While the internet of things was intended to make life easier by connecting everyday objects to the internet, enabling them to send and receive data, experts warn that it is also giving new opportunities to hackers.
A bipartisan bill introduced into the U.S. Senate on Aug. 1 — S. 1691, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 — would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards.
It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.
“The legislation is an important step in raising awareness and accountability for internet of things manufacturers,” said Tracie Grella, global head of cyber risk insurance for American International Group Inc. in New York. “It’s focused on manufacturers that are supplying to the federal government, but that’s a great step because the requirements and security controls could trickle down to all their products which are available for the private sector and consumers.”
Jason Krauss, cyber/errors and omissions thought and product leader for Willis Towers Watson P.L.C.’s FINEX North America in New York, said the bill “is significant because it underscores just how big of a threat IoT device security vulnerabilities can be to organizations of all sizes.”
Ryan Gibney, Northeast cyber technology practice leader for Lockton Cos. L.L.C. in New York, said that “the overarching issue with regard to the internet of things is that these are day-to-day consumer products that are not being built with security in mind.”
“They’re being built with overall usability and not security, so I think this (bill) is a positive step, especially with regard to equipment that’s going to be provided to the government,” he said.
The list of consumer products connected to the internet of things is getting longer and includes such items as baby monitors and surveillance cameras. Stamford, Connecticut-based research firm Gartner Inc. forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31% from 2016, and will reach 20.4 billion by 2020.
In July, news accounts described how hackers tried to steal data from an unnamed North American casino through a fish tank that had been connected to the internet to feed the fish and keep their environment comfortable. Although extra security had been set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.
“The internet of things really broadened the attack surface for cyber hackers,” said Matthew McCabe, New York-based senior vice president with Marsh L.L.C.’s cyber security practice. “At one point, it was attacking the network, but now every device that you’re used to seeing in a home or business seemingly can be attached to the internet for purposes of efficiency or convenience. But all these create new points of vulnerability. We’re trying to do security catch-up at this point, and it’s hard to do catch-up because the genie’s already out of the bottle.”
Companies must have an inventory of all the internet of things technology that’s deployed, know the right controls, apply patches and update their default passwords, Ms. Grella said.
“We’re starting to see more customized language specific to IoT policies, but cyber insurance policies provide coverage for a number of different risk factors related to IoT,” she said.
Ms. Grella added that “IoT devices can be compromised and shut down, which results in business interruption exposure for organizations using IoT devices. Cyber insurance provides coverage for that business interruption, the cyber attack.”
Most forms of cyber insurance on the market provide coverage for such exposures as liability to a third party, economic losses as a result of business or network interruption, or an extortion demand in a ransomware incident, Mr. Krauss said.
“Stand-alone cyber insurance is the perfect product for the risk associated with these devices,” Mr. Krauss said. “It’s a pretty broad product, and there are a number of insuring agreements associated with this product.”
Insurance coverage depends on the consequence of the attack, Mr. McCabe said.
If the cyber compromise against an IoT device results in a physical outcome such as an explosion or fire, then very likely a property or casualty coverage would respond. However, he said, if the outcome is an outage of the network or compromised confidential data, a cyber insurance policy would respond.
A cyber specialist policy will provide coverage for first-party costs associated with investigating the breach and managing the notification of the event, Mr. Gibney said.
The policy will also provide liability and regulatory coverage related to breaches.
However, Mr. Gibney said cyber exposures continue to change, and the market is evolving with regard to addressing a cyber event that causes physical damage and ensuing business interruption. Solutions are available in the traditional property/casualty market, as well as the specialist marketplace, to address this growing exposure, he said.