Risk Management Challenges from the Internet of Things
At the 2018 Chicagoland Risk Forum, a panel discussed cyber risks associated with the Internet of Things.
The speakers were:
- John Hackett – Cassiday Schade LLP
- Margaret Shipitalo – Cassiday Schade LLP
- Kenneth Shu – Beasley Group
- Neil Blauvet – United Airlines
The Internet of Things (IoT) is any device that can be connected to the internet. In 2003 there were around 500 million devices connected to the internet. By 2020 that number will be over 50 billion. Examples of IoT devices include fitness trackers, thermostats, automobiles, home appliances, smart speakers, etc. These devices are used in many different aspects of business and in most homes.
All these devices are constantly collecting information and have little to no security features. They are susceptible to being hacked. They typically lack a firmware update mechanism, so security patches cannot be deployed to them.
From a risk management standpoint, there is tremendous exposure around the IoT including financial loss, property loss, and bodily injury and privacy breaches.
Examples of IoT hacks include hacking into a casino aquarium to gain information about high rollers, the FDA recall of pacemakers that were hacked, and the widely publicized WannaCry virus that impacted thousands of devices around the world.
One of the challenges for risk managers is trying to quantify the cost of data breaches. A great tool for this is the Ponemon Institute 2018 Cost of a Data Breach Study: Global Overview, sponsored by IBM Security. This study does a good job outlining the direct costs of a breach and the cost per record in breaches of various sizes. You can access the report here.
From an insurance coverage standpoint, business interruption is a significant insurance consideration along with privacy breaches. With IoT devices, one of the big challenges is figuring out which device led to the breach. Since 2014, most CGL policies have contained an electronic data exclusion, which makes having dedicated cyber coverage essential.
A big part of the costs associated with a data breach is completing the computer forensics to figure out exactly what information was breached. This helps you know who needs to be notified and what additional steps need to be taken. The forensics review is also essential to defending in any litigation around the breach as it will detail the steps you took to identify the extent of the breach and to correct it.
When securing cyber coverage it is important to review the policies carefully. There is no standard form for cyber insurance, and because of this there can be significant variation in what is covered. Policies are complex and tend to contain numerous exclusions that limit coverage. There is also very limited case law interpreting cyber policies. Some companies use specialized insurance coverage attorneys to review their cyber insurance forms. Your broker should be able to assist with this.
In terms of liability claims, most of what is being seen is class-action lawsuits associated with large breaches. Plaintiff’s attorneys are very aggressive in these cases and they are doing a good job identifying members of the class.
One of the important coverages for companies to consider is around system failures. If your computer system failed, what impact would that have on your business and how much would it cost you? This has many aspects, including direct costs to your customers and also the costs of correcting things from your business standpoint.
Coverage for regulatory proceedings is also a significant element of any cyber policy. New EU regulations in this area have caused this type of coverage to evolve even further. Be careful around assumptions of liability in your contracts and the impact they may have on your cyber coverage. Exclusions for liability assumed by contract are a common element in insurance policies.
Technology E&O insurance is a newer form of cyber coverage that combines multimedia insurance and professional liability insurance. This insurance protects providers of technology services or products against financial loss. It applies to errors and omissions along with liability assumed by contract.
For risk managers, a big challenge is the risk transfer associated with vendor contracts. Risk management needs to be involved early in any discussions around vendor contracts in particular with issues around indemnity and limitations of liability. Vendor contracts should also allow you the ability to review the vendor’s systems, cyber insurance, and incident response teams. These discussions need to happen before vendor contracts are signed because you lose any negotiating leverage after they are executed.