Skip to Content

Can We Insure the Internet of Things Against Cyber Risk?

Software with security flaws, and a lack of historical data on risks, have made the Internet of things tough to insure.
January 25, 2016

Insuring the security of connected products is hard for a simple reason: they are too new, and too little is known about the economic losses or personal injury they might cause. What the industry needs is data, and analytics to translate statistics on losses into policy standards and consistent pricing. Only then can emerging industries like self-driving cars and network-connected medical devices really take off, says software security expert Josh Corman.

Efforts to build a strong insurance industry in this area are expected to begin bearing fruit in early 2016, experts say. A number of groups have begun setting standards for protecting cybersecurity in Internet-of-things devices, and the hope is that they will standardize insurance practice and begin establishing the legal standards for handling data, helping to determine who’s responsible for what losses when things go wrong, says George Washington University Law School lecturer Paul ­Rosenzweig.

Makers of next-generation connected devices—and services—need insurance against malfunctions from bad software as well as any damage hackers might cause. Many connected devices and the systems connecting them use freely available open-source software that has security flaws well known to the industry, says Corman.

But even highly customized software can pose problems. Tesla’s release last summer of an autonomous-steering upgrade illustrated the possible risk, though no injuries were reported. Hackers also demonstrated that they could remotely take over a Jeep through its onboard computers. The potential for cars to cause accidents shows how computer-security problems can cause trouble distinct from the harm done in traditional cybercrimes like theft of credit card data. As Internet business, once centered on retailing, becomes a hub for manufacturers, health care, and services, its insurance needs get more complicated.

Carriers have sold limited amounts of cyberinsurance for years, but little is known about the market, says Eric ­Nordman, director of regulatory services at the National Association of Insurance Commissioners, a group of state regulators. Almost all the insurance written now is believed to cover the costs of losing customers’ personal information to hackers. State laws require disclosure of those breaches, so carriers know how common the incidents really are, and how much they cost to fix. Loss of intellectual property or personal injury, such as injuries that might occur if Tesla’s steering system were hacked, are often simply not insurable, Rosenzweig says.

Keep Reading

Most Popular

Here’s how a Twitter engineer says it will break in the coming weeks

One insider says the company’s current staffing isn’t able to sustain the platform.

Technology that lets us “speak” to our dead relatives has arrived. Are we ready?

Digital clones of the people we love could forever change how we grieve.

How to befriend a crow

I watched a bunch of crows on TikTok and now I'm trying to connect with some local birds.

Starlink signals can be reverse-engineered to work like GPS—whether SpaceX likes it or not

Elon said no thanks to using his mega-constellation for navigation. Researchers went ahead anyway.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.