Construction never stopped in some cities and states during the height of the COVID-19 outbreak — and some airport and public works projects, in fact, gained some efficiencies because of fewer travelers and passers-by on the periphery of job sites.
Where work continued, contractors adjusted on the fly to help reduce coronavirus health risks to their crews. Now, as more construction projects are permitted to resume, contractors can incorporate lessons learned so far and factor in new variables to help manage risks and rebuild momentum in a world transformed by COVID-19.
Contractors deal with unexpected challenges frequently, often weather-related. That experience will serve the industry well as it adjusts to new safety requirements along with complexities of returning to sites where work perhaps started but then was halted.
Costs may increase, and schedules may stretch to compensate for additional steps that must be taken each day before hammer meets nail. Simply doing what’s compulsory shouldn’t be the focus.
How will you take temperatures so as to avoid breaching the six feet of social distance?
Will workers be trained to take temperatures using no-contact thermometers, or will a third-party medical service or portable testing centers be brought in?
What temperature threshold will send a worker away?
What documentation, if any, will be kept of workers’ test results, and how will confidentiality be preserved?
Do workers need to arrive earlier than in the past, and does that have ramifications for overtime?
There are lots of decisions — and that’s just for temperature screening.
The protocols for face coverings require similarly detailed decision making as well as awareness of state and local mandates. Are face coverings required at all times, or only when it’s not possible to keep six feet of social distance? Are cloth face coverings sufficient, or are respirators approved by the National Institute for Occupational Safety and Health (NIOSH) mandated in certain circumstances?
Note that these new protocols may lead to new risks, such as fogging of eye protection and creation of blind spots. Consider applying anti-fog solution to the lenses, or use helmets with face shields, if appropriate.
This planning may seem daunting, but establishing protocols and communications materials now will make it much less onerous to enforce going forward.
Review financial and supply chain status
Contractors who complete a post-shutdown risk register or hazard analysis should expand their focus beyond health issues. It’s wise to ensure financing, permits and insurance policies have not expired. Consider requalifying subcontractors to check financial status. If there are red flags, consider using joint checks to ensure that lower-tier subcontractors and suppliers receive payment. And is your own cash flow sufficient to make payroll, or have you made other arrangements?
Note that some supply chain and labor issues resulting from the shutdown have not yet been resolved. Make sure you have the materials and crew you need to keep the sequence of work on target.
New reasons to adopt emerging technology
In the hierarchy of technology adoption, many contractors are starting by converting to virtual training and orientation to enable social distancing. Make sure you adequately test your technology and distribute clear instructions to help your workers adjust to using it.
Next, consider the use of technology such as wearables that allow contact tracing, which could help ensure that workers are complying with social distancing guidelines. Wearables for construction are being modified so that, for example, a worker could receive an alert when less than six feet from another worker. Some systems also allow you to identify what workers may have come in contact with an infected worker, should someone later test positive.
There also are opportunities to increase your use of offsite and onsite prefabrication, in part to reduce the number of people on a site at one time and possibly to contribute to efficiency.
Finally, this may be a great time to experiment with emerging technology, such as using robots to do floor layout, which has the potential to improve accuracy as well as reduce the number of people on a job site at one time.
There are some silver linings
No one would have invited coronavirus into the world, but new protocols to reduce health hazards may produce additional benefits.
Limiting the use of elevators to materials and creating one-way pathways for personnel may not only assist in social distancing but also contribute to increased productivity.
These steps could become a best practice worth keeping, along with many other new procedures.
It’s too soon to gauge the net impact of the coronavirus pandemic. But in terms of the business outlook, potential positive developments could include:
Construction opportunities increasing in sectors such as healthcare, infrastructure, warehousing (which was already going strong) and manufacturing.
Growth in modular, off-site construction, in part because it can help reduce the number of people on a job site at one time.
More U.S. manufacturing of construction materials, in response to coronavirus-related supply chain delays associated with offshore providers.
Regional population shifts in response to the hardships endured during the pandemic. These may result in increased residential construction in areas of growth, followed by additional commercial and infrastructure development.
In the near term, some projects will be under pressure to accelerate to get back on schedule. But COVID-related mandates may force a slowing of the process, which could enhance overall site safety and quality of work.
Vigilance, as always, is key — and not just about coronavirus. We need to remain attentive to typical construction-related injuries and issues such as heat-related illnesses. Caring for people will help us take care of business now and during the months of recovery ahead.
From a cyber security standpoint, the move back to a work setting for employees should not be the challenge that moving to “work from home” may have been for many organizations. Network security in the workspace is already in place, and employees are quite familiar and at ease working in the work environment.
By now, businesses should have already addressed issues of remote access, the use of multifactor authentication and virtual private networks (VPNs). But in the wake of COVID-19, as businesses return to the workplace, organizations should take some lessons from the COVID-19 pandemic. We recommend they use this information to shore up potential weak spots in their cyber security program’s incident response plan.
The greatest lesson to take away from the pandemic has to do with preparedness. What has been witnessed over the last three months is crisis response, on a global level, taken to its extreme. Every business and local, county and state government, and even individuals were forced into some form of crisis management. Some were able to respond better than others.
“Something like this will never happen”
One of the reasons that many were not prepared for the pandemic and did not respond well was because they believed that “something like this will never happen.” It’s a phrase that is heard often by those in the cyber security industry. Organizations often rationalize they are able to live with less than optimal cyber security because they feel they are too small to attract hackers, or they don’t have anything that anyone would want to steal. We know now that “something like this” can happen, and the results can be catastrophic.
Additionally, an organization does not have to possess something that a hacker wants to steal, to be a desirable target. All it has to possess is an opening; some vulnerability that allows a bad guy entry to exploit the opportunity to interrupt business and maybe even demand a ransom.
As businesses begin to return to workplace operations, now is a great time for them to reevaluate their approach to cyber security as a whole, and cyber resilience in particular, while drawing some comparisons to what the world has experienced in the pandemic.
1. Identify assets
Using the National Institute of Standards and Technology (NIST) Cyber Security Framework as a guide, consider the first risk category of IDENTIFY. The first objective of cyber security is for an organization to understand its assets. A business must ask itself, “What do we have that needs to be protected? What are our high-value/high-criticality assets? What are the risks and vulnerabilities associated with those assets? Where are those assets located? Are they on the cloud? On the premises? Do we have all of our assets accounted for in an inventory? Do we verify that inventory regularly?”
When the pandemic hit, many entities found themselves without a full understanding of the assets they possessed and what they still needed. Assets including hospital beds, ventilators, usable test kits and procedures and personal protective equipment. In many cases, the result was a scramble over a long period to acquire the necessary assets.
2. Protect assets
Following the NIST framework, once assets have been identified, and risks assessed and ranked for criticality, what protective controls are in place to protect those assets? In the towns, cities and states that we live in, there are healthcare systems, networks of healthcare providers, nursing homes, pharmacies and other components all geared to providing protection to our countries’ most valuable assets: people.
What about in the business community? Are businesses providing their most critical assets, such as data, hardware, software and even business processes, with the protections aligned with their importance? Do these businesses segment their critical assets or encrypt critical data? Do they educate their employees about cyber security and the roles they play in maintaining it? Do they provide their employees with the proper amount of access to IT assets?
3. Detect the problem
The third risk category in the NIST framework is DETECT. How can businesses know when something bad might be happening? How do businesses monitor for indicators of compromise within their networks? In the pandemic, the World Health Organization has been acting as a parallel to a managed security services provider (MSSP) or a security operations center (SOC) for the network of countries around the world. The job is to detect the initial outbreak and alert the rest of the world to the danger.
4. Respond to the crisis
Each business needs to assess its ability to detect potentially malicious activity in corporate networks. Is each organization engaging a third-party MSSP? Is it performing up to expectations? If a business is doing its own monitoring, is that monitoring complete and effective? Is the business monitoring the most valuable or risky assets closely enough? Is it processing all the right information? Does the business even know what malicious behavior looks like or how to find it?
5. Find a path to recovery
With these steps developed, businesses can finally consider what response and recovery will look like. NIST suggests considering how to handle response and recovery in our networks compared with how the various government agencies have handled theirs.
First, businesses should have a documented incident response plan for their networks and should make sure it has been reviewed recently for adequacy. The incident response plan needs to clearly define roles and responsibilities for all participants. It needs to include procedures for identification, containment, eradication, recovery and lessons learned. The plan should also state how the business will communicate information about the incident to internal and external audiences. In developing the incident response plan, it is key for businesses to line up and perhaps even contract with third parties for technical response services that they don’t have in-house.
Businesses also should make sure their incident response plan is designed to consider a “black swan” event, which is an unexpected, catastrophic event that forces a complete shutdown of a company’s network and its services. As rare as black swan events may be, they do occur. Many remember the first outbreak of ransomware just a few years ago and how it caused the complete shutdown of some global networks. Even some companies with what might be considered very good cyber security were severely hurt. Why? Because they did not contemplate such an event and therefore did not build their response plan for effectiveness against a black swan event. The development of an incident response plan is not complete until it contemplates and prepares for such a rare and devastating event.
Finally, with respect to response and recovery, testing plans is incredibly important. Plans that are in place, but have not been tested for several years, are likely to be missing some details that will limit their usefulness when it really counts – in a cyber event. Businesses that test their plans regularly – minimally once per year – and update the plan based on lessons learned from both tests and actual events will have experiences in actual cyber events that are probably much less painful than if they did not plan and test the plan regularly.
The COVID-19 pandemic of 2020 is real – it’s not a test – and the lessons learned from the event are substantial and painful. The phrase “Never let a good crisis go to waste” has been repeated in a cynical manner many times, but it does have value in the context of current events. City, state and federal governments will certainly be revisiting their pandemic crisis management policies and procedures in the near term. It’s also a good time to revisit cyber risk management and incident response procedures.
While every carrier manages claims operations in a slightly different way, there are three consistent technology setups currently in practice: Green Screen, Home-Grown and Modern. The back-end operational workflows for each of these practices are generally the same: The adjuster manually enters notes, manually sends emails or makes calls and manually ties documents from the document management systems to the claim systems. The challenge here is that the adjuster is the centrally intelligent component. Relying on an adjuster to connect various systems mires the adjuster in overly manual steps, leaving claims processing vulnerable to reduced speed, mistakes and inefficiencies – all of which lessen customer satisfaction.
While more common overseas and in smaller markets, green screen systems are still found in many claims operations today. The green screen is a simple claim database that only accepts user inputs from a text-based screen with minimal capabilities to integrate into any other systems. Adjusters are forced to use a separate document management system to store files and photos and use a separate email system for outward communications.
Carriers relying on green screen systems see inefficiency with data transfer. Adjusters have to hunt for documents that are not tied to a claim number, annotate the decisions they have made in the green screen system and communicate in a separate system to the customer. Most of the mindshare of the organization is spent on teaching the humans the rules of the claim and how to document their thoughts in the system.
Some organizations have managed to build their own systems internally over the years. In these systems, various IT projects over the years have been spliced together with complicated business rules that aim to reduce the human error and ensure legal compliance. Carriers with a home-grown system face significant IT spending to maintain their complex infrastructure. Even with a large IT staff, it is nearly impossible to launch new technology initiatives because change affects rules buried deep in the system. The result is a system that is expensive, inflexible, complex and generally oblivious to the customer experience.
Recently, carriers have consolidated their legacy systems into one modern platform. These setups require a large engagement with a third-party system integrator and many years of thoughtful planning and data migration. However, the output is rarely a truly consolidated system. Carriers with modern systems are bound to long-term, third-party support contracts and face many of the issues that home-grown carriers face. Complicated business logic is embedded in the software to try to avoid human errors, but it leads to complexity and rigidity that ensure internal compliance while ignoring the customer experience.
Carriers and Customers
As customer needs are changing, carriers’ technology should be changing, too. Today’s customers expect a seamless tech experience with clear communication, automation and the ability to input via apps, photos, phones and inboxes. There are several new tech solutions that aim to ease a challenge of current carrier tech configurations. At Snapsheet, we have already built software that eases nearly all of these customer expectations.
Here are the capabilities that are critical to advanced claims technology – all of which will help meet customer needs:
Cloud-Based Architecture: This feature is important for a flexible design, which eases the implementation. There is no data migration, no system integration and no multi-year project plan. Claims software is launched stand-alone around existing systems or as a full-on replacement. It enables carriers to track, with real-time precision, all of the customer interactions, how the customer engages with the claims process and how the adjuster is engaging with the customer. Immediate insights are gained and can be operationalized.
Intelligent Claims Files: Instead of relying on the adjuster to tie systems together and shepherd the customer through the claims process, the Snapsheet platform has advanced capabilities that understand the expectations of each step in the claims process and guide the customer through the appropriate actions. An intelligent engine coordinates the communications and documentation needs for each file and advises the adjuster when to take action. If all of the requested information is provided, the engine may choose to automatically move the work to the next stage.
Real-time metrics and operational transparency: It enables the carriers to track, with real-time precision, all of the customer interactions, how the customer engages with the claims process, and how the adjuster is engaging with the customer. Immediate insights are gained and can be operationalized. The result is an enhanced customer claims experience, led by automation and real-time customer engagement to provide a tailored journey through any claim in any language in any country.
Customized roll-out: Customization is key. Even with a single consistent platform, such as Snapsheet’s, it is important to customize implementation for whatever legacy IT configuration exists. This adds flexibility and ease-of-use to each project. Snapsheet’s recent strategic collaboration with Zurich is an example of taking a new software approach by putting the customer experience first. Various county entities in Zurich use each of the three software setups mentioned above. Snapsheet software can be leveraged across any configuration, activating software modules that smooth or plug efficiency gaps in the current process, or completely replace existing claims systems.
As we kick off 2019 and insurtech continues to expand, the industry will see even greater advancement in the technology space for carriers and claims processes. Automated systems are important to guide the customer through the correct claims journey and ultimately allow carriers more time to innovate.
P&C insurance carriers have witnessed a lot of changes in the past decade, but few have been as surprising as the shift of power currently taking place across the industry.
According to Dennis Chookaszian, the former CEO and chair of CNA, carriers maintain only 40% of profits today, representing a drop of 20 to 25 points from the 1960s. An equal share now goes to the distribution system, as carriers line up to acquire and maintain more customers.
What’s behind this shift in profitability can’t be summed up in a single word, but increasing competition, new market entrants, improving technology, changing customer expectations and continued consumer price sensitivity all play a role.
To remain competitive, carriers will need to gain more control over distribution, a goal that even Chookaszian admits will not be easy to achieve.
Why the Power-Shift Toward Distribution
In the mid-part of the last decade, insurance carriers required two primary competencies to operate: data and capital. Because neither was easy to acquire, competition was less robust, and incumbent carriers found greater profitability, taking in roughly two-thirds of insurance transaction profits.
Today, data is everywhere, and through the use of analytics, simpler than ever to understand and use. Capital is also easier to acquire, as is evidenced by the growing number of insurtech players in the industry. According to Willis Towers Watson, $2.3 billion was invested in new insurance tech companies in 2017.
According to Chookaszian, the core competency for insurers now lies in distribution and control of the customer.
“It’s become so competitive that the carriers basically are always out looking for new accounts,” Chookaszian says.
That means higher commissions are paid to agents as carriers battle it out for market share, resulting in shrinking margins.
“Given the shift in profitability to distribution, the carriers that will be better off will try to regain some control over distribution,” Chookaszian says.
Admittedly, that is not an easy thing to do. The agent enterprise is part and parcel of most insurance operations. Directly selling insurance to consumers will require insurers to set up their own distribution systems, while still supporting their vast networks of independent or captive agent forces.
When Benjamin Franklin started the first successful U.S.-based insurance company in 1752, he was dealing with a localized Philadelphia population, but, by the end of the 18th century, citizens were moving westward, making it necessary for insurers to expand their distribution networks.
The Hartford made the first foray into direct distribution by offering insurance through the mail, but few consumers of the time were willing to give up the personal services of an agent when it came to purchasing something as critical as insurance. Carriers of the time faced a similar dilemma as carriers do today: how to acquire customers in a changing marketplace.
According to the J.D. Power 2018 US. Insurance Shopping Study, insurers are aggressively courting customers with new options and amenities as auto insurance rates remain stagnant and the number of consumers seeking coverage declines.
“We’re entering an era of consumer-centric insurance that will likely be marked by a surge in new digital offerings and serious efforts by insurers to improve the auto insurance shopping experience,” says Tom Super, director of the property and casualty insurance practice at J.D. Power.
This shift is happening across all lines of coverage, even small commercial.
While citizens on the new 17th-century frontier may have been hesitant to buy coverage without the guidance of an agent, many 21st-century buyers have no such qualms. Nearly half of consumers responding to a survey conducted by Clearsurance said that they would purchase an insurance policy online, while 65% believe this will be the primary channel for purchasing coverage within the next five years.
According to research conducted by Accenture, consumers are open to a number of new possibilities when it comes to buying the policies they need:
Power in the form of profits may have shifted to distribution, but consumers are making a power play of their own, demanding greater service and amenities and taking their business to the carrier most capable of meeting preferences and price points. In a world of shifting power, creating an active, online distribution channel puts more of the profit back into the carrier’s bottom line and allows it to attract more customers in three distinct ways.
Cutting Transaction Costs
According to a report from the Geneva Association, the leading international insurance think tank for strategically important insurance and risk management issues, 40% of P&C premiums are absorbed by transaction costs, leading to inflated policy pricing that drives away potential customers. PwC pegs distribution as a heavy culprit, reporting that 30% of the cost of an insurance product is eaten up in distribution.
On the other hand, Bain predicts that insurers could cut the cost of acquisition by as much as 43% through digitalization. Underwriting expenses could drop as much as 53%.
Reducing these costs allows insurers to present a more attractively priced product to consumers, an important consideration given that 50% of customers base their loyalty with an insurer on price.
To understand how costs are reduced through digital distribution, it helps to understand how a leading digital distribution platform works to raise efficiency. According to PwC, up to 80% of the underwriting process can be consumed by administrative tasks that require manual workarounds, such as re-entering information into multiple systems.
Much of this re-inputting of data is due to the siloed nature of insurers’ administration systems. Digital distribution platforms create a layer between the front-end online storefront, where customers enter application data, and the back-end systems used to store information.
As consumers enter their personal details into the online application, all back-end systems are populated automatically, eliminating the need for manual work-arounds. Everyone across the organization has the same view of the customer and access to any information that has been provided.
Digital platforms are also masters of straight-through processing, automating the quote-to-issue lifecycle and reducing the need for manual underwriting. By automatically quoting, binding and issuing routine policies, insurers reduce costs and also provide a more “informed basis for pricing and loss evaluation,” according to PwC.
As costs drop, insurers are also able to more competitively price insurance coverage. Lower prices win more customers allowing insurers to take back some of the profitability of distribution.
Improving Customer Experiences
When it comes to insurer-insured relationships, there is a gap between what consumers want and what insurers provide. Consumers rate the following points as very important aspects of the insurance buying experience:
Clear and easy information on policies
Access to information whenever it is needed
Ability to compare rates and switch plans
A wide range of services
But few consumers agree their insurer is meeting these expectations:
27% see clear and easy information on policies
29% report access to information whenever they need it
21% say there is the ability to compare rates and switch plans
24% see a wide range of services
The customer experience is becoming a key differentiator across the insurance industry. McKinsey reports two to four times higher growth and 30% higher profitability for insurers that provide best-in-class customer service, but here’s the rub. Only the top quartile of carriers fall into this category.
Becoming a customer experience leader requires insurers to understand that the separate functions associated with policy sales and distribution appear as a single journey to consumers. They expect to quote, bind and issue multiple policies through a single application, using as many channels as they feel necessary to get the job done.
While 80% of consumers touch a digital channel at least once during an insurance transaction, 45% of auto insurance shoppers use multiple channels when making a purchase. They expect to be recognized across these channels, picking up in one where they left off in another.
The multiple back-end systems employed by most insurers present a strategic dilemma here, as well as in the area of cost containment. Without transparency between channels, consumers are forced to restart a transaction every time they change their engagement method.
“It amounts to a great deal of frustration for the consumer,” says Tom Hammond, president U.S. operations, BOLT. “You start an application online and then call the customer-facing call center, and they can’t see what you did through the online storefront.”
Hammond explains that digital distribution needs to be omni-channel distribution, seamlessly integrated with a single view of the customer. It’s the only way to meet consumer experience expectations now and into the future.
Thanks to advances in analytics and artificial intelligence, the amount of data that is available to carriers has grown significantly, and consumers expect that information to be leveraged for their benefit. Eighty percent of consumers want personalized offers and pricing from their insurers.
Progressive is one of the 22% of carriers currently making strides to offer personalized, real-time digital services, having recently released HomeQuote Explorer. From an app or computer, consumers can enter information once and receive side-by-side comparisons from multiple homeowners insurance providers. According to the company, they leverage a network of home insurers to make sure customers can find the coverage they need at a comfortable price.
Oliver Lauer, head of architecture/head of IT innovation at Zurich, believes these collaborative networks are an integral part of the digital future of insurance.
“Digital innovation means you have to develop your insurance company to an open and digitally enabled platform that can interface with everybody every time in real time – from customers to brokers, to other insurers, but also to fintechs and insurtechs,” Lauer says.
Using a digitally enabled market network, insurers can fill product gaps and even meet customer needs when they don’t have an appetite for the risk. The premise is simple. By offering coverage from other insurers, they maintain the customer relationship and reap the rewards of loyalty.
As society changes and consumer needs evolve, the ability to personalize bundled coverage to the needs of the individual will become increasingly important. Consumers are now looking for coverage to mitigate risk in previously unheard-of areas, such as cyber security, identity theft and even activities related to legalized marijuana.
When an insurer is unable to provide the coverage a customer needs, it risks forfeiting that relationship, and any other policies bundled with it, to another carrier. But when the carrier takes part in a market network, it can bundle the appropriate coverage from another insurer with its own products, personalizing the coverage to better fit the needs of the customer.
Digital platforms offering market networks also set the stage for insurers to offer ancillary services, such as roadside assistance, that make their insurance products more attractive to consumers. We see this happening with increasing frequency as carriers seek to improve the customer experience and lift their acquisition efforts.
DMC Insurance, a provider of commercial transportation insurance solutions, recently announced a partnership with BlackBerry Radar. The venture would provide transportation companies with real-time data on vehicle location, as well as cargo-related information, such as temperature, humidity, door status and load state. Information like this will help companies better manage risk.
In the personal lines market, insurers are partnering to offer services that enhance the life of their customers. Allstate’s partnership with OpenBay allows consumers to review repair shops and schedule an appointment from an app. Allianz is helping home owners safeguard properties by partnering with Panasonic on sensors that monitor home functions and report issues. Customers can even schedule repairs through the service.
Digital Distribution Benefits All
J.D. Power reveals that digital insurers are winning the intense battle for market share in the insurance industry, starting a shift that could help level the profitability field between distributors and carriers. In a recent insurance shopper survey, overall satisfaction was six points higher for digital insurers over those that sell through independent agents. This lead grows to 12 points when compared with carriers with exclusive agents.
According to research by IDC, digital succeeds on the strength of its data. The ability to collect and analyze the vast stores of data available through these interactions, including such variables as the time of day the consumer shopped for coverage, the channel the consumer used, and stores of information collected from third-parties as part of the automated application process, provides the key to improved customer service.
“By analyzing this data, insurers can understand each customer’s lifestyle, behaviors and preferences in order to engage with them at the right time and place, offer personalized service and offers and more,” says Andy Hirst, vice president of banking solutions, SAP Banking Industry Business Unit.
As insurers create omni-channel engagement, they’re strengthening distribution from every angle, giving consumers the option to quote coverage online when it’s most convenient for them, and then buy it right then and there or to seamlessly call an agent to discuss their options and their risk.
Customer experience is rapidly becoming the foundation of success in the industry, and digital distribution provides the first link in building that base of core customer satisfaction. By providing consumers with multiple channels of engagement and the ability to meet more of their needs at any time, day or night, carriers are taking back the lead on profitability.
As web-first rapidly becomes the norm for today’s businesses, a new bogeyman is lurking: cybersecurity. With IT systems no longer an adjunct but the central pillar of most organizations, cyberattacks have come to represent an existential threat. No less serious is the risk to the vast repositories of customer data that today’s businesses sit on top of, which have grown far faster than security architectures can keep pace with.
According to PwC’s 19th annual CEO survey, 61% of CEOs are concerned about cybersecurity, with everything from phishing to denial- of- service attacks on the rise.
For the insurance industry, cybersecurity represents both an opportunity and a threat: an opportunity in that enterprises are crying out for coverage against the cyber risks they face, a threat because carriers, of course, hold large amounts of customer data and are hence targets for cyber-attacks and hacks themselves.
A theme across this content series, and one we explored specifically in our feature on marketing and customer-centricity, has been the imperative for insurers to better engage with customers’ needs – before customers start taking those needs elsewhere. On the commercial side, cyber risk is therefore an enticing opportunity for insurers, as their clients’ businesses are only going to get more online, not less, and security risks abound (especially with anything IoT-related).
However, cyber events are particularly challenging to insure against due firstly to their manifold knock-on effects, which range from barely quantifiable reputational damage to share-price collapse, and secondly to the lack of historical data. Substantial focus will therefore be required for insurers to fully realize the cyber-coverage opportunity.
“Insurers just don’t have the capability or the skillset to produce things that customers want to buy, particularly with so-called cyber products that mostly don’t cover the specific risks that the clients are concerned about. There’s a total disconnect there between the reality of business for all the Fortune 500 companies in the world and what insurers think they’re going to provide them by way of services and products.” — Steve Tunstall, CEO and co-founder at Inzsure.com
Cybersecurity is a sprawling area, so this part of our series is primarily aimed at cybersecurity as threat, as opposed to cybersecurity as opportunity: What are carriers doing to protect their customers’ data and to mitigate against the threat of data breaches?
We start with a look at carriers’ attitudes to cyber threats like data breach, followed by a look at how – and how confidently – they are addressing these. To finish off, we cast an eye over the longer-term evolution of cybersecurity as carriers pressing forward with digital transformation seek, at the same time, to future-proof their systems.
The following stats and perspectives are drawn from our Global Trend Map; a breakdown of all respondents, and details of our methodology, are included in the full report, which you can download for free at any time.
1) Assessing the Scale of the Cyber Threat
69% of carriers are “very concerned” about information security breaches.
While (re)insurers are open to the same sorts of attack as other large enterprises, the event we choose to focus on here is data breach. There is nothing that strikes so much at the core of the insurance business, which has been a data business since the very beginning; at the same time, (re)insurers – as professional data stewards – ought to be relatively well-placed to defend themselves. The harm that could come from a cyber breach at a carrier is multifaceted: Stolen data could cause customers direct commercial damage, whereas tampered-with data could render carriers’ risk models worthless, affecting both them and their customers further down the line. It is no surprise then to see the overwhelming majority of (re)insurers registering concern with information security breaches (94%).
Cyber-attacks affect other players in the insurance ecosystem, too, and there are plenty of weak points in the “water cycle” of customer and company data; so we also encounter a majority concern among the other ecosystem players that contributed to our survey.
Our broader research suggests that data breaches are particularly high up the agenda in Asia-Pacific. We reached out to David Piesse, chairman of IIS Ambassadors and ambassador Asia Pacific at the International Insurance Society (IIS), based in Hong Kong, to understand more about what is happening in the region:
“Digitization is leapfrogging in Asia, and so are industrial parks with smart devices and machine learning running the processing. Because of global supply-chain issues, this makes the need to mitigate and protect data integrity an urgency even without regulation where best-practice risk management must be implemented.”
Piesse continues: “Asia Pacific is only starting to look at regulations for data breach as opposed to data privacy laws, which have been around for some time. This leads us into the debate of the difference between privacy (encryption) and data integrity, which are two different arms of the cybersecurity triangle that must be embedded in all cyber risk management approaches.
“The time from compromise to discovery in Asia is now on average 580 days, according to statistics. Therefore, we must assume compromise of data across time, as there have been no notification laws and hence no catalyst to mitigate. This is why there is concern in Asia Pacific. The take-up of cyber insurance in Asia is fairly low as compared with the U.S. and U.K. for this reason.”
Our respondents’ data-breach concerns are matched by high confidence that data security is adequate, and this probably has a lot to do with mitigation planning across their organizations.
As we see from our graphic, three-quarters of carriers are confident in their security, and we find a similar level of confidence among respondents from the broader ecosystem. While these figures are encouraging, a quarter of respondents lacking confidence on this important measure is still cause for concern when we consider the number of customers that any one company can have. Even just a few percentage points of the ecosystem still represents rich pickings for online criminals and massive disruption for thousands, and potentially millions, of customers.
“Insurers have been very early adapters of computer technology. Given this maturity, one might think they should be able to control technology security on all layers, but the opposite is usually the case.” — Oliver Lauer, head of architecture/head of IT innovation at Zurich
When we turn to look at concrete mitigation plans, we observe that these are relatively commonplace.
However, 11% of carriers having no plan is concerning, given the absolute amount of business interruption this potentially represents (6% answered “don’t know”). Another factor to bear in mind is the potential fallibility of mitigation plans, so the proportion of carriers that are actually safe from security breaches will certainly be less than the 83% quoted above. We should also remember that data breach is just one type of cyber-attack and consequently just one aspect of (re)insurers’ overall cybersecurity strategy, which needs to be comprehensive.
“Insurers are very late in the game of opening their systems for the digital age, and most of their software systems are 25 years old and older, and are “secure by nature” due to their legacy walled garden architectures. And now they are modernizing their systems at the speed of light, and their security architectures and capabilities can hardly follow.” — Oliver Lauer
We expect carriers – and all businesses for that matter – to continue ramping up their cyber defenses over the coming months and years, especially given recent high-profile incidents like the Wanna Decryptor attack in May 2017, which hit nearly 100 countries around the world.
When assessing the full spectrum of cybersecurity risks, it can be difficult to know where to start and what to prioritize, so we asked financial services influencer Michael Quindazzi, business development leader and management consultant at PwC, for five key questions every insurer should be asking itself, from the board down:
— Who are our adversaries, what are their targets and what would be the impact of an attack?
— What are the most important assets we need to protect?
— How effective are our processes, assignment of responsibilities and systems safeguards?
— Are we integrating threat intelligence and assessments into cyber-defense programs?
— Are we assessing vulnerabilities against emerging threat vectors?
As with building on unstable foundations, the risks from getting one’s approach to security wrong at the outset only get bigger the further down the road you go. We spoke to Oliver Lauer, head of architecture/head of IT innovation at Zurich, who frames the security conundrum in the following terms:
“Insurers are implementing digital cores with full connectivity to everything, omni- and multi-channel and open API architectures, and usually they have no real idea what these new implementations mean for their security systems – they are still handling security like they did in the past with their ‘closed shop’ approaches.
“This will lead – in my eyes – to very dangerous threats in the future. And even if they have recognized these risks and have the money to invest, it’s very difficult to hire the necessary resources. Everybody is looking for security experts at the moment.…”
What is clear is that today’s digital platforms introduce a fundamentally new security dynamic requiring a different way of thinking from security professionals at carriers.
3) Longer-Term Evolution
58% of carriers have updated their security strategies to reflect the rise of new digital platforms.
As we can see from the chart below, the majority of insurers and reinsurers have made adjustments to their security strategy to reflect the rise of digital platforms, and we get a similar figure when we consider our other ecosystem players.
For now, though, this is a small majority (58%), less than the 83% who had mitigation plans for data breaches. As the industry gets savvier about cybersecurity as a whole, we expect this figure to rise sharply.
“With customer data-protection and privacy rules becoming more scrutinized across Europe and the globe, it is not a surprise that the chief information security officer is taking such a prevalent position within enterprises. The role will need to ensure appropriate usage of customer data and overcome digital privacy and security issues.” — Sabine VanderLinden, managing director at Startupbootcamp