Tech-Tock is a new column where we address the connection between the cyber world and life insurance and its distribution channels. Several thought leaders will discuss the latest technology trends and why you should care about mobile/marketing, web/new business, document management/compliance, security/risk and more; basically, technology, its business effect and its trends. At the end of the day, we want to intrigue you and give you a sense of urgency to integrate with change.
I think the way to start is to identify our players and their technology. Our players are the Millennial and Baby Boomer generations. The Boomers represent the institutions and the Millennials are the new middle management of these same institutions. Because Millennials grew up in the digital explosion, the way they learned to access information is so different that it affects the way they approach problem solving. At age 30, Boomers would have to call a travel agent to book a flight…today Millennials can hold a portal in their hand and in less than 60 seconds do the same. At age 30, Boomers would have to drag their finger in circles listening to clicks to order a pizza…today Millennials hold up a portal and say, “Order pizza.” Millennials have different experiences with transactions today, and the process of selling and processing life insurance will evolve and integrate with their portal; the point being, it will be a marketplace app.
Technology thinking has already changed: Millennials are all about outsourcing. In my 40 years of involvement with technology I’ve seen the pendulum swing between on-premise and outsourced computing roughly every 10 years. The new generation has adopted outsourcing and it will never change again. With the advent of Cloud computing, and soon the new Quantum computing, third-party platforms will host all the applications, and internally all the institutions will host are their portal interfaces (mobile, tablet, desktop and IoT devices).
At the Nexus Insurance Show I attended recently (Chicago, November 2018), the startup companies presenting powerful new applications understood the demand for hosted applications because the Millennials are the buyers. Artificial Intelligence led the day, with every one of the 40 exhibitors talking about their unique application and the benefits of AI. One showed how eight pictures of a damaged car could produce a repair estimate in less than a minute. One showed smart home AI whereby water leaks could be detected and the water shut off, saving millions in claims. One showed a Machine Learning process-flow application that could display the real-time movement of the company’s workflow and measure its efficiencies. Many of these companies will be acquired and continue to expand the tool bag of the larger established vendors, which will be the winners. Winners because, with so many startups each building out a solution to a specific problem, integration has always been the challenge. In the past the institutions supported standards organizations for supply chain integration, but this remains labor intensive with ongoing expenses. Only as the larger vendors acquire technology and accept the responsibility of tight integration will they emerge. The last thing to do is ask a Millennial to key information in over and over again.
Boomers—no matter the size or number of people in your institution, the message is to keep your technology fresh, exciting and outsourced. It’s time to turn off that server in the closet and to start finding outsourced tools to help train, sell, process, deliver and store your business, all from a portal. Millennials, you need to be patient. I have not seen much change in technology in the life insurance industry over the last 20 years. Example: independent life production comes in on paper 80 percent of the time, even today. The good news is you’re now in charge and I see the change coming very fast. Congratulations!
Cyber Security… Join The Party
In the spirit of Tech-Tock, I’m going to discuss cyber security from a compliance perspective. This is still about technology, and it does carry a sense of urgency for financial services professionals. The trend I’ve witnessed for the last few years is compliance being pushed downward into the supply chain. Cyber security companies like SimplicIT, which provides managed IT solutions in Idaho, believe they have a good handle on defensive layering and real-time protection, and that today’s problem lies in the supply chain, where pushing compliance downward continues to close vulnerabilities. They develop software that does its best to protect your data from external breaches; companies similar to Fleetsmith, for example, do the same on the application security side.
Technology-wise the movement here is “Trust No One” when it comes to securing data and data access. The day is coming soon when two-factor log-ons will be required for everyday users. Two-factor access starts with your typical login and a strong password, you know, the one you never change. The system then sends you a code (i.e., by text message, email, phone call, fob code, etc.) which you enter into your log-on process, and you’re in. As you move deeper into IT Land you find a group of professionals who keep that cyber world running and hold all the keys to the kingdom. Not trusting even them is taking shape as third-party key vaulting: the company holds one key and the D3P holds another, and decrypting the data requires both parties to participate. Layers.
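The dual-key arrangement just described, as an added example that is not from the column or from any vendor it names: the data key is split into two XOR shares, one held by the company and one by the D3P, and AES-GCM decryption succeeds only once both shares are recombined. It uses only the Go standard library; the function names and the all-zero stand-in for a missing share are my own assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// SplitKey splits an AES-256 key into two XOR shares (company, vault); either share alone is random noise.
func SplitKey(key []byte) (companyShare, vaultShare []byte, err error) {
	companyShare = make([]byte, len(key))
	if _, err = rand.Read(companyShare); err != nil {
		return nil, nil, err
	}
	vaultShare = make([]byte, len(key))
	subtle.XORBytes(vaultShare, key, companyShare) // vault share = key XOR company share
	return companyShare, vaultShare, nil
}

// Rebuild XORs both shares back into the key; neither party can decrypt without the other's share.
func Rebuild(companyShare, vaultShare []byte) (cipher.AEAD, error) {
	if len(companyShare) != len(vaultShare) {
		return nil, errors.New("share length mismatch")
	}
	key := make([]byte, len(companyShare))
	subtle.XORBytes(key, companyShare, vaultShare)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-GCM; output is nonce||ciphertext.
func Seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts nonce||ciphertext; a key rebuilt from a wrong or missing share fails the tag check.
func Open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

The point a compliance reviewer should take from it: a wrong or absent share does not produce garbled plaintext, it produces an authentication failure, so a single custodian cannot quietly read the data.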
So these cyber professionals mentioned previously believe the technology in the market today, when properly deployed and maintained, can protect confidential information. They claim today’s vulnerabilities come from businesses that let their partners into their world to varying degrees; those partners pose the threat. Making their case over time in many forums has created more compliance and is pushing it deeper into the supply chain. This has produced the recent rollout of the European Union’s General Data Protection Regulation (GDPR), which added some user rights and big fines. The most popular user right is the ability to have your personal information destroyed after use. When this hits the U.S., hang on! Revenue models will implode: no more data markets. California has just released its new state law, in effect killing the data resale market. Fines that start at €20 million and can go as high as four percent of the company’s EU revenue have everyone’s attention.
Privacy and identity protection are also beginning to hit some current technology we use today: E-Signing, the backbone of the E-App initiative. Case law has taken a turn whereby judges are not accepting login and password as adequate for signer authentication. In two 2016 cases the California courts ruled that login and password were insufficient evidence to prove identity. After a decade of identity theft, who can trust anyone’s documentation? Courts want more evidence to authenticate, such as adding biometrics to the signing event (e.g., voice signatures and video signing).
So, what does that mean to the brokerage and agent community? More compliance. In my experience, the BGA/agent was not a real threat because regulations set a high threshold before you needed to report and respond to a breach event. The trend today is that these thresholds are falling fast: breach-level record counts of 50,000 or more are dropping to 500 or more (NY DOR Regulation 500). So, the world of compliance is descending upon the BGA/agent community.
This means significant change for many BGAs and agents and the way they look at cyber compliance: “peer apathy.” The “because the majority of your peers don’t spend the resources on compliance, why should you” mentality is over. You’ll know it’s over when you get your first request for your annual SOC2 Type2 audit report. I know because I receive many calls these days asking me: “What is a SOC2 audit and should I care?” Service Organization Controls testing level 2 covers internal financial and human resources controls (SOC1) as well as cyber security controls. Type 2 means the audit period is the past 12 months of records demonstrating your compliance with the subject controls. Controls are cyber practices, HR screening, threat training, data protection and safeguards on access to confidential information. I usually respond to the SOC2 phone question with a typical 200-control questionnaire and ask the caller to self-assess.
This is where the story gets interesting. The next call usually starts with, “I don’t do any of this, I don’t have a Chief Security Information Officer.” If you’re the principal of the organization, you’re now the CSO. The next question usually is, “I outsource all my computing needs (i.e., hosted CRM, hosted AMS, hosted document management, etc.), so why do I need to do this?” Simple. The regulations make it clear that you can outsource your technology, but not your responsibility, to third parties. Outsourcing is good because your vendors can provide their SOC2 Type2 audit reports, which satisfy the oversight requirements for all your vendors and answer many of the control questions, leaving about 100 controls to go. Now the SOC2 audit focuses on how your organization interacts with the hosted solutions. Auditors will want to review your cyber security policies and procedures on how you manage background checks, least-privilege access, incident reporting, disaster recovery, social media conduct, hard drive destruction, email encryption and so on. Just because you outsource your technology does not relieve you of conducting a third-party SOC2 Type 2 audit.
The cyber world and government regulators believe today that if everyone in a supply chain of confidential information conformed to cyber compliance, identity theft would be greatly reduced. Well now, what do I do and what’s it going to cost? Let’s start with, if you’re a home-grown solution, a third-party penetration (pen) test (about $15,000-$30,000). Next, find a law firm which provides breach services and internal SOC2 control consulting (about $25,000 to $50,000). This law firm serves two purposes: preparing your control (i.e., budgeting) remediation plan, and being the first phone call to make if you have evidence of or suspect a breach. Remember, a breach is unauthorized access to confidential information (i.e., a lost notebook with no disk encryption, unencrypted email traffic, terminated employees who walk out with their shadow files, not shredding paper files, etc.). When using penetration testing, you are basically sanctioning an authorized breach in order to identify areas of vulnerability in a network. When you’re ready, a SOC2 audit (about $20,000 – $50,000) every year. What makes it more expensive is the fact that, in the life insurance world, you’re subject to HIPAA and PCI audit requirements, which are separate from SOC2 audits. I really think life insurance is the most expensive group when it comes to compliance cost because of the information you manage. Once you have your SOC2 audit complete, now you can get Cyber Insurance. Cyber insurance companies generally want a complete SOC2 audit so they can underwrite your risk. With a good report expect to pay around $10,000-$20,000 annually for $2 million to $3 million in coverage.
Independent agents should review their E&O insurance, expand coverage for the risk they have access to, and engage in personal encryption solutions (i.e., encrypted notebooks/computing, communications archiving, email encryption and password management tools). Agents working from PC-based computing at home should consider virtualizing (e.g., VMware Desktop) their business computing, separating their work life from their family or personal life (around $2,000-$3,000). In case you were not already aware, VMware Workstation is virtual machine software used to run multiple operating systems on a single host computer; each virtual machine runs its own instance of an operating system, such as Microsoft Windows or Linux, simultaneously with the others. If you would like to learn more about VMware Workstation, VMware offers industry-recognized certifications that demonstrate to employers that you can be trusted to work to a high standard.
Well there you have it. The train has left the station and the trends discussed above are coming soon to a BGA/agent near you. Some call it the cost of doing business…I think it’s just seat belts on an airplane. Welcome to the party, Hans.