IoT Creates New Risk Dynamic and Demands Creative Solutions

Broker Aon has issued a new study which says the Internet of Things (IoT) creates a new breed of threat that demands a new approach to risk mitigation.

The report authored by Aon’s Emma Karhan and Kelly Superczynski, warns that the market needs to adopt a different approach to the risks that the IoT pose.

“The constant connectivity and data sharing through the anticipated 20.4 billion connected devices by 2020 invites new opportunities to compromise security,” it said. “Increasingly, connected devices for both personal and business use ushers in vulnerabilities that cyber-attackers can exploit. In fact, IoT devices are notoriously easy to infiltrate. NETSCOUT estimates that IoT devices are, on average, likely to be compromised within five minutes of connectivity to the Internet.”

However, IoT cyber risks present an opportunity for insurers to support organisations by raising awareness of risk management and exploring new cyber insurance products and services to provide protection.

“IoT and other unmanaged devices increase exposure to typical cyber-loss events due to their growing volume and relative lack of security,” it added. “Commoditisation and globalisation also play a role as most IoT devices involve a long, complex supply chain.

“Catastrophic risks like business interruption, fire, explosion and sabotage can now be activated by hostile cyber actors. Attackers need only one trivial vulnerability to enter a network, and from there it’s relatively easy for them to take control.”

However, the report warns traditional IT security tools and methods “simply do not work for IoT devices”, partially due to their diversity and because they cannot easily be secured as they are black boxes.

“IoT is the entry point of choice for cyber attacks. Attackers have an extreme advantage today because they know how to analyse IoT firmware and find trivial vulnerabilities,” states the report. “Until organisations are able to level the playing field, their entire network is at risk in ways unimaginable a decade ago.”

The report adds that the market has to create new solutions.

“In many cases, the knock-on effects of cyber attacks involving tangible assets enter the realm of non-affirmative or ‘silent’ cyber risk. These are cyber exposures nestled within traditional property or general liability policies that were not worded by property and casualty underwriters to account for the proliferation of a technological new era. Insurers’ IoT cyber insurance potential remains largely untapped as they must first substantially innovate existing products to reflect evolving cyber risks.”

It concludes: “Companies that rely on IoT may be exposed to unforeseen risks that may not be insured today. Insurers, reinsurers and their customers must work together to understand, mitigate and transfer these new, complex risks in an increasingly IoT-driven world to achieve the opportunities in a safe and secure way.”