The internet of things is growing quickly. Today, countless devices, appliances, vehicles and buildings have embedded sensors, software and network connectivity that enable them to wirelessly accumulate and exchange data. This information flows over the internet to inform factory workers that a piece of equipment is in dire need of maintenance or tell homeowners that their security system was compromised.
Soon virtually everything will be IoT-enabled—26 billion, 30 billion or 50 billion objects will be connected to the internet by 2020, according to wide-ranging estimates by Gartner, ABI Research and Cisco, respectively. As this occurs, new risks are emerging for homeowners and businesses alike, and traditional insurance policies may not cover losses that result.
One reason for this is that IoT brings new potentially liable parties into a loss scenario. “Say a factory suffers an electrical fire from a malfunctioning piece of equipment,” said Michael O’Brien, a partner at law firm Wilson Elser Moskowitz Edelman & Dicker. “Now, assume the investigator of the fire’s cause and origin and the supporting forensic engineers determine that the most probable cause is the IoT enablement of the equipment. In the post-fire forensic investigation, evidence emerges that someone had hacked into the sensors and operational controls in the equipment that measured heat, sending erroneous information via the internet, which resulted in overriding the critical safety controls of the machinery, causing the electrical fire.”
Assuming the manufacturer’s property insurance policy will pick up the cost of the loss, the question then becomes whether this insurance company will pursue subrogation against potentially responsible third parties. “These third parties may run the gamut from the equipment maker and component suppliers to the sensor manufacturer, the company that installed the sensor, if it was an outside party, and even the software developers contributing to different elements of the sensor, such as the electronics and gauges,” he said. “These parties may not have adequate—or any—cyber insurance to address the potential liability exposure caused by the manufacturer’s financial losses, simply because they never expected to need it.”
Basics of IoT
The question of liability only scratches the surface of the potential impact facing many companies. Not only are the number of IoT-enabled objects rapidly increasing, but these objects are connecting with other objects in a network, and eventually these networks will connect with other networks. The world will be connected in ways that were unimaginable a decade ago.
Already, many of our household appliances, televisions and cars connect to smartphones and other mobile devices. Machines connect to other machines in a factory. Marketers are able to engage customers with products and services in an instant, thanks to GPS-enabled location data. Supply chains are woven together with RFID tags that track freight movements. All of these systems will soon connect to other systems in networks of profound utility and complexity.
Insurers and brokers are just getting up to speed on the extraordinary changes to the risk landscape and questions about related insurance coverage that are already coming up in IoT-enabled environments. So are risk managers in the manufacturing space. “Not surprisingly, the fastest-growing industry group in terms of purchasing cyber insurance in 2015 was manufacturing,” said Robert Parisi, managing director and cyber product lead at Marsh. “Everyone tends to think of cyber insurance as protecting data privacy, but there are other aspects to the insurance that are equally if not more important to consider.”
Parisi believes the question of whether or not these insurance terms and conditions address IoT-related losses is one of the most interesting issues in the marketplace right now. “Where is the appropriate home for a risk that results from the failure of a technology that is not a physical peril, yet causes physical damage? Does the loss reside with a cyber policy, property policy or some other policy? This is all under discussion,” he said. “Of course, risk managers don’t care, so long as they’re covered.”
For now, there are no easy answers. “Technology is a constantly evolving threat, and underwriters have had to enhance their understanding of IoT risks in relation to [taking them on] their balance sheet,” Parisi said. “I believe they’re trying to be proactive in offering a solution, but they’re not rolling over to do it. As they dig deeper into these risks, they’ll see better where the gaps may be and work to fill them. We’re hearing very fluid discussions on this topic right now.”
Nevertheless, Parisi underscored just how extraordinary the business losses may be in an IoT “network of networks” future. “If you asked me what damage a computer might do 10 years ago, I’d say not all that much,” he said. “Today, they can destroy the world.”
Dire Scenarios Await—Maybe
One example of the damage that could result from compromised network systems is the 2015 hacking of Ukraine’s electrical grid, which resulted in a massive power failure. More than 30 of the country’s 135 power substations were shut down for about six hours, cutting electricity to more than 80,000 homes. Hackers reportedly used malware to direct the grid’s industrial control computers to disconnect the substations, then followed this up with a virus that made the computers inoperable.
Now imagine if hackers were to cause a similar catastrophe in a city like New York, London or Paris. The blackout would shut down public transportation. Local airports would close. Financial markets would cease trading. Hundreds of thousands of people would need to be evacuated to safer locations.
This is a doomsday scenario, but many other examples point to possible disasters on a smaller, more personal scale. In July 2015, for instance, Wired magazine reported how security researchers Charlie Miller and Chris Valasek were able to exploit a software vulnerability, hack into the dashboard computer of a Jeep Cherokee and seize control of the vehicle. The hackers were able to remotely take over the steering, transmission and brakes and speed up or slow down the vehicle at will. Shortly after the article was published, Jeep’s parent company, Fiat Chrysler, recalled 1.4 million vehicles across several brands that all had the same vulnerability.
These were ethical hackers attempting to ferret out potential risk. If their intent had been malicious, the potential loss of life, bodily injuries and property damage could have been substantial. Were this to actually occur, would the affected drivers’ automobile insurance cover the related financial losses? Probably, but that would be the first domino in a complex liability chain as the insurers might then sue other culpable parties to recoup their losses.
Other ethical hacks have demonstrated similar vulnerabilities. A mobile application controlling Nissan’s Leaf electric car was recently hacked by an Australian researcher who was able to access the car’s temperature controls and other functions using its VIN (vehicle identification number). Nissan quickly disabled the app. “There’s nothing in the internet world that can’t be hacked,” said Kevin Meagher, senior vice president of business development at ROC Connect, which develops programs for IoT.
The sensors embedded in objects to measure heat, moisture content, vibration, oil pressure and other conditions are particularly vulnerable to hacking. A July 2014 study by Hewlett-Packard indicated that seven out of 10 popular IoT devices contain vulnerabilities. Researchers tested a variety of devices, including home thermostats, remote power outlets, sprinkler controllers and alarm systems. The findings were sobering: 70% of the sensors did not encrypt internet or local network communications; half performed unencrypted communications to the cloud, internet or local network; and 80% failed to require passwords of sufficient complexity and length, with most devices allowing such simple passwords as “1234.”
Meagher noted that the batteries in many sensors also are rarely encrypted, opening yet another gateway for hackers. “The reality is that someone can hack into a sensor with a laptop while sitting in a car outside your house or outside your plant,” he said.
Growing Awareness
Many risk managers have only recently become aware of the breadth of risks and insurance uncertainties produced by their companies’ IoT devices. “It’s complicated and emerging, and we have difficulty talking about it because there’s not a lot of data yet on these risks or whether the related losses have been denied [by insurers],” said John Hach, risk manager at Lincoln Electric, a Cleveland-based global manufacturer of welding products and welding automation tools.
Lincoln Electric’s overseas plants have sensor-embedded machinery that is wirelessly connected to computers over the internet. “Welding is loaded with sensors, which we put in to actually reduce risk,” he said. “I’m aware that a malefactor could hack into our system and make the welds defective. While our property policy covers IT-related losses, it only covers us and not third parties [using our products]. Insurers need to get their arms around this to address potential gaps.”
Large public entities are also IoT-enabled. For example, Orange County Transportation Authority in Orange, California, recently embedded its buses with sensors to gather data on driver behavior. “The sensors tell us how much braking a driver regularly applies or the speeds at which they drive,” said Al Gorski, the transportation authority’s chief risk officer and an adjunct professor of risk management and insurance at California State University in Fullerton. “Down the line, I imagine we’ll equip the buses with crash avoidance technology as well, especially if our insurers provide a discount for their use.”
Gorski knows that these IoT systems could be hacked and thus create liability issues. “There’s always the concern that technology can be misused and the knowledge that it will be misused,” he said. “Were this the case and our buses were hacked, I’m not sure we’d be insured for the potential losses. At the moment, the IoT appears to be outpacing the law, regulations and insurance policies. Lawyers will make a ton of money on this stuff.”
O’Brien agrees. “When there are disputes over which party is responsible for a loss, typically litigation can be expected and ultimately some manner of dispute resolution will occur, whether it be by mediation, arbitration or the courtroom,” he said. “This is where these issues are likely to be resolved.”
Because so many different industries are seeking to take advantage of the benefits of internet connectivity, a single insurance solution will likely not suffice. “Since each industry has a different way of operating and doing business and transferring risks, insurers will need to tailor solutions accordingly,” O’Brien explained. “This is generally not the case right now. At the end of the day, like data breach insurance, there will not be a one-size-fits-all policy.”
Insurer awareness of the risks of IoT, particularly in relation to their existing policies, will also likely generate innovative risk transfer solutions. “As this awareness grows and insurers begin to address the potential for large-scale internet-based losses resulting in property damage or bodily injury or both, the industry will adjust by developing policy exclusions or endorsements, while grappling with trying to determine how much risk to take and what premium to charge for this risk,” O’Brien said.
In the meantime, IoT systems are becoming safer from hacking. “We’re increasingly seeing tiered levels of security being embedded into IoT devices, starting with the ones that absolutely have to be safe, such as systems in airplanes that connect to air traffic control towers,” Meagher said.
Proactive Measures
Risk managers do not have to wait for these new insurance endorsements or security improvements. Rather, they should investigate where and how their organizations are currently using IoT-enabled objects. “It’s up to risk managers to be proactive about this, asking questions of operations, factory personnel and supply chain managers,” said Randy Nornes, executive vice president at Aon Risk Solutions.
Many risk managers are doing just that. “This is a complex quagmire we’re in,” said Leslie Lamb, director of global risk and resilience management at Cisco Systems. “It’s our job to understand the risks of the IoT the best we can, and then relay this information to the underwriting community—not through a broker, but directly. I don’t want to disintermediate the brokers, but I want to be in a position to tell our story as accurately and as transparently as possible. I want the underwriters to know exactly what our potential IoT risks are so there are no surprises.”
Collaboration is essential. “If a risk manager can help define what the risk is, insurance companies will listen,” Nornes said. “Through a combination of off-the-shelf policies and re-engineered coverages, companies can rest assured that the IoT threat is diminished.”
With consumers adopting up to 50 billion IoT devices in the next few years, it will be important for risk managers and insurance providers to stay ahead of the curve in order to avoid the detrimental consequences of compromised networks and faulty technology. As O’Brien pointed out, “Ignorance of future risks and procrastination over taking action are never solutions.”