Can We Insure the Internet of Things Against Cyber Risk?

Software with security flaws, and a lack of historical data on risks, have made the Internet of things tough to insure.

Tim Mullaneyarchive page

January 25, 2016

Insuring the security of connected products is hard for a simple reason: they are too new, and too little is known about the economic losses or personal injury they might cause. What the industry needs is data, and analytics to translate statistics on losses into policy standards and consistent pricing. Only then can emerging industries like self-driving cars and network-connected medical devices really take off, says software security expert Josh Corman.

Efforts to build a strong insurance industry in this area are expected to begin bearing fruit in early 2016, experts say. A number of groups have begun setting standards for protecting cybersecurity in Internet-of-things devices, and the hope is that they will standardize insurance practice and begin establishing the legal standards for handling data, helping to determine who’s responsible for what losses when things go wrong, says George Washington University Law School lecturer Paul Rosenzweig.

Makers of next-generation connected devices—and services—need insurance against malfunctions from bad software as well as any damage hackers might cause. Many connected devices and the systems connecting them use freely available open-source software that has security flaws well known to the industry, says Corman.

But even highly customized software can pose problems. Tesla’s release last summer of an autonomous-steering upgrade illustrated the possible risk, though no injuries were reported. Hackers also demonstrated that they could remotely take over a Jeep through its onboard computers. The potential for cars to cause accidents shows how computer-security problems can cause trouble distinct from the harm done in traditional cybercrimes like theft of credit card data. As Internet business, once centered on retailing, becomes a hub for manufacturers, health care, and services, its insurance needs get more complicated.

Carriers have sold limited amounts of cyberinsurance for years, but little is known about the market, says Eric Nordman, director of regulatory services at the National Association of Insurance Commissioners, a group of state regulators. Almost all the insurance written now is believed to cover the costs of losing customers’ personal information to hackers. State laws require disclosure of those breaches, so carriers know how common the incidents really are, and how much they cost to fix. Loss of intellectual property or personal injury, such as injuries that might occur if Tesla’s steering system were hacked, are often simply not insurable, Rosenzweig says.