Understanding cyber insurance and the IoT

This entry was posted on Thursday, March 30th, 2017.

Written by Asaf Ashkenazi for Rambus

Denise Johnson of Claims Journal recently observed that there has been a noticeable jump in spear-phishing and ransomware incidents. Concurrently, data security has weakened due to an increase in connected and mobile devices. As such, it has become critical for businesses and insurers to fully understand how to effectively protect themselves against such attacks.

“That’s according to an expert panel discussion held during the American Bar Association Torts annual insurance coverage litigation mid-year program,” writes Johnson. “[For example], Lisa Phillips, a national practice advisor for the Wells Fargo Insurance Errors & Omissions Cyber Group, said the structure of cyber policies varies according to the party protected.”


Specifically, third party liability policies cover privacy liability, network security, media liability, regulatory action (and may carry a sublimit), while first party coverage includes reimbursement coverage, privacy notification, crisis management expenses and credit monitoring services. Additional first party reimbursement coverages, says Johnson, may include cyber extortion, business interruption and data restoration.

Clearly, there are many ‘known unknowns’ when it comes to understanding the full extent of cyber insurance liability and coverage. As the cyber insurance industry continues to evolve, precisely defining the boundaries of a cyber-attack and the damage that follows from it will become more difficult. Moreover, insurance companies are likely to demand that policy holders meet certain standard security practices and implementations to qualify for coverage. Multiple exclusions and limitations on compensation for direct damage (for example, loss of potential business due to an outage) may force claimants to accept far less than they were expecting.

Adding an Internet of Things (IoT) dimension to an already uncertain cyber insurance model raises many questions, while altering the current status quo for both the insurer and claimant. For example, how will cyber insurance impact automotive insurance? Will premiums increase every time there is a major risk or hacking event? Will premium rates be affected by the inclusion or exclusion of remote control connectivity?

To limit their liability (which is likely to be extensive), cyber insurance companies will almost certainly want to know specific security details, such as what (effective) mechanisms are put in place to restrict unauthorized access to devices and systems. This paradigm could very well start with vehicles and ultimately extend to a range of devices, including refrigerators, ovens, dryers and washing machines. Of course, the industry will have to determine the warranty limitations of connected appliances. For example, what happens if a washing machine or refrigerator is remotely disabled because the owner didn’t adequately protect the appliance from digital intruders? Who is held liable?

As the Jeep Chrysler hack illustrates, a manufacturer may not intend for a device or system to support remote access to certain functions. Nevertheless, malicious attackers can still hack and change default settings. For example, the unauthorized remote injection of stealth code can enable unauthorized digital entry to restricted areas of a device or system – resulting in significant changes to access levels along with the creation of exploitable vulnerabilities.

In conclusion, the cyber insurance paradigm is evolving to meet an ever-increasing threat landscape crowded with vulnerable IoT devices. Although there are more questions than answers about the future parameters of cyber insurance, increased security measures will undoubtedly play a critical role in defining the contours of future policies.