Insurance leaders say today’s risk environment is creating challenges that are more difficult to predict than ever before. This is leading insurers to rethink how they assess risk and make the right decisions without sacrificing speed and efficiency.
“Risk is risk, and insurers are very good at addressing risk, containing it, minimizing it, especially when they think that the risk is too complex or evolving,” said Scott Seaman, attorney at Hinshaw Law, during a panel discussion at Carrier Management’s annual InsurTech Summit. “But the fast pace in which the environment is moving can be a killer. It takes time to arbitrage and price policies correctly, particularly at an accelerated pace. It becomes easy to be late to the party.”
Nicole Farley, chief insurance officer at Bold Penguin, agreed and added that speed shouldn’t be the only priority for insurers in such a complex risk environment.
“When you’re balancing speed and discipline, I think it’s really important to look at speed as an output of a well-designed system, not a strategy,” she said. “Your goal shouldn’t be going into everything and being like, ‘How am I the fastest? How do I get there the quickest?’ If that’s the way you’re looking at it, you’re eventually going to just be underwriting blind.”
She said the current environment is creating pressure for insurers, which can accelerate the wrong instinct to gather more data versus commit to an effective decision framework first.
“I think that’s a costly mistake. We get data for data’s sake versus having intentional thought of which data we need to bring in and maybe taking that extra pause,” she said. “A lot of mistakes I see are that it’s actually overinformation. You want to rely too heavily on all the data coming through and not actually take a step back and say, ‘What’s the framework that I’m trying to answer with?’ And then allow the data to influence that.”
Chetan Kandhari, chief innovation and digital officer at Nationwide, said that confidence in decision-making is about preparedness, defensibility, traceability and aligning with regulations.
“Make the decision understandable and traceable,” he said. “Be able to make sure that you have curated and trusted data and the best information at the time that you make the decision. It’s important for leaders to make sure that the data is absolutely trusted because today there’s a lot of data exhaust that’s out there. And [insurance] is a highly regulated industry. We have to make sure that it follows our regulations and compliance needs.”
Observe, Orient, Decide, Act
Once the framework, data and compliance needs are in place and insurers are ready to start introducing speed, Judson Dressler, director of Resilience’s Risk Operations Center, recommended a strategy from his military background after serving for 20 years in the U.S. Air Force before joining Resilience. He pointed to an OODA loop framework, with OODA standing for observe, orient, decide, act.
“A decision-making framework is failing when it consistently loses that OODA loop. If it’s slower than the threats, you’re going to always be reacting. You’re going to always be behind,” he said. “If your framework to identify a new threat and implement a change in underwriting pricing and security measures takes longer than the threat’s operational cycle, or if you’re frequently hit with threats or risks that the framework should have predicted or addressed, it’s a sign that your framework is too slow or that the current risk environment is moving past you.”
He added that a framework can be successful initially, but over time, if the human effort required to make it work becomes disproportionate to the results, it’s time to re-evaluate.
“If the process requires constant heroic interventions from your experts just to make it work, just to hold that line, it’s not going to work out,” he said. “This high operational cost either in time, stress or expertise is probably a good signal that your framework has become more of a liability and less of an accelerator.”
Dressler also said that insurers should be analyzing adversary behavior and risk aggregation across their entire portfolio, as well as clients’ security postures, to stay ahead of the risks.
“The earliest warning sign is often not the system failure; it’s an observed shift in adversary behavior. So, insurers should pay attention to the signals that really do indicate the intent and the capabilities of the threat actors,” he said, adding this can look like rising prices for access into specific industry verticals or the availability of a new, specialized extortion toolkit that only works in a certain location.
“These signals really tell us that the adversary sees the sector as a high-value, profitable target, making the attack much more likely regardless of specific clients’ immediate vulnerability,” he said.
From a cyber perspective, concentration risk is also about technological dependencies that could cause aggregation losses across the portfolio, so insurers need to focus on how much of their portfolio is relying on single managed service providers, software libraries or core third-party cloud providers, he said.
“Finally, a strong security posture is not a static state. It’s a continuously monitored and maintained configuration,” he said. “So, failure to enforce fundamental controls like multi-factor authentication to administrative accounts, or unpatched internet-facing assets, these show you that the security culture has shifted. Operational sloppiness will inevitably be exploited even by low-skilled threat actors because anybody, especially with automated AI tools, can find those types of vulnerabilities easily out there and use readily available exploits to get into those type of systems.”
Seaman said he does see many insurers understanding the need to connect all of these dots between departments and functions in order to view risks and opportunities from a holistic perspective.
“Insurers have been shifting away from isolated risk assessment silos to more integrated risk management strategies to quantify how a particular event can cascade across different domains,” he said.
He sees insurers conducting stress testing and scenario analysis as well as advanced casualty catastrophic modeling to quantify liabilities associated with either natural disasters or other disasters that act the same way.
“They’re infrequent, but they’re systemic,” Seaman said. “So, it’s really an evolving dynamics environment that insurers are reacting to, and I think in a lot of cases reacting well to.”
Keeping the Human in the Loop
Kandhari said despite all of the risks discussed on the panel, the biggest risk he sees is inaction. This means insurers need to be using technology to accelerate speed and efficiency while keeping humans in the drivers’ seat.
“We want to make sure the humans are in the driver’s seat, and the humans are leading the decisions using AI as a thought partner,” he said. “It’s about applying those critical thinking skills to make sure that you are serving the actual purpose of the business and then using AI to augment that human decision-making.”
Seaman said that insurers have navigated difficult risk environments in the past, and he feels confident they can do it again now.
“America is approaching our 250th birthday, and insurance has really guided our economy and helped backstop our economy through enormous changes and evolution,” he said. “Insurers have responded to a host of changes and have always managed to get through, and it’s because of the talented people in the insurance industry.”
