Considering insurance to manage IoT-driven catastrophic cyber-risk
Traditional insurance policies covering catastrophic IoT-driven cyber-risks are inadequate. Here's what needs to change

The rapidly evolving era of IoT-driven smart cities and societies has ushered in the realistic possibility of society incurring a non-traditional catastrophic cyber-loss worth billions of dollars from a single cyberattack. Here, "catastrophic loss" refers to a monetary loss that is extremely severe for the victim and arises from a surprisingly low-likelihood adverse event (analogous, for example, to an earthquake). As an example, a cyber-attack on Internet-connected home IoT devices such as air conditioners, refrigerators, ovens, and room heaters can:
One might argue that cyber-insurance is a standard cyber-risk management mechanism for handling cyber-loss incidents resulting in catastrophic societal financial consequences. Consequently, we should delve into:
Traditional insurance policies (usually with exclusions and deductibles) broadly span two types: (i) policies covering loss or liability arising from tangible property damage and business disruption, and (ii) policies covering liability or third-party cyber-risk.
In the past decade, property and business disruption policies have been underwritten to consider cyber as an additional source of damage, but they do not explicitly account for correlated cyber-risk sources. This ambiguity has led courts to dismiss lawsuits demanding cyber-loss coverage for correlated cyber-risk, let alone for catastrophic cyber-risk that is correlated. Examples of such lawsuits in the IoT space include (but are not limited to):
Moreover, to complicate matters for the insured, the legal language of underwritten policies is often framed to restrict coverage to non-intentional/accidental cyber-attacks and/or to non-portable IoT devices, and to require additional proof that the claimed damage and business interruption were caused by cyber-elements not excluded by the policy language. Hence, current traditional insurance policies with appended cyber-coverage are of limited value in covering IoT-driven catastrophic cyber-risk losses.
The landscape for traditional insurance covering catastrophic IoT-driven cyber-risk on liability or third-party grounds is not much brighter. There are numerous classes of policyholders in the IoT space with potential liability coverage claims: device manufacturers subject to a cyber-attack, hardware and firmware manufacturers, and providers of cyber-vulnerable software. The commercial general liability (CGL) insurance policies bought by these policyholders should ideally cover the liability losses in question. However, as the status quo stands, courts have transferred liability to device and software manufacturers to protect their clients from the adverse effects of cyber-attacked products, thereby placing less burden on cyber-insurers to cover liability losses, let alone catastrophic cyber-losses. In addition, many policy contracts contain provisions limiting the liability for catastrophic damages related to IoT products to amounts far below a victim organisation's actual multi-party cyber-risk exposure.
Stand-alone cyber-insurance markets cover:
Irrespective of whether cyber-insurance markets are stand-alone or otherwise, cyber-insurers find it challenging to underwrite policies covering correlated IoT-driven catastrophic cyber risk because:
The benefit of cyber reinsurance markets is that they insure the aggregate cyber risk that might wipe out cyber insurers' capital after a cyber catastrophe event. Their drawback is that they operate mostly through quota-share treaties, wherein cyber insurers cede only a specific fraction of their cyber risk to a reinsurer. This leads cyber insurers to adopt coverage limit management techniques, the drawback of which is reduced capital inflow.
Catastrophe bonds are purchased by investors such as hedge funds, who push capital into the cyber reinsurance market in return for periodic interest payments, on the condition that if a catastrophic event were to occur, the invested capital would go entirely toward reimbursing victims of the cyber-catastrophe who demand coverage from their cyber-insurers. The interest proceeds are then traded in the multi-trillion-dollar financial market. While the catastrophe bond market for cyber has arrived, it is still in its infancy; there is no doubt that such markets will scale if reinsurers adopt the excess-of-loss reinsurance model instead of the quota-share model. This is because cyber insurers can diversify excess loss through reinsurance, which would further diversify this risk in the financial market. However, unlike traditional catastrophe bond markets, where a (natural) catastrophe does not affect financial stability, a cyber-catastrophe can affect financial stability. Hence, bond-writing parties need more information to screen cyber-risk exposure and guarantee that it poses no threat to financial stability.
By Ranjan Pal (MIT Sloan School of Management) and Bodhibrata Nag (Indian Institute of Management Calcutta)
First Published: Mar 22, 2024, 10:39