As Accenture’s Global Insurance Industry Lead, John Cusano is excited at the potential of the Internet of Things (IoT) to transform the business of insurance. But he cautions carriers: with innovation comes risk. We asked him about the threats and opportunities posed by this growing network of devices, and how insurers can protect themselves and their customers.
How big a deal is the IoT for the insurance industry?
Cusano: The Internet of Things could be the greatest impetus to growth for the industry since people started buying automobiles and driving them into things. It’s not exaggerating to say it will probably change the overall focus from products to services, as well as the way risk is assessed and priced, the way carriers interact with their customers, and the way they go to market. It will also, in its own right, create the opportunity for new insurance products. But because it will become as ubiquitous and uncontrolled as the Internet we’re more familiar with, and will transmit vast amounts of personal data, it will be irresistible to cyber attackers.
Before we get onto the risks, what new products could the IoT give rise to?
Cusano: There is huge potential for carriers to provide insurance against identity and data theft, business interruption and other consequences of cyber attacks. Also for when the IoT fails and autonomous cars or drones get out of control and cause damage. Many of these types of risk are already prevalent, and as the IoT plays an increasing role in all industries they will become more so. This presents a big revenue opportunity for early movers that have the data and the underwriting analytics to accurately assess and price their exposure. In addition to insurance, it also creates the opportunity for risk mitigation services, which these carriers – in collaboration with technology, home security and other partners – could offer to their customers.
If the vulnerability of the IoT is such a big issue, surely solving it will be a top priority by those who stand to benefit?
Cusano: Let’s not kid ourselves that the IoT will become secure; if anything, it’s going to become more porous to intrusion. This is partly because the proliferation of devices presents intruders with limitless entry points. Also, so many different industries are using the IoT for so many different things that their security and privacy needs vary greatly, and in fact often conflict. And that conflict can occur internally too. Insurers’ IT organizations may be pretty good at keeping the bad guys out, but their operational technology domain has a contrasting priority: production availability. Finding a way around this dilemma will be key to the successful exploitation of the IoT.
What kinds of threats do insurers face from cyber attackers?
Cusano: There are several. The first is obviously the risk that customer data will be stolen. This presents a very serious reputational threat to carriers which, to be frank, don’t currently enjoy the greatest trust and affection among consumers. Then there’s the risk that hackers could hijack the services insurers provide – perhaps by interrupting the flow of data – and in the process derail their operational model. Insurers also need to be aware of the liability they incur by offering IoT-related services, and should ensure they account for it in their underwriting and pricing. And then finally there’s the threat that cyber attackers could use the carrier’s network to gain access to its customers devices and – like the developers of the famous Stuxnet worm – actually damage or destroy the customers’ assets. So there’s a great deal at stake.
You say the IoT is not going to become secure anytime soon. Is there anything insurers can do to protect themselves and their customers?
Cusano: The point is that it’s not realistic to try to shut the intruders out. Instead, carriers need to create resilient and agile security solutions that are highly sensitive to any signs of intrusion and able to respond quickly and effectively, before damage is done. In our recent report entitled Security Call to Action—Preparing for the Internet of Things we list a number of steps insurers can take to enhance their security. One example is using analytics and pattern-detection software that identifies malware the moment it’s deployed. Even the stealthiest malware changes system behavior, so when anomalies are detected the software can trigger security alerts and defensive actions that thwart the intrusion.
So there is hope that the potential of the IoT won’t be compromised by the inherent vulnerability of the global network.
Cusano: Cyber-threats have become an inevitable feature of doing business in the 21st century. Insurers are desperate for growth, and the IoT – and insurance against this type of risk – are the best opportunities that have arisen in decades. They just need to be aware of the threats they face, be mindful of the limitations of conventional counter-measures, and focus on vigilance and agility. They should also recognize that they can’t do it all themselves. They need to work closely with technology providers to share best security practices; with public policy makers to clarify and simplify their data protection and public liability policies; and with all relevant stakeholders to support long-term strategic R&D that addresses this critical challenge.