Efforts to tame the Wild West of IoT to take hold.
The Wild West of IoT will see an increase in regulation and self-regulation in 2020, with the rollout of measures to improve the security of connected devices. Insurers should watch this space, as these changes will help define – and hopefully mitigate – the risks related to IoT.
Two US states have enacted IoT-specific cybersecurity laws that will come into effect on January 1 2020: California (SB 327), which enacted the first law of this kind, and Oregon (HB 2395). Both laws require manufacturers who manufacture connected devices in these states, or sell or offer to sell them (regardless of where they are manufactured) to equip their connected devices with "reasonable security features" to protect the devices and information stored on them from access, destruction, modification, use or disclosure that is not authorized by the consumer. Other US states are contemplating similar laws. Given the breadth of these markets, manufacturers around the world should take heed.
On the other side of the pond, in May 2019, the UK government announced that it would introduce new laws for Internet-connected devices, including a potential labelling scheme for consumer IoT products to aid consumer-purchasing decisions and to facilitate consumer trust in manufacturers that adhere to certain guidelines. As the UK government has been otherwise occupied of late, we await follow-up in 2020.
In the meantime, we expect to see growth in self-regulation by the IoT industry as a means to fend off further regulation and to build customer trust. As more companies publicly join such initiatives, the pressure for laggards to join will grow. The question is whether and how self-regulating companies will show customers that they are implementing the required measures and if customers will reward them by making purchasing decisions accordingly.