P&C the April 2016 issue

Digital Mind Field

The Internet of Things blurs fault lines as it shifts personal risk to commercial in many sectors.
By Russ Banham Posted on April 30, 2016

Everything and everyone around us is connected via highly sophisticated and fast-evolving computerized systems.
Within these connections are wireless sensors, software and networks that allow for the collection and exchange of data. This is the Internet of Things. It is quickly becoming a part of everything we do and just as quickly is changing the landscape of potential risk. If insurers don’t change with it, they could be left in the disconnected dust.

According to Goldman Sachs, the Internet of Things is quickly taking hold in five key areas: wearable devices, automobiles, homes, cities and the industrial Internet—the latter including major infrastructures like transportation, oil and gas, and healthcare. Taken together, these five areas connect literally billions of devices to the Internet, all of them vulnerable to devastating risks. And one of the biggest challenges in this system is assigning fault.

For example, a homeowner in Boston who forgets to turn off the water before heading off on a one-week business trip in January must bear responsibility for the busted pipes that ensue. Fortunately, the losses are absorbed by the errant individual’s homeowners insurance. But if the person’s house were equipped with a sensor and telematics designed to wirelessly transmit directions to turn off the water valve when the temperature reaches a certain threshold, the fault could lie elsewhere.

Blurred Lines

These once-clear boundaries for multiple types of commercial and personal lines risk are blurring. Pamela Ferrandino, an executive vice president and national casualty practice leader at Willis North America, recently hosted a panel on the uncertain exposures created by the digital ecosystem. “It seems that different types of insurance policies are converging, which is creating confusion,” she says. “As everything begins to interconnect, where does one product stop and another begin?” 

She provided the following scenario: “Let’s say there is an arson event in which a building burns to the ground. Presumably this is covered by property insurance. But what if the sensors in the sprinkler system or the smoke detector failed to work? Then, that’s a product liability claim. But what if the sensors were wirelessly connected to the Internet and hacked? That would be covered by cyber risk insurance.”

Determining fault in the above scenario can be a protracted exercise. And when lines of fault distort, the courts are called upon to provide clarity. Michael O’Brien, a partner, member of the cyber risk team, and co-chair of the product liability practice team at law firm Wilson Elser Moskowitz Edelman & Dicker, in White Plains, New York, sees a litigation field day ahead for attorneys apportioning fault.

“In the new digital ecosystem, your washing machine, microwave oven and clothes dryer will automatically upload data to their respective manufacturers and to you on your mobile device,” he says. “This data can be extremely valuable, telling you and the company the condition of the appliance, helping to identify small problems before they become big, costly ones.” Rather than staying home and waiting for the repairman to show up, O’Brien says, a technician may be able to fix the issue remotely.

“But what if the intelligent microwave short circuits and causes a fire?” he says. “Was the cause of the damage the operating software or the electrical components? Is the repairman at fault? Is the manufacturer of the sensor liable? Or is some other party on the hook?”

From Personal to Commercial Lines

As the connections in the digital ecosystem branch out even further, the difficulties compound. For example, some utilities are experimenting with remotely accessing thermostat data for energy conservation purposes. A utility experiences peak energy demands during wintry months when consumers turn on their furnaces en masse. To handle the demand, a utility buys additional power at higher prices.

But furnaces aren’t turned on and operating 24 hours a day. Rather, they turn on for about 20 minutes until a particular temperature is reached, then they turn off. A utility could manage peak loads by remotely accessing thermostats in a specific geographic region to turn on one group of furnaces at noon and another group at 12:20, when the first group turns off, thereby limiting additional power purchases.

But what if a wrongdoer hacks into this network and turns off the furnace in every home in Boston while most people are at work? Who is responsible for the massive losses that would accrue, pipes bursting and water gushing, people slipping and falling, transportation systems grinding to a halt? “These are great ways to contain energy costs, but they also create new risks,” O’Brien says.

He and Ferrandino are not alone in this view. “While the Internet of Things will bring a great deal of convenience to our lives and to our businesses,” says Robert Hartwig, the chief economist and president of the Insurance Information Institute, “behind the scenes are unsettled questions as to where the ultimate liability will rest.”

Historically, if you failed to replace the batteries in the smoke detector, it was your own fault. If you got into a car accident because you went through a red light, it was your own fault. “Now with everyday products interconnected…some of this liability will shift to the commercial realm—into areas like product and cyber liability,”

Hartwig says. “The problem is that technology development is racing ahead of the ability of legislators, regulators and industries to catch up and make sense of this from a liability standpoint.”

As everything begins to interconnect, where does one product stop and another begin?
Pamela Ferrandino, EVP, Willis North America

In July 2015, Wired magazine recruited two hackers to help demonstrate the potential for damage in an Internet-connected world. The hackers tapped into a vehicle’s infotainment software, which opened a pathway to the car’s dashboard functions and accelerator, steering and braking systems. At their will, the Jeep sped up or slowed to a crawl. “Within days,” O’Brien says, “Chrysler recalled 1.4 million vehicles.”

Had malicious, not ethical, hackers commandeered the Jeep and crashed into an embankment, would the driver’s personal or commercial automobile insurance policy address the consequent property damage and bodily injury losses?

“Theoretically,” O’Brien says, “this would be a loss caused by cyber breach insurance, but today’s cyber insurance policy is predominantly focused on protecting data from being stolen. Since no data were stolen, it’s questionable whether the cyber insurance would prevail. I’ve been on panels with high-ranking insurer executives and presented this scenario to them, asking if the cyber policy would come into play. They were unsure.”

Adam Cottini, managing director of Arthur J. Gallagher’s cyber liability practice, gives the industry five years at best to figure out how to respond to the risks and opportunities of the interconnected ecosystem. “Carriers and brokers have to determine what to do with the cyber event in all its manifestations,” he says. “We need to decide whether or not we stick with these different buckets like financial loss, bodily injury or property damage for an event to be considered insured by a cyber policy.

“Maybe a common theme for cyber in the future should be that it just doesn’t matter where or how the loss originated,” he continues. “If the end result of a cyber event is a loss, the insurance policy would come into play. This would require changes in today’s cyber policy language, which I think we will see. Five years from now, it won’t look much like it looks today.”

The Blame Game

In a commercial lines context, traditional principles of strict liability are breaking down. Under these principles, fault flows up the chain of distribution from the retailer to the manufacturer. “Parts suppliers and manufacturers typically handle these risks under the terms of the supply agreement, which spells out the contractual duty to defend and indemnify against damages caused by a malfunctioning device,” O’Brien says.

But when products are embedded with sensors connected wirelessly by the Internet to data analytics systems accessible by a consumer through an app on a mobile device (that could potentially be hacked), this definition of fault fractures. Does full responsibility for loss still flow to the original equipment manufacturer? What about the software developer or the sensor manufacturer?

And what fault do consumers bear when they use products in the chain of commerce? Could they, too, be at risk?

“Consumers might be responsible for a portion of the fault if they had failed to install security software updates, used simple passwords that were hacked, or downloaded malware from an unsecure site,” O’Brien says.

Although there has yet to be a related lawsuit to figure this out, O’Brien sees them coming. A savvy attorney might contend consumers must share in a portion of the fault burden simply because they made the choice to use an Internet-connected device instead of a traditional mechanical one. “You’re taking assets that have been around forever and now using them in different ways,” says Randy Nornes, executive vice president of Aon Risk Solutions. “And when you do that, you create new liabilities.”

The countless questions arising from the interconnected ecosystem underscore just how difficult it will be to investigate causes of loss to establish liability. Assuming traditional insurance policies remain in play, each insurer’s attorneys will point fingers every which way, guaranteeing messy litigation culminating in unexpected losses for one or more companies.

“It’s doubtful insurers anticipated such outcomes when they calculated the premiums for their products,” O’Brien says. “Consequently, they could be exposing themselves to significant losses beyond what they had contemplated.”

Are insurers aware of the enormity of the threat? “There are pockets of insurers with innovation groups and strategy groups that are starting to think about this, but most industry leaders figure insurance has been around for hundreds of years and these things simply come and go,” says Anand Rao, a principal in PwC’s advisory practice. “They have no sense of urgency. They hear and read things about autonomous cars and connected devices but figure if losses arise, they won’t happen on their watch. They’re wrong, of course.”

Complacency certainly is not a solution. Not when a report by Deloitte identifies the insurance industry as one of several sectors that will be substantially changed by the transformative technological trends now under way and possibly displaced because of them.

“We expect the [Internet of Things] to have an impact on insurers beyond just car insurance, since monitoring devices are increasingly embedded in all sorts of machines, devices and properties or attached to people,” says Anthony Abbattista, a principal and leader of Deloitte Consulting’s insurance technology practice. “Even a piece of plywood today has a cheap sensor in it to monitor the ambient environment.”

Cheap sensors are a concern of security solutions provider Symantec.

“These devices are a lot more vulnerable than most people think,” says Brian Witten, Symantec’s senior director of Internet of Things Security. “There have been studies of home automation equipment where nine devices were analyzed to see how many contained security mistakes. All nine were vulnerable, and seven had multiple serious vulnerabilities—ways in which they could be easily hacked.”

That’s home automation. Cars are even scarier. “The majority of the cars on the road today have similar vulnerabilities,” Witten says. “None of them are immune, not one brand. The proliferation of the Internet of Things without security is reckless.” 

While the Internet of Things will bring a great deal of convenience to our lives and to our businesses, behind the scenes are unsettled questions as to where the ultimate liability will rest.
Robert Hartwig, president, Insurance Information Institute

This is not the time for the insurance industry to procrastinate, much less stick its head in the sand. Other industries, such as automobile manufacturing, are taking action. General Motors recently announced it would no longer take legal action against hackers as long as they pass on how they were able to hack into the company’s vehicles. This information would then assist GM to develop stronger security systems.

However, many experts are concerned that insurers will retreat from these exposures. “As we’ve seen in past, the industry has a tendency when new risks rear to simply exclude them in their policies instead of trying to understand what these threats are to make products that address them,” Nornes says. “The opportunities for the industry are there for the taking.”

He says the industry must “advance into this uncharted territory,” leading the development of new products before technology behemoths like Google, Amazon and Apple do it first. “Insurers make 34% of premium income from automobile insurance alone,” Nornes says. “That’s a massive chunk of premium that will continue to decline as semiautonomous crash-avoidance systems make cars safer.”

The Opportunity Lies in the Risk

Just as technology subtracts from insurers’ bottom lines, so, too, can technology add to it. “Industries incorporating these connected technologies need risk-management expertise and risk-transfer solutions,” Rao says. “For brokers, this is a great way to create value-added services and new lines of business. Rather than insurance being a reactive product where something happens and you write a check, it can become more predictive and proactive.”

By partnering with industries and companies to acquire the data produced by their Internet-enabled systems, insurance brokers and carriers can analyze this intelligence to reduce the probability of loss, counseling needed interventions. Risk-transfer products can be priced in part on this exchange of data and consultative advice.

Rao cites the example of a manufacturing facility at which the machinery sends performance criteria to the control room. “By monitoring this data in real time, the insurer can locate potential trouble spots, intervening to bypass the problem,” he says. “What might have ordinarily ended up as a machine that would be down for a long period of time, causing significant business interruption losses, is avoided.”

Similar partnerships can be arranged with manufacturers of all sorts of products, as well as utilities, transportation networks and technology providers—pretty much every industry vertical. “The same technologies creating all these new risks and legal uncertainties can be leveraged by the insurance industry to manage the threats,” Rao says.

Some of this is already occurring. Abbattista cites telematics the industry has embedded in cars to collect data on driving behaviors. “Several carriers are becoming pretty advanced with telematics in their usage-based insurance strategies, aggregating and analyzing the data that’s collected from these monitoring devices,” he says. “The insights have guided them to revamp their underwriting and pricing to provide discounts.” He says these same actions can be taken with regard to the Internet of Things. “If the industry doesn’t do it,” Abbattista says, “the door is open to external competitors that will.”

Rao is convinced that, without such timely action, the insurance industry will confront significant loss of market share. “This is not a joke—insurance is very high on the list of industries subject to disruption, higher than banks,” he says. “We’ve seen the remains of other industries that failed to recognize a competitive threat from outside—makers of cameras and video equipment, record stores, travel agents, taxis and now hotels. The industry has a little time left to seize the opportunity before it.”

Bold Actions Now

Some in the industry are beginning to rethink long-entrenched practices. In October 2015, AIG broke with tradition and appointed a new chief underwriting officer, Madhu Tadikonda, who hailed not from the ranks of traditional underwriters but from the more rarefied world of science. He had previously served as the insurer’s chief science officer. And Swiss Re just announced a partnership with IBM Watson to develop more advanced cognitive computing solutions assisting underwriting.

Some carriers may follow the leads of these innovative insurers, starting with recruiting people with technology skills and putting them into leadership positions. “From a human capital standpoint, the people in the insurance industry today aren’t the same people we will need tomorrow—quants and other scientists, as opposed to old-fashioned underwriters,” Nornes says.

Other carriers, such as The Hartford, Transamerica, Axa, XL Group and American Family, are embracing innovation by forming their own venture capital funds. By and large, the venture capital funds are directed to invest in start-up technology companies that are creating or have developed products that can assist carriers to do things they currently cannot.

For example, American Family Ventures, the venture capital fund formed by American Family, has invested in ImageVision, which uses visual analytics to help companies monetize image and video content. Another investment was made in SNUPI Technologies, a sensor and services company focused on home safety and security.

For brokers, this is a great way to create value-added services and new lines of business.
Anand Rao, principal, PwC

Solutions also may arise outside the insurance industry. Symantec’s Witten points out that sensor security, while low on the totem pole of today, is sure to improve, given the low cost this would require. He provided the example of a sensor embedded in a concrete bridge to measure vibration. “For dimes, you can build security into the sensor chip the physical width of a human hair that runs on power harvested by the actual vibration it is measuring,” he says. “When you can do this so cheaply, there is no reason why it shouldn’t be done.”

Insurers can assist this development by lowering their premiums on products that can provide the highest levels of security. This is not the case today. “If a house has five doors, just putting a lock on one of the doors won’t keep out a thief,” Witten says. “All five doors need to be locked. With sensors, all nine vulnerabilities must be strengthened.”

As these examples indicate, the industry appears to be awakening to the opportunities of the interconnected ecosystem. Insurers seem ready to tackle complex causes of loss in this new world to create solutions that transfer these threats, continuing to grease the wheels of commerce and put a few pennies into their coffers. “I must say that I feel this swelling interest, particularly among my younger colleagues, in reimaging the services and solutions the industry provides,” Nornes says. “That gives me hope for tomorrow.” 

More in P&C

Weathering Cyber Storms
P&C Weathering Cyber Storms
Q&A with Joshua Motta, CEO and Co-Founder, Coalition
P&C Certified Cybersecurity
HITRUST certification can give small to medium-sized businesses peace of mind th...
Changing Weather Patterns Demand New Property Insurance Solutions
P&C Changing Weather Patterns Demand New Property Insurance Solutions
Q&A with Don Doyle Jr., Senior Vice President, Excess & Surplus Lines, and Dawn ...
Sponsored By Cincinnati Insurance
Wind vs. Water
P&C Wind vs. Water
The National Flood Insurance Program has lasted far longer than intended. Withou...
Balancing Costs and Coverage
P&C Balancing Costs and Coverage
As premises liability claims costs rise, the industry must f...
Sponsored By Nationwide
Saving Lives
P&C Saving Lives
Strong prevention components to active shooter policies can ...