The Internet of Things: A cyber risk without a smarthome?

By Erin Ayers on November 7, 2014

At the heart of insurance industry preparations for liability attached to the “Internet of Things” is a debate over the appropriate policies to address physical damage and bodily injury produced by risks perceived to be the domain of cyber coverage.

“Smarthomes,” semi-autonomous or fully driverless cars, medical devices, alarm systems – all of these can fall under the umbrella of the Internet of Things, being connected by sensors to servers and software. Technology may be moving faster than the insurance industry can keep up with, in terms of the risks presented and the physical damages and bodily injuries that could result.

The question becomes, should such risks be the domain of traditional insurance policies that have historically covered issues such as product liability or equipment breakdown, or should they be left to cyber insurance policies, which address the actions of hackers or data-related losses?

The topic came up during a panel discussion at Advisen’s recent Cyber Risk Insights Conference, where moderator Alan Brill suggested that in the past, some might have wondered, “Why is Advisen running a panel on science fiction?” The concern is real-life, however, and of pressing concern for the industry on the topic of security, privacy, compliance, and risk management.

“It’s technology. It’s insurance. It’s legal issues not just here, but globally,” said Alan Brill, senior managing director at Kroll. “We live in a connected world. Are the folks that are making the technology thinking in terms of privacy, data collection, and security?”

Dr. Rey Leclerc Sveinsson, cyber risk, security and privacy leader at Swiss Re, noted that all IoT devices “carry an incredible security risk.” He cited a Hewlett-Packard Security survey that found 80 percent of smart devices had no encryption – and 90 percent of them collected personally identifiable information or personal health information.

“The security of these devices needs to be taken into account,” Leclerc Sveinsson said.

Graeme Newman, marketing director of CFC Underwriting, predicted that the insurance industry would feel the effect of IoT risks over the next 18 months – and may not be prepared.

“They sit there blissfully ignorant and they write policies without any exclusions,” he told the audience. “That creates a whole world of liability that those shops aren’t even aware of.”

The industry needs to look at the practical insurance implications of the situation, outside of all the “Chicken Little-type” stories of hacking into ATMs, critical infrastructure, stoplights or pacemakers, Newman stated. There could be some reservation in increasing security on smart devices on the part of manufacturers and users.

“The Internet of Things is supposed to make our lives easier, not harder. And security makes things harder, not easier,” he said.

Rick Welsh, head of cyber insurance for Aegis, commented that IoT risks highlight the prevalence and need for cyber insurance, which has previously been in its own “silo.”

“All of sudden, it’s much more contiguous to other types of insurance,” he said, citing business interruption and property damage. Welsh added, “It’s actually not so ethereal.”

“The Internet of Things is so pervasive that every part of the insurance package has to be considered in light of the new set of risks,” noted Brill.

According to Newman, insurers have been slow in responding to this new risk. He highlighted the industry response to data breach claims in the retail sector.

“We need a shift, but it’s a long, long way off from an underwriting point of view,” he said.

Welsh pointed that insurers have succeeded in introducing cyber exclusions on general liability policies, resulting in “pushback” from insureds who thought they had the coverage.

Welsh and Newman differed in their views on whether traditional insurance policies should pick up losses due to damages arising from cyber risks. As Newman put it, there are “thousands of things that could make oil rig blow up and a hacker getting in is just one of them,” although he described the chance of a cyber event giving rise to a bodily injury as “infinitesimally small.” Physical property insurers are best equipped to handle property damage claims related to cyber risks, according to Newman, while cyber insurers are “damned good” at data breach and privacy claims.

“This is why the insurance industry gets such a bad name, because they see us as wriggling out of claims,” he commented. “Why not accept that along with all the other perils?”

Welsh pointed out that from an underwriting and modeling standpoint, security of the devices is the key, as is properly identifying the real risk. Cyber insurance can better address operational technology – hardware and software that monitors and controls physical processes or devices.

“Part of the problem is we’re not using the right terminology,” he said.

And attacks on critical infrastructure will cause physical damage claims, Welsh added. The industry must find a way to “blend” the lines, while keeping cyber risks addressed by the appropriate coverage.

“If we’re going to do this properly, cyber insurance has to find a way to talk to some of these other insurance silos,” he said.

Newman predicted that the industry will need a “lot of time and a lot of claims” to fuel its own change.

“The reality of the insurance industry is that nothing really happens until you get claims,” he said.

erin.ayers@zywave.com'

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].