We are at an inflection point. The Internet is transitioning from controlling information to controlling physical things, which has profound implications for both the global economy and the future of insurance. In this post, I will provide 7 predictions for how the Internet of Things (IoT) will change the insurance industry, although ultimately these predictions only scratch the surface, as there are few lines of insurance that won’t be impacted by cyber risk in the next 5-10 years.
Background on Internet of Things (IoT)
It is estimated that there will be up to 200 billion everyday objects connected to the Internet by 2020. Applications for the Internet of Things (IoT) are as diverse as consumer devices, manufacturing sensors, health monitoring, connected vehicles, office automation, and all the way to fully ‘smart cities’. The emergence of IoT technologies is a tremendous development that spans all aspects of human existence and could unlock up to $11 trillion per year in value to the global economy by 2025, according to the McKinsey Global Institute.
What these numbers don’t show, however, are the tremendous physical and financial risks associated with having everyday objects connected to the Internet. According to the 2016 Symantec Internet Security Threat Report (ISTR), hundreds of millions of Internet-connected TVs are vulnerable to click fraud, botnets, data theft, and even ransomware, and these numbers are growing rapidly. Cyber attacks on Internet-connected devices create systemic risks and the potential for hundreds of billions of dollars in losses. When physical devices can be hacked (and potentially hacked en masse), the potential for major business interruption, physical damage and even loss of life becomes very real.
This isn’t to say we should not pursue IoT technologies. In fact, in many ways IoT will make society safer, as well as more efficient and convenient. Every year 1.2MM people die in automobile accidents and ~90% of those accidents are attributable to driver error, which will decline as more Internet-connected vehicles incorporate advanced safety features. However, as Internet-connected devices become pervasive in all aspects of our lives, the nature of the risks facing consumers and businesses will be fundamentally different.
While the future is uncertain, especially as it pertains to technology, here are 7 predictions on how IoT could impact insurers.
- Continued Growth of Affirmative Cyber Insurance Policies: According to Lloyd’s of London, cyber attacks cost businesses $400 billion in losses per year and, by some estimates, cyber crime costs the global economy trillions of dollars per year. The current cyber insurance market, which is focused on data protection, is around $2.7 billion globally. The market has doubled over the past 24-36 months and growth shows no signs of abating. Growth of affirmative cyber insurance data and liability policies, which primarily cover costs associated with data breaches, is just the tip of the ‘IoT iceberg’ as cyber becomes an even more important insurable risk.
- Some Core Insurance Lines Will Decline: IoT will change the nature of the risks that consumers and businesses face. For example, according to AT Kearney, features such as Advanced Driver Assisted Systems (ADAS), semi-autonomous vehicles and tracking of stolen vehicles will be deployed in half of the cars on the road by 2025. By some estimates, the global auto insurance market will shrink by 60% or more as driver error is reduced and the insurance needed for this risk declines accordingly. As key insurable losses become preventable by IoT, core insurance lines will decline.
- IoT Aggregation Risk Starts Pervading A Diverse Set of Insurance Lines: IoT can turn large-scale hacks into global cyber catastrophes. Already, there have been successful hacks on industrial control systems that have led to major physical damage in heavy industries. Fortunately, these incidents have been isolated, ‘one-off’ occurrences. However, with key industrial control systems, logistics tracking systems and building automation systems shared across tens of thousands of businesses, the potential for major cross-cutting cyber events is increasing. IoT aggregation risk occurs in insurance lines where it wasn’t previously observed, accounted for or priced into the cost of an insurance policy.
- Cyber Peril Exclusions Grow in Commercial Policies: In the years to come, we will see highly public ‘forcing events’ related to cyber attacks on IoT devices. Unfortunately, it is not a matter of if but when we see major IoT cyber hacks. When these events happen, insurers will likely respond by writing in more explicit exclusions for cyber perils in insurance lines such as product liability, property, E&O and other policies. In many cases insurers are focused on the aggregation risks that exist within their affirmative cyber data and liability policies, when the reality is there is tremendous silent coverage in the rest of an insurer’s portfolio today.
- ‘Cyber Gap’ Insurance Policies Emerge: There will be an expanding list of critical cyber perils that won’t be covered under a standard insurance policy. Specialty cyber insurance policies and endorsements will surface to fill the need for IoT cyber risk coverage. McKinsey estimates that up to $3.7 trillion in value could be unlocked in factories alone from IoT. Too much value is at stake for clients not to seek coverage from insurers, and the market demand is too large for insurers not to provide this cover, although it will take deep cyber expertise to understand these novel risks.
- New Cyber Risk Capital Market Offerings Emerge: Currently the global insurance market has $4-5B in capacity for nuclear risks and $100B for natural catastrophes. Fixing the ‘Y2K bug’ alone is estimated to have cost $100B, and the costs associated with remediating IoT security deficiencies could be very high, particularly when IoT componentry does not always have a means for remote firmware updates. Given that cyber events represent hundreds of billions of dollars (or more) of potential liability, and have low correlation with other events, there is a role for capital markets providers to step in to help transfer risk. Given initial explorations already happening today, London could emerge as a major market for insurance-linked securities tied back to cyber risk.
- Insurers Will Help Drive IoT Security: Consumers aren’t necessarily buying technology products with IoT risk in mind; regulators are struggling to keep up; and in a race to get to market, technology companies are often launching new products without adequate cyber security in mind. Symantec’s research has shown that 19% of mobile apps used to control IoT devices didn’t use SSL connections to the cloud and over 50% didn’t provide a mechanism for firmware updates, or if they did, those updates were not encrypted. Given that insurers are taking on the financial risk associated with IoT going wrong, insurers have an important role to play in making sure that the basics are done right for the risks they underwrite.
The emergence of IoT is a tremendous technological development that will create wide-ranging benefits for governments, businesses and consumers. However, it will also propel cyber risk into the limelight as the most important risk of the 21st Century.
As an industry that transfers and mutualizes risk, the implications for insurers are far-reaching and there will be both winners and losers. Those that win will have a deep understanding of the evolving nature of cyber risk, leveraging cyber data, intelligence and expertise. Companies like Symantec will have an important role to play in helping to understand evolving threats, which is why we have set up a dedicated Cyber Insurance Group to support our insurer partners.
It is hard to predict the future of technology and the risks that new technology will create with any degree of certainty. What is certain is that where there is risk, there is an opportunity for insurers to provide risk transfer solutions through insurance products. Just as there is innovation in technology, there will be innovation in insurance as both industries come together to unlock the potential of the Internet of Things.