This week, I had the pleasure of participating in a panel discussion at the IEEE’s International Symposium on Technologies for Homeland Security on the topic of the Internet of Things. Asked to speak as a journalist covering the areas of cybersecurity and insurance, I wrote up a bit on my thoughts – and assumed that naturally, a wider audience would love to hear them as well, minus my customary enthusiastic gesticulating. Voila!
For the insurance industry, the Internet of Things highlights the siloes that have been created regarding cyber insurance, as well as the difficulty in underwriting and pricing for cyber events that could potentially cause real physical damage and/or bodily injury. It represents the intersection of potential liability for creating “hackable” devices, privacy violations, real-life damage or injury, damage to critical infrastructure, and even between commercial insurance and personal insurance, given that so many connected devices are personal items such as phones, homes, Fitbits, vehicles, and more.
As one attorney told me a few months ago, technology is moving faster than risk assessment experts have ever done. He noted, “Most cyber policies don’t cover cyber risks that would result in what I would call a ‘hard loss.’ I think the technology is outstripping what people who think about risk are doing.”
Cyber insurance as a subset of the industry has evolved to be a solid solution for paying for the costs of data breach remediation. Propelled by notification laws in 47 states, a number that’s been rising steadily since California passed the first one in 2003, cyber insurance grew to be a product that meets that need, for the clients who opt to pick up that coverage. That’s the case in the U.S., of course, less so in Europe, which has less of a privacy-based culture of enforcement, although current EU policy rumblings suggest that may soon change.
So, the U.S. cyber insurance market has pretty heavily focused on data breaches and addressing the “concept” of harm rather than specific, identifiable harm. The industry position that commercial general liability policies, or CGLs, are not meant to deal with data breaches has been rather dramatically debated in courts; Sony’s 2011 PlayStation breach is the most notable battleground, but there have been others. And when looking at the Internet of Things, you start to ask, can or should the CGL respond to “bodily injury” arising out of cyber attacks? Some attorneys say yes, given that coverage for bodily injury stands separate as a result from “personal and advertising injury” – the portion of the CGL that insurers pointedly say does not include privacy violations or monetary harm from data breaches. Of course, some of those same lawyers say that attaching cyber exclusions to any CGL tacitly – or explicitly, depending on how aggressively you’d like to nudge the insurance industry – acknowledges that an unendorsed CGL that is silent as to cyber would in fact include coverage for the damage suffered by those affected by data breaches. If they have been harmed, that is. To this point, the significant reason for the dismissal of many data breach class actions has been that plaintiffs lack standing under Article III of the Constitution – they’ve failed to show that they have been harmed by a data breach. And there, too, courts have differed, just as they are likely to in the case of Internet-connected devices.
For example, your car’s GPS. They’re delightful and useful. Mine is named Margot, after a character on NBC’s TV show Hannibal with a similarly laconic voice and an air of not being particularly invested in whether I get where I’m going. Margot helped me drive here today, in fact, but she, as a device, reminds me every time I hit that power button that Garmin as a purveyor of GPS devices is not responsible for any vehicular shenanigans I might get into while following the directions. Liability waivers, whether you initial a form or whether you see a warning flash onto your GPS screen every time you turn it on, are the first line of defense for companies and their insurers when it comes to the Internet of Things. It’s the first rule for purchasing any complex and even some not so complex devices. You buy it and if it breaks you when you use it incorrectly, that’s not on the manufacturer. However, you’d be surprised at how many instances there are of GPS/swamp/pond/giant intersection incidents – including one lawsuit against Google, for providing allegedly erroneous directions and causing a serious accident. A judge was not convinced and did not grant the plaintiff the $100,000 she was seeking in damages. Luckily for her, car insurance continues to be a thing, despite reports of its suspected demise in a future of self-driving cars and pedestrian cities and citizen space travel – all of which promise a bright future of a different sort for insurance.
But we’re not talking about user error with the Internet of Things and that’s where potential liability really gets tricky. Say you have a connected vehicle. You as technology professionals, engineers and the like, are likely more familiar with the many, many features of the increasingly autonomous fleets of cars rolling off the line these days. When thought leaders in the insurance world and risk managers sit around and come up with scenarios for the disasters that could befall any particular line of business – and they appear to do this for fun no small amount of the time – they consider every possible angle. You have a car that provides you with a rear view “back up” camera – very much driven by a computerized system. Or you have car doors that can remotely be locked and unlocked. Could all of this and more be hacked? Security experts say yes. Sen. Edward Markey of Massachusetts certainly thinks so. You can take that with however many grains of salt you’d like, as he is a politician rather than a security expert, scientist, or insurer.
But Sen. Markey issued a report earlier this year raising concerns about the privacy and security of consumers who use these cars but may not understand the implications of the nifty capabilities. Markey’s findings included the fact that nearly every car manufactured today includes wireless technology that could be vulnerable to hacking or inappropriate data collection or privacy violations. He found that automakers do not really keep track of hacking incidents – although several automakers responded that they were not aware of any such incidents and only two other events were reported, one relating to a third-party app that interacted with the vehicle’s Bluetooth connection and an effort by some tech-savvy individuals to reprogram their onboard computers to put a little rev in their engines. So, Markey’s conclusion that hacks aren’t tracked may not be painting the most accurate picture. He did also characterize security measures as “inconsistent and haphazard” across the board. Markey also questioned the data collection and privacy concerns attached to many of the devices connected to the Internet.
And indeed, a lawsuit has already been filed against several vehicle manufacturers by a Dallas attorney claiming that vulnerabilities within the cars’ onboard computers mean that “anyone can hack into them, take control of the basic functions of the vehicle, and thereby endanger the safety of the driver and others.” The lawsuit is currently in the early stages in a U.S. District Court.
It might be harder and harder to apply the phrase “buyer beware” to situations like this, or others stemming from the Internet of Things. I’ve talked a great deal about the advances the insurance industry has made in cyber insurance, but when you start to get into the territory of cyber-related bodily injury and physical damage, that’s where you begin to find a bit of a schism in the insurance industry. Some industry professionals say this is territory well trod by traditional insurance policies and cyber should be considered another peril along with fire, wind, and all the other risks faced. As one underwriter put it during Advisen’s Cyber Risk Insights Conference in New York last fall, there are “thousands of things that could make an oil rig blow up and a hacker getting in is just one of them,” although he described the chance of a cyber event giving rise to a bodily injury as “infinitesimally small.” Property insurers are best equipped to handle those claims, he said. That includes claims that could arise from Internet-connected consumer products like automated home thermostats, smart refrigerators, pacemakers, etc. These fall into the same type of world as product liability, something insurers are excellent at handling, even in cases where there could be a widespread product recall, for example.
The same industry chap had another great comment regarding cyber-related damage that I’ll share with you – “This is why the insurance industry gets such a bad name, because they see us as wriggling out of claims. Why not accept that along with all the other perils?”
On the other side of the argument, you have industry reps who point out that the real issue becomes actual security of devices. The “things” we’re talking about aren’t built with an eye toward maintaining privacy or security, they’re built with an eye toward a useful, easy-to-operate end result.
Applying cyber insurance principles to physical damage requires more applicable underwriting data, which, regrettably, means more loss events that provide insurers with an accurate picture of the effects of cyber attacks. To date, we have information on just two events that have caused actual physical damage. A German steel mill reported a hacked blast furnace that damaged the mill and halted operations – publicly available details are scanty for that one – and then there is Stuxnet, the malware that first came to attention in 2010 for disabling portions of Iran’s nuclear power facilities. If you’re saying to yourself, well, I’ve heard of those, what else can the insurance industry tell me about physical damage-causing cyber events – that’s essentially it.
But this is a really key point for insuring for Internet of Things events. Hackers are resourceful and relentless and they are people, with motivations that are multiple and mysterious. The insurance industry may have centuries of data on the conditions that are likely to lead to a house fire or a hurricane, but the human element of hacking – and the human mistakes at organizations that can lead to cyber attacks – present a significant, hopefully surmountable challenge for insurers. More dialogue across industry borders, more sharing of technology and information, and more awareness of the potential risks can only help everyone reach the common goal of safer connectivity.