Analysis: Home, sweet connected home

With Christmas approaching, connected devices probably top many wish lists. Voice-controlled gadgets can play music, provide information, place online orders and connect to other smart objects, thus building a somewhat automated home. The Amazon Echo speaker, powered by the Alexa voice service, is one of many examples.

McKinsey & Company predicts every home in the US will be connected by 2026. Connected devices with the highest market penetration deal with security and safety (smoke and leak detectors, remote video). These are followed by facilities management (thermostat, lighting); wellness monitoring; appliances; and entertainment.

The idea behind the Internet of Things is often to make everyday life easier, with your fridge telling you when to buy milk, or even ordering it itself. But what if your smart devices get hacked? After all, they are connected to the internet. Criminals could gain entry to your home networks and steal your personal data or actually gain physical access to your house.

Ethar Alali, CEO of Axelisys, an innovation engineering firm catering to the insurance sector, says that a lot of smart devices have been distributed without first being made secure. “As is often the case with new technology, many of the products were sold to a market before they were necessarily security-ready,” he says.

“We have a seen a number of issues related to hacked devices, in part due to customer apathy. For example, leaving default passwords on devices or maintaining otherwise open wifi networks, allowing access to the devices and exposing any such vulnerabilities to the world for hackers to exploit.

“We’ve seen high-definition internal cameras allowing hackers access right into people’s homes, where they can harvest card details and other information from anyone leaving their bank cards or statements lying around. Connected devices include cars and bluetooth devices, which can be exploited in extremely simple ways, allowing car thieves with the necessary knowhow to simply drive away with your car, despite never having touched or seen the key.”

Risks posed

As consumers become more connected, the risks of falling prey to attacks is increasing. However, some believe insurers are merely at the stage where they are pulling together knowledge on the risks posed and how they can insure for them.

Plum Underwriting recently embedded cyber cover into its high-net-worth home insurance policy as a way of protecting customers against malicious attacks.

Covéa also included cyber cover in a policy giving customers up to £100,000 of cover and access to expert advice, in the event of a breach. Sara Simmons, head of HNW at Covéa, says that cyber risks are rocketing because customers are more connected. Home insurers are becoming increasingly concerned about the possibility of property damage as a result of malicious attacks.

“As consumers become increasingly digitally connected, the chances of becoming a victim of some kind of cyber attack increases dramatically,” she says.

“The great fear for home insurers is the prospect of hackers accessing sophisticated home networks to either access or damage property or, even worse, the clients themselves. In attaching basic conditions to cyber cover, the fundamentals of cyber security will become as second nature and intuitive as locking your front door or keeping batteries in your smoke alarm.”

Sophisticated hacking of connected devices brings a range of possibilities for damage. Hackers might switch on smart kettles, toasters and tumble dryers in order to overheat them, which could lead to a fire. Criminals could also hack into CCTV cameras and monitor when homeowners aren’t in their property.

“A compromised device can be the breach point to allow access to the whole network,” warns Mark Hawksworth, global technology specialist practice group leader at Cunningham Lindsey. “For example, in July, hackers used a connected fish tank as a platform within a casino network to scan for vulnerabilities.

“Devices such as connected hubs, fridges, printers or thermostats could be used in a similar capacity to access domestic network devices to steal data or personal information. Connected home insurance is already being offered by companies such as Neos and cyber policies are already being written for the general public, but currently they tend to focus on their online exposures and not the risk posed by connected devices.”

How hackable a smart device is depends on the software that’s installed in it – some editions are older than others, leaving the device more vulnerable. But owners aren’t usually made aware of software vulnerabilities by the manufacturer. When setting up their smart device, it is common for users to not change the initial password, leaving a window of opportunity for hackers.

Alex Haynes, information security manager at CDL, says: “There is currently no quality seal for a secure connected device, so a lot of it is down to research. There are a few things an end user can do. The key one is to change the default password if the device has one and also to update the device regularly.

“Manufacturers should ensure the device is hardened at every possible level, from providing encryption on data in transit, to having a simple, easy to use interface for the end user.

“The device should not have a default password and should generate one at random when it is first connected, as many users don’t change initial passwords. This is one of the most common problems of the Internet of Things and is critical to the protection of the overall device.”

No standards on devices

As it stands, there is no standard for the safety and security of connected devices, which means that they are being distributed without their resilience to attacks being guaranteed.

James Tucker, manager of smart technologies at Allianz, says this lack of standard among manufacturers of smart devices is leading to questionable cyber security.

“There are a lot of issues around security of IoT devices. The cause of this is the lack of standardisation and regulation of device manufacturers,” he says.

“Because there is no mandated security standard, there are a lot of items in the market that, from a cyber security perspective, are below par in the way that they have been made. Some vendors will not have the ability to update vulnerable devices so that they are secure, so you then are left with perpetually vulnerable devices.

“There needs to be pressure on the government to make sure that manufacturers are properly regulated. This probably will happen, but it will take a while before we get there. The more people use these devices, the more at risk they will be but as standards improve, hopefully these risks will begin to diminish.”

While connected devices pose significant threats to customers and are a source of concern for insurers, they can also help predict risk and stop damage before it occurs. Some insurers are offering discounted policies to customers who have smart devices installed in their homes.

“Connected devices, such as leak detection sensors, security cameras or smoke detectors, offer significant benefits in terms of risk prevention and, therefore, mean potential for reduced insurance premiums,” Haynes says.

“A number of new entrants to the market are recognising this by giving discounts where policyholders have installed these items. While some connected devices offer potential to anticipate accidents before they happen and, therefore, reduce claims, insurers also need to be mindful that individuals could potentially access these devices for malicious purposes.”

Kurt Rowe, associate at Weightmans, says that the large uptake in IoT will benefit household underwriters.

“The IoT makes it easier than ever for insurers to accurately calculate risk profiles for home insurance customers,” says Rowe.

“This is particularly true for devices such as smart meters, which build up a picture of how much time customers spend in their home. Over time, this increased accuracy should make insurance premium pricing more transparent. As a result, while some households may see a welcome drop in their home insurance premiums, others with a higher-risk profile may see an increase.”

Wising up

With cyber vulnerabilities and risks emerging, large insurers are beginning to draft cyber policies that target retail customers. Insurers are becoming wise to the ways in which consumers will need protecting as they use these devices more frequently in their homes – and the risks could bring with them some commercial opportunities.

Julian Miller, partner at DAC Beachcroft, says there is a gap in the cyber insurance market that insurers are eager to penetrate.

“The cyber insurance market has developed over the last couple of years and insurers are only just thinking of how it can be offered commercially,” says Miller.

“We will start to see more cover emerging because insurers have been investing heavily in the area. There has been some movement in the drafting of cyber products that target retail customers. There’s definitely a gap in the market that insurers are wishing to fill. There are two ways the exposures can be insured, either through standalone policies or through extending home and contents to protect against cyber attacks.”

Miller predicts start-ups will be quicker than incumbent insurers to seize these opportunities.

“Start-ups will begin to seize this space because they can move quickly and are alive to the risks posed by evolving technology,” says Miller.

“But we shouldn’t disregard traditional insurers, they are conscious of the opportunities in this space and are investing heavily to create products. Protecting customers against IoT hacks is a highly fluid space and it’s changing rapidly. We won’t see a widespread distribution of policies in the next few months, but it will happen in a matter of years.”

These policies are currently being drafted and the space, from an insurance perspective, is still in its infancy, so it is uncertain what IoT claims will look like.

“As this space becomes more popular, there will be discussion surrounding who is responsible in the event of something going wrong with a device or it being hacked,” says Matthew Rogers, partner at Keoghs.

“As things become more connected, the insurance market will mature and there will be clarity over how claims will be pursued. Claims could be brought against the device manufacturer or the broadband provider. It’s a new area, therefore, it is difficult to see how it will develop.”

The IoT is proving to be a tricky beast to tackle. Insurers are presented with commercial opportunities as the demand for cover increases, as well as benefiting from a bolstered accuracy of risk profiling. But there is uncertainty regarding who will be at fault in the event of a cyber hack. While insurers will be there to insure the risks brought about by connected devices, manufacturers could be forced to set a standard so that these risks are mitigated.