P&C the December 2019 issue

Big Data, IoT Demand Cyber-Risk Focus

Systems are too connected and risks are too great to address cyber security in silos.
By Michael Elliott
Posted on November 21, 2019

Anyone with access to your refrigerator’s data could possibly access your credit card information, daily routine, work schedule and a host of other personal details. A refrigerator connected to your home network gives cyber criminals access to even more of your family’s private data.

These security threats may sound far-fetched or overblown. Far from it. In 2017, hackers used a smart thermometer in a casino’s fish tank, bypassing firewalls and security protections, to access patron data on the casino’s network. Earlier this year, the Food and Drug Administration issued a warning about a vulnerability in some insulin pumps that could allow hackers nearby to access the device and even initiate insulin doses.

The rise of the internet of things (IoT) and connected devices has created an entirely new category of cyber risk vulnerabilities. Organizations, in the race to capitalize on connected devices, automation and data analytics before competitors can, are opening themselves and customers up to increased vulnerabilities. As risk professionals, we cannot overlook or downplay the very real cyber risks that come with rapidly advancing technologies. It falls to us to emphasize these risks within our organizations and with clients and suppliers.

Only as Strong as the Weakest Link

While smart refrigerators and fish tanks do come with real cyber-security concerns, there are 21 billion IoT devices out there that are more likely and lucrative targets for business-focused hackers and attackers. The challenge for risk managers is that any cyber-security effort is only as strong as its weakest component. At the casino, it may be the fish tank in the lobby. At a major corporation, it may be a sensor at a supplier’s warehouse or a wearable device provided to a customer. Keeping track of all the internal connected devices and the data they contain is challenging enough, let alone keeping a handle on all customers, vendors, partners, and the accompanying security vulnerabilities.

Compounding the problem for insurance organizations is the real difficulty that persists in pricing and quantifying cyber risk. Cyber attacks have the potential to create catastrophic losses and are growing more common every day. Ponemon Institute reported in 2018 that the average cost of a cyber breach in the United States was $7.91 million. These costs are large and unpredictable, but there are evolving tools and approaches that can help mitigate cyber risks. Organizations must prioritize these risk prevention investments alongside new products and data sources.

Keeping Risk Virtual with Digital Twins

One fast-emerging area that can offer resilience is digital twins, virtual replicas of real-world devices and structures. The concept and technology date back to the Apollo space mission as a way to test and model complex systems in a digital environment. Software engineers, risk managers, and business development teams can use digital twins to review a network of connected devices and systems, run simulations of the vulnerabilities, and develop plans to respond to cyber attacks.

For example, a building software company may create a digital twin modeling a location’s fire, environmental, and security systems. It can test those systems for cyber-security threats and other vulnerabilities using the digital twin. This exact replica provides deep insights without interrupting the business or endangering occupants, employees or emergency responders.

Digital twin technology usually incorporates a powerful analytics tool based on recent advances in artificial intelligence, particularly machine learning. Almost two-thirds of organizations using IoT tech are in the process of establishing digital twin tools, according to Gartner. The tool is not without challenges, however. Data generated via digital twins can itself still be subject to privacy concerns and cyber attacks. What’s more, truly robust digital twin modeling typically requires transparent data across supply chains and partnerships. Many industries are still figuring out exactly how this data sharing will play out.

An Enterprise Approach

This past March, the United Kingdom’s Financial Conduct Authority issued a report on cyber security that states, “Incidents will occur. The ability to respond and recover from them should be a key part of a business’s risk management and operational resilience planning.” Organizations are increasingly taking an enterprise approach to cyber risk with a focus on loss prevention and organizational resilience. The rise of connected devices and large systems with many security touchpoints and third-party partners demands this approach. Deloitte sums up the new reality well in a “Perspectives” report on cyber risk and IoT: “An integrated risk philosophy is not optional.”

In the past, parts of an organization with more exposure to cyber threats could spend time and resources on security without considering the rest of the organization. Today, most organizations are quickly moving toward a world where systems are too connected and the risks are too great to address cyber security in silos. Risk professionals must provide an enterprise-wide perspective and the guidance and resources needed to reduce the risk of cyber losses and create more cyber-resilient organizations.

Big Data Reality Check

As more IoT devices come online and organizations find new ways to leverage the data collected from them, cyber threats offer a sobering reality of the risks that come with innovation. Across industries, we’ve let exciting new product offerings and IoT-enabled tools expand quickly without always managing the risks involved.

From a risk standpoint, organizations should balance their investments in cyber resilience and data security with the potential benefits from IoT devices. This approach may slow innovation somewhat, but it may save a company from crippling, catastrophic losses.

Michael Elliott is senior director of knowledge resources at The Institutes.
