Is IoT creating a new risk paradigm for business?

  • When issues arise from the use of IoT devices, figuring out who's responsible can be legally complex.

  • Customary insurance policies don't cover risks related to IoT, exposing companies to losses and potential litigation.

The Internet of Things (IoT) is quickly connecting all things to each other — and to us. The clothes dryer informs the smartphone that a new rubber washer is needed or the appliance will malfunction. A sensor embedded in the drywall reports that moisture content behind the wall is rising fast. Our cars automatically veer right when an algorithm inside the computer operating the steering system analyzes a video image indicating danger on the left.

Gartner now predicts that a jaw-dropping 20.8 billion things will be connected to the Internet by 2020, up from 6.4 billion this year. These things comprise pretty much every appliance in the house, as well as machine-to-machine systems on the factory floor, where different pieces of equipment communicate with each other to do things like slow down or speed up based on customer demand forecasts. The benefits from such technologies range from new and better-run products to the creation of new businesses.

That’s the thrilling upside of IoT. The downside is a thriller, too, as IoT creates entirely new risk paradigms.

Take the example of a leaking pipe behind a kitchen wall. Normally, when a pipe leaks, this is a visible occurrence. The homeowner responds to evidence of the leak, has the wall torn down, and the pipe fixed. The homeowner’s insurance policy then picks up the costs of the repairs. But what if an IoT sensor embedded in the kitchen drywall to measure moisture content erroneously reports a problem, for example as the result of the device being hacked? The consumer believes there is a leak and a contractor is called to tear the wall down. Will the insurer pay for the unnecessary work by the contractor?

Not likely, says Michael O’Brien, a partner, cyberrisk team member, and co-chair of the product liability practice team at law firm Wilson Elser Moskowitz Edelman & Dicker. O’Brien has been studying the relationship of IoT and devices to loss causation and insurance protection.

“When something malicious happens, people and businesses typically file (insurance) claims,” O’Brien says. “But IoT adds a layer of complexity to how these losses are evaluated and whether or not they’re actually insured.”

Inevitable finger pointing

Traditional insurance policies exclude cyber-related losses unless otherwise specified. In the previous example, the homeowner’s insurer may argue that the cause of the property damage had nothing to do with the insured perils as laid out in the fine print (in this case an actual pipe leak). The insurer will point the finger at other parties, such as the manufacturer of the drywall, and the manufacturer of the drywall may blame the sensor manufacturer. A third-party component provider may also be deemed culpable, or the contractor who installed the sensor in the drywall, or the provider of Internet and wireless services, if the malfunction is due to the system being penetrated by a hacker.

The risks created by IoT extend to enterprises as well. According to published reports, automaker Nissan recently disabled a mobile app that controlled its Leaf electric car after it realized that hackers might be able to access the vehicle’s temperature controls. It sounds like no more than a simple inconvenience, except that many of a car’s computerized controls are integrated. Jeep learned this after two ethical hackers hired by Wired magazine hacked into a Jeep’s entertainment system to see if they could remotely slow down or stop the vehicle. They could—the brakes were controlled by the car’s crash avoidance system, which was integrated with the entertainment system.

Note that this was an ethical hack. Had it been real and resulted in actual damages, would the automobile insurance policy absorb these costs? “Probably,” says O’Brien. “But it would then seek to subrogate the claim to other parties, such as automotive suppliers.”

Solving the puzzle

So what’s the solution? A good first step would be to make the sensors at the heart of IoT solutions as invulnerable to hacking as possible. So far, this is not the case. One industry study indicates that seven in 10 IoT devices are vulnerable to attack. The report states, for example, that most devices allow simple passwords such as “1234,” and 70 percent do not encrypt communications to the Internet.

Another solution is for insurance companies to change the terms and conditions in their traditional policies, by simply stating cyberrisk losses are covered. “To be fair to insurers, they never anticipated their products would be called upon in these loss scenarios,” says O’Brien. “But, since such scenarios are fast becoming more likely, they need to set the record straight on what is and isn’t covered. I believe there’s also an opportunity for the insurers that come out first with broader protections to gain a competitive edge.”

IoT is here to stay. The upsides are too many to halt its progress. It’s time now for manufacturers and insurers to address the downside. This CEO’s Guide to Securing the Internet of Things offers valuable cybersecurity insights for decision-makers in every industry.

Russ Banham is a Pulitzer-nominated business journalist and author of 24 books who writes frequently about human capital management. All opinions are his own. AT&T sponsored this post.
