The complexity and insecurity of the IoT make it hard for insurers to back new technologies, yet insurance is pivotal as it offers a low-risk way to experiment. So, what can the electronics industry do to build trust?
We are finally starting to realize the extraordinary potential of the Internet of Things (IoT). In the early days, we were promised more data, deeper insights, greater efficiency and productivity. Now, connected devices are changing the way we live and work.
The widespread adoption of IoT technologies will reshape entire industries, including our own. This is because the data generated by devices deployed at scale enables us to challenge existing processes and business models and create new opportunities. However, digital transformation also involves risk. When we innovate, we are usually stepping into the unknown.
In other aspects of our lives we look to insurance companies to help us manage uncertainty. For example, we may be careful drivers, but we still take out insurance to protect our cars, ourselves and other road users – because we do not know what is around the corner. That gives us the confidence to get behind the wheel and it provides financial backing, which means we won’t be left counting the costs of an accident on our own.
However, the automotive industry is well established so insurers understand the risks before they underwrite them. The IoT, on the other hand, is evolving and that makes insuring it much more complicated. In this blog, I’m going to explore the relationship between the IoT and insurers, and what steps the technology industry needs to take to overcome the key issues.
Insuring the IoT: Four Big Questions
As the IoT is made up of billions of connected devices, built with components from multiple companies, who all work to different security standards, insurers need to understand:
- How significant are the risks?
- Who is responsible, or liable, if something goes wrong?
- What is the cost of failure?
- Can these failures aggregate and multiply?
How Significant are the Risks?
To find the answers, insurers start by modeling risk. However, despite recent headlines that show a worrying increase in the number of cyberattacks on IoT devices, we do not have comprehensive historical data upon which insurers can base their modeling. What is more, because the malevolent intent of bad actors is unpredictable, the historical scale and rate of incidence cannot be viewed as a predictor of the future scale and rate of incidence. Together, these make the job of quantifying and qualifying risk even more challenging.
We are also asking insurers to see the potential of the technology as well as the current reality. As the IoT grows, we become less involved in installing, connecting and managing the devices, and the scale of an attack on them potentially increases. Insurers need to look beyond where we are now to this hyper-connected landscape.
It is the same in other industries and situations where devices are being deployed at scale.
Who is Responsible, or Liable, if Something Goes Wrong?
In addition, insurers need to understand the roles and responsibilities of every organization that has an impact on the delivery of value to a client, and their expectations of each other. The complexity and hyper-connectivity of the IoT value chain make this incredibly difficult too. Unfortunately, insurers do need to know where liability lies in the event of a hack if they are to help mitigate its impact. Who do you think would be at fault if an attack on a single smart meter caused widespread disruption? The hardware, software, or operating system developer? The connectivity manager or cloud service provider? The device maker, the enterprise, end user or even the government?
What is the Cost of Failure?
Finally, the insurance market depends on capital. However, capital is only available to organizations and industries that have been built on trust. That is because an insurer’s ability to write premiums, just as they do when you take out car insurance, is greater if they can spread the risk between a number of parties. To do that, they need to be able to convince themselves, and the companies they are sharing the risk with, that they understand the worst-case scenario. For all of the reasons we have described above, that is not straightforward.
So, where does that leave the companies that are designing, developing and manufacturing products for the IoT?
Can These Failures Aggregate and Multiply?
According to the world-leading insurer Munich Re, to enable digital transformation across sectors we must be able to build people’s confidence in embedded devices and increase transparency. Peter Armstrong, the firm’s senior cyber subject matter expert, explains: “Without it, we won’t be able to identify the breakdown of liability in these value chains and offer the insurance capital that is necessary. The implications of that for the technology industry are that it will slow down deployment and adoption and there will be a level of uncertainty around the new value propositions that the IoT seeks to enable.”
In practical terms that means we need to think differently about the products we develop and the value they create for our customers. One of the strengths of the IoT is that the information that is being gathered by these connected devices can be used to inform decision making and is often a catalyst for change. Therefore, we must have confidence in the technologies and in the data they generate. If we can establish a chain of trust from the device to the data, it will also offer us some assurance over the business-critical services that our products now enable.
Trust must be designed into a device, starting at the silicon. However, as we scale the IoT, we cannot expect the level of security expertise available to manufacturers to grow with it. We also cannot afford for security to be an afterthought. To address this challenge, and to ensure that we continue to innovate, we have to work together to make the IoT more secure. That means putting frameworks in place to give product developers access to world-leading security expertise and helping them meet international laws, regulations and baseline requirements. It also involves working together to establish a common security standard that is based on a Root of Trust.
This will help us demonstrate to insurers that the risk of a cyberattack has been reduced. Investing in security upfront will also save time and resources and get products to market faster in the longer term.
Leading by Example
We all have a role to play in adopting best practice while we wait for insurers to unravel the complexities of the IoT in a way that enables them to properly understand the risks and liability.
Initiatives such as PSA Certified, the independent assurance framework and certification scheme for the IoT, have been developed to make this process easier. The program helps you build in the right level of security for your device and maps to existing and emerging laws, regulations and baseline requirements, and that, according to Peter, is important. “That’s how we get the opportunity of being able to measure and judge compliance against a mandated view,” he says.
However, he also goes on to explain that it is not always that clear cut. Sometimes, governments and industry organizations issue ‘guidance’ rather than rules. “The defined Root of Trust protocols that talk to nuanced issues can provide confidence and an easy win for insurers,” he says. “It can speed up adoption and deployment of the new technologies because we can offer warranties to back those technologies. So, in essence, it is important for the technology industry to lead and continue to embrace the requirement for compliance in this evolving environment …”
The PSA Certified website lists the products that have been independently assessed as having met baseline security standards. This means insurers can see the companies that have established that chain of trust.
If you’d like to learn more about this topic, I recently moderated a podcast looking into the insurance industry’s response to the growth of the IoT. You can find ‘The $6T Importance of Security: Liability in an Insecure World and the Rise of Insurance’, as part of the Arm presents Fireside Chats series, on Apple Podcasts, Google Podcasts and on Spotify.