The Internet of Things (IoT) is altering the risks your business is facing faster than you can keep up. Read these tips to see what is coming and how your business can prepare right now.

Everything from smart fridges and lightbulbs to remote sensors and cities will collect data that can be analysed and used to provide a wealth of bespoke products and services. The impacts will be huge - by 2020, some 25 billion devices will be connected to the Internet (Nordrum, 2016) with some studies estimating this number will rise to 125 billion in 2030 (IHS Markit, 2017).

These will include many things that have never been connected to the Internet before. Like all new technologies, IoT offers substantial new opportunities but these have to be considered in parallel with the new risks that come with it.

To make sense of this new world, Lloyd’s worked with University College London’s (UCL) Department of Science, Technology, Engineering and Public Policy (STEaPP) and the PETRAS IoT Research Hub. The team's research presents five key findings:

1. IoT will lead to data capture and management at an unprecedented scale. While this could mean better risk assessment and flexible, bespoke and real-time products, it may also increase policyholder concerns about the use and accuracy of their data.

2. New types of threats and harms will emerge, which will increase the pressure on insurers to come up with new products and services that are closely aligned to customer needs.

3. The scale and variability of the type of disruption that could occur will affect multiple sectors and lines of business. The range of security standards that currently exist and the difficulty in establishing a baseline for IoT security will make it hard for insurers to make risk assessments in the future.

4. Insurance policies will increasingly influence and manage risk behaviour. Personalisation of policies will be capable of predicting and mitigating risks based on large scale data and trends analysis.

5. There are critical blind spots in the regulation and legislation of IoT devices and their impacts. These include uncertainties surrounding attribution and liability should anything go wrong.

In addition to these findings, the report identifies 6 main risk areas associated with IoT technology:

1. Multidimensionality: IoT devices and services can be a target of cyber attacks, and can multiply security and privacy risks. This could lead to increased demand for cyber insurance policies as businesses seek to protect themselves from increased vulnerability.

2. Harms: Overall, the impacts of IoT functionalities, and their intentional or unintentional disruption, will see the emergence of new types of harms such as loss of data, loss of privacy, loss of business, loss of reputation, exploitation, and information asymmetries. The convergence of physical and digital harm (for example, breach of digital systems leading to real life consequences such as fires, bodily injuries, and system breakdowns) will have implications on how defective products, supply chain management, safety assurance processes, and cybersecurity environments are regulated and insured. From an ethical perspective, unfair customer treatment (for example, exclusions) and barriers to market entry based on national security considerations might arise from the adoption of IoT.

3. Scale of impact: Because of the multiple connections between IoT devices and the Internet, there is a risk that systemic failure could occur if security is breached at any one of the connection points.

4. Traditional risk assessment: As a consequence of changes in the nature of threats, losses, and vulnerabilities, the IoT will require new processes and mechanisms for risk assessments. Whereas previous cyber risk exposures were mostly limited to digital infrastructures, IoT - due to its cyber-physical nature - can have both digital and physical implications. This interplay requires risk assessments to account for both physical safety and information security, with preexisting risk assessments having neither adjusted to this variability and scale, nor accounted for the dynamism of interconnected IoT systems.

5. Risk management: As mentioned, risk management processes could be improved by using IoT, but best practices are still being developed. Particular challenges include systemic vulnerabilities and the convergence of safety and security, which do not necessarily have the same focus and are sometimes mutually exclusive.

6. Liability and attribution: With the number of stakeholders involved in IoT development and use, including manufacturers, software developers, and network and cloud providers, assigning liability when things go wrong is complex. Is a disruptive event the fault of a person (insider threat) or an actor (criminals/terrorists), or a technical fault (e.g. algorithmic bias) within the larger IoT system? Due to the global nature of the supply chain and the diversity of IoT devices and components, the attribution of disruptive events will not only become more difficult but also more important.

One of the key challenges to managing new risks introduced by the IoT is that existing policies and regulatory frameworks are currently not providing sufficient incentives and corrective measures to ensure that all entities in the IoT supply chain internalise the cost of security into their businesses.