The IoT conundrum – navigating cyber risk

The deployment of IoT devices is rapidly transforming industries, as organisations leverage real-time data from these devices to better manage operations, risk and ESG metrics.

From a risk management perspective, IoT and real-time data enable a shift from a reactive to a predictive and preventative model, i.e. leaks can be fixed at the tap dripping stage, not (just) once a location is flooded. Not only is physical damage mitigated, so is the consequent business interruption. There is, however, a dark side to the use of these devices, primarily related to cyber risk – a challenge where the insurance and the technology sectors as well as human behaviour need to come together.

The increased integration of IoT devices in assets, properties, vessels, and aeroplanes, to name but a few, has amplified cyber threats and related security concerns. Let’s not forget the infamous Las Vegas fish tank incident in 2018, where a casino was compromised through a vulnerability in an IoT thermometer in a fish tank. This led to unauthorised access to a database of gamblers, with consequential reputational damage.

According to the Zscaler™ ThreatLabz 2023 Enterprise IoT and OT Threat Report, 2023 has seen a four-fold increase in malware attacks against IoT and OT devices. With 52% of IoT device traffic coming from manufacturing and retail companies, per their research, cyber risk poses a significant threat to businesses.

As IoT applications continue to diversify across multiple sectors and are embedded into assets and critical infrastructure, the potential damage from cyber attacks increases. The sheer scale of devices being connected on a daily basis presents a multi-faceted challenge.

The challenges around cybersecurity stem from the ecosystem and connectedness of those organisations deploying the devices, the technology providers, insurers and brokers. The technology sector has been proactive in addressing security issues, often working years in advance of new products hitting the market, yet this does not help devices that are already deployed and that may have legacy vulnerabilities that can be exploited by hackers. 

Industry standards and best practices are being developed to create a uniform understanding of what constitutes secure IoT usage.  However, while compliance with these best practices can provide a degree of security, it also risks fostering a false sense of safety. 

There needs to be a change in approach from a ‘defender’ mindset to an ‘attacker’ mindset, i.e. being proactive rather than reactive when it comes to security. It means not only understanding the function and benefits of a particular IoT device but also the risks associated with its compromise.

There is a need for proper education for buyers, installers, risk managers, and insurers to understand how IoT devices are constructed and what data they may hold or transmit.  Education must encompass not just the individual devices but the broader ecosystem in which they operate. The cornerstone of cyber security is the protection of data, hence the need to evaluate the overall IT systems supporting IoT devices rather than assessing the devices in isolation.

A recent alumnus of the Lloyd’s of London Innovation Lab, Axio has developed a cyber security assessment and quantification tool, Axio 360, which offers realistic scenario analysis and cyber risk quantification by understanding the potential financial impact of cyber events across potential physical damage and business interruption costs.

There is a unique opportunity for collaboration between the insurance and technology sectors. Cyber security solutions must be multilateral, considering aspects from both technological design and operational risk, and extending to the very architecture of business processes.

Proactive testing for various compromise scenarios, coupled with corrective and preventive action, remains critical for building secure operational environments. Testing alongside an accreditation, such as Secured by Design in the UK, can provide an additional layer of confidence and trust. But ultimately, accountability must be collective. Only a harmonised effort from manufacturers, insurers, and end-users can build a robust defence against the evolving challenges posed by IoT devices in the landscape of cyber risk.

So, whilst IoT offers transformative benefits to the insurance and multiple industry sectors, it simultaneously poses significant cyber risks. As the boundaries between the digital and physical world (the ‘phygital’ world) continue to blur, the imperative for a collaborative, multi-stakeholder approach to cybersecurity has never been more urgent.

Hélène Stanway is a former Head of Innovation & Emerging Technology at AXA XL where she specialised in IoT initiatives. Hélène is now the Co-founder of the SENSE Consortium, where she consults for and speaks all over the world to companies and insurance audiences about navigating and embracing digital innovation.