Why technology is about to revolutionize the specialty commercial insurance market

Jonathan Sherling is the Head of Financial Institutions at Corvus Insurance. He has extensive experience working as a senior leader in professional lines, from commercial management liability to financial institution products. At Corvus, he leads the team working to broaden its portfolio of Smart Commercial Insurance products to include Smart FI Insurance. He is based in the New York City office.


It’s impossible to ignore how software has changed our world in the past decade — we now use ride-hailing apps for transportation, turn to streaming services for limitless entertainment, and track our food deliveries through third-party apps. Companies are pioneering new and evolving technologies as well as infrastructure to remain competitive. If they don’t, they fall behind — Blockbuster and cab companies can attest to the struggles of staying afloat once they’re competing against software-focused industry disruptors. The marketplace envisioned by Marc Andreessen when he wrote that “software is eating the world” back in 2011 is becoming evident in every part of our working and personal lives.

There are exceptions, however. Notably reluctant to evolve, most commercial insurers have shrugged off technological disruption, and remain behind the curve of incumbent businesses in other industries who are in some cases already several years into wholesale digital transformations.

The lagging pace in our industry is not for a lack of inspiration from closely-related fields. The past decade has seen the explosive growth of “Fintech”, with enormous investments in the banking and finance sectors. And within insurance there’s been significant tech investment in personal lines: at the time of writing, Lemonade has a greater market cap than The Hanover, Kemper, RLI and other household names. Hippo, Metromile and Root are notable additions to the insurtech push in this market. These success stories in banking, finance, and personal lines insurance have proven overwhelmingly that venture-backed, technology-driven businesses can penetrate highly regulated industries.

So why did commercial insurance get left behind? Let’s explore what has happened in other industries as a lens to see where opportunities lie ahead.

When Insurance and Finance Parted Ways

While the majority of the insurance industry remained stagnant from a technology perspective in the 1990s, we saw a dramatic shift in the functionality of tools employed in the banking sector during that time. Banks capitalized on software to enhance efficiency, while markets progressed to fully electronic trading. With the digitalization of portfolio management, as well as software simulations of trading positions and adverse events, the financial industry was able to redefine how it worked. The birth of “fintech” shortly followed, particularly in consumer-facing markets. We are now starting to see the marriage of fintech and traditional models as recently evidenced by companies like SoFi.

It’s notable that within fintech the businesses that have seen the most success are those that have acknowledged and embraced regulation. While there is some history of those within the fintech industry being blind to regulation — with a mantra of “we are not financial institutions” — those that have instead blurred the lines and coordinated with banks and regulators have been able to work collaboratively to create regulations specific to their offerings. It was long believed, both in finance and insurance, that if something was complicated enough, it was immune from the disruptions of the tech world. We can see that is no longer the case, especially if the tech is making complex processes easier.

Meanwhile, insurers in specialty commercial did little to invest in new technology to aid better risk analysis, risk selection, mitigation, modeling, stress testing and event simulation. Today, many insurers are not capitalizing on technology for underwriting, and some lines in specialty insurance continue to utilize processes that are completely manual. Looking at the success of Lemonade and others, we can assume that software and the use of data science for analytics and decision making will not be long in coming for specialty insurance.

One notable exception to this long-brewing dynamic is worth mentioning. Cyber-focused insurtechs have pioneered the use of public-facing security information about insureds to inform underwriting, risk selection and pricing while also providing security recommendations to aid with risk mitigation. As models like those used by tech-enabled MGAs continue to build sophistication by leveraging an increasing number of data sources, the marginal benefit to the combined ratio via lower loss and expense ratios will become increasingly evident. Traditional insurers will be hard-pressed to ignore these advancements when their businesses are held up to the light against the competition.

Tech, Meet Insurance

Insurtechs have seen success with new underwriting models and techniques driven by predictive modelling and harnessing real-time data. This allows them to view risk in an entirely new way, often more effectively. There’s no reason this approach must remain limited to lines like Cyber Liability.

D&O, for example, has decades of actuarial data and experience. Underwriters are drawn to measuring company solvency, sector exposure, the competitive landscape and so on. The underwriting information available to measure those metrics (in the case of private companies) is sometimes one or two years old, and may not be reflective of the current risk that company carries. Insurtechs are establishing new underwriting models and techniques that can harness real-time data, apply predictive modelling to that data and view the risk in a new paradigm.

Skeptics will assert that using different models to assess risk outside the existing framework is only worthwhile if it outperforms the existing framework it seeks to replace. That is a fair position; but we are well past the point in technological progress where the ability to harness data to better predict underwriting losses over time is in question. If such models haven’t been successfully demonstrated in real-world underwriting for a particular product, the question now is not if, but when, they will. Fintechs and insurtechs may have taken on simpler or more data-rich targets first, but with the concept now proven, there’s a playbook for more ambitious applications.

Even if one remains doubtful that technology will overhaul existing underwriting frameworks, there are a number of ways to harness data science while working within them. For example, insurers can use machine learning to digest material, such as the priorities document and subsequent updates or trends in SEC enforcement, as they are released, and automatically apply that logic to their underwriting model. A product manager now has more time to spend elsewhere: educating, drafting language, reviewing referrals and simulating the impact of hypothetical adjustments to underwriting appetite on the current or historical portfolio.

Although the technology described would surely allow overwhelmed underwriters and product managers to shift their focus beyond data gathering, data entry, and basic analysis to the more technical aspects of their roles — negotiating and executing complex transactions — the benefits extend beyond time efficiency. As the algorithms become more sophisticated, underwriting managers are able to better position their portfolios and aid product development. The utilization of data can help identify products, coverage sectors, attachment strategies and pricing elasticity — all of which can be simulated to establish the optimums in a predictive manner.

D&O, Ready for Tech

Traditional carriers risk being left behind as startups in specialty commercial insurance enhance the use of AI and data-science based tech to overhaul the underwriting process. At Corvus, we’ve seen how specialty insurance and technology work collaboratively and cohesively to provide brokers with actionable information that assists with risk management. We use data to provide our distribution partners and clients feedback on their risk, exposures and transparency into our underwriting assumptions.

In other industries, we’ve witnessed how working with the rise of technology and software has enabled companies to innovate and succeed. We’ve also seen how a resistance to our evolving insurance marketplace has been commonplace (and still is) for many carriers. But if we look back at the evolution of fintech — where many startups are now collaborating with the banks themselves — we can see how the integration of technology and intricate processes is the future.

For more information on what Corvus has to offer in these areas, please visit our website.

COVID EPLI Update Podcast: Vaccine and Return to Work Implications for EPLI Insurers and Policyholders

Now that vaccines are slowly beginning to roll out, and at least some landlords in major metropolitan areas are predicting a more ramped-up return to work in June or July, COVID-related EPLI claims are a rising concern for employers. Elan Kandel of Bailey Cavalieri LLC, Tanner Hackett of Yourcounterpart, Michelle Gordon of Markel, Jaime LaPlante of Bailey Cavalieri LLC, and Tom Sheridan of Mitsui discuss sources of potential EPLI claims, trends with EPLI claims, return to work issues, vaccine-related issues and accommodations, and more in this podcast.


Elan Kandel represents insurance companies with respect to all aspects of claims involving directors and officers liability, employment practices liability, fiduciary liability, professional liability and commercial general liability policies.

Michelle Gordon is Claims Manager of the Management Liability team at Markel Service, Incorporated. Michelle is responsible for overseeing a team of claims examiners located across the US. Her team handles employment practices liability, directors and officers liability, and errors and omissions claims for private and public institutions. Prior to joining Markel Service, Incorporated, Michelle practiced law as an insurance defense attorney in New York, focusing on professional and general liability. She received her bachelor’s degree from Binghamton University and her law degree from Hofstra University School of Law. She is currently President-Elect of the New York City Association of Insurance Women.

Jamie A. LaPlante is experienced in all aspects of management-side employment and labor law at the state and federal levels. She defends employers in a variety of litigation matters under Title VII of the Civil Rights Act, the Americans with Disabilities Act (ADA), the Age Discrimination in Employment Act (ADEA), the Family Medical Leave Act (FMLA), the Fair Labor Standards Act (FLSA), and other state and federal laws and regulations, as well as breach of contract, whistleblower claims, workers’ compensation retaliation, and public policy violations.

Tom Sheridan is the Specialty Lines Claims Manager at Mitsui Sumitomo Insurance Group (“MSIG”) where he supervises the handling of Management Liability (D&O, EPLI and Fiduciary), Cyber, certain complex GL and Excess claims as well as oversight of MGA and TPA-handled claims.  Prior to joining MSIG, Tom was a litigator at the law firm of Riker Danzig in Morristown, New Jersey. 

Tanner Hackett is the co-founder of multiple businesses including Lazada Malaysia, which was purchased by Alibaba, and Button, which is recognized as one of the best places to work by Inc. Magazine, Fortune, Entrepreneur Magazine, and Crain’s.

Checklist for Becoming Cyber Secure

Mark Bassingthwaighte, Esq.

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, the nation’s largest direct writer of lawyers’ malpractice insurance. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.

NOTE: This material is intended as only an example which you may use in developing your own form.  It is not considered legal advice and as always, you will need to do your own research to make your own conclusions with regard to the laws of your jurisdiction.  In no event will ALPS be liable for any direct, indirect, or consequential damages resulting from the use of this material.

Checklist for Becoming Cyber Secure

This checklist is intended to help those who have a desire to become more cyber secure know where to start. It may also be helpful in identifying areas of concern that can and should be discussed with IT support personnel. Most importantly, be aware that cybercrime attack vectors will continue to change and evolve as will the sophistication of the attacks. Becoming cyber secure is an ongoing process, not a once and done effort. That said, here are the basics; and note that when the word “devices” is used, this word is meant to include computers, servers, all mobile devices and any home computers that are being used for work.

____ Cyber criminals often target older devices and software, so keep hardware and software as current as possible because newer devices and applications typically include improved security features. Also note that software which is no longer supported, meaning security updates are no longer issued, cannot ethically be used.

____ Keep your server in a locked room because physical security matters!

____ Install robust Internet security software suites on all devices.

____ Utilize effective intrusion detection systems.

____ Use a spam filter.

____ Disable popups through browser configurations and/or install an ad blocker on all devices.

____ Keep all software on all devices up to date by promptly installing all critical security patches as they are released.

____ Determine where all office data is stored by creating a network diagram and make sure this diagram remains current because it will be useful to digital forensic experts in the event of a security breach.  In addition, this diagram can and should be used to create a security policy that responsibly addresses every situation where any data resides.

____ Identify all laws and regulations which may apply to your data in order to make sure you are in compliance with these laws and regulations. For example, does your firm hold data which is governed by HIPAA, HITECH or Sarbanes Oxley? Do you hold personally identifiable information?

____ Password protect all devices.

____ Use two-factor authentication when and wherever possible. This is particularly important with all banking and financial sites.

____ Develop a password policy that mandates the use of strong passwords (or passphrases) if the device or application will accept them.  Strong passwords are defined as being 16 characters or more in length using a combination of uppercase and lowercase letters, numbers, and special characters.  Note: Every application and device in use should have its own unique password and no password should ever be reused once changed.  The use of a password manager can make this task easier and more secure than, for example, storing passwords in a file labeled “passwords” or writing them down and placing that list in a desk drawer.

____ Prohibit the sharing of user IDs and passwords with anyone, to include others within the firm.

____ Have your IT support person change the default values, for example default passwords, on all wireless routers, server operating systems, etc. because these values are freely available on the Internet.

____ Wireless networks should be set up with proper security to include enabling strong encryption. This means you must disable WEP and WPA encryption and require WPA2 encryption. If the router supports WPA3 encryption, use it. Do not overlook home networks if home computers are being used for work.

____ In order to prevent access to your firm’s confidential data, set up a properly configured wireless guest network.  No guest should ever have direct wireless access to your firm’s network.

____ Back up all data, periodically do a test restore of the backup, and store the backup in accordance with a disaster recovery plan because floods, fires and ransomware attacks happen. Backups must be encrypted if taken off site or stored in the cloud, and if using a cloud vendor, the vendor should not have access to the decryption key.

____ Any mobile device that goes off site and contains any client confidences must be password protected, should have the ability to be remotely wiped if lost or stolen, and should be encrypted. This includes jump drives, external hard drives, laptops, smart phones, and tablets.

____ Limit privileges and access as appropriate. For example, does everyone in the office need access to the firm’s financial or employment records? Can everyone download and install anything they want on any device they have access to? Can everyone make changes to the system configuration? Don’t make it easy for cybercriminals. Place limits on what people can do. Such limits can either be set up electronically via file permissions or physically via a locked door or cabinet.

____ Encrypt any email if it contains confidential information or use a secure client portal.  Check with your IT support for help with proper installation and configuration of your selected solution.

____ Encrypt all data you place in the cloud. Some cloud companies advertise that they encrypt your data but only do so while the data is in transit. You must make certain your data is encrypted “at rest” as well. Better yet, don’t rely on the cloud provider for this at all. Encrypt your data before placing it in the cloud to enable you to have control over the encryption key.

____ Read the terms of service of any third-party vendor that will hold your confidential data.  Remember, the standard of reasonableness applies. At a minimum, you need to know and understand what happens to your data while in the hands of an outside vendor in order to allow you to responsibly address any concerns.

____ Mandate that all work-related Internet sessions be encrypted and prohibit the use of unsecured open public Wi-Fi networks. This does mean that access to the office network must always occur using a VPN, MiFi, smartphone hotspot or some other type of encrypted connection.

____ Prohibit the use of any public computer for any reason. This would include the use of computer stations made available in the business center of a resort or hotel just as one example.

____ Have a policy that prohibits the jailbreaking of any mobile device that will be used for work. Jailbreaking is defined as modifying the operating system from its original state.

____ Never allow a non-employee to have access to your network absent appropriate oversight. In a similar vein, immediately cut off all avenues of access to the network for anyone who has been terminated. Terminated individuals should never have access to any office computer or network plug, even if it’s to simply download personal files, absent a trusted escort.

____ Provide mandatory data security and social engineering awareness training to everyone at the office at least every six months.

____ Develop a cyberbreach incident response plan and provide the necessary training. At its most basic, if anyone suspects a device has been breached, teach them how to immediately disconnect from the Internet and/or the office network and instruct them to contact IT support immediately. They should never try to resolve the problem themselves!

____ Purchase a cyber liability insurance policy.

____ Check your internal and Internet-facing network security at least annually to make sure your network is secure. This can be done by having a vulnerability assessment or penetration test done.

____ Properly dispose of any device or digital media that has or had any business-related data on it. Don’t overlook digital copiers, digital cameras, memory cards, CDs, DVDs, jump drives, backup tapes, etc. All devices and media must be digitally wiped clean and/or physically destroyed. This does mean that devices cannot be given away for personal use, donated, recycled, or sold unless the entire drives have been overwritten.  Note: a restore to factory default settings is not an acceptable alternative to wiping a drive.
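
For IT support personnel: the backup item and the cloud encryption item above both come down to encrypting locally with a key the vendor never sees, then proving the copy restores. The script below is an added example, not part of the ALPS checklist; the function names, file names and sample data are assumptions made for illustration, and it assumes OpenSSL 1.1.1 or later, tar and GNU sha256sum.

```sh
#!/bin/sh
# Added example (not from the checklist): encrypt a backup before it leaves the
# office, keep the key local, and prove that the backup restores.
# Assumes tar, mktemp, sha256sum and OpenSSL 1.1.1+; all paths are hypothetical.

CIPHER_OPTS="-aes-256-cbc -pbkdf2 -iter 200000"  # used unquoted so it splits

# make_key <key file>: random passphrase, owner-readable only, never uploaded.
make_key() (
    umask 077
    openssl rand -base64 48 > "$1"
)

# manifest <dir>: SHA-256 of every file under <dir>, in a stable order.
manifest() (
    cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort
)

# encrypted_backup <source dir> <key file> <output file>
# The plaintext archive only ever exists in a local scratch directory.
encrypted_backup() (
    tmp=$(mktemp -d) || exit 2
    if tar -C "$1" -czf "$tmp/plain.tgz" . &&
       openssl enc $CIPHER_OPTS -salt -pass "file:$2" -in "$tmp/plain.tgz" -out "$3"
    then rc=0; else rc=2; fi
    rm -rf "$tmp"
    exit "$rc"
)

# test_restore <encrypted file> <key file> <saved manifest>
# Exit status: 0 = matches, 1 = content differs, 2 = cannot decrypt or unpack.
# CBC mode is unauthenticated, so the manifest comparison is what catches damage.
test_restore() (
    tmp=$(mktemp -d) || exit 2
    mkdir "$tmp/out"
    if openssl enc -d $CIPHER_OPTS -pass "file:$2" -in "$1" -out "$tmp/plain.tgz" 2>/dev/null &&
       tar -C "$tmp/out" -xzf "$tmp/plain.tgz" 2>/dev/null
    then
        manifest "$tmp/out" > "$tmp/restored.sha256"
        if cmp -s "$tmp/restored.sha256" "$3"; then rc=0; else rc=1; fi
    else
        rc=2
    fi
    rm -rf "$tmp"
    exit "$rc"
)

# Constructed sample run: two small files stand in for client data.
demo() (
    work=$(mktemp -d) || exit 2
    mkdir -p "$work/data/matters"
    echo "engagement letter (sample)" > "$work/data/matters/letter.txt"
    echo "trust ledger (sample)" > "$work/data/ledger.csv"
    make_key "$work/backup.key"
    manifest "$work/data" > "$work/manifest.sha256"
    encrypted_backup "$work/data" "$work/backup.key" "$work/backup.tgz.enc"
    # Only backup.tgz.enc would be copied off site; key and manifest stay local.
    test_restore "$work/backup.tgz.enc" "$work/backup.key" "$work/manifest.sha256"
    rc=$?
    rm -rf "$work"
    echo "test restore exit status: $rc"
    exit "$rc"
)

demo
```

A restore that returns 2 with the correct key file means the backup itself is unusable; a return of 1 means the backup no longer matches the data it is supposed to protect.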