BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Connected world creates coverage conundrum

Conventional insurance policies fall short when applied to exposures presented by internet of things

Connected world creates coverage conundrum

The “internet of things” — the concept of connecting a device to the internet — and its potential for disaster are growing concerns for risk managers and insurers because the devices are increasingly embedded in infrastructure projects.

Often associated with devices used to build “smart homes” by connecting appliances, entertainment systems, communications systems, fitness devices and other consumer goods, the internet of things also has wide, and not always secure, applications in industry.

There is greater risk of bodily injury and property damage with internet-connected devices used in critical functions in the power grid, for example, including nuclear plants; marine; transportation, including aircraft and self-driving cars; and even in the development of so-called “smart cities” that apply a variety of digital and electronic technologies.

The potential source of that danger includes nation-states, criminal hackers and disgruntled employees, although nation-states may pose the greatest risk, observers say.

Recent examples of the infrastructure’s vulnerability include hackers’ exploitation of a fault last year in the technology of Ruel-Malmaison, France-based utility Schneider Electric S.E., which halted operations at an undisclosed industrial facility. In addition, several cyber attacks on Ukraine’s power grid since 2015 have been attributed to Russia.

Some observers believe the problem lies in historic lack of regard for security and the greater focus instead on the devices’ economic benefits.

The insurance industry, which can play a critical role in this area, is beginning to address internet of things exposures through its coverages, increasingly in the form of hybrid policies that contain elements of cyber, property and casualty coverage.

But while many internet of things risks are being addressed by regulators, such as the U.S. Department of Defense, that oversee their contractors, “for a lot of companies, there’s not really currently an incentive for them to build security by design into new devices,” said John P. Carlin, a partner with Morrison Foerster L.L.P. in Washington and former assistant attorney general for the U.S. Department of Justice’s national security division.

More can be done on that front by either the government or by industries agreeing to voluntary standards, he said.

Commercial policyholders are increasingly aware of the issue, said Adam Cottini, managing director of insurance and risk management in North America at Arthur J. Gallagher & Co. in New York. But, he added, “I believe they’re still trying to get their handle” on it.

In some cases, it may be a budgetary issue, Mr. Cottini said. There may be a combination of vulnerabilities that exist, “but they must deploy resources to stay on top of them,” he said.

The issue has led to an unsettled situation with respect to insurance, say observers.

Insurers are trying to figure out where the peril should be placed, said Gary Gresham, Tampa, Florida-based senior vice president with Aon Risk Solutions’ power practice.

“If there’s a property damage issue, should it be under the property policy or should it be under cyber?” he said. “Right now, the insurance market really hasn’t solidified.”

While FM Global offers property coverage with no cyber exclusions, including internet of things-related risks, “I see insurers responding to cyber risk in a very segmented way, meaning cyber policies are very cyber focused” and only look at digital assets protection and associated business interruption, said Grace Ries, the insurer’s president of cyber underwriting in Johnston, Rhode Island.

Similarly, property insurers only look at traditional perils, she said. “We need to start offering our clients more combined solutions, where they can have comprehensive solutions to address their property risk and cyber risks all in one,” she said.

“Many markets are unclear both with clients and with themselves as to how coverage may respond,” said Marcin Weryk, New York-based vice president and underwriting manager at XL Group Ltd., which does business as XL Catlin.

Underwriters with an extensive knowledge base of property/casualty need to collaborate with underwriters who understand network connectivity and risk, Mr. Weryk said.

“It’s a very interesting proposition in the cyber world right now”’ because “companies may have coverage gaps when it comes to property damage and bodily injury caused by a cyber attack or cyber peril,” said Michael Born, Kansas City, Missouri-based vice president of the global technology and privacy practice at Lockton Cos. L.L.C.

Organizations should be looking at the issue holistically, said Joe DePaul, New York-based head of FINEX cyber/E&O for North America at Willis Towers Watson P.L.C.

“It is a combination of various different coverages really making up the solution that we’re currently talking about,” which could include property/casualty, cyber and directors and officers liability, he said.

This is beginning to be addressed, say observers. Cyber insurance traditionally has dealt with the monetary damages that could arise from a security breach, Mr. Born said. But “there is a movement now to add bodily injury and property damage to the cyber policies,” he said.

“This is a leading edge of what we think of as cyber insurance right now,” said Mr. Born.

Mr. Weryk said, “There are special products being developed by many underwriting companies” that clearly delineate where coverage may lie if an event occurred because of a network hack that has caused property, bodily injury or third-party loss.

“I think the marketplace will keep moving in that direction, where there is more dedicated product,” he said.

“I can see some gradual progress” toward comprehensive solutions, said Ms. Ries.

Mr. Born said while “the insurance business is beginning to respond to this peril, and to the exposure,” where “that coverage is ultimately going to lead is still up in the air.”

“In my opinion, it still primarily belongs in the cyber policy” rather than in property or commercial general liability policies,” Mr. Born said. “It’s probably more important to understand the threats and the risks and the chances of something going wrong than to understand the damages if something does go wrong.”

Cyber exposures are evolving from being an information technology department issue to an enterprisewide concern. “The history of cyber security has been almost solely focused on IT operations, and not as an enterprisewide issue,” said Larry Clinton, president and CEO of the Arlington, Virginia-based trade association Internet Security Alliance.

But insurers tend to look at issues, including cyber, much more from an enterprisewide perspective, which is critical.

“The insurers have really been leaders in that regard,” said Mr. Clinton.

However, “If there’s a true catastrophe, there might be enough insurance, but I don’t know if enough people are buying it,” said Bob Parisi, New York-based cyber product leader for Marsh L.L.C.

“People really need to take a fresh look at that piece of the puzzle,” not just the firewalls in their computer systems but the devices their networks are controlling, said Mr. Born.

The first step is for entities to understand their environment in conjunction with “what’s out there in the field,” said Scott Corzine, New York-based senior managing director at Ankura Consulting Group L.L.C., a cyber security consulting firm.

“They have to get a handle on all that, and then they have to create a strategy for security of those industrial control devices,” he said.

“We need to design an overarching cyber security plan. We’re not doing this right now,” said Mr. Clinton. “Right now, the way to deal with cyber security is incremental.”



Read Next