Podcast

Cyber Podcast: How Internet of Things (IoT) Relates to Cyber Exposures

By Alliant Specialty

Listen on SoundCloud

More episodes from Cyber Podcast

 

Intro (00:00):

Welcome to a special edition of Alliant Specialty Podcast, Cyber Awareness Month with Steve Shappell and David Finz.

 

Steve Shappell (00:11):

Hello, and welcome to an Alliant Specialty Cyber Awareness Month podcast. Today, I have on with me David Finz, who heads up our legal and claims cyber response. David, welcome. One of the things we want to talk about today, as part of this Cyber Awareness Month, is rather interesting, and I think misunderstood, or less understood, IoT, can you talk a little bit about what IoT is and how it relates to cyber exposures generally in the marketplace as we view them?

 

Davis Finz (00:47):

Sure. First of all, thanks for having me on Steve. The IoT or "internet of things" is a concept that broadly describes the proliferation of technology becoming embedded in other devices that we don't normally think of as part of a computer network, right? This could include smart appliances, medical diagnostic equipment, self-driving vehicles, and what the concern is, is that we are increasing the attack surface for threat actors to come in and wreak havoc with these devices, because as convenient as they are, as much as they improve our lives, there is the potential there for bodily injury and property damage as a result of a compromise to the security of the networks that this technology relies upon to operate.

 

Steve Shappell (01:37):

Great. Can you talk a little bit about this concept of contingent liability, contingent property and bodily injury liability, and where there's coverage and, more important for this discussion, where there are gaps in coverage for this contingent liability?

 

David Finz (01:53):

Sure. So, probably the best way to frame this discussion is to understand that a commercially available cyber insurance policy typically does not cover losses for bodily injury and property damage, those losses are excluded. Now, there are certain aspects of that where we're nibbling around the fringes right now, for example, computer hardware replacement costs, or what's commonly known as bricking. That's a form of property damage that the cyber insurance product has begun to cover. However, that's an exception to the rule. So, with the understanding that bodily injury and property damage are excluded under these policies, there is an enhancement available now from many markets that is known as coverage for contingent bodily injury and property damage, and that's just a fancy legal way of basically saying that the wrongful act, whether it's an attack or some negligence, needs to be one degree removed from the actual loss. The harm that was caused, it cannot be what lawyers call "a direct and proximate cause of the injury or the property damage". 

So just to give an example, if I am running a commercial refrigeration unit and I am looking to make sure that my product is kept at a certain temperature so that it does not spoil, and I'm relying upon a programmable smart thermostat to do that, If a hacker were to come in on a long holiday weekend and tamper with that thermostat remotely, they just broke into the network, and they changed the temperature and they raised it to cause all of that product to spoil. Or, if I was running a data center, and all the servers got fried because the temperature was too high, well, that's direct property damage, so, I would not expect that loss to be covered by a typical cyber insurance policy. However, if instead of changing the temperature themselves, if the threat actor were to go in and mess with the algorithm, so that there was an inaccurate reading on the thermostat and I, as the owner, relied on that erroneous information to my detriment, and I, myself, raised the temperature, now the threat actor is not the direct cause of the property damage, I am. But I did it because of an indirect cause namely, that he messed with the algorithm. So, that is an example of a contingent loss that is subject to coverage now, under a commercial insurance policy, if you ask for it, this is an enhancement, it is not typically available in a base form, and that coverage needs to be negotiated by your broker. Frankly, not every market is prepared to offer it at this point, but a qualified insurance broker can help you navigate that, if that is, in fact, an exposure for your business.

 

Steve Shappell (04:43):

David, for those circumstances, where there can be some potential coverage negotiated with an underwriter, is the process, the underwriting process, more cumbersome than it would otherwise be, for buying or renewing traditional cyber coverage?

 

David Finz (05:00):

Well, to some extent, clearly, the underwriter is going to want to have an understanding of an organization's security controls in the first place. However, going back to my example of the refrigeration unit, if I understand now, that you are looking for contingent property damage coverage, right? Now, I'm going to sit in the shoes of the underwriter. Some of the things I'm going to want to know is, apart from the controls you have in place, who are your vendors and who are you relying on for that thermostat? What's the technology based on and what controls do they have in place? So, now I'm beginning to get interested in your vendor management practices. Now, obviously, I can't necessarily underwrite to the security controls of every vendor that you have, but I can begin to ask you about what procedures you have in place, as an organization. When you engage a vendor, and we, as an insurance broker, can help guide our clients in terms of the types of vendor management questions they should be asking, to help them manage their own risk. 

If you think about, for example, all of the actors that could be involved in a self-driving or autonomous vehicle, right? You have a chip maker, who is putting this technology into a vehicle, so now you have an automotive manufacturer and they are using a GPS signal, that's probably coming off of a satellite company, or some subscription that the insured maintains through a commercial provider to be able to use that technology, so if something goes wrong, there could be a multiplicity of actors there, and it's not realistic. It's not practical to think that an underwriter is going to be able to examine the security practices of every one of those organizations, however, they do expect the insured to have a good contractual language in place, and to do their due diligence around the types of firms that they are engaging to deploy this technology in their own devices.

So, one thing that the cyber insurance marketplace is going to need to deal with over the next several years is how it is going to respond to the growing exposure for bodily injury and property damage, that is directly caused by a security breach. Right now, there is not an off-the-shelf, if you will, commercially available risk transfer solution for that exposure, because general liability and property policies typically have a cyber exclusion on them and, conversely, cyber policies. As I mentioned before, by and large, exclude direct bodily injury and property damage, but the technology is not waiting for anyone, so it will continue to evolve. The cyber insurance marketplace is going to need to determine how it's going to underwrite that risk in order to stay relevant in years to come.

 

Steve Shappell (07:38):

Well, David, thank you. This has been a really interesting and frankly, cutting-edge topic, right? We're budding up against the gaping coverage and evolving coverage in the marketplace. So, we will keep our finger on the pulse of this development, as David described, right? This is an evolving and kind of cutting-edge coverage issue. So, we'll keep our finger on the pulse of this and we'll have podcasts, in the future, on cyber, covering this topic and touch base, and keep everybody informed.