It’s Not Just Twitter’s Problem: What Insurers Need to Know about DDoS and the Snake in the IoT Garden of Eden

On Friday, October 21, a massive Distributed Denial of Service (DDoS) attack made over 1,000 websites unreachable, including Twitter, Netflix and PayPal. Two cloud providers, Amazon Web Services and Heroku, reportedly also experienced periods of unavailability.

The attack was directed against a key part of the internet’s infrastructure, a domain name system provider, Dynamic Network Services, aka Dyn. When a person enters a web address into a browser, the browser in turn needs an IP address (a string of numbers and periods) to actually connect with that web address. Domain name system providers are a critical source of IP addresses.

On Friday Dyn was the target of perhaps the largest ever DDoS, when its site was overcome by tens of millions of requests for IP addresses. Because Dyn could not provide the correct IP addresses for Twitter and the other affected sites, those sites became unreachable for much of the day.

It also appears that the DDoS was mounted using a widely available malware program called Mirai. Mirai searches the web for IoT connected devices (such as digital video recorders and IP cameras) whose admin systems can be captured using simple default user names and passwords, such as ADMIN and 12345. Mirai can then mobilize those devices into a botnet which executes a directed DDoS attack.

There are a number of potentially serious implications for insurers:

  • An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholder and the insurer providing the discounts to a variety of potential losses.
  • If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses.
  • As insurers continue to migrate their front-end and back-office systems to the cloud, the availability of those systems to customers, producers, and internal staff may drop below acceptable levels for certain periods of time.

The Internet of Things will change insurance and society in many positive ways. But the means used to mount the October 21 attack highlight vulnerabilities that insurers must recognize as they build their IoT plans and initiatives.

The Evolving Role of Architects

In the last couple of weeks I’ve had the great opportunity to spend time with IT architects of various sorts both inside and outside of the insurance industry. The discussions have been illuminating and offer different visions and futures both for technology that supports insurers and for the future of the architecture function in insurers.

One of the main events that allowed for this conversation was a round table held in London with architects from insurers. The main topics were the relevance of microservices style architectures to insurance, the role of the architects in AI and InsurTech and the future role of architects at insurers. Another event that offered an interesting contrast was the inaugural London Software Architecture Conference which I'll call SACon below (Twitter feed).


I won't fully define microservices here, but briefly it’s an approach to delivering software where each service is built as its own application which can be scaled independently from other services.

Microservices as a way of delivering software was the default approach at the SACon. There were sessions where architects shared stories about why sometimes you had to work with a monolith, or even made the case for not having the services in discrete applications. Meanwhile, at the round table the monolith was still the default, with the case being made for microservices in some parts of the architecture.

There are use cases where microservices make a great deal of sense, particularly in already distributed systems where a great deal of data is being streamed between applications. Here the infrastructure of microservices and the libraries supporting the Reactive Manifesto, such as Hystrix and Rx* (e.g. RxJava), come into play, and indeed one insurer related their use of microservices to support IoT. Others discussed using this style of approach and the tooling surrounding these architectures to launch new products and increase change throughput, but in all cases these were far from replacing the core architecture.

For now microservices is not the default for insurer software but is certainly a tool in the box. An observation or two from SACon for those looking to adopt: first, it doesn’t solve the question of how big a service or a component is, something architects need to discuss and refine; and second, microservices needs a great deal of automation to make it work, a topic covered in our DevOps report to be published shortly.

Architects and AI

I have a background with training and experience both in computer science, AI and machine learning. One thing that I noticed going to the analytics conferences where AI is discussed is the absence of IT representation – plenty of actuaries, MI/BI folks, marketing folks – was this a place for architects?

Most insurers present at the round table had activity within the organisation for AI. For the most part only data architects are involved in this discussion – AI being distinct from business and applications architecture for now. It’s my opinion that AI components will form part of the wider applications architecture in the future, with AI components being as commonplace as programmed ones.

Architects and InsurTech

Here is an area where architects can more immediately contribute in a meaningful way both in reviewing opportunities and unique capabilities from InsurTech firms and in discussing integration where acquisition rather than investment is the goal.

The challenge here of course is the age-old challenge for architects – to have a seat in the discussion the architect function needs to demonstrate the value it can bring and its internal expertise.

Finally, one amusing discussion I had was with a few architects from startups. As I discussed legacy systems they also related seeing legacy systems in their organisations – albeit the legacy systems were 2 or 4 years old rather than 20 or 40 years old. The intriguing thing here was the reasons for them becoming legacy were the same as insurers – availability of skills, supportability and responsiveness to changing demands. It may hearten architects at insurers that start ups aren’t immune to legacy issues!



In search of a new ‘dominant design’ for the industry. What does insurtech have to offer?

There is little in the world of insurtech happening today that insurers couldn’t arguably choose to do for themselves if they were motivated to do it. They have the capital to invest. They have resources and could hire to fill gaps in any new capabilities required. They importantly understand the market and know how to move with the trends. And yet, despite having all of these things, they readily engage with the start-up community to do the things that arguably they could do for themselves.  So, why is that?   

In Making the Most of the Innovation Ecosystem, Mike Fitzgerald observes the main cultural differences between insurers and the start-ups they court. These cultural differences give us a strong clue as to why insurers engage with start-ups, even though on paper they do not and should not need them.

Alongside these deep cultural differences, I believe that there is another angle worth exploring to help answer the question, and that’s the market’s maturity stage and, with it, the strategies required to succeed.

One model that helps explain this relates to the work of Abernathy and Utterback on dynamic innovation and the concept of the ‘dominant design’. To be relevant to this discussion, you first need to believe that we’re on the cusp of a shift from an old world view of the industry based upon a well-understood and stable design towards one where substantial parts of the insurance proposition and value network are up for grabs. You also need to believe that, for a period at least, these two (or more) worlds will co-exist.

So, here’s a quick overview of the model (in case you’re not familiar with it)…

Settling on a “Dominant Design”

First introduced way back in the mid-1970s and based upon empirical research (famously using conformance towards the QWERTY keyboard as an example), Abernathy and Utterback observed that when a market (or specifically a technology within a market) is new, there first exists a period of fluidity where creativity and product innovation flourish. During this period, huge variation in approaches and product designs can co-exist as different players in the market experiment with what works and what does not.

In this early fluid stage, a market is typically small, and dominated by enthusiasts and early adopters. Over time, a dominant design begins to emerge as concepts become better understood and demand for a certain style of product proves to be more successful than others. Here, within an insurance context, you'd expect to see high levels of change and a preference for self-build IT systems in order to control and lower the cost of experimentation.

Once the dominant design has been established, competition increases and market activity switches from product innovation to process innovation – as each firm scrambles to find higher quality and more efficient ways to scale in order to capture a greater market share. This is the transitionary stage. 

Finally, at the specific stage, competitive rivalry intensifies spurred on by new entrants emulating the dominant design, incremental innovation takes hold and a successful growth (or survival) strategy switches to one that either follows a niche or low-cost commodity path. Within an insurance context, outsourcing and standardisation on enterprise systems are likely to dominate discussions.

Applying the ‘dominant design’ concept to the world of insurance and insurtech

Building upon the co-existence assumption made earlier, within the world of insurtech today, there are broadly (and crudely) two types of firm: (1) those focused on a complete proposition rethink (such as Trov, Slice and Lemonade); and (2) those focused on B2B enablement (such as Everledger, Quantemplate and RightIndem). The former reside in the ‘Fluid’ stage (where the new ‘dominant design’ for the industry has not yet been set and still may fail) and the latter in the ‘Transitionary’ stage (where the dominant design is known, but there are just better ways to do it).

Figure: Innovation, Insurance and the 'Dominant Design'

(Source: Celent – Adapted from Abernathy and Utterback (1975))

Outside of insurtech, within the 'Specific' stage, there is the traditional world of insurance (where nearly all of the world’s insurance premiums still sit by the way) that is dominated by incumbent insurers, incumbent distribution firms, incumbent technology vendors, and incumbent service providers.

So what? 

What I like about this model is that it starts to make better sense of what I believe we’re seeing in the world around us. It also helps us to better classify different initiatives and partnership opportunities, and encourages us to identify specific tactics for each stage – the key lesson being "not to apply a ‘one-size-fits-all’ strategy to the firm".

Finally, and more importantly, it moves the debate on from being one about engaging insurtech start-ups purely to catalyze cultural change (i.e. to effect the things that the incumbent firms cannot easily do for themselves) towards one begging more strategic and structural questions to be asked, such as will a new ‘dominant design’ for the industry really emerge?, what will be its time-frame to scale?, and what specific actions are required to respond (i.e. to lead or to observe and then fast-follow).

Going back to my original question “What does insurtech have to offer?”. Insurers can do nearly all of what is taking place within insurtech as it exists today by themselves…but, as stated at the start of this blog, if, and only if, they are motivated to do so.

And there’s the rub. Many incumbents have been operating very successfully for so long in the ‘specific’ stage optimizing their solutions that making the shift required to emulate a ‘fluid’ stage is a major undertaking – why take the risk? However, this is not the only issue that is holding them back. For me, the bigger question remains one of whether there is enough evidence to show the existence of an emerging new ‘dominant design’ for the industry in the ‘fluid’ stage that will scale to a size that threatens the status quo. Consequently, in the meantime, partnering and placing strategic investments with insurtech firms capable of working in a more ‘fluid’ way may offer a smarter, more efficient bet.

In a way, what we’re seeing today happening between insurers and insurtech firms  is the equivalent of checking out the race horses in the paddock prior to a race.  Let the race begin!







Where is the innovation in Individual life and annuity?

I had the pleasure of attending an amazing event last week in Las Vegas. The InsureTech Connect event drew over 1,500 people, from insurers to vendors to investors. Given the unprecedented size of an inaugural event, I was very impressed with how well the event worked. The sessions were good, but for me, the opportunity to have individual meetings with key industry players was even better. Our own Oliver Wyman was the primary sponsor of the event.

As I cover individual and group products, plus health, and have experience in P&C, I personally got a lot out of the event. I did have one major observation which I think speaks of the individual life and annuity industry. While I did not do a scientific study, I would estimate that over 50% of the content was focused on P&C insurance. This is not particularly surprising as they have all the cool technology like drones. My estimate was that the group insurers and health insurers were about 45% of the content, with an emphasis on topics like wellness programs and direct to consumer exchanges.

If you did the math, this only leaves 5% of the content for individual life and annuity products and that may very well have been a stretch. There was one session on eliminating the health data gathering for underwriting, which was well done and well attended, but past that, not so much.

Some insurers are diversifying, into Group or Wealth management, but I would not characterize that as innovation.

So what is holding us back as an industry? There are many things, from risk aversion, to length of the application to the sheer amount of data required for underwriting. I could write pages and pages on the topic, which explains why the next blog post you read from me is likely going to discuss the report I am finishing on this exact topic.

The potential for disruption in the space is huge and the coveted Millennial buyer is looking for just such innovation. Let’s make it happen.

The Rise and Rise of Analytics in Insurance

As noted in our prior research insurance has always been an industry that relies on advanced analytics and has always sought to predict the future (as it pertains to risk) based on the past. (For research on advanced analytics in insurers see here, here and here).

As observed in the last post here, analytics, AI and automation have been a key focus of InsurTech firms, but do not assume that the investment is limited to newbies and start-ups. I have for a few years now been attending and following the Strata+Hadoop conferences and others focused on advanced analytics and the broad range of tools and opportunities coming out of the big data organisations. This last week I attended a conference focused on the insurance industry and was surprised to see the two worlds have finally, genuinely overlapped – just take a look at the sponsors.

As Nicolas Michellod and I have noted in the past, insurers have already been investing in these technologies but only those that have made the effort to speak “insurance”. What the conversations at Insurance Analytics Europe (twitter feed) demonstrated was a new focus on core data science tools and capabilities. This continued the theme from DIA Barcelona (twitter) earlier in the year.

The event followed InsTech London’s meeting (Twitter) looking at data innovation and its opportunities for Lloyd’s, the London market and the TOM initiative. Here the focus was on InsurTech firms that would partner on analytics, would sell data or would enable non-data scientists to benefit from advances in machine learning, predictive analytics and other advanced analytics disciplines.

While this trend of democratising advanced analytics was discussed by analytics heads and CDOs at the analytics conference, the focus was much more on communicating value, surfacing existing capability and tools within the organisation and, to put it bluntly, getting better at managing data.

In short – AI, Analytics, Machine Learning, Automation – these were all hot topics at InsurTech Connect and similar events but for the insurers out there – don’t assume these are purely the domain of InsurTech. Insurers are increasingly investing in these capabilities which in turn is attracting firms with a great deal to offer our industry. For those big data firms that ruled out insurance as a target market a couple of years ago – look again, the appetite is here.

As a techy and AI guy of old I am deeply enthused by this focus and excited to see what new offerings come out of the incumbent insurers and not just InsurTech.

Do have a look at the aware machine report and the blog too. We’re increasing our coverage in this area so if you have a solution focused on this space please reach out to Nicolas, Mike or myself so we can include you and for the insurers look out for a report shortly.


“All that glitters is not gold”: Four concepts, four potential insurtech responses

As a few of us head to InsureTech Connect in Vegas this week to explore what the world has to offer in insurtech, I feel the need to keep my feet firmly on the ground and not to get too caught up in all of the glitz and glamour of both the location and the trendy start-up scene with its sea of beards.

“Bah, humbug!”, I hear you taunt in response.

Although I love the insurtech scene and welcome the fresh ideas, enthusiasm and willingness to be bold it brings (….and it’s way overdue and our industry needs a really good shake-up), I am mindful that history warns us that we should maintain an air of caution at this stage in any tech market’s development.  As the saying goes, “all that glitters is not gold” and there will undoubtedly be winners and losers (perhaps making Vegas all the more appropriate for the location).

Also, until wider market commentary around insurtech switches from the investment going in towards the value coming out of the start-ups (with real numbers on stealing market share, run-away customer demand, and incredible returns), we simply won’t know which way the market will move…if at all.

So, where will I be looking for the signs of a fresh gold seam and what might be an appropriate response for an insurer’s ‘insurtech strategy’?  From my perspective, there are four areas to focus upon:

  • Distribution. Undoubtedly, this is the area under the greatest threat of change through mobile, embedded micro-transactions and a change in demographics. If you’re a traditional agent or direct writer, watch out. If you’re an insurer on the other hand, your biggest challenge is likely to be the “speed of pivot” between current traditional and new channels that emerge. As a primary insurer, market scanning, operational agility and partnerships are likely to be critical elements of your insurtech strategy.
  • Automation, Analytics and AI. For decades, the industry has been running on robust (at least ‘robust’ for some of the time) transactional systems. For the bold, we’re now at a point where a substantial chunk of the operating model could arguably be replaced by not much more than an algorithm surrounded by a much smaller team of people to handle the customer touch-points. “Cloud native”, analytically driven micro-service architectures are the direction of travel. In markets exposed to aggregators, we have already seen some evidence of these characteristics being adopted by new entrants to the market.  As an incumbent, the challenge remains an age-old one of internal operational transformation and overcoming cultural inertia. Here, an insurtech strategy may be one of partnership in order to catalyse a change.
  • New propositions. New risks, new data sources and, with them, new services. Whether cyber-risk, the sharing economy or IoT enabled services, there is a lot of ground to cover here. Out of these, new risks and use of new data sources appear to show the greatest promise in the near-term, and within the normal remit of an everyday insurer’s strategy. The IoT requires a different response. Although very very hot, it is a slower burn than other proposition related areas, primarily due to differing rates of sensor adoption, sensor installation economics, the absence of standards, the “what’s in it for me?” end-user proposition and the number of parties to engage, each with different agenda and requiring co-ordination. That said, it’s inevitable that it will become ever more pervasive across the industry. The bigger question, however, is what will the insurance industry’s role be in shaping it? Any insurer interested in the IoT needs to have an effective partnership strategy with adjacent industries at its core.
  • New risk-bearing models. The word ‘disruption’ is overused in our industry, often without a solid understanding of what it truly means (for example, I’ve lost count of the number of times I’ve seen it used to describe a neat technology ‘widget’ that performs just one step in an end-to-end process).

Simply speaking, in order for an industry to be disrupted, one of two things needs to happen. Either new technology needs to open up a significant jump in productivity (rendering the old ways of doing things obsolete) or there emerges an effective substitution for the need being satisfied (with the consumer switching as a consequence). Anything else could be argued as just normal competition and should be expected.

As highlighted in my first point above, it’s evident that distribution is facing an increasingly turbulent time.  It is also clear that some technologies may enable a leap in productivity once implemented in the extreme (and not just for a single process step). However, for me, the court is still out for the substitution of the main risk-carrying entity itself.

However, one area that threatens this position is P2P (both at the front-end with insureds and the back-end with methods of alternative risk transfer). Even though it appeals to the more geeky and technical side of me, the barriers to adoption at scale just feel a little too high currently – whether market education related or regulatory (as, if executed poorly, a misselling scandal may result).

Furthermore, market efficiency is probably still better served through the current market structure than P2P owing to the ‘law of large numbers’, albeit implemented on better technology and with greater transparency. After all, there is a reason why mutual insurers have been merging or converting to public companies around the world.

That said, I’m willing to be proven wrong and will be looking eagerly for firms / evidence to demonstrate otherwise. In this area, although the brave will venture out regardless, an appropriate insurtech strategy for the more cautious feels like a classic ‘watch, learn, and be ready to pounce’ with a ‘Fast Second’ strategy.

For insurers reflecting on their engagement strategy for insurtech, the common thread across all but one of the areas above is the need for effective partnerships between insurers and start-ups. As Mike Fitzgerald observes in Insurer Start-up Partnerships: How Maximize the Value of Insurtech Investments:

“Both sides face challenges. Industry incumbents face the burden of their legacy systems, their aversion to failure, and a habit of extended decision cycles. Newcomers lack the capital to underwrite risk, do not understand the regulatory environment, and cannot scale easily.”

There is value (and hopefully gold) to be gained from both sides in engagement.

Finally, while interest in insurtech is high, any insurer ought to be maintaining a watch on activity, providing that a strong bias towards value being delivered is taken (as opposed to money going in).

So, in summary, that’s what I’ll be focused on over the next few days – the hunt for value around these four themes.

Life Insurance Automated Underwriting – A 25 Year Journey

Automated underwriting has come a long way in the last 25 years. It may be surprising that there was automated underwriting 25 years ago. At that time, it was called ‘expert’ underwriting. The idea was right, but the timing was wrong. The underwriting engines were black box algorithms; there was no user interface; data was […]

The Muslin is off the Lemon — Lemonade Launches

Today’s announcement by Lemonade provides an example of what actual disruption in insurance looks like. Disruption — the term is overused in the hype around innovation. In Celent’s research on innovation in insurance, we see that what is often tagged as disruptive is actually an improvement, not a displacement, of the existing business model. The […]

Vrooom: New Federal Guidance Should Accelerate Development of Autonomous Cars

September 20 was a good day for the development of autonomous cars. The Feds, as embodied by the Department of Transportation and the National Highway Traffic Safety Administration (NHTSA), have issued guidance and principles for the development of autonomous cars. There are two key takeaways: By issuing guidance, rather than regulation, the Feds are trying […]

Changing the Landscape of Customer Experience with Advanced Analytics

That timeless principle – “Know Your Customer” – has never been more relevant than today. Customer expectations are escalating rapidly. They want transparency in products and pricing; personalization of options and choices; and control throughout their interactions. For an insurance company, the path to success is to offer those products, choices, and interactions that are […]