Cyber risk and property liability could amplify as connected devices become more popular – and insurers need to pay attention now


Cyber world

Although it is easy to predict some of the consequences of the growing popularity of connected devices, many will not be understood fully for some time. Insurers need to pay attention now, however.

Each of the two main concerns – security (cyber risks) and property liability (casualty) – has the potential to affect the other, and other lines of business can also be affected, as the 2014 attack by hackers on a German steel plant showed (see box below).

This demonstrated how, if connected devices are attacked or malfunction, people and businesses can be at risk, thus creating new product liabilities. The question insurers need to be asking is who will identify and allocate fault and who will pay.

Under traditional principles of strict liability, fault flows up the chain of distribution from the retailer to the manufacturer through mid-channel distributors. However, in the case of connected devices, new complexities arise.

For example, will the software developer be liable if a connected device causes a loss? Who is responsible for its vulnerability to attack? Will the consumer become a target for fault apportionment if they failed to update security software, used easily hacked passwords or downloaded malware from insecure sites?

Insurers need to decide now how to manage these claims and what kind of expertise they will require to do this – as well as what other lines may be affected by the internet of things, such as financial lines, property, marine/cargo and aviation.



Discussions about cyber security usually focus on the risk of damage to brand and reputation caused by security breaches or compromised systems. However, another, much more serious risk is emerging: that of actual physical damage.

In December 2014, hackers accessed networks at a German steel mill and disrupted control functions to the extent that a blast furnace could not be shut down properly, causing “massive” damage.

This type of attack first made the headlines in 2010 when the Stuxnet worm – widely thought to have been deployed by the US and Israel – disrupted Iranian nuclear facilities.

Both attacks highlighted the danger hackers pose to key infrastructure and their ability to cause real-world damage. It is feared incidents will only increase as industrial systems become more complex and interconnected.