February 3, 2016 by Angela Stelmakowich, Editor
One of the insurance industry’s biggest challenges on the underwriting side is “how to effectively and profitably transfer cyber risk with respect to machine-to-machine technology,” so-called Internet of Things, Brian Rosenbaum, national director of the Legal and Research Practice at Aon Risk Solutions, said Tuesday during an industry event.
“I really can’t overestimate how significant the risks associated with machine-to-machine technology are, despite the tremendous benefits that the Internet of Things will confer,” Rosenbaum told those assembled for the 49th Annual Canadian Insurance Claims Managers Association/ Canadian Independent Adjusters’ Association Ontario Chapter Joint Conference in downtown Toronto.
He defined IoT as “the intelligent connectivity of smart devices by which objects can sense one another and communicate, thus changing how, where and by whom decisions about our physical world are made both in a commercial and non-commercial context.”
Acknowledging that the definition is broad, he suggested the associated risks are also potentially extensive. It used to be that, for the most part, cyber risk and cyber risk insurance revolved around protecting personal identifiable information.
“From the perspective of a business, it’s the collection of information about their employees or their customers or their clients. And it also extends to non-confidential information,” such as intellectual property that businesses are collecting and maintaining, he noted.
“Arguably, the biggest risk we face today is the risk going forward with respect to property damage and personal injuries as a result of a cyber event,” Rosenbaum ventured. “I can tell you that today, our real estate clients are terrified about coverage for physical damage to their plants and personal injury in their plants as a result of a cyber event,” he reported.
“They are worried about a hack into their automated systems,” he said, noting the same goes for energy and commercial manufacturing clients. Consider that “41% of all hacks targeted to critical infrastructure have been targeted to the energy sector,” Rosenbaum pointed out.
Reports are that by 2020, billions of machines will be exchanging data on a daily basis, he said. “What I’m concerned about is that the underwriting community is not ready for this. We don’t really appreciate how vulnerable we are to cyber terrorism, extortion, systems breakdown and just plain mischief.”
For clients asking whether or not they have coverage for these risks on any of their policies and, if not, what coverage is needed, “what I’m concerned about is that we don’t have the answers to these questions. We’re not keeping up with these emerging risks from a placement and underwriting point of view,” Rosenbaum told attendees.
Though there may be cyber policies dealing with the loss of personal information, “with respect to the Internet of Things, did we figure out what coverage was already embedded in our existing policies?” he asked. “Did we determine if there is overlapping coverage? Did we account for where there was uncertainty?”
Already, there have been claims related to loss of personally identifiable information, Rosenbaum said. Still, “as the big first wave of claims for personal injury and property damage as a result of a cyber event emerge, we’re going to see a lot more litigation and a lot more pressure on the claims people to make good decisions with respect to that,” he predicted.
“Are we providing this coverage on our policies now and to what extent?” Rosenbaum asked. “I can tell you in reviewing CGL (commercial general liability) policies, D&O (directors and officers) policies, cyber policies, the answer to that question is not clear,” he answered.
“For the most part, insurance wordings are limited with respect to physical perils arising from a cyber event,” Rosenbaum (pictured right) said. “The majority of CGL policies contain what I would call a data or cyber exclusion,” he explained, adding that unless there is tailored wording or a watered down exclusion, there will generally not be “fulsome coverage if somebody is injured as a result of a cyber event.”
Indeed, typical cyber policies contain a bodily injury and property exclusion that applies to third-party liability, meaning “that will lead to a lack of coverage for any of these Internet of Things exposures we’re talking about today,” Rosenbaum said. The same is true of E&O (errors and omissions) and D&O when they contain the same type of exclusionary language, he said.
“Slivers of coverage still exist on other policies,” including property policies, depending on how they are worded, he said.
That said, there could be conflicts and confusion created. “You might have overlapping coverage between a property policy – giving business interruption or data restoration expenses – versus a cyber policy,” Rosenbaum explained.
“We haven’t deal with how those policies are going to react together,” he said, and “other clauses in those policies haven’t been sorted through.”
Although there is currently some specialized IoT products available, Rosenbaum’s take is that “a lot of it may be inadvertent and not by design. And that’s going to create a lot of problems for people in this room as to whether or not they’re going to allow coverage.”
The industry as a whole needs to do a better job, Rosenbaum argued, because there will be more legal cases going forward. “It might be practical for us to all work together to determine what type of coverage we can give.”
To do so, it is necessary to answer some very challenging questions, including the following:
More coverage of the CICMA/CIAA 49th Annual Joint Conference