Increasing the connectivity of devices, a movement known as the Internet of Things, is ushering in convenience for millions of people – as well as security concerns and liability questions.

The proliferation of wireless devices and apps that connect to the Internet is creating some risks that many people may not realize. Everybody wants the functionality of the devices and the associated convenience, but there can be many unintended consequences and risks. As more and more “things” become interconnected, is there an opportunity for the insurance industry to identify and address the developing risks? Most certainly.

Many of us now have modern appliances that provide great convenience and we have come to love them. Just think about that coffee pot in your kitchen that can wake itself up and have your preferred coffee brewed and waiting to help you wake up. But the newer, smarter things are coming with wireless capabilities to help make your life even more convenient. You can now contact these things via your smart phone. You can monitor your home environment through the thermostat, turn on your stove to heat up, have a video chat with your partner or children, or even provide feedback on your pacemaker to your physician. Your newer appliances, including washers, dryers and refrigerators, can be monitored and tracked by the manufacturer for maintenance and diagnoses. There are even billboards with ads quoting “Your furnace will call us”. So if all these things are connected to the Internet, what else might they be able to do?

Many of us spend considerable money on locks and security systems to protect our homes and families from intrusion, fire and other perils. But what if these systems could be hacked to open a back door to your wireless network, letting an intruder hop onto your home computer and get information they shouldn’t be able to access? So not only are there privacy concerns: if the product fails because of a cunning hacker or a network failure, is there greater product liability because of its connection to the Internet? Manufacturers will look to their insurers to defend and indemnify their products in this new era of interconnectedness.


Rise of the machines


The idea of machines communicating with machines is not new, but the Internet of Things concept began catching on around 2009, as a way to reduce waste, costs and losses for manufacturers and consumers. Information technology research firm Gartner Inc. estimates that by 2020, there will be more than 30 billion Internet-connected devices in use worldwide. By comparison, in 2009 there were 2.5 billion such devices.

Connected devices in the Internet of Things run the gamut: computers, smart phones, automobiles, HVAC systems, household appliances, medical devices, and even running shoes. Virtually any object can be tagged, tracked and inventoried through sensors, such as radio-frequency identification (RFID), or other now-common means such as barcodes and QR codes.

Object tracking can be helpful and improve efficiency, but it’s where devices are connected and tracking without users’ awareness that privacy and security risks can arise.  And many of these devices are being designed without even a thought of security.  Just think of the automobile before safety mandates were enforced.  At the Consumer Electronics Show, a gathering of technology manufacturers that draws more than 150,000 attendees annually, products are unveiled one year, and the very next year, someone demonstrates how to hack them.

Manufacturers and users should not leave connectivity wide open. Good sense and prudent risk management suggest that we add security measures to devices capable of transmitting and receiving data.  The lack of security measures in connected devices was illustrated recently by news reports of hackers cracking into refrigerators and televisions to send spam messages. Game apps and many other kinds of apps can send text messages, so the risk of hackers using connected devices in ways their manufacturers or owners never intended is very real.

Some regulatory agencies are already showing their concern. The US Food and Drug Administration (FDA) has decided to update its guidance on cybersecurity for medical devices. The FDA is now paying close attention to medical device manufacturers’ (MDMs) wireless technology risk management procedures, and failure to meet applicable FDA regulations could potentially lead to an enforcement action for a manufacturer.

Recently, at the CeBIT technology show, UK Prime Minister David Cameron announced an additional £45M in funding for the development of Internet of Things technology. Hopefully, some of this funding will be used to ensure that privacy and security are a consideration in the product design stage.


Security risks pose serious threat and liability


Security breaches in machines and systems on which large numbers of people and businesses rely are a serious risk. As an example, for many years, commercial heating, ventilation and air-conditioning systems have used embedded electronics that enable remote maintenance and diagnostics. In many cases, these devices are now connected to the location’s network when they should be segregated off. The potential liability is tremendous. This case has come to fruition with the recent hack of Target stores, where the first level of entry was the maintenance engineer’s credentials. What other scenarios are out there? Perhaps holding a hospital for ransom?

Location-based services allow app users to quickly get information on nearby amenities, travel directions and the like. But that same functionality can track users’ movements, which some may consider an infringement of their privacy.  If it’s tracking where a user goes, what else is it following about that user?

One industry that tracks consumer behavior data closely is retail. That enables stores to send discount offerings and product suggestions – sometimes to the surprise of consumers. Recently, a friend of ours, in her 60s, was startled when she began receiving coupons and discounts for baby products. Upon reflection, she realized that she had made several recent gift purchases for expecting friends.

Most apps provide the ability to opt in or out of tracking, but often people leave tracking on by default because they just don’t have the time to read those long user agreements.

Certainly the added data collection opportunities will be helpful for the insurance industry, which relies on data and analytics to underwrite wisely. Yet there are risks in the accumulation of data in one place. Taken together, such data could provide important details about a person and their habits that criminal elements might use if they gained access. Television and movies have already developed the story lines. Do you really think that the real bad guys can’t do the same?

Products that use connectivity should be designed with security in mind. The Internet of Things offers lots of positives – even life-saving benefits – but we need to demand that they be designed more appropriately.  Just as insurers helped develop fire safety standards, there is certainly an opportunity here for security, risk management and insurance specialists to connect with each other and help businesses achieve more secure connections on the Internet of Things.  


About the Author

Thomas Dunbar is the Chief Information Risk Officer for XL Group Ltd. Mr. Dunbar is responsible for XL Group’s overall Information Risk Management program, including the company’s information risk and security strategies, tactics, planning, governance, architecture and operations. He is a member of the IT Leadership team, the Operations Risk Committee, and the Data Privacy Committee. He joined XL in 2002 as their first Global CISO.
