Insurance is a mature business that developed over the centuries to serve important social needs. Insurance policies can be long-term contracts involving promises lasting several decades, and insurers have long promoted themselves as offering financial strength and stability. States, in turn, have passed laws to regulate market practices and solvency to ensure that insurers’ promises are made fairly, that the products they sell match those promises and that they have adequate financial resources to meet them.

Perhaps because of this, the insurance business is perceived as stodgy, beholden to inefficient legacy distribution systems and practices, overly regulated and resistant to change. And perhaps because of that, there is now a thriving ecosystem of individuals and enterprises—in industry parlance, “Insuretech”—devoted to developing innovative applications of technology to improve, modernize or, in some cases, disrupt insurance.

This ecosystem includes technology startups, venture capital (VC) funds, insurer-backed VC funds, brick and mortar insurers, agents and brokers, accelerators, incubators and, more recently, regulators. Insuretech offers many opportunities and can be sorted into three principal areas of focus:

• Better customer experience. New technologies have radically changed consumer expectations for customer interface. Think Amazon. Consumers want an easy and quick purchase, preferably from a mobile device. They want instant price comparisons and prompt delivery. They don’t want intermediaries. Yet none of these are attributes of traditional distribution channels for insurance. Captive or independent agents and brokers are often small businesses with rudimentary office technology. New technologies and apps offer ways to improve insurance buying and claims to be more in line with raised expectations.

• “Big data.” Insurance is and always has been data-driven. The availability today of massive amounts of information that can be sorted and analyzed through enhanced computing offers insurers the capability to price risks more accurately, target sales at more profitable risks and deploy capital to where it can be put to its best use. Many tech start-ups are focused on data analytics, risk modeling and algorithmic underwriting. Better data also can be used for claims processing and fraud detection.

• Business process improvements. Insuretech offers myriad ways to improve business processes, including back-office activities the customer never sees. The insurance industry is considered very inefficient when judged on the portion of total premiums actually used to pay losses. Much of this inefficiency is due to the fact that the business is highly intermediated, with one or multiple insurance producers in the chain each taking a commission. Those costs might not be avoidable if insurers still want a flow of the business controlled by intermediaries. So lowering costs through technology-driven improvements to back-office administration is very attractive.

Regulations Matter

The focus is on regulation because some see it as an area where the new and the old come into conflict, which can be a drag on the pace of change. Regulations that matter for Insuretech include:

Licensing. Entities that engage in the transaction of an insurance business in a state are required to be licensed as an insurer in that state. Licensing is also required for those who solicit, negotiate or sell insurance on behalf of another, or those who investigate, adjust and settle insurance claims. Because insurance is regulated at the state level, whether a new and different product is insurance, or whether a new and different way of offering a product is selling insurance, is a state-specific test. Further, it is not always obvious that an activity constitutes licensable activities. For example, it’s normal business practice for compensation for a service or product to be tied to the amount of revenues generated. But in an insurance context, regulators will ask if such compensation is a commission for the sale of insurance that only a licensed agent or broker can receive.

• Data security and privacy. This is a rapidly developing area, and the driving force for giving consumers greater rights over their personal data may be outside the insurance industry, as seen by the recent enactment of California’s Consumer Privacy Act or the Illinois Biometric Information Act. However, data security and privacy are particularly relevant for insurers because they capture and use personal history, and medical and behavior information for underwriting and claims far beyond what other businesses do.

Regulators have already begun to implement rules that address what insurers (and other involved third parties) are doing to safeguard that information. In 2016, the New York Department of Financial Services (NYDFS) adopted a cybersecurity regulation, Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Part 500. In 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law, which substantially tracks the New York regulation. These new rules require insurance licensees to maintain an information security program based on a cybersecurity risk assessment subject to board of directors’ oversight, evaluate and address cybersecurity risks posed by third-party service providers, establish a written incident response plan, and investigate and provide notice to state insurance departments regarding cybersecurity events.

Regarding privacy, the relevant rules in the United States largely consist of rules adopted during the 1990s and 2000s to implement the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB). However, adoption of comprehensive data privacy rules like the European Union’s General Data Protection Regulation (GDPR), which empowers consumers as data owners, could have far-reaching consequences on an insurer’s ability to utilize data to transform underwriting.

• Unfair discrimination. Regulators grapple with whether algorithmic underwriting and the use of data analytics result in unfair discrimination in underwriting risks. States have broad prohibitions on discrimination based on various protected classifications (age, race, creed, color, religion, sex, sexual orientation, national origin, ancestry, etc.) but they also prohibit unfair discrimination in rates, terms and conditions. In practice that means rates, terms and conditions that are not justified by sound actuarial principles. Some consumer advocates have voiced objections to predictive analytics and the new risk classifications made possible by today’s enhanced analytics on the basis that they have a disparate impact on minority and low-income communities and that there are inherent biases built into the models and the historical data they use. The industry’s response has been that a disparate impact analysis has no application to insurance underwriting given the legal requirement to base underwriting on actuarial principles. The conversation nonetheless has made regulators alert to a need to understand “blackbox” models to evaluate whether they produce an actuarially supportable relationship to risk or whether any improper biases are present in the data or methodologies.

What Should Innovators Do?

The industry wants to innovate and move fast. It is trying to adopt the so-called Silicon Valley mindset of building an MVP (Minimum Viable Product) and iterating over time to “get it right.” Unlike most start-up environments, where today you can try to “build it” to see if “they will come,” in highly regulated industries like insurance, you can’t just build it. You need to know that what you build is something that can be sold or used legally within the regulatory framework.

More often than not, a new idea, technology or platform is presented, and the law is silent or at least unclear. Industry wants to get it right, but feels hamstrung by a lack of guidance from regulators. So, what can an innovator do?

For new and different insurance propositions, give consideration to connecting with applicable regulators early and often. Regulators have spoken out to encourage this participation, and companies are doing this already. For example, Lemonade—an Insuretech start-up that built a new insurance company to sell renters’ insurance exclusively online—approached regulators directly in certain states to grant a license under existing laws and, in Florida, worked together with regulators to change the underlying statute. See generally Bradley Tusk, The Fixer (2018), ch. 21.

If an approach is made, innovators should be thoughtful about which jurisdiction they are considering. A decision to be in a particular market should first and foremost be driven by business considerations—market demographics, physical hazards, available distribution channels, culture and where the principals are already located. But considering the regulatory environment is appropriate too. Different regulators may have different motivations and different concerns. Some may be more receptive to certain types of innovation over others. Local concerns and needs could further drive the issue.

Last, when presenting a proposition to a regulator, don’t present something that’s only half-way thought through. Use common sense. Be specific about the proposition, what regulation currently is implicated and how you would like it applied. This requires planning and good advice. Remember that regulators do not think about the world in the same way as entrepreneurs. Catchphrases like “disruption” or “transformative” will likely not move the needle unless presented in a balanced way.

John Pruitt is a partner at Eversheds Sutherland (US) and co-chairs its global insurance practice. Ed Stelzer advises Insuretech and other innovators on the intersection of legal and strategic risks with technological disruption.