When the U.S. Department of Homeland Security, the National Highway Traffic Safety Administration, and the Food and Drug Administration each have issued guidance on the risks to health, safety, and productivity associated with unsecured devices on the so-called Internet of Things (“IoT”), we can reasonably assume that these risks are substantial and of meaningful duration. By one estimate, approximately 23 billion “things” are now part of the IoT. That number may climb to 50 billion things by 2020. Global spending on IoT devices and services was $656 billion in 2014. It is estimated to rise to a whopping $1.7 trillion in 2020. The IoT is not a fad. It is our future. Here, as in most other areas in life, benefits are joined at the hip with risks.
In lay terms, the “IoT” refers to devices that are able to process information through software and computer servers to autonomously connect with and to monitor and control the operations of other devices. The devices currently in the IoT include a host of consumer and healthcare products — window shades, light switches, speed governors on vehicles, CCTV cameras, fitness trackers, pacemakers — and industrial control systems that monitor and operate industrial processes in manufacturing plants, electric generating power plants, and the electrical grid.
The benefits of the IoT will be enormous. These will include greater efficiency, increased productivity, and less waste in the creation and use of products and services, and in the creation of products, services, and capabilities that were the stuff of science fiction just a few decades ago: remotely monitoring and controlling an industrial motor to increase energy efficiency and reduce maintenance, turning on your home lights from your desk at work, remotely monitoring patients with chronic diseases so that visits to the doctor’s office are reduced, and countless other capabilities.
The benefits of the IoT; however, come with cyber risks. In October of this year, a cyber attack launched through hundreds of thousands of routine, internet-connected devices such as CCTV cameras, digital video recorders, printers, and routers shut down several large consumer websites. It may be just a matter of time before cyber attacks mounted through the IoT shut down or wreak havoc on industrial manufacturing processes, power plants, the electrical grid, medical devices (e.g., pacemakers, dialysis machines), and consumer products. Industry insiders predict that with millions of unsecured devices throughout the world that can be hacked and synchronized to mount future distributed denial of service attacks, the risks are going to get worse before they get better.
The Department of Homeland Security has described the risks as including “malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations, slowdown of internet functionality through large-scale distributed denial-of-service attacks, and potential disruptions to critical infrastructure.”
A corporation may be victimized in an IoT-facilitated attack either because its products were a conduit used in the attack or because it is a target of the attack. When a corporation’s products have facilitated a cyber attack, it may find itself facing claims asserted by the victims of the attacks. These claims may seek damages for property damage, bodily injury, business interruption or other forms of economic loss, and data theft. When a corporation is a victim of a cyber attack, it may suffer similar losses.
Faced with these substantial and growing exposures, corporate policyholders will look to their insurance coverage for protection. Cyber insurance is all the rage. But how much coverage would a cyber policy provide to a corporate-insured whose IoT products are highjacked and used in a cyber attack or who is an unfortunate victim of an attack the goal of which is the disruption or destruction of the insured’s property or cyber capabilities?
Consider, first, liability exposures. Many cyber policies contain exclusions for third-party claims and damages for (a) physical injury to tangible property, (b) bodily injury, and (c) product recalls, including damage to property containing an allegedly defective product. These sorts of liability exposures, however, may be precisely the types of losses caused by a cyber attack made through the IoT.
Consider, for example, an attack on a critical piece of infrastructure, such as a dam or electric grid, that is conducted through IoT devices. If the attacker also obtains operational control of the dam or grid, the resulting property damage and personal injuries could be enormous. The potential defendants in the resulting class actions could well include: the owner of the infrastructure, the operator, the manufacturers of the devices through which the attack was made, developers of the control system software, developers of the security software providing firewalls and malware protection, and any other designer of those devices. Multiple defendants translates to expensive litigation. (Expensive investigations by regulators are also likely to follow in many industries.) When these defendant-insureds turn to their cyber policies for defense and indemnity coverage, they may well hear from their insurers that the alleged bodily injury and property damage liabilities are excluded based on coverage-defeating interpretations of policy language not drafted with these issues in mind. The insurer’s views on coverage are hardly dispositive, however, and the policyholder may need to initiate a coverage action to obtain coverage.
Even if an insured does not face third-party liability as a result of a cyber attack, it may still find that its own computer systems, related hardware (routers, air conditioning systems), and other tangible property (such as the dam, electric generators, related buildings, or the electric grid) have been damaged or rendered inoperable by a cyber attack. Will the policyholder’s cyber coverage respond?
Exclusions for certain losses arising out of bodily injury and property damage (other than electronic data) are also not uncommon in first-party cyber policies. When a corporate-insured’s computers and its other tangible property are damaged by a cyber attack, it may find its insurer pointing to these exclusions (with or without reasonable justification) to deny coverage. Similarly, if a healthcare provider has treated or is treating a patient with a network-connected medical device (e.g., a dialysis machine) that is hacked, leading to the death of a patient, the provider’s cyber insurer may attempt to rely on such exclusions to deny coverage. Again, obtaining coverage from a recalcitrant insurer may require expensive litigation.
Cyber insurance is an important tool for corporate-insureds to manage and reduce cyber risks to vital corporate assets. Yet even Lloyd’s of London has noted the uncertainty and ambiguity in the scope of coverage for cyber attacks. Apparent limitations on cyber coverage often can be addressed by negotiation with the insurer in the placement process or by existing coverage under other lines of insurance (e.g., the policyholder’s general liability, first-party property, and specialty lines coverages), but only if the policyholder or its representatives are attuned to the risks and the nuances in policy language. In addition, some insurers are now marketing cyber policies that more clearly afford coverage for bodily injury and property damage claims and losses. When such coverages are available, the insured will want to carefully consider the adequacy of the limits or sublimits of such coverages relative to its exposure and how the policy’s self-insurance features (deductibles, self-insured retentions) may operate in various loss scenarios.
In our increasingly interconnected cyber future, prudent policyholders would do well to understand and assess how each of the policies in their insurance program addresses the growing risks represented by the IoT.