Protect your Clients from Halloween Horrors!
Julie was so pleased with her programmable thermostat...until the jilted ex-husband hacked into the device and turned off the heat when she went to her parents for Christmas. It was an unpleasant surprise to come home to frozen pipes!
Kent was so proud of his new key-less entry locks. How convenient it was to just have a code rather than worry about losing his keys. It was also convenient for the burglars who hacked his lock and walked right in the front door and made off with his high end audio equipment.
Keri's son downloaded the newest game craze onto the family's computer. Unfortunately, it was full of malware and the perpetrators were able to gain access to sensitive bank account information and cleaned out the checking account before anyone noticed.
What's lurking in your clients' homes? A programmable thermostat, key-less locks, and too many computers and devices to count...
Have you sold your clients the right protection or just set yourself up for a nasty E&O claim?
Burand & Associates' premier agency training program is here to help. Our Three Dimensional Training™ program incorporates adult learning techniques and client-focused strategies while positioning the agency to reduce E&O exposures. The result is a holistic program for personal and commercial lines that integrates the Three Dimensions of agency success:
- Better protection for your clients' assets
- Increased sales
- Reduced E&O exposures
Contact us today at firstname.lastname@example.org to learn more.
Confessions of a Failed Insurance Father
I learned my son purchased a policy without using a quality independent insurance agent and he purchased a policy from a carrier that I would not recommend. How could I have failed so miserably to instill in him that insurance is not a commodity? How could I have failed to teach that having a professional agent assist and be an advocate is valuable? I understand how I failed to teach the importance of looking beyond a rating company's rating when determining which carrier. At least the carrier is decently rated.
I asked for a copy of his correspondence and this company is slick. Existing agencies and carriers really should copy the approach. For young, naïve people who think all policies are the same, a carrier/agency willing to take advantage will have a field day. This means one of the key elements to winning this business is to adopt the same technology and marketing approaches and then add quality coverages, advice, etc. to the equation. No point exists in insisting that people should study policies or learn on their own that insurance is not a commodity. You have to teach this through your proposals, your marketing, your sales, your advertising, your websites, and all your communications. It is up to you to be proactive, not the consumer.
Whether "you" are the company or "you" are the agency/broker, it is up to you to make a difference. That is your job if you are a professional.
Next step, teach why an agent is important. Is an agent just a worthless 15% extra cost? What exactly do you do for your money? How do prospects know you do this? The tag lines, "We find the best price." "We find the best coverage." "We find the best price and coverage" are all worn out (and dangerous from an E&O perspective). What are you actually going to do that they can't do for themselves or think they can do for themselves? Most people today believe they can search the Internet and find the best price, so if you think your offer to find the best rate is important, think again. It looks like you are trying to get paid for doing something they can do for themselves. These are not the pre-search engine days. At least get your tag line to recognize it is not the year 2000 any longer.
In other words, what is your real, tangible advantage to consumers? Next, how are you even articulating this advantage? If you cannot define and then successfully articulate why you are worth 15%, you may not be worth 15%. It is funny that I work with specific producers that can define and articulate their value while in the same agency, others cannot. Both have all the same tools and same companies. Guess who outsells whom.
P.S. He now has a quality policy from a quality agent.
The Hits Keep Coming - More Transitional Cybersecurity Requirements from New York's Department of Financial Services
by Scott Lyon
It has been more than a year and a half since the New York Department of Financial Services cybersecurity regulations (Cyber Rules) came into effect, and yet another compliance deadline has passed.
Broadly, "Covered Entities" (insurers, individual brokers, agents and adjusters licensed by or registered with the NYDFS) were required to have implemented audit trails so security incidents can be detected and responded to quickly and material financial transactions can be reconstructed in the event that electronic data is modified or erased (for example, if ransomware encrypts all of the files on your server and you are unable to retrieve them). In addition, the Cyber Rules require you to have written and implemented policies for, among other things, the retention and disposal of nonpublic information. Likewise, your business should have implemented encryption or other commensurate controls to protect the confidentiality and integrity of data in transit and at rest.
Indeed, all of the foregoing should have been completed by September 3rd, so that you can file next year's Certification of Compliance with the Superintendent of Financial Services no later than February 15, 2019. In case you are unsure if your efforts this year have complied with the new cybersecurity regulations, here is a more detailed description of your most recent obligations as they are set forth in the Cyber Rules:
Audit Trails (new for September 2018)
Based on its Risk Assessment, each Covered Entity shall securely maintain systems that, to the extent applicable:
(1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and
(2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.
Breaking this down, the first requirement focuses on your ability to recover data whose integrity/validity has been affected, such as in the case of ransomware or data modification attacks. For example, if your billing records are deleted or encrypted by an attacker so that you have no way of knowing which clients have paid and when, you would need to have a backup of those systems so that you could reconstruct that data.
The second requirement is focused on your ability to identify and track potential attacks on your networks, regardless of whether data is modified. This could involve maintaining system or firewall logs, monitoring unsuccessful login attempts, account logins during odd hours or from unusual time zones, or other indicators that may suggest your system has been compromised. Many networks have the capability of generating these records, so you will want to make sure that you have a system in place to monitor and review them as appropriate.
Each Covered Entity's cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity's technology environment. These procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.
If you are developing your own software products (whether internally or through an independent developer), this requirement focuses on your ability to incorporate secure development practices. This involves factoring in security throughout the entire data lifecycle, from the moment it is collected, through processing, storage, and ultimately data destruction (dictated in part by your data retention policy -- you have one of those, right?).
Limitations on Data Retention
Speaking of which, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Data retention has also become a hot topic under the EU's General Data Protection Regulation, which became enforceable on May 25, 2018.
Training and Monitoring
Each Covered Entity shall implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users.
In other words, you should have systems in place that can monitor user activity (for example, data loss prevention (DLP) and intrusion detection/prevention systems (IDS/IPS)), designed to trigger alerts if either an unauthorized user accesses your systems or an authorized user starts accessing Nonpublic Information they should not be. This regulation focuses on the risk of Insider Threats, an issue too often overlooked when organizations focus on security primarily at their network borders.
Encryption of Nonpublic Information
Based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest. To the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity's CISO.
So does this mean you need to encrypt all of your data? Not necessarily. There are many benefits to encryption - for example, exfiltrated data encrypted with a strong encryption standard without an encryption key is essentially a blob of useless data that will take more effort to crack than it is worth. However, the Cyber Rules acknowledge that encryption may not be the most appropriate control in all cases and leave the door open for compensating controls. This does not mean it is optional -- it merely means that another control to protect the data that is commensurate with encryption could potentially be an acceptable alternative control.
Again, your Certification of Compliance is due to the superintendent by February 15, 2019. In the meantime, there may be more work to be done.
As a reminder, beginning March 1, 2018, your CISO became obligated to report at least annually to the key stakeholders in your organization on the strengths, weaknesses, past performance and future objectives of your security program. And unless you qualified for a limited exemption or are engaged in continuous monitoring, you also need to submit to annual penetration testing, in which security professionals actively test whether they can hack you by penetrating your organization's security defenses. Additionally, you must perform bi-annual vulnerability assessments and actively train all organization personnel on security awareness and best practices, similar to the harassment training many organizations already currently perform.
In addition, you are urged to mark your calendars -- the final transitional compliance deadline is March 1, 2019, when Covered Entities like you must have in place a Third Party Service Provider Security Policy that addresses a risk assessment of third parties with access to your systems or data, as well as a statement of the minimum cybersecurity practices you will require from them.
Understandably, New York's cybersecurity regulations are a lot of work, so if your organization needs assistance satisfying any of the requirements above, the cybersecurity and regulatory professionals at Michelman & Robinson are here to help.
Michelman & Robinson, LLP
Michelman & Robinson, LLP (M&R) is a national law firm that represents the country's largest insurance carriers, brokers, agents and reinsurance companies. The firm's insurance lawyers are amongst the most skilled and sought after in the industry, handling everything from claims disputes and coverage litigation to complex regulatory and administrative matters. Indeed, M&R offers one of the most reputable and preeminent insurance law practices in the U.S. For more information, please visit www.mrllp.com.
I recently ran across a situation that maybe borders on ethical issues and definitely makes policy checking a living nightmare. Here is the situation:
A carrier issued a personal lines policy. One of the endorsements, an important endorsement, was the shotgun marriage of two different forms. They took page 1 of one form and page 2 of a different form and called it good. Different form numbers, different dates, and so forth. Think about all the issues this creates. I do not know how the carrier can track this. But how can a person catch these situations when policy checking? The differences were not minor.
Furthermore, the carrier claimed ISO copyright but they changed the wording. In other words, this was not a standard form. It was a proprietary form hiding behind a fake copyright. (For a great article regarding how to catch fake copyrights of ISO policies when policy checking, go here: https://www.irmi.com/articles/expert-commentary/nonstandard-policies-similar-to-standard.)
I have several suggestions for agencies that come across these situations:
- You are facing a situation of carrier incompetence or carrier malfeasance. I suppose it is somewhat better to think of the carrier as being staffed by good but incompetent people versus evil people, but either way, the agency is going to spend more time, more money checking policies and still will have an increased E&O exposure and possibly an unhappy client at claim time. Is the solution to just do business with higher caliber carriers?
- Depending on the situation, report the problem to the insurance department. I understand the need to avoid sticking your neck out. Maybe get a high quality carrier to submit it for you or maybe you can do it anonymously or maybe you can get your state association to assist. But these incompetent companies are taking advantage of the good agents and good carriers.
- If the issue is an ISO copyright, call ISO. I doubt they appreciate companies claiming an ISO copyright when they are not actually using ISO copyrighted forms.
- This is an opportunity. One of the great advantages a high quality independent agent provides is actually policy checking. An insured going direct or buying insurance from an agent that no longer policy checks is getting a raw deal. This is one of the most important services an agency can provide.
- This is also an opportunity to advertise that you know your coverages and your companies are not doing sloppy cutting and pasting of documents.
Why can't stock analysts pick winners 100% of the time?
(And even if they could, why is the value of always being right 50% of what it was?)
In a stock picking study reported in The Economist (12-23-17), two researchers basically asked whether it made sense to study publicly traded companies' data intensely enough to exactly predict the next few quarters' results in order to buy and sell those companies' stocks based on how the quarters' result would impact the stock price or if this was a fool's errand. They took a fascinating approach. They looked backwards with the assumption they had perfectly predicted the earnings and therefore, bought and sold those stocks before the stock price changed. The researchers figured out a formula that worked extremely well, with hindsight. Using older data, and assuming the quarters' earnings could have actually been predicted, their formula outperformed the market by 4%+ each quarter! This is a phenomenal, if hypothetical, result. The margin of error actually performing this well upfront rather than in hindsight is a different story, but still fascinating.
Even more fascinating was that their results were cut in half using the last few decades' data, even working in hindsight with the same formula. They discovered the historical 4% was only worth 2% today and the margin of error was too little to use. So what changed over the last thirty years? To go from a 4% per quarter premium to a 2% per quarter premium is huge.
The answer: It may be an accounting issue! It may actually be an accounting issue that is clear as day to insurance distributors because it is an accounting issue agencies have been involved with for decades. The crux of the issue is this:
How much does it cost to write a $1,000 commission account?
The answer is, of course, it depends. It depends on whether you buy that account or if you sell the account. The reason is that while $1,000 revenue is $1,000 revenue, accounting rules dictate diametrically different treatment of the costs associated with acquiring that account. Therefore, earnings and profits are hugely affected depending on whether the account is purchased or developed.
Here is an example of a developed (sold) account:
- 35% producer compensation = $350
- 18% CSR compensation (average salary equivalent) = $180
- 7% Benefits (average cost of benefits relative to commission) = $70
- 4% Sales cost such as auto, travel, entertainment = $40
- 20% overhead = $200
- Total cost = $840
- Cash increases $160 pretax
Here is an example of a purchased account, using a purchase price of 1.5 times:
- $33 expense (15 yr amortization x 50%)
- ($1,500) cash (or an addition of liability or some combination)
You might notice that I added $750 goodwill and only amortized 50% of the purchase price. This is because most of the serial buyers do not amortize the full purchase price. Instead, they allocate a large portion to a form of non-amortizable goodwill. The benefit they gain is their profit margin is higher if they do not amortize the full purchase price. The goodwill may look good on the balance sheet too and depending on whom one believes (relative to specific accounting, regulatory experts and the specific firm), the accuracy of self-completed impairment audits on that goodwill, firms may be getting a free pass on this point.
The study tested whether reported profits matter as much today, not just in insurance distribution but in many industries with large intangible assets. Intangible assets today as a whole are far larger than 30 years ago. They looked at, in particular, whether accounting methodology biases acquisitions versus actual sales/organic growth results.
Their discovery was that accounting absolutely creates a bias. Accounting methodology favors acquisitions and therefore, earnings correlate less today to stock price than they used to, which explains why the premium went from 4% to 2%. Simply put, today earnings do not equal profit. You read this correctly, earnings do not equal profit.
Therefore, if earnings do not equal profit, are earnings correlated to share movement? Not like they used to be. If one exactly predicts future earnings, one does not make half as much as they historically would have made by predicting the future share price. Moreover, it is a continuum with the extra value declining proportionately to the amount spent on intangibles.
The article then went on to miss an important point. Why invest in organic growth if accounting methodology favors acquisitions? Also, should accounting methodology create strategy?
The answer is that it depends. If one is trying to create arbitrage opportunities with someone else's money, it makes sense to use acquisitions. This is where a buyer pays, for example, 1.5 times but their stock is valued at 1.8 times so that when they buy the asset, the asset automatically appreciates in value by .3 times.
This importance of how accounting rules dictate different cost assessments for organic vs acquired growth explains much of why public companies account for acquisitions differently than private companies. Private companies are usually less concerned with reporting lower earnings. They are more concerned with cash flow.
An opportunity exists for both strategies. If one wants to grow organically, it probably pays to be privately held (private equity does not equal privately held either). It should be easier to grow organically too because the acquisition minded organizations have to focus on profits and accounting methodology that helps them report higher earnings. That environment makes it difficult to truly focus on the expensive prospect of actually making new sales, at least when using standard accounting.
Different rules for different companies and distributors?
Here is an interesting, maybe distressing, fact: Almost 100% of all health insurance carrier impairments between 2014-2016, inclusive, were the direct result of the ACA. Approximately 20 such carriers have become impaired according to A.M. Best. These insurance companies were created specifically as a result of the ACA so their lives were short. Insurance companies that have such short lives are almost, in my experience, always seriously incompetently managed without an adequate appreciation of capitalization, how growth affects capital, and why actuarial projections, especially for a start-up in a fast changing health insurance environment, will have high margins of error thereby necessitating a larger than normal capital cushion. These points are simply logical. Rocket scientists are not required to figure this out and yet all these companies failed. The question I have is whether they were required to meet the same capital standards as other companies? I am not confident they were. I can look up the data and the data suggests they were not but that is not the same thing as suggesting different rules were applied. It is worth considering though.
I do not share this information to beat up the ACA or to suggest insurance departments are not doing their job or that the rating companies did not do their job (most of the companies were not rated, maybe for a reason). These are not the relevant points. Instead, the question that is important is whether regulatory and rating organizations are creating multiple sets of special rules for a variety of new players. Another example is how a particular distributor of health insurance was discovered and made public to be operating without licenses and not even all the states fined them. Similarly, when one insurance department pressed them regarding rebating, certain politicians overrode the insurance department stating that rebating cannot apply to a technology company. Regardless of who is distributing insurance, whether it be a technology company or a guy with a typewriter and carbon paper, rebating is rebating. A second set of rules was created.
It seems a level playing field is best for consumers, for distributors trying to do what is right, and for existing insurance companies trying to provide the best combinations of price, service, claims and stability. I do not see how special differentiating rules can benefit consumers but I see how these new entities can be enriched under special rules.
Another example is requiring greater clarity relative to the quality of capital. I know the various capital adequacy ratios (CAR) consider quality of capital in their calculations. This fact is extremely valuable to consumers, agents, and quality carriers. But the reality is, most people have never heard of CAR ratios. Most people even in the industry have no idea. While I applaud the few companies that have A++ ratings and even those with A+ ratings, few consumers or agents care if a company has an A++ rating or, unfortunately, an A- rating. However, in my experience, if I explain that a company has surplus notes, agents and consumers understand quickly the quality of surplus is maybe less than par or even less than acceptable. I find most agents are incredulous that surplus notes are even allowed. I am not opining on whether surplus notes are good or bad but transparency makes a difference.
Another capital example is relative to a true reciprocal. I meet agents all the time selling policies backed by reciprocals who do not know what a reciprocal is. They somehow have missed the importance of the powers of attorney they ask clients to sign. When I explain the insureds are creating the surplus, and you can read this in A.M. Best's reports where A.M. Best is clear the surplus backed by policyholders is critical to their calculations, agents have been known to turn ashen. We lose when we use numbers and letters without explaining key elements.
A different example of different rules is the use of nonactuarial pricing. Companies may have surpassed regulators' abilities to monitor whether all pricing is actuarially based. For example, price elasticity definitely seems to be employed. The best example of this, a well-known example, is how companies charge so much more for renewals versus new business rates. There is absolutely no way both the new business and renewal pricing is truly actuarially based, especially when the renewal price is always higher. The only possible actuarial explanation for this is every account this company writes gets worse when that company writes it. If that is the case, the company probably should be shot out of mercy.
As detailed in the book, Everybody Lies, by Seth Stephens-Davidowitz (page 262), a specific firm, Optimal Decisions Group, built a model to learn how much customers are willing to pay for life insurance. The amount people are willing to pay does not have an actuarial basis. From a completely different angle, as reported in "Freakonomics," term life internet pricing transparency caused rates to decline a total of $1 billion per year. Transparency is not actuarially based.
One set of true actuarially based rules should apply or no actuarial requirements should exist. But if the rules exist and good companies try to follow them while others find ways around the rules and are not caught, the industry and consumers are not served well. Agents often know the difference too and those that try to steer clients toward the stronger companies can lose business as a result.
A new example of imposing different sets of rules involves differentiating between human and non-human distributors of insurance. Non-humans are artificial intelligence entities. I have read actual legislation that has been written and likely will pass, based on my sources, that will require human distributors to carry a license and be responsible for their actions. A non-human's responsibilities will not include carrying an insurance license. I understand that licenses are for humans but this does not require absolving other entities from carrying a license. It may be a different kind of license that imposes responsibilities but the abdication of any license is clearly assigning different rules for different players.
Insurance is a highly regulated business because it is so important to society on so many levels. It greatly reduces the cost of financing. It greatly enhances the recovery from catastrophic losses. It greases the wheels of our economy and society. Without regulation, insurance is one of the easiest industries in which to operate huge financial scams and Ponzi schemes. Without regulation, it is so easy to promise coverage years from now, collect the money, and disappear. With the exception of the ACA companies, few regulated insurers have left insureds hanging in the last decade but prior, even a few well-known rated insurance carriers did go insolvent when mismanaged, arguably for personal gain.
One level playing field and one set of rules for everyone makes the most sense for the industry and consumers. I heard a well-connected speaker recently advise that some insurance commissioners wanted to relax the rules for some new entities because they were really technology companies promising to deliver a far better consumer experience. I am all for a better consumer experience but math is awesome because X capital - Y losses always equals the same. Therefore, X capital is always the same regardless of whether it is an old fashioned insurance company or a new tech model. The industry is not sexy and we would do everyone a favor by accepting the reality that math applies to sexy tech companies too.
Consumers who are injured through bad robotic advice are just as injured as when they get bad human advice. The same kind of license should equally apply. The same rebating rules should apply. The same kind of capital requirements should apply or carry warnings. Different rules for different players is a slippery slope to huge industry wide problems.
Chris Burand is president and owner of Burand & Associates, LLC, a management consulting firm that has been specializing in the property/casualty insurance industry since 1992. Burand is recognized as a leading consultant for agency valuations, helping agents increase profits and reduce the cost of sales. His services include: agency valuations/due diligence, producer compensation plans, expert witness services, E&O carrier approved E&O procedure reviews, and agency operation enhancement reviews. He also provides the acclaimed Contingency Contract Analysis® Service and has the largest database and knowledge of contingency contracts in the insurance industry.
Burand has more than 30 years' experience in the insurance industry. He is a featured speaker across the continent at more than 300 conventions and educational programs. He has written for numerous industry publications including Insurance Journal, American Agent & Broker, and National Underwriter. He also publishes Burand's Insurance Agency Adviser for independent insurance agents.
Burand is a member of the Institute of Business Appraisers and NACVA, a department head for the Independent Insurance Agents and Brokers of America's Virtual University, an instructor for Insurance Journal's Academy of Insurance, and a volunteer counselor for the Small Business Administration's SCORE program. Chris Burand is also a Certified Business Appraiser and certified E&O Auditor.
NOTE: The information provided in this newsletter is intended for educational and informational purposes only and it represents only the views of the authors. It is not a recommendation that a particular course of action be followed. Burand & Associates, LLC and Chris Burand assume, and will have, no responsibility for liability or damage which may result from the use of any of this information.
Burand & Associates, LLC is an advocate of agencies which constructively manage and improve their contingency contracts by learning how to negotiate and use their contingency contracts more effectively. We maintain that agents can achieve considerably better results without ever taking actions that are detrimental or disadvantageous to the insureds. We have never and would not ever recommend an agent or agency implement a policy or otherwise advocate increasing its contingency income ahead of the insureds' interests.
A complete understanding of the subjects covered in this newsletter may require broader and additional knowledge beyond the information presented. None of the materials in this newsletter should be construed as offering legal advice, and the specific advice of legal counsel is recommended before acting on any matter discussed in this newsletter. Regulated individuals/entities should also ensure that they comply with all applicable laws, rules, and regulations.
Copyright 1995 - 2018, Chris Burand