Reading Bruce Schneier’s new book Liars and Outliers: Enabling the Trust that Society Needs to Thrive (reviewed here) made me think about the management of a life insurance company using a security lens. And underwriting is the part of a life insurance company’s management that lends itself most to a security lens.
What is underwriting?
In selling insurance policies, insurers try to select risks that have a predictable chance of claiming. But in most cases, the prospective policyholder knows more about the risk of claiming than the insurer does. So underwriting is the insurer’s opportunity to level the playing field. Insurers find out as much as they can about a policyholder so that they can assess the terms and conditions of the policy. What risks can the insurer cover (if any)? What price should the policyholder pay? And are there any exclusions from the risks covered?
For life insurers, underwriting has a huge range. For small policies, sometimes there is no underwriting; instead there is a clause in the policy that death because of pre-existing conditions will not be covered. For multi-million dollar policies, an insurer will ask for a medical report, blood tests, maybe an ECG.
So what does all this have to do with security?
Effectively the underwriting is security – forcing the prospective policyholder to comply by the insurer’s rules. The insurer is using a combination of types of pressure to select risks that match the insurer’s expected loss rates. We can consider this as part of Schneier’s different types of security:
Moral pressure does work to some extent in insurance. Customers generally do want to do the right thing in a variety of reasons. But you only have to talk to backpackers in any youth hostel and you will find stories of “stolen goods” being claimed on travel insurance. Moral pressure is not as strong in customers making insurance claims as it is in many other areas of life.
In modern society, there isn’t all that much reputational pressure to do the right thing by insurers. For a variety of reasons, the reputational pressure is more on the insurers than their customers. It takes a fairly egregious form of consumer fraud (for example the person caught working as a removalist while claiming disability benefits because of a back injury) before the insurer is generally seen as morally in the right.
This is the first place that insurers have some real leverage. Most insurance contracts have a rule of utmost good faith. Customers must disclose anything that they expect might be relevant. Many customers are quite nervous about this aspect and will disclose as much as possible. The trick for insurers is to work out the right balance between this kind of pressure, and the formal security system of underwriting.
Underwriting is clearly a security system for insurers. Insurers are using underwriting effectively to check a customer’s disclosure. So for life insurance, asking for a doctor’s report, an ECG, a blood test is very analogous to the X-ray machine at airports – it says to customers that you won’t be able to fake your health to the insurance customer.
Does this lens change the strategy?
So what does it mean to companies to think through security lens? To me it means thinking about all the other ways in which you could bring pressure to bear on customers to do what you want them to do. The way in which you want customers to behave is to tell you everything about their health that they know, or even suspect, so that you can rate the risk as accurately as possible.
Underwriting is worth while because the fact that it exists means that customers are less likely to try on non disclosure of their own, known health issues. But this can, in many cases, be fixed without the formal blood tests.
Customers can be made more likely to disclose by
- making customers feel part of the same group as insurers (the way the old mutual and friendly society companies did),
- by relying on reputational pressure (partly by making the insurance company seem much more of a positive part of society),
- by trying to strengthen the moral pressure on customers to do the right thing (partly by changing the group they feel a part of), as well as
- strengthening security systems such as underwriting.
Ironically, using security thinking about insurance (at least Schneier’s wide-ranging thinking) suggests many much broader ways of improving insurance risk than old-fashioned underwriting.
For the skilled underwriter, all of the processes above will be instinctive. Using a different framework, though, may help companies and underwriters to change their processes more rigorously.