Can We Insure the Internet of Things Against Cyber Risk?
Insuring the security of connected products is hard for a simple reason: they are too new, and too little is known about the economic losses or personal injury they might cause. What the industry needs is data, and analytics to translate statistics on losses into policy standards and consistent pricing. Only then can emerging industries like self-driving cars and network-connected medical devices really take off, says software security expert Josh Corman.
Efforts to build a strong insurance industry in this area are expected to begin bearing fruit in early 2016, experts say. A number of groups have begun setting standards for protecting cybersecurity in Internet-of-things devices, and the hope is that they will standardize insurance practice and begin establishing the legal standards for handling data, helping to determine who’s responsible for what losses when things go wrong, says George Washington University Law School lecturer Paul Rosenzweig.
Makers of next-generation connected devices—and services—need insurance against malfunctions from bad software as well as any damage hackers might cause. Many connected devices and the systems connecting them use freely available open-source software that has security flaws well known to the industry, says Corman.
But even highly customized software can pose problems. Tesla’s release last summer of an autonomous-steering upgrade illustrated the possible risk, though no injuries were reported. Hackers also demonstrated that they could remotely take over a Jeep through its onboard computers. The potential for cars to cause accidents shows how computer-security problems can cause trouble distinct from the harm done in traditional cybercrimes like theft of credit card data. As Internet business, once centered on retailing, becomes a hub for manufacturers, health care, and services, its insurance needs get more complicated.


Carriers have sold limited amounts of cyberinsurance for years, but little is known about the market, says Eric Nordman, director of regulatory services at the National Association of Insurance Commissioners, a group of state regulators. Almost all the insurance written now is believed to cover the costs of losing customers’ personal information to hackers. State laws require disclosure of those breaches, so carriers know how common the incidents really are, and how much they cost to fix. Loss of intellectual property or personal injury, such as injuries that might occur if Tesla’s steering system were hacked, are often simply not insurable, Rosenzweig says.
Keep Reading
Most Popular
Geoffrey Hinton tells us why he’s now scared of the tech he helped build
“I have suddenly switched my views on whether these things are going to be more intelligent than us.”
ChatGPT is going to change education, not destroy it
The narrative around cheating students doesn’t tell the whole story. Meet the teachers who think generative AI could actually make learning better.
Meet the people who use Notion to plan their whole lives
The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.
Learning to code isn’t enough
Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.