The complexity and insecurity of the Internet of Things (IoT) make it hard for insurers to underwrite emerging technologies, yet insurance is pivotal to the IoT as it helps to lower risk and unlock innovation. As the connected economy continues to scale at an unprecedented rate, we need to explore how insurers and the technology ecosystem can work together to model cyber risks.
We are finally starting to realize the extraordinary potential of the Internet of Things. In the early days, we were promised more data, deeper insights, greater efficiency and productivity. Now, connected devices are changing the way we live and work. Analysts estimate the IoT will drive services valued between $5-12 trillion by 2030, while more than 41 billion IoT devices are expected to be installed by 2027, up from 8 billion in 2019.
The widespread adoption of IoT technologies will re-shape entire industries, including our own. This is because the data that is generated by the devices that are being deployed at scale enables us to challenge existing processes and business models and create new opportunities. However, digital transformation also involves risk. When we innovate, we are usually stepping into the unknown.
In other aspects of our life we look to insurance companies to help us manage uncertainty. For example, we may be a careful driver, but we still take out insurance to protect our cars, ourselves and other road In other aspects of our life we look to insurance companies to help us manage uncertainty. For example, we may be a careful driver, but we still take out insurance to protect our cars, ourselves and other road users – because we do not know what is around the corner. That gives us the confidence to get behind the wheel and it provides financial backing, which means we won’t be left counting the costs of an accident on our own.
The IoT, on the other hand, is rapidly evolving and that makes insuring it much more complicated. In this blog, I’m going to explore the relationship between the IoT and insurers, and what steps the technology ecosystem can take to build trust and assurance in the devices powering the IoT.
Insuring the IoT: Four Big Questions
As the IoT is made up of billions of connected devices, built with components from multiple companies, who all wAs the IoT is made up of billions of connected devices, built with components from multiple companies, who all work to different security standards, insurers need to understand:
- How significant are the risks?
- Who is responsible, or liable, if something goes wrong?
- What is the cost of failure?
- Can these failures aggregate and multiply?
How Significant are the Risks?
To find the answers, insurers start by modeling risk. However, despite recent headlines that show a To find the answers, insurers start by modeling risk. However, despite recent headlines that show a worrying increase in the number of cyberattacks on IoT devices (up 700% each year since 2019), we do not have comprehensive historical data upon which insurers can base their modeling. What is more, because of the unpredictable nature of the malevolent intent of bad actors, historical scale and rate of incidence cannot be viewed as a predictor of future scale and rate of incidence. Together, these make the job of quantifying and qualifying risk even more challenging.
We are also asking insurers to see the potential of the technology as well as the current reality. As the IoT We are also asking insurers to see the potential of the technology as well as the current reality. As the IoT grows, we become less involved in installing, connecting and managing the devices, and the scale of an attack on them potentially increases. Insurers need to look beyond where we are now to this hyper-connected landscape, where vast numbers of small, internet-connected devices with varying degrees of security can be targeted by hackers for less than $100, according to the Financial Times.
It is the same in other industries and situations where devices are being deployed at scale.
Who is Responsible, or Liable, if Something Goes Wrong?
In addition, insurers need to understand the roles and responsibilities of every organization that has an impact on the delivery of value to a client, and their expectations of each other. The complexity and hyper-connectivity of the IoT value chain makes this incredibly difficult too. Unfortunately, insurers do need to know where liability lies in the event of a hack if they are to help to mitigate the impact of it. Who do you think would be at fault if an attack on a single smart meter caused widespread disruption? The hardware, software, or operating system developer? The connectivity manager or cloud service provider? The device maker, the enterprise, end user or even the government?
What is the Cost of Failure?
Finally, the insurance market depends on capital. However, capital is only available to organizations and industries that have been built on trust. That is because an insurer’s ability to write premiums, just as they do when you take out car insurance, is greater if they can spread the risk between a number of parties. To do that, they need to be able to convince themselves, and the companies they are sharing the risk with, that they understand the worst-case scenario. For all of the reasons we have described above, that is not straightforward.
So, where does that leave the companies that are designing, developing and manufacturing products for the IoT? What proactive steps can we take to help remove some of the barriers to insuring the IoT?
Understanding the Supply Chain is Critical
According to world-leading insurer, Munich Re, to enable digital transformation across sectors we must be able to build people’s confidence in embedded devices and increase transparency. We need to think differently about insurance products being developed and the value they create for customers. One clear way of doing this is to explore the devices underpinning key services, and explore whether they are designed with best practices in mind.
Tim Davy, the firm’s Cyber Security Specialist explains: “We have digital assets now but also expanded supply chain challenges from a risk perspective. Where does liability start and stop? Starting at the core, we talk about Security By Design a lot and having trusted components within an organization or system allows us to compartmentalize where we’d see that risk”.
One of the strengths of the IoT is that the information that is being gathered by these connected devices can be used to inform decision making and is often a catalyst for change. Therefore, we must have confidence in the technologies and in the data they generate. If we can establish a chain of trust from the device to the data, it will also offer us some assurance over the business-critical services that our products now enable. Tim continues: “Having trusted components within an organization or system helps insurers to compartmentalize risk and reduce the cost of inaction. With more trusted components, comes greater business resiliency and more understanding of supply chains that keeps the cost of failure to a minimum.”
Trust must be designed-in to a device, starting at the silicon. However, as we scale the IoT, we cannot expect the level of security expertise available to manufacturers to grow with it. We also cannot afford for security to be an afterthought. To address this challenge, and to ensure that we continue to innovate, we have to work together to make the IoT more secure. As Tim explains: ““Having standards and regulations in place in industries helps put the yard stick in the right place and sets the right direction.” In my mind, this means putting frameworks in place to give product developers access to world-leading security expertise and helping them meet international laws, regulations and baseline requirements. It also involves working together to establish a common security standard that is based on a Root of Trust.
This will help us demonstrate to insurers that the risk of a cyberattack has been reduced. Investing in security upfront will also save time and resources and get products to market faster in the longer term.
Leading by Example
We all have a role to play in adopting best practice while we wait for insurers to unravel the complexities of the IoT in a way that enables them to properly understand the risks and liability. Helping insurers join the IoT ecosystem and create profitable products is what will help us achieve the collective goal of building trust in the IoT.
Initiatives such as PSA Certified, the independent assurance framework and certification scheme for the IoT, have been developed to make this process easier. The program helps you build-in the right level of security for your device and maps to existing and emerging laws, regulations and baseline requirements.
Offering a standardized indicator of security, PSA Certified creates a chain of trust across the supply chain and minimizes the technical probability and impact of hacks. This enables risk models that are rational, accurate and monetizable and means insurers can see which companies that have established a chain of trust. As Tim Davey summarizes, “The work of PSA Certified and other initiatives are helping to drive trust and that’s a key pillar for insurance.”
If you’d like to hear more about how the ecosystem is collaborating to mitigate cyber risk and build trust and assurance in the IoT, you can find our 2022 Advisory Paper on Reducing the Cost of IoT Security here.