancy PricewaterhouseCoopers estimates that the cyber insurance market will grow from about $2.5 billion in 2014 to $7.5 billion by 2020. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.

This anticipated growth in demand for cyber liability coverage—coupled with the comparatively low level of loss claims—has created strong competition in this nascent market.

The Insurance Information Institute estimated last year that about 60 companies offered standalone cyber liability policies. In total, more than 500 insurers provide some form of cyber risk coverage, according to a recent analysis by the National Association of Insurance Commissioners.

“There are quite a few players, so they are looking for ways to differentiate themselves and find competitive edges,” says David K. Bradford, co-founder and chief strategy officer for Advisen, an insurance research and analysis company.

Insurance companies make adjustments

Insurance carriers hot after a piece of this burgeoning market are beginning to offer value-added services to make their cyber offerings stand out.

Rather than growing these services in-house, most are partnering with vendors and consultants that specialize in awareness training, network security and data protection. Services that boost the value of cyber policies are being supplied for free, or offered at a discount. Typical cyber insurance value-added services include:

  • Phishing and cyber hygiene awareness training
  • Incident response planning
  • Security risk assessments
  • Best practices web portals and software-as-a-service tools
  • Threat detection services
  • Employee and customer identity theft coverage
  • Breach response services

One measure of value-added services gaining traction comes from the Betterley Report, which recently surveyed 31 carriers that offer cyber policies. Betterley found that about half offered “active avoidance services,” while nearly all offered some sort of pre-breach planning tools.

Rick Betterley, president of Betterley Risk Consultants, which publishes the Betterley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be better protected,” he says.

Betterley is a big proponent of adding risk-management services to cyber policies. He calls the approach Cyber 3.0, adding that it’s akin to the notion of insuring a highly protected risk in a property insurance policy. Cyber value-added services, he says, are the equivalent of fire insurance companies requiring sprinklers.

“It’s not required that insurance companies provide the services, but it’s required that they help insureds identify what services are likely to generate a reduction in premiums,” Betterley says.

Sector faces new challenges

That said, the cyber insurance sector is still finding its way. With auto crashes, fire or natural disasters, losses are well defined and fully understood. Cyber exposures, by contrast, are hard to pin down. Network vulnerabilities are extremely complex and continually evolving. And historic data on insurance claims related to data breaches remains, at least for the moment, in short supply.

An added challenge, Betterley says, is that insurance companies are unable to satisfactorily measure the effectiveness of security technologies and services in preventing a data breach.

Advisen’s Bradford agrees. “It’s a rapidly evolving area that changes day to day, and underwriters are definitely wary of recommending a particular vendor or approach,” he says.

Eventually, the insurance industry will figure out how to make meaningful correlations and separate the wheat from the chaff.

“In bringing in these value-added services, we can help shore up some of those areas where we’re seeing human error,” observes Dave Wasson, cyber liability practice leader at Hays Cos., a commercial insurance brokerage and risk management consultancy. “We’ll be at a point where we’ll know what makes a difference, and we can put our money, time and efforts into those solutions.”

Eric Hodge, director of consulting at IDT911 Consulting, part of IDT911, which underwrites ThirdCertainty.com, concurs. One ironic result of the recent spike of ransomware attacks aimed at businesses, Hodge says, is that more hard data is getting generated that is useful for calculating loss profiles.

Along the same lines, settlements of class-action lawsuits related to breaches of high-profile retailers, such as Target and Sony, are helping amass data that will help the industry flesh out evolving actuarial tables.

“Losses from cyber attacks and data breaches are becoming easier to quantify,” Hodge says. “And market forces are absolutely lining up to reward the wider use of these activities. It’s harder to ignore the fiscal argument for an insurer to go the extra mile in helping the insured organizations make sure that a costly breach doesn’t occur.”

AIG blazes trail

One notable proponent leading the way is multinational insurance giant AIG, which is nurturing partnerships with about a half-dozen cybersecurity vendors.

AIG services—some of which are offered to policyholders at no cost—range from threat intelligence and cyber risk maturity assessments to active detection and vulnerabilities assessments.

RiskAnalytics, one of AIG’s partner vendors, provides threat intelligence services, including a service that detects and shuns blacklisted IP addresses. Any AIG insured with a minimum $5,000 policy can participate at no additional cost.

The company’s partnership is exclusive to AIG, and appears to be very popular.

“We’re bringing in multiyear contracts, and the average sales price is on an impressive trajectory,” says RiskAnalytics Chief Operative Officer Kurt Lee. “It’s all born out of (customers) using that (introductory) service through the policy.”

Recognizing the trend, more vendors are seizing the opportunity to market their services to insurance carriers.

Vendors are willing to jump through the many hoops because a partnership with an insurance company is an opportunity to get a soft introduction to a potential client, says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider (MSSP) that is reaching out to carriers.

Dismantling roadblocks

As with any new approach, broad adoption of cyber insurance value-added services isn’t without hurdles. One major obstacle is the “’this-isn’t-how-we’ve-always-done-it’ way of thinking,” says IDT911’s Hodge. “It’s like trying to change our election processes—people resist altering a system that has been in place for a couple hundred years.”

Another barrier is cost. Insurance companies tend to reserve free or discounted added services for heavyweight clients that spend small fortunes on annual premiums, says John Farley, vice president and cyber risk practice leader at insurance brokerage HUB International.

“Carriers can’t give away a lot of resources, so the smaller premium payers are not getting a lot of these services,” Farley says. “But if they can streamline and automate resources and figure out how to get customizable, usable information to the insurance buyer, that insurance carrier will probably stand out.”

Brian Branner, RiskAnalytics’ executive vice president, says that’s exactly one of the benefits that AIG derives from their partnership.

“If we can get the insureds to use the services we provide, we should lower AIG’s loss ratio because they’ll be safer organizations, and AIG should receive less claims,” he says.

Hidden costs of a breach can affect a large enterprise for years, and prove catastrophic to a small business. So insurance companies in the vanguard are looking to find business clients that are taking information security seriously.

As more companies buy cyber policies, and use any attendant services, the result could be a halo effect, says IDT911’s Hodge.

“This is certainly something that the insurers are counting on,” Hodge says. “A more secure buyer is a lower actuarial risk to the insurer.”

Meanwhile, policyholders should steadily become better equipped to securely do business in an internet-centric economy riddled with evolving exposures.

Hodge says: “In my experience, the buyer is often pleasantly surprised by the improvement that can come about quickly in terms of knowing their risk, being compliant with their industry standards and being able to indicate to the marketplace that they are taking good care of their customer’s information.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.

5 Key Questions for Midsize Insurers

This year, mid-sized insurers continue to face significant challenges, but these challenges can be treated as opportunities for organizations to distinguish themselves from competitors. As the digital economy continues to spur change, insurers would be wise to get in front of the curve by taking steps to improve underwriting and increase profitability. Here are five questions mid-sized insurers should ask themselves to help guide their business transformation.

1. How well do we leverage our data?

The days of the actuary as the primary data interpreter are waning as data analysts with access to an ever-increasing set of tools are leaving actuaries in their wake. Insurance companies are starting to take notice, and those that are leveraging their data to make informed decisions are enjoying faster growth and increased profitability. A data innovation strategy must be driven from the top of the organization down. However, the scope of the endeavor and the multitude of choices can be daunting. For example, a predictive model can provide great insight, but it may be more prudent to design a model that enhances your organization’s decision-making capabilities rather than one that replaces current methods. Management information, underwriting, pricing, claims management, claims reserving and actuarial reserving should all be informed by your organization’s data, which makes developing and implementing a smart data strategy imperative.

2. Is regulation an opportunity or an obstacle?

Regulation is useful when it promotes strong digital protection standards, the advantages of which are best illustrated when the inevitable cyber breach hits the press. Your organization may not be directly subject to General Data Protection Regulation or New York State Department of Financial Services (NYDFS) cybersecurity regulations, but the standards are illuminating, nevertheless. At a minimum, your firm should be reviewing compliance standards and determining which ones it should be implementing as a function of industry best practices. Since the National Association of Insurance Commissioners currently produces a less-comprehensive standard, a company may someday find itself on the defense, arguing it did only what was required. NYDFS standards could easily become the de facto standard, especially over the next few years as third-party vendors doing business with New York-based financial institutions will need to ensure compliance with NYDFS requirements. The reality is that data is an asset, and insurance companies rely heavily on data to run their businesses. Insurers will be collecting and using even more data in the future. They must take steps to protect this valuable, growing business asset and be prepared to adopt the highest standards of protection for their insureds.

3. Will our organization be the next to be disrupted?

For the past few years, venture capital dollars have been flowing into insurance disruptors such as Cyence, Metromile and Lemonade. Certainly, we won’t see complete disruption overnight, but small changes will likely occur more frequently than expected, and, over time, the effects will have a significant impact on current business models. Your company could be disrupted by a current competitor using advanced machine learning algorithms in the underwriting process. Or perhaps an insurtech startup will begin to capture all your new insurance prospects through its new mobile app and lower price point, halting your growth. Similarly, consider non-insurance-specific disruptions, such as developments in the “Internet of Things.” What if a competitor rolls out a new device that protects its insureds from meaningful injuries by using sensors to alert workers and their employers of dangerous conditions — giving a distinct advantage to their workers’ compensation insurance rates? Will your firm be the disruptor or the disrupted? Regardless of the answer, what is your firm doing to prepare for the impact?

4. Are we transferring risks to the capital markets?

The reinsurance market has been transformed over the past decade by insurance-linked securities (ILS), alternative reinsurance instruments like catastrophe bonds and collateralized reinsurance contracts, whose value is affected by an insured loss event. ILS investors are typically willing to accept a lower rate of return than traditional reinsurance companies because of the diversifying effect on the insurance-linked investor’s broader portfolio. That incentive has drawn more investor capital to the reinsurance market, putting pressure on reinsurance rates and even causing reinsurers to start their own investment funds. And while long-term relationships between insurers and reinsurers have tremendous value, your organization should be looking at all efficient opportunities to lay off excess risk and protect your company from earnings volatility.

5. Why do we need a digital innovation strategy?

For many, innovation is inherently uncomfortable and volatile. Technology is changing rapidly, and the insurance industry is already starting to evolve. Managing an insurance transformation process triggered by a digital revolution will not be easy, but it must begin with identifying your current value proposition: Why do your clients value your insurance? Identify what you do well as an organization and what you can improve upon. By incorporating your starting point into a change plan that recognizes current strengths and explores future possibilities, your firm will be better prepared to navigate the coming industry transformation and will be better positioned to thrive on the other side of change.

Can Blockchains Be Insured?

Are blockchains insurable? This question was posed as a topic for presentation by the Center for Insurance Policy and Research, a research arm of the National Association of Insurance Commissioners (CIPR/NAIC).

The trigger appears to be that some insurance companies are being asked to insure the business operations of blockchain enterprises. This same question would apply to legacy businesses that may choose to use or participate in a blockchain, which is basically a shared database managed by software. If one listens to blockchain activists, this issue could apply to everyone in the near future.

The Ingenesist Project volunteered the following opinion to the question: “Are blockchains insurable?”

The article is long and comprehensive, but the implications are staggering. The article begins by describing the landscape of finance and entrepreneurship in terms of insurability. It follows with, in essence, a mathematical proof that blockchains are indeed insurable but that business processes using blockchains may not be.

Luckily, the technology offers sufficient mathematical underpinning to adequately calculate risk and thereby pool risk exposures of its components. However, trouble arises when digital assets can neither be treated as money nor as property. As such, an extralegal condition may exist that would be categorically non-insurable in mainstream finance.

“Extralegal” refers to a condition where something is neither legal nor illegal. Economist Hernando De Soto writes about how the extralegal sector in many parts of the world grossly inhibits economic growth because people are unable to secure “title” to property and businesses they create. They are unable to bridge the capitalization gap — that is, the ability to borrow against tangible assets or future returns.

Blockchain technology appears to be languishing in the extralegal domain as courts and governments have few uniform ideas about how and where this tech fits in society — that is, until something goes wrong, such as a major hack where important people lose a lot of money. Only then will some patchwork of blanket legislation likely emerge that favors those of one sector over another. The running joke in crypto-space is that any effort to control blockchain technology would negate any benefits of having it in the first place.

A Third Option

The CIPR/NAIC article raises the possibility that the pairing of blockchain technology with professional engineers (as the decentralized adjudicators of smart contracts) would achieve a state of insurability and thus bridge the capitalization gap required for mainstream financing of blockchain enterprise. This arrangement applies primarily to basic infrastructure and derivatives of basic infrastructure, which may not actually be a bad thing at all.

The Critical Path

The Earth is currently an epic case study in deferred maintenance. There are very real and serious global problems that affect every living creature that we need to attend to immediately. Critical path methodology is a technique familiar to all builders as a set of instructions specifying where one action must precede the next for subsequent actions to occur. Millions of business plans that provide basic human needs and protect our natural resources and that are currently unprofitable will suddenly become hugely profitable.

These outcomes could be accomplished with the recommendations provided within the CIPR/NAIC article. Please read this article and forward it to others who are interested in this technology. There is very real value to be released and money to be made in the next economic paradigm that is currently at our fingertips. All we need to do is align insurance with engineering on a shared database.