which devices with sensors connected to the Internet collect, store and analyze massive amounts of data, and play an increasingly prominent role in the physical world. Vast in scope, the IoT is one of the fastestgrowing aspects of information technology, and has huge implications for the insurance industry. An estimated 10 billion devices are connected to the Internet today, and that figure is projected to double or triple by 2020. A recent study conducted by the McKinsey Global Institute estimates that the IoT will have a total potential economic impact of $3.9 to $11.1 trillion a year by 2025. The ever-expanding IoT business classes present opportunities for the insurance
WHO NEEDS IOT COVERAGE? Manufacturers: While not particularly vulnerable to a traditional cyber breach, “they may be incredibly exposed to the Internet of Things because they have devices connecting throughout the Internet, and that could lead to other compromises that could result in physical or property damage,” says Travelers’ Tim Francis. “It’s an area of exposure that is underappreciated.” Healthcare: In the past decade, the healthcare sector has been one of the biggest beneficiaries of the IoT. Technologies on the horizon range from sensors and microcomputers fitted in the human body that could monitor health conditions, to highly automated devices and processes that could help increase the efficiency of critical treatments with a limited human interface. Education: Innovations such as Internet-enabled and interactive smart classrooms and various student tracking systems could help to make schools more secure.
“We don’t even know all the potential things out there that could impact the Internet, computers and the Internet of Things” John Coletti, XL Catlin industry to cover the risks associated with them; one study estimates that 70% of the most commonly used IoT devices contain vulnerabilities. “I think that we don’t talk enough in the cyber industry about things that use computers that aren’t about privacy,” says Michael Palotay, senior vice president of underwriting and head of the cyber product team at NAS Insurance. “Manufacturers use computers to keep their assembly lines running; utility companies use old legacy computer controls. All of those systems are vulnerable and not easily upgraded. When they get hacked or even malfunction, it can have a big effect.” IoT issues dominate today’s business environment as well. “Devices are connecting to other devices, and in many ways, are not being watched as carefully as you might think,” Francis says. “People don’t always check those connections, and as was seen in the Target security breach, they can be used as a means of entry into the company. We should embrace the technology, but we also need to understand the risks that go along with it.”
Industrial-scale threats Those risks run the gamut from privacy breaches and device malfunctions to industrial espionage and cyber terrorism events. The IoT pertains to more than just small devices – it also includes some of the world’s largest assets, such as trains, gas and wind turbines, oil refineries, factories, harbors and smart grids, all of which are now equipped with Internet-connected sensors and actuators.
“The biggest evolutionary step in cyber liability insurance has to do with nondata-breach types of risk that have to do with cyber risk relating to control systems – when someone hacks into the power grid and shuts down a utility company, or damages a manufacturing plant and shuts off equipment and disrupts the whole supply chain,” says Jeremy Barnett, senior vice president of marketing at NAS Insurance. The aggregation potential in such a scenario can be devastating. If a utility company gets shut down, for example, so are tens of thousands of other customers who rely on electricity to run their businesses. “And now you have this wide ring of business interruption claims, and it’s ultimately related back to a software issue or cyber breach,” Barnett says. “It has nothing to do with data, but it has to do with the cyber crime affecting these control systems.” Taken to a grand level, such scenarios could even spin out into state-sponsored cyber terrorism. “But at the same time,” Barnett adds, “you can imagine the evolution of corporate espionage when competitor A wants to take down competitor B, what they can do to disrupt their competitor’s business. That’s an emerging risk where cyber liability insurance is now starting to fit in.”
Emerging products Insurers that are working to develop effective IoT coverage solutions spend a lot of time trying to imagine the seemingly outlandish loss scenarios that may well be at their doorsteps within a few short years. For example, Kletzli says, “let’s say an organization decides to embed technology to
58-61_Ad led Cyber-SUBBED.indd 59
22/01/2016 7:35:30 AM