10 MINS READ
Industries worldwide are rapidly adopting the internet of things (IoT).
This enables them to unlock new business value, drive revenue growth, and gain competitive advantage. The IoT market is on a rally—it is expected to double from $300.3 billion in 2021 to $650.5 billion by 2026, according to market data firm ReporterLink. However, IoT security is still lagging, and manufacturers have been slow to respond to device security needs. Recent cyberattacks like the one against Norway’s online services and that against the Port of London Authority have all targeted IoT devices, highlighting the susceptibility of these systems as soft targets. The cost implications for insurers are heavy: According to Fitch Ratings, cyber insurance claims grew by 200% in three years; in 2021, commercial insurer CNA Financial paid hackers $40 million as ransom for a cyberattack. In this high-risk environment, how can cyber insurers mitigate risks for themselves and avoid making hefty payouts against claims?
Stay aware, stay protected
First, insurers need to keep pace with IoT technology.
This will help them to fully understand the risks that come with it and to be able to mitigate those risks. Their awareness in the following areas can help:
Implications of IoT-related policy wording: Most IoT devices have smart features that have the ability to control other physical systems or machines. Breaches can lead to serious data privacy issues, exposure to property loss, bodily injury, and the like. These new attack vectors may not be defined or covered under existing policies. For instance, an IoT telematics device may be hacked to provide a false guidance and cause an accident. The resulting liability may turn out to be an area of contention for coverage either in existing lines or cyber insurance. Without policies that clearly define exclusions and inclusions, insurers may end up with large claim payouts.
IoT in commercial insurance: Driven by proven improvements in productivity, insights, and savings, enterprises are moving towards industrial IoT and smart factories. On the flip side, businesses are emerging as critical targets for attacks. Cyberattacks extend beyond IT infrastructure to non-IT assets such as equipment and workplace safety sensors. A compromised IoT device results in large-scale damage leading to higher claims. As insurers are now increasingly capturing data from IoT devices in real time, they face two challenges—securing IoT devices and protecting the data they collect. To address the security issues around IoT devices, insurers can take advantage of them by automatically triggering claims when there is a breach. Insurers can perform a remote damage assessment due to the connectivity of the devices and the data stored in them. This positions insurers to gain early insights in risk mitigation, pricing, targeting of customer segments.
Emerging applications of IoT: While advancements in technology enhance customer experience, they also open new avenues for risk exposure. For example, blockchain-based smart contracts on IoT devices pave the way for automated transactions resulting in improved operations. New technology platforms like the metaverse also use IoT for enhanced user experience. IoT devices with in-built artificial intelligence (AI) store customer data locally for real-time decisioning. However, without the appropriate security measures, these technologies are vulnerable to attack. Insurers with the capabilities to assess and mitigate risks will offer comprehensive coverages and improve their market share.
Fighting IoT risks: Three things to focus on
Here are a few things cyber insurers need to focus on:
IoT risk assessment: The nature of IoT risk demands a quantifiable risk assessment approach. By adopting new risk assessment models such as the IoT Micromort Model, companies can predict impact using units of mortality risk or value at risk based on economic impact. These allow insurers to offer improved coverage devoid of ambiguities for high-risk IoT environments.
IoT risk prevention: Ensuring cyber awareness among users along with establishing proper cyber hygiene practices are key to risk prevention. Insurers can also enforce built-in security or encryption in IoT devices. Moreover, cyber insurers can recommend employing user entity and behavior analysis (UEBA) as well as endpoint detection and response (EDR) solutions to customers to get a real-time view of the end points and associated threats.
IoT safety and compliance: Regulators have taken cognizance of the IoT trend and have introduced bills and proposals providing security guidelines to reduce IoT device vulnerabilities. California’s IoT Devices’ Security Law and the IoT Cybersecurity Improvement Act 2020, among others, are all aimed at regulating IoT devices and mitigate risks. With data privacy regulations applicable to IoT devices, future regulations will focus on enhancing security, such as banning preset passwords and assigning IP addresses, among others. Embedding a thorough compliance check will help insurers to identify security loopholes and weak spots.
De-risk with confidence
Considering the multitude of benefits, the proliferation of IoT is inevitable.
Cyber insurers should be aware of the risk exposure arising from the pervasive and interconnected nature of IoT. They need to take a cautious yet proactive approach in addressing IoT risks, with the purpose of securing customer assets while achieving growth. Those that leverage new risk assessment models ensure the security of IoT assets and offer well-defined cyber coverages that stand to gain.