The Internet of Things will provide 50 billion new opportunities for interdependent devices to malfunction. The recent Marai botnet attack demonstrated that the Internet of Things is already capable of creating widespread interruptions in the Internet and the activities that depend on it.
Realizing the promise and positive benefits of the IoT will require not only technical innovation, but changes in how regulation, business, security, and risk in the system are handled. The current IoT ecosystem suffers from flaws that include vulnerability to cyberattack, technical system failures, and the problem of free riders who depend upon security and other safeguards in the network to compensate for their own insecure devices, protocols, and software. Cyberattacks and failures undermine confidence in the IoT and serve as a reminder that regardless of how much IoT security is improved, there will always be vulnerabilities and exploits. Networked failures can have significant socioeconomic consequences.
This paper proposes an insurance system for the Internet of Things. The intent is to address technical and market failures in the IoT ecosystem, propose a method of distributing risk more equitably, and examine ways to fund necessary responses to large scale incidents. Making insurance mandatory, or at least available and desirable, would promote security audits and formal internal procedures for the insured, leading to improved security, prevention, incident response, and recovery planning in the IoT ecosystem. An insurance model has not been widely adopted in the traditional Internet, but the increasing number and reach of IoT devices increases the risk and consequences of a network failure, and suggests the need for a risk management solution.
This paper applies the concept of insurance as an accepted method of risk management to the Internet of Things ecosystem. We take a constructivist approach to creating a new insurance business model framework, and a policy planning approach to creating policy and regulatory guidelines for IoT insurance. The proposed insurance business models would permit insurance to be offered by interested companies beyond traditional insurers, such as Internet service providers, telephone companies, cloud providers, or others with experience in assessing and managing security technology. Necessary regulation includes constructing a better defined liability framework to avoid the current "shell game" of responsibility. Also, disclosure requirements for companies that know of vulnerabilities or experience security incidents to assist in building actuarial data that would help insurance companies determine the actual risks, appropriate insurance products, and pricing structure. Regulation would also streamline the legal and procedural difficulties that currently exist when trying to make a claim, and assist in defining the rights and roles of insurers and claimants. Regulation would help establish what is currently an immature market, and could encourage standardization in products and procedures.
A regulatory framework for an IoT insurance system would help align the objectives of device manufacturers, network operators, services, and end users. With a proper insurance framework for the IoT, market solutions could develop that foster greater security, trust, and confidence in the IoT ecosystem.
