Risk managers hedge bets between IoT benefits and vulnerabilities Bookmark has been added
Risk managers hedge bets between IoT benefits and vulnerabilities
For investments in Internet of Things (IoT) to pay off, insurance risk managers need to stay a step ahead of hackers by implementing stronger security tactics.
IoT is becoming an everyday encounter
While I’m not much of a gambler, I’d surely wager that as you read this blog you are either wearing some form of IoT device, have one in the room/office/home/vehicle you are sitting in, or encountered any number of them on your way to work today. The myriad of sensors is now being embedded in most forms of equipment, vehicles, clothing, and infrastructure to measure, collect, protect, and inform.
The number and variety of these sensors are growing rapidly. The International Data Corporation forecasts global spending on the IoT will reach $745 billion in 2019, a 15.4 percent increase over 2018, and will maintain a double-digit annual growth rate throughout the 2017-2022 forecast period to surpass the $1 trillion mark in 2022.1
The insurance sector’s attention to IoT continues to grow
The pervasiveness of connectivity through the IoT and how it will fuel artificial intelligence (AI) was front and center at the recent Risk and Insurance Management Society (RIMS) conference in Boston. It was quite apparent that commercial insurance buyers for companies big and small are placing a good deal of focus on the benefits of integrating wireless sensors throughout their operations, infrastructure, and even their personnel via wearables.
IoT devices are a relatively inexpensive, novel way for insurance carriers and intermediaries to increase and strengthen connections with the risk managers buying their products and services. At the same time, this phenomenon is expanding an insurer’s value proposition beyond coverage to loss prevention, while lowering loss ratios, collecting new sources of alternative data for more personalized products and pricing, and helping write risks previously deemed undesirable.
Discussions about IoT vulnerabilities take center stage
But it was not all unicorns and rainbows at RIMS. The glaring potential downside risks of IoT were just as present at the conference, giving pause to risk management stewards and conceivably impacting their ability to sleep soundly.
One presenter regaled the audience with a tale of a visit to his dentist, where the receptionist had a smart speaker (which serves as an IoT hub) on her desk. She was clearly not alone in using such a device at the office or when working from home but was most certainly unaware that each time she discussed a patient’s information the device may have been “listening in,” making personally identifiable data potentially accessible to hackers.
Such possible breaches may not appear to be much of a threat on the surface. However, when these Internet-connected devices are assembled into a botnet, the consequences can be ruinous on a significant scale. Thus, many at RIMS expressed alarm not about attacks on individual sensors, but rather that they will be co-opted to execute wider-reaching assaults. From smart microwaves, refrigerators, and lightbulbs to sensors entrenched in smart city infrastructure, the systemic peril was the bigger picture issue worrying risk managers, given the alarming implications for widespread damage and liabilities.
In one such attack in 2016, a Mirai botnet (Japanese malware) exploited insecure IoT devices to scan the Web for open Telnet ports and launched a distributed denial of service (DDoS) attack, essentially knocking out large segments of the Internet in the US.2 Alarmingly, the Mirai botnet has since been updated and gained increased effectiveness.3
Lackluster security measures make IoT a target of hackers
Speakers at the RIMS conference warned that IoT security remains one of the weakest links in wireless connectivity, and the culpability is widespread. Several cautioned that IoT-enabled devices commonly require only weak password/reset credentials. And they often lack adequate processing capacity for secure controls, so producers/manufacturers may not have the skills or impetus to include security features, particularly in the lower priced devices. Others pointed out that there is still a general lack of uniformity in standards and protocols around regulations related to the use of wireless devices and connectivity.
Hackers are drawn to this low hanging fruit. In some cases, attacks are introduced at the bottom of the supply chain through vendors or subcontractors to get into corporate networks. In one instance, hackers used a thermometer in a casino lobby aquarium to get into the corporate network and steal the high-roller database.4
It’s time to act now
While it is clear IoT devices are a vital source of information in the knowledge economy now and going forward, for insurers and risk managers alike, it is even more evident that security can no longer be an afterthought, and that new types of liabilities should be considered when assessing coverage needs.
Risk managers will need to position themselves to get ahead of these emerging threats, which may include providing policy and process training and awareness for employees, as well as arranging adequate insurance to cover potential casualties. Additionally, they can consider regular network monitoring and audits, even in less traditional functions like facilities management and vendor oversight, and system cutoffs when hacks occur.
Likewise, insurers would be prudent to perform threat and risk assessments to bolster their own defenses against IoT-related cyber-attacks, as well as invest in IoT data security and fraud protection.5
It’s likely that risk management stewards will place their bets to benefit from increasingly pervasive IoT capabilities, but it will be incumbent on them to hedge these bets with added security measures. The question is, can they adequately reconcile the two—taking advantage of the positive elements of digital connectivity for loss prevention while containing the downside risk of generating new liabilities due to inevitable nefarious activity?
1 IDC Worldwide Semiannual Internet of Things Spending Guide, January 2019.
2 The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet, CSO from IDG, by Josh Fruhlinger, March 9, 2018.
3 Mirai variant picks up new tricks, expands list of targeted devices, HELPNETSECURITY, by Zeljka Zorz, March 19, 2019.
4 Hackers once stole a casino’s high-roller database through a thermometer in the lobby fish tank, Business Insider, by Oscar Williams-Grut, April 15, 2018.
5 What insurers need to know about the downside of 'IoT': Property & casualty insurers must take time to understand this new frontier of threat and risk., Property Casualty 360, by Henrik Kiertzner and Norman Black, March 07, 2019.
QuickLook is a weekly blog from the Deloitte Center for Financial Services about technology, innovation, growth, regulation, and other challenges facing the industry. The views expressed in this blog are those of the blogger and not official statements by Deloitte or any of its affiliates or member firms.