The Internet of Things

Part one of our feature on how internet-connected devices – from thermostats to nuclear reactors – are presenting the next big risk in cyber insurance


Just a few years ago, people used the Internet to connect with other people. Now, the things we own make that connection – in many cases, without our involvement.
 
“It’s gone from computers to cell phones and well beyond that,” says Tim Francis, cyber insurance lead at Travelers. “In the old days, you had a fridge and freezer, and it kept stuff cold. Now, your fridge knows what’s inside of it, and when you are low on eggs, it can tell you and order the eggs for you.”
 
As our devices start to connect outside the home and have more and more personal information on them, there is now the possibility – as far-fetched as it may seem – of a data breach taking place in the fridge, toaster or thermostat.
 
Indeed, the biggest retail hack in US history started with a smart thermostat that proved to be a convenient back door to retail giant Target’s computer systems. The breach was a perfect example of how something as mundane as an HVAC system, once connected to the Internet, can be used as a portal to bring a corporate behemoth to its knees.
 
“Embedding technology can offer companies improvements in efficiency and safety, but the risk is they could open additional points of entry for individuals with malicious intent,” says Matt Kletzli, head of management liability and cyber protection program manager at Victor O. Schinnerer & Company. “A premise of risk management is that the remedy for one risk could actually create new risks for organizations. The same may be true for these technological advances.”
 
The insecurity of things
This is the essential conundrum of the Internet of Things: We live in an era in which devices with sensors connected to the Internet collect, store and analyze massive amounts of data, and play an increasingly prominent role in the physical world.
 
Vast in scope, the IoT is one of the fastest-growing aspects of information technology and has huge implications for the insurance industry. An estimated 10 billion devices are connected to the Internet today, and that figure is projected to double or triple by 2020. A recent study conducted by the McKinsey Global Institute estimates that the IoT will have a total potential economic impact of $3.9 to $11.1 trillion a year by 2025.
 
The ever-expanding IoT business classes present opportunities for the insurance industry to cover the risks associated with them; one study estimates that 70% of the most commonly used IoT devices contain vulnerabilities.
 
“I think that we don’t talk enough in the cyber industry about things that use computers that aren’t about privacy,” says Michael Palotay, senior vice president of underwriting and head of the cyber product team at NAS Insurance. “Manufacturers use computers to keep their assembly lines running; utility companies use old legacy computer controls. All of those systems are vulnerable and not easily upgraded. When they get hacked or even malfunction, it can have a big effect.”
 
IoT issues dominate today’s business environment as well. “Devices are connecting to other devices, and in many ways, are not being watched as carefully as you might think,” Francis says. “People don’t always check those connections, and as was seen in the Target security breach, they can be used as a means of entry into the company. We should embrace the technology, but we also need to understand the risks that go along with it.”
 
Industrial-scale threats
Those risks run the gamut from privacy breaches and device malfunctions to industrial espionage and cyber terrorism events. The IoT pertains to more than just small devices – it also includes some of the world’s largest assets, such as trains, gas and wind turbines, oil refineries, factories, harbors and smart grids, all of which are now equipped with Internet-connected sensors and actuators.
 
“The biggest evolutionary step in cyber liability insurance has to do with non data-breach types of risk that have to do with cyber risk relating to control systems – when someone hacks into the power grid and shuts down a utility company, or damages a manufacturing plant and shuts off equipment and disrupts the whole supply chain,” says Jeremy Barnett, senior vice president of marketing at NAS Insurance.
 
The aggregation potential in such a scenario can be devastating. If a utility company gets shut down, for example, so are tens of thousands of other customers who rely on electricity to run their businesses.
 
“And now you have this wide ring of business interruption claims, and it’s ultimately related back to a software issue or cyber breach,” Barnett says. “It has nothing to do with data, but it has to do with the cyber crime affecting these control systems.”
 
Taken to a grand level, such scenarios could even spin out into state-sponsored cyber terrorism. “But at the same time,” Barnett adds, “you can imagine the evolution of corporate espionage when competitor A wants to take down competitor B, what they can do to disrupt their competitor’s business. That’s an emerging risk where cyber liability insurance is now starting to fit in.”


To be continued
