Underwriting and claims systems built for modern regulation
Financial Services — Insurance
What the compliance landscape actually demands.
Insurance technology is regulated at the state level in the United States — 50 insurance departments with separate examination schedules, different model law adoption timelines, and increasing willingness to use technology examination authority. The NAIC Model Cybersecurity Law — now adopted by a majority of US states — requires insurers to implement comprehensive information security programs, conduct annual risk assessments, and notify state insurance departments of cybersecurity events within 72 hours. The technical requirements map to specific infrastructure decisions: encryption standards, access control implementations, vulnerability management programs, and incident response capabilities that must be documented and tested annually.
The NYDFS Cybersecurity Regulation — the most stringent insurance technology cybersecurity standard in the US market — has been amended twice since 2017, with the 2023 amendments adding multifactor authentication requirements, enhanced penetration testing obligations, and new governance requirements including annual senior officer certifications. Any insurer doing business in New York must comply, which effectively covers every significant insurer in the US market. NYDFS enforcement is aggressive: penalties in the millions for material control failures, and public enforcement actions that create reputational exposure independent of the penalty amount.
Launching an insurance product nationally means satisfying 50 different state regulators simultaneously — most of whom have adopted cybersecurity examination powers they are increasingly willing to use.
Insurance technology is decades behind: legacy claims processing, manual underwriting workflows, and compliance frameworks that vary by state and country. Engineering teams need to build systems that operate across regulatory jurisdictions without multiplying compliance cost.
First call is a senior engineer — not a sales team. We understand your regulatory environment before we write a line of code.
Where Incumbents Fall Short
Insurance technology is decades behind adjacent financial services verticals, and the gap is most visible in claims processing and underwriting workflows. Legacy claims platforms — Guidewire, Duck Creek, and older custom systems — were built for desktop-first workflows, not API-driven integration or real-time data exchange. State-specific regulatory variations in coverage requirements, form filings, and premium calculation rules create compliance complexity that most insurtechs dramatically underestimate when building nationally. The MDL-668 Insurance Data Security Model Law is the compliance requirement that most insurance technology vendors don't know exists — it imposes information security program requirements, annual risk assessment obligations, and breach notification timelines that create engineering requirements shaping how systems are built, monitored, and maintained. The Lloyd's Market Association's cyber underwriting requirements add another layer: insurers who rely on London market reinsurance capacity must demonstrate cybersecurity controls aligned with NIST CSF 2.0 and ISO 27001 to maintain their underwriting relationships. CCPA and GDPR apply to policyholder data for California residents and EU policyholders respectively — with consent management, data deletion, and cross-border transfer requirements that most insurance policy administration systems were not designed to accommodate.
How We Approach Insurance
The Algorithm approaches insurance technology with state regulatory fragmentation as a design input, not a post-launch concern. Policy administration systems are built with jurisdiction-aware business logic — coverage rules, premium calculations, and form filing requirements that vary by state are parameterized and configurable rather than hardcoded, enabling the same system to satisfy 50 different regulatory environments. NYDFS cybersecurity compliance is treated as the floor: if the system satisfies 23 NYCRR 500, it satisfies the analogous requirements in every other state that has adopted a model law based on the NYDFS regulation. MDL-668 documentation — information security program policies, risk assessment methodology, vendor management records, and incident response procedures — is produced as part of the engagement, with evidence packages organized for the state examination format. Claims processing modernization is designed for real-time adjudication and API-driven provider interaction, with audit trails that satisfy both HIPAA requirements for health insurance products and state insurance examination expectations. The compliance team has the QSA and state examiner packages ready before the first examination is scheduled.
What Success Looks Like
A successful engagement delivers claims processing, underwriting, or policyholder management technology that satisfies MDL-668 cybersecurity requirements in every state where the carrier operates, handles multi-state regulatory filings accurately without manual jurisdiction-specific workarounds, and integrates with the carrier's existing systems without creating coverage gaps in the audit trail. NYDFS compliance documentation satisfies the 2023 amendment requirements including MFA evidence, penetration test results, and senior officer certification support. The compliance function has evidence packages ready for state examiners without a manual collection exercise. The technology team is not maintaining a patchwork of jurisdiction-specific compliance workarounds. Underwriting automation produces decision documentation sufficient for state examination and CCPA data subject request response.
Duration: 8 - 16 weeks
Output: Production system + audit documentation
An insurer modernizing claims processing typically engages at Tier I or II depending on multi-jurisdiction complexity.
What We Deploy in Insurance
Financial Services — Insurance Compliance Assessment
A structured checklist for evaluating your AI and software vendor's readiness across the key regulatory frameworks in Financial Services. Free — no email required.