April 1, 2016 by Brian Rosenbaum, Senior Vice President, Financial Services Group, and National Director, Legal and Research Practice, Aon Reed Stenhouse Inc.
One of the greatest challenges that the insurance industry will deal with over the next few years is how to effectively and profitably transfer the risks associated with machine-to-machine technology or the Internet of Things (IoT).
IoT is a term that has been defined in a variety of ways. For example, consider the following definition: it is a system of intelligently connected smart-computing devices, machines, objects, animals and people that have unique identifiers and, as a result, can sense one another and communicate without the impetus of human-to-human or human-to-computer contact, thus changing how, where and by whom decisions about the physical world are made.
The benefits conferred by IoT in all facets of life are obvious and immense, including those below:
Along with these benefits, however, is the fact that the more people rely on the interconnectivity of devices through closed and open networks to control the things in the world, the more everyone is vulnerable to cyber crime, extortion and disruption. This is especially true because the rate at which the IoT phenomenon is unfolding often does not give IoT innovators the time to develop adequate security measures for device-to-device communication.
IoT risks are no longer theoretical. There have been IoT attacks where manufacturing facilities have been blown up, oil and gas pipelines have been set on fire, consumer vehicles have been hijacked, medical devices have been tampered with, and building and home environmental systems have been disabled. These incidents have caused property damage and/or personal injury to organizations, governments and individuals, resulting in various heads of economic loss.
In theory, a number of insurance policies – including cyber, commercial general liability (CGL) or property – could provide some coverage for these types of losses. But do they? What has the insurance industry provided to consumers, governments and organizations in the way of risk transfer to deal with IoT exposures?
The focus of cyber liability insurance over the past decade has been to protect insured organizations from losses arising out of the unauthorized access to, or loss of, individuals’ personally identifiable information that the organization has collected (this has been extended to include the loss of non-personal confidential information of a third party).
There are two fundamental coverages provided by the typical cyber policy. The first covers the organization’s own costs (first-party costs) in investigating and mitigating the effects of the breach, as well as complying with applicable privacy laws, regulations and guidelines (that is, notification, forensic investigation, credit monitoring, call centre and breach coach costs) irrespective of whether a third party, such as a customer, client or employee, sues the organization for a breach of security or privacy.
The second provides third-party liability protection by paying for defence costs, as well as amounts to settle or satisfy a judgment or pay an insurable fine levied by a regulator as a result of an investigatory or regulatory proceeding. Additional coverage can be purchased for cyber extortion, business interruption and digital asset restoration.
It would be easy to conclude that coverage might be available under a cyber policy for IoT losses resulting from a cyber breach. However, that is likely not the case. All cyber policies contain some sort of bodily injury and property damage exclusion that states the insurer is not liable for the payment of loss if the claim is for either personal injury or property damage.
Since IoT exposures most often result in either property damage or personal injury, organizations should not look to their cyber policies for fulsome coverage for those types of losses. The rationale for this exclusion is that these types of matters should be covered under other insurance, namely property or CGL policies. But is that truly the case?
The CGL policy is the most popular type of insurance businesses typically purchase. The basic CGL policy protects the policyholder from liability for bodily injury and property damage caused to third parties. For damaged property to be covered, it must be tangible in nature.
While it may appear at first that a CGL policy would cover many of the losses resulting from an IoT exposure, there are a number of exclusions and wording issues that could create coverage issues.
The first potential hurdle to accessing insurance proceeds under a CGL policy for a hacking incident is that courts have vacillated about whether or not data is tangible property. If the damage to property or persons comes as a result of the damage to, or manipulation of, data, and the data is not considered tangible property, coverage for the resulting physical losses could be limited. As well, many CGL policies contain broad electronic data exclusions that could limit or preclude coverage where a device or system is accessed through unauthorized means.
IoT losses that arise, in part, out of malfunctions within a device itself as a result of an intrusion may not be covered by application of the impaired property exclusion. This exclusion could reduce or eliminate coverage for coding errors and other software defects exacerbated by some sort of malicious code or malware.
CGL coverage for IoT-type losses has not been thoroughly tested in the courts and there is enough potential for ambiguity in this coverage such that there is no certainty about the extent to which a CGL policy would respond.
Property insurance covers the policyholders’ own assets. It will provide protection for losses that arise from direct physical loss of, or damage to, covered property caused by, or resulting from, any covered cause of loss. Property policies can be written on a named-peril basis or on an all-risks basis.
But in either case, if there is a property loss occasioned by a flood or explosion (two perils that are almost always covered under a property policy) at an organization, the policy will respond. That said, will the policy respond if the flood or explosion is caused by a cyber event such as a hack?
Similar to CGL policies, some property policies have electronic data exclusions. These exclusions could certainly limit coverage for IoT incidents.
Further, the majority of property policies are silent on whether or not they will respond to cyber-related damage. As such, it is unclear if the property damage resulting from an explosion that was caused by malicious code will be covered.
Unlike CGL policies that have been tested to some degree in courts with respect to IoT losses, there has been virtually no judicial analysis of available coverage under property policies for first-party claims arising out of cyber incidents.
As it stands, policyholders are no more secure relying on their property policies for first-party coverage for IoT exposures than they are in relying on their CGL insurance for third-party liability protection.
AUDITING FOR COVERAGE GAPS
Given the uncertainty in coverage under cyber, CGL and property policies for IoT-type exposures, it is advisable that organizations be proactive and undertake a comprehensive review and audit of all of their insurance policies to identify gaps in coverage. This is, by no means, an easy task as there are vagaries in all wordings and few legal precedents to provide guidance.
But stress testing of policies against plausible loss scenarios can be useful in identifying coverage issues. It is highly recommended insured organizations enlist the help of a well-informed insurance professional to assist in this endeavour.
RISK TRANSFER SOLUTIONS FOR IOT
Identifying gaps in insurance coverage for IoT is only the first step. The insurance industry has a meaningful opportunity to come up with IoT risk transfer solutions for policyholders. Although there are a few specialized insurance policies that expressly, and with much more certainty, cover IoT exposures, they are offered only in certain industry sectors, largely in excess or umbrella form or are relatively expensive.
Brokers must help to innovate coverage on a grander scale to deal with a broad range of insureds with IoT risk. They must push the insurer community to clearly define where coverage is, and is not, and be well-informed to explain it to their clients.
If the client/broker community will be one of the impetuses for change, the insurer community will have to embrace that change. A major challenge for insurers, however, will be how to profitably underwrite and charge for IoT risks without reams of loss data and analysis.
In addition, insurers will have to determine if they wish to cover liability issues arising out of IoT in CGL, property and cyber policies, or in a new and commercially available insurance wording.
If the former, insurers are going to have to remove some of the exclusionary language that currently exists in these policies, revamp a number of terms and conditions, and implement clear and express wording with respect to how they will respond to IoT-type claims.
There is little debate that the advent of IoT has changed the world significantly, in many cases for the better. However, the risks of machine-to-machine technology are real, significant and current. The insurance industry, as a whole, has not properly and thoroughly examined the extent to which it is currently providing coverage for these risks, nor has it dealt with a multiplicity of ambiguous, overlapping and unclear wording in the insurance policies it offers.
Policyholders are concerned about their IoT risks and are asking questions about what is, and is not, transferred in their respective insurance programs. The insurance industry must have answers for them. Clearly, there is much to be done.