By Pascal Millaire
We are at an inflection point. The Internet is transitioning from controlling information to controlling physical things, which has profound implications for both the global economy and the future of insurance. In this post, I will provide 7 predictions for how the Internet of Things (IoT) will change the insurance industry, although ultimately these predictions only scratch the surface as there are few lines of insurance that won’t be impacted by cyber risk in next 5-10 years.
Background on Internet of Things (IoT)
- Continued Growth of Affirmative Cyber Insurance Policies:
According to Lloyd’s of London, cyber attacks cost businesses $400 billion in losses per year and by some estimates, cyber crime costs the global economy trillions of dollars per year. The current cyber insurance market, which is focused on data protection, is around $2.7 billion globally. The market has doubled over the past 24-36 months and growth shows no signs of abating. Growth of affirmative cyber insurance data and liability policies, that primarily cover costs associated with data breaches, is just a tip of the ‘IoT iceberg’ as cyber becomes an even more important insurable risk.
- Some Core Insurance Lines Will Decline: IoT will change the nature of the risks that consumers and businesses face. For example, according to AT Kearney, features such as Advanced Driver Assisted Systems (ADAS), semi-autonomous vehicles and tracking of stolen vehicles will be deployed in half of the cars on the road by 2025. By some estimates, the global auto insurance market will shrink by 60% or more, where there is a reduction in driver error and a resulting decline in the insurance needed for this risk. As key insurable losses become preventable by IoT, core insurance lines will decline.
- IoT Aggregation Risk Starts Pervading A Diverse Set of Insurance Lines: IoT can turn large-scale hacks into global cyber catastrophes. Already, there have been successful hacks on industrial control systems that have led to major physical damage in heavy industries. Fortunately, these incidents have been isolated to ‘one-off’ occurrences however with key industrial control systems, logistics tracking systems and building automation systems crossing tens of thousands of businesses, the potential for major cross-cutting cyber events is increasing. IoT aggregation risk occurs in insurance lines where it wasn’t previously observed, accounted for or priced into the cost of an insurance policy.
- Cyber Peril Exclusions Grow in Commercial Policies: In the years to come, we will see highly public ‘forcing events’ related to cyber attacks on IoT devices. Unfortunately, it is not a matter of if but when we see major IoT cyber hacks. When these events happen, insurers will likely respond by writing in more explicit exclusions for cyber perils in insurance lines such as product liability, property, E&O and other policies. In many cases insurers are focused on the aggregation risks that exist within their affirmative cyber data and liability policies, when the reality is there is tremendous silent coverage in the rest of an insurer’s portfolio today.
- ‘Cyber Gap’ Insurance Policies Emerge: There will be an expanding list of critical cyber perils that won’t be covered under a standard insurance policy. Specialty cyber insurance policies and endorsements will surface to fill in the need for IoT cyber risk coverage. McKinsey estimates that up to $3.7 trillion in value could be unlocked in factories alone from IoT. Too much value is at stake for clients not to seek coverage from insurers and the market demand is too large for insurers not to provide this cover, although it will take deep cyber expertise to understand these novel risks.
- New Cyber Risk Capital Market Offerings Emerge: Currently the global insurance market has $4-5B in capacity for nuclear risks and $100B for natural catastrophes. Fixing the ‘Y2K bug’ alone is estimated to have cost $100B and the costs associated with remediating IoT security deficiencies could be very high, particularly when IoT componentry does not always have a means for remote firmware updates. Given cyber events represent hundreds of billions of dollars (or more) of potential liability, which have low correlation with other events, there is a role for capital markets providers to step in to help transfer risk. Given initial explorations already happening today, London could emerge as a major market for insurance linked securities tied back to cyber risk.
- Insurers Will Help Drive IoT Security: Consumers aren’t necessarily buying technology products with IoT risk in mind; regulators are struggling to keep up; and in a race to get new products to market, technology companies are often launching new products, often without adequate cyber security in mind. Symantec’s research has shown 19% mobile apps used to control IoT devices don’t use SSL connections to the cloud and over 50% didn’t provide a mechanism for firmware updates, or if they did those updates were not encrypted. Given insurers are taking on the financial risk associated with IoT going wrong, insurers have an important role to play in making sure that the basics are done right for the risks they underwrite.
The emergence of IoT is a tremendous technological development that will create wide-ranging benefits for governments, businesses and consumers. However, it will also propel cyber risk into the limelight as the most important risk of the 21st Century.
As an industry that transfers and mutualizes risk, the implications for insurers are far reaching and there will be both winners and losers. Those that win will have a deep understanding of the evolving nature of cyber risk, leveraging cyber data, intelligence and expertise. Companies like Symantec will have an important role to play in helping to understand evolving threats, which is why we have set up a dedicated Cyber Insurance Group to support our insurer partners.
It is hard to predict the future of technology and the risks that new technology will create with any degree of certainty. What is certain is that where there is risk, there is an opportunity for insurers to provide risk transfer solutions through insurance products. Just as there is innovation in technology, there will be innovation in insurance as both industries come together to unlock the potential of the Internet of Things.
Looking for more insights? Be sure to read What Every CISO Needs to Know about Cyber Insurance.
Pascal Millaire is Vice President at Symantec Corporation and the General Manager of the company’s Cyber Insurance Group.