The Internet of Things and (Re)Insurance: Grappling with the Regulatory Challenges
In an age where devices outnumber humans[i], a new big data reality of hyper-connectivity and automation looms as the Internet of Things (‘IoT’) increasingly takes hold across societies and economies. Aptly described as the ‘global infrastructure for the information society’[ii], it is transforming every imaginable process – how a light switch is controlled, how we navigate in the air or at sea, how cities operate, and how manufacturing processes are conducted.
For the insurance industry, this inevitably opens up a multitude of opportunities. It will change the way we as an industry interact with customers and the very risks we insure. Imagine, for example, having the ability to detect a faulty engine, or to find the root cause of an accident at the click of a button. The increasing usage of IoT spanning a breadth of insurance classes will also create the need for new insurance products that address the unprecedented extent of the risks posed, as data breaches and cyber-attacks will have far-reaching – and potentially fatal – consequences. Insurers and reinsurers will play a vital role as demand for new insurance products will grow. However, the regulatory challenges must also be borne in mind. Data privacy obligations will likely become ever more onerous, the determination of liability will become increasingly complex, and regulatory risk locations will become more numerous.
For regulators, the challenge will be in appropriately managing the fine balance between consumer protections and commercial freedoms. For the insurance industry, this is the time to proactively take action, and steer the direction of the insurance landscape of the future.
Why (Re)Insurers Should Take Note
Though definitions vary, IoT refers fundamentally to the interconnectivity of objects to devices or networks, which communicate to transmit and obtain data. Virtually anything can now be connected in this way, including consumer and commercial products. The opportunities it presents for the Lloyd’s market will be perhaps most significant in the industrial sector given the heightened liabilities inherent in complex multi-jurisdictional supply chains and stakeholders, which will demand more specialised insurance products. Reinsurance will also play a vital role in supporting overall market growth where such disruptive technologies are concerned, taking on some of the risk as higher limits and remits are implicated.
Virgin Airlines, for example, is harnessing IoT in their aircraft maintenance operations, allowing them to proactively detect and rectify mechanical faults. China plans to use IoT to accelerate its economic prowess through smarter, higher-value manufacturing under its ‘Made in China 2025’ initiative. Autonomous vehicles and drones are set to control the ‘smart farms’ of the future with technology that could combat issues related to climate change and bio-diversity. In cities, IoT is being leveraged to alleviate the mounting challenges associated with urbanisation, such as the environment, safety, and transport. IoT is already proving to be a practicable solution to reducing road accidents in Los Angeles, USA. This will only grow – over 500 Chinese cities are now embarking on initiatives to tackle issues such as pollution and transport[iii], and as much as USD 41 trillion is predicted to be spent on ‘smart city’ initiatives worldwide over the next 20 years.[iv]
However, IoT’s efficiencies come at a price. The Distributed Denial-of-Service (DDoS) attacks that took place last year demonstrated the new and complex risk landscape for IoT products. More data is being transmitted than ever before, reliant on sensors and connected devices that do not require the intervention of a human being. This hyperconnectivity provides multiple ports of entry for attack, with many devices not being designed with the appropriate data security measures in mind. The DDoS attack, for example, entered the network via 25,000 hacked CCTV cameras.[v] This presents a goldmine for hackers, who will be able to access sensitive data on a mass scale. It will also make nations vulnerable to cyber-terrorist attacks, which will have the potential to debilitate essential services, and cause physical harm to persons and property. Lloyd’s is keeping close watch on these scenarios and has developed a scenario exploring losses arising from a cyber-attack on a US power grid (Business Blackout, 2015) with Cambridge University, as well as cloud failure and mass vulnerabilities scenarios (Counting the cost, 2017) in collaboration with Cyence.
The potential and pace of innovation will therefore require more specialist insurance products that go beyond the confines of a typical cyber policy, which would be insufficient to cover the extent of these risks. Where cyber-terrorism is concerned, it is also unlikely to fall within the remit of a traditional terrorism insurance policy.[vi] Given IoT’s widespread use, other classes are also likely to be engaged. IoT insurance products will therefore need to straddle the divide between insurance classes. Casualty classes in particular will face difficult questions as to the attribution and apportionment of liability. In the automotive industry, for example, IoT integration and data analytics increasingly edge towards automation and lessen the need for driver judgement, with the ability to diagnose the health of the vehicle and provide personalised advice to the driver on parking, fuel levels and speed limits. As human error becomes less pertinent, these questions will only grow, as seen in the recent House of Commons debates on the Automated and Electric Vehicles Bill. The potential for such consequences may therefore affect classes such as Directors & Officers liability and product liability, depending on where the legal liability for the malfunction of a connected device lies. In the EU, for example, Directive 85/374/EEC on defective products liability holds liable ‘producers’ (broadly defined), even where no negligence or fault on their part is found, in instances where damage is caused by death or personal injury, or is damage to private property.
In addition, the insurance industry should consider its own opportunities to harness IoT to positively inform end-user relationships and risk management practices. The provision of data will ultimately create greater brand loyalty by aiding the customisation of products based on customer needs, whilst having the dual function of preventing unwarranted claims and in some cases, reducing the risk significantly.
Unsurprisingly, data privacy will be the number one challenge. Whilst law-making has not kept pace with that of innovation, regulators and legislative bodies around the world are already responding. Those utilising IoT will likely be subject to increasingly onerous operational burdens, and those seeking to insure such risks may also face challenges given the numerous regulatory risk locations that may arise.
For example, the EU’s upcoming General Data Privacy Regulation (‘GDPR’), which comes into force in the UK on 25 May 2018, will impose enhanced data protection obligations on those who process or store data. Notably, the GDPR’s accountability principle (Article 5) restricts the collection and storage of personal data to specified, explicit and legitimate purposes. This poses a challenge where such data is collected via sensors and transmitted across an IoT network, and insurers seeking to do so will need to consider carefully the methods and devices they employ. Currently, many IoT devices are reportedly weak on data protection, with 59% failing to accurately explain how personal information is collected, used and disclosed.[vii] In the US, the Department of Homeland Security has released a set of six non-binding ‘strategic principles’ to address cyber security challenges in IoT, recognising the threat it poses to critical infrastructure and national security. As with the GDPR, its principles are designed specifically for those at the business level, such as manufacturers and service providers, to incorporate security and privacy measures into their practices. In Singapore, similar changes are set to take place as part of the National Cybersecurity Masterplan 2018.
As innovation continues to accelerate beyond expectations, regulators and legislative bodies worldwide will therefore need to determine whether new regulations ought to be introduced to tackle the issues presented by IoT and other products of the innovation economy. However, the main challenge will lie in striking the appropriate balance so that such protections foster, rather than hinder, global commercial activity. The global ecosystem in which IoT operates demands that regulation should not be made in silos. Rather, it requires multi-stakeholder dialogue and cooperation between regulators, insurers, data security firms, producers and service providers to ensure cross-border trade is facilitated through the mutual recognition of laws and regulations.
Meanwhile, the insurance industry must not simply march lock-step to the pace of regulation. Now is the time to take a proactive, entrepreneurial approach to IoT and other products of the innovation economy. With its potential to be at the forefront of the greatest innovations and risks of the future, this will enable our industry to shape the regulatory landscape in a positive way.
With a projected economic impact of as much as USD 11.1 trillion per year[viii], IoT’s exponential growth presents key opportunities for the insurance industry – new and specialised insurance products, new ways to engage with customers, and enhanced risk management practices. Reinsurance will play an essential role in making this possible. Inevitably, this will come with unprecedented regulatory challenges around data privacy and cyber security, which must be appropriately complied with and factored into the determination of the degree of risk. Nevertheless, Lloyd’s market, as an enabler of the innovative progress of mankind, has the opportunity to act and guarantee its competitive stake. Whilst the swift pace of innovation today is unassailable by most, the future will be brightest for those insurers who proactively leverage this key economic driver.
The Lloyd’s Innovation team is currently working with UCL STEaPP and the PETRAS Research Hub on an emerging risks and research report that will serve as a discussion document for identifying emerging risks and opportunities arising from the interconnected and increasingly ubiquitous character of the Internet of Things (IoT). In particular, the report aims to discuss the current and future emerging risks and opportunities, to outline the insurance challenges with the analysis of risk and liability within the increasingly complex IoT ecosystem, and to provide a diverse array of IoT risk examples across a range of sectors.
[i] Evans, D. (2011). The Internet of Things. [Blog] Cisco Blogs.
[ii] International Telecommunication Union (2012). Overview of the Internet of things. Recommendation ITU-T Y.2060, p. 1. [pdf] ITU-T Y-Series Recommendations.
[iii] China Daily (2017). China’s ‘smart cities’ to number 500 before end of 2017. [online]
[iv] Pattani, A. (2016). Building the city of the future – at a $41 trillion price tag. CNBC. [online]
[v] Khandelwal, S. (2016). IoT Botnet – 25,000 CCTV Cameras Hacked to launch DDoS Attack. [Blog] The Hacker News.
[vi] Lloyd’s, (2017). Future cities: building infrastructure resilience. [pdf] Arup, pp. 38-39.
[vii] Warren, L. (2017). Data protection and Internet of Things: How will GDPR impact your business? [Blog] Jelf.
[viii] McKinsey Global Institute. (2015). The Internet of Things: Mapping the Value Beyond the Hype. [pdf] p. 2.