In a world undergoing digital transformation, everything is connecting. In February of this year, Gartner forecast that 8.4 billion connected IoT devices would be in use worldwide in 2017, and that the number would reach 20.4 billion by 2020. To say there are ample business opportunities – and some new risks – would both be colossal understatements.
As companies start on their IoT journey, or look to define their next step, it is not uncommon for them to face organizational issues with regards to team membership and structure, as well as challenges with setting and prioritizing goals. Depending on what type of company it is, and where they are in their IoT maturity, their goals can range from internal process efficiency/optimization to revenue generation to customer engagement, just to name a few.
Broadly speaking, we can put IoT projects into two buckets: ones that are designed to benefit the business, and ones that are designed to benefit the customer. It’s pretty easy to imagine cross-functional IoT teams having some challenges reaching consensus on IoT project goal setting and priorities – the chief operating officer and the VP of customer success are two that might not naturally see eye to eye. However, if the initiative stands to benefit both internal operations AND the customer, that win/win can be the ultimate uniting factor. And one market where that win/win is very apparent is the insurance industry. Across auto, home, health and life insurance, connected devices – and most importantly, the data they collect – have great potential to revolutionize everything from risk assessment and claims processing to the delivery of tailored policies that improve customer satisfaction.
IoT for Insurance
IoT devices have already begun to make their mark on the insurance industry. Take auto insurance, for example. Many companies now offer tailored policies including usage-based insurance, which allows customers to pay based on the miles they drive – a very cost effective option for those who do not drive frequently. More auto insurers also now offer discounts for safe drivers via a device attached to the car’s OBD-II port, which records driving habits that the insurer can use to calculate safe driving discounts (if appropriate). In an era where competition is fierce and customers are often happy to dump their insurance company for a better deal, IoT devices like this give the insurer the data to offer a personalized policy and hence improve customer retention.
When it comes to home insurance, we’re all familiar with standard discounts for having things like smoke detectors and alarms installed. However, as we move into an era where internet-connected cameras, door locks, leak sensors and more offer a stronger home security profile from a detection perspective, homeowners will expect similar types of discounts, and insurers will need to evaluate risk and be able to set rates based on these new data points.
As for the health and life insurance industries, data from wearables stands to reinvent the insurer’s ability to track an individual’s activities and assess his or her overall health. This access to additional data points can potentially lead to rate reduction for the insured individual, as long as he or she is willing to share this personal information. Clearly, this is an area where different individuals will draw the line at different places regarding what they are willing to share, and what they would consider a violation of privacy.
The Critical Role of Security and Trust
The IoT is already bringing significant impact to the insurance industry. However, as businesses and individuals alike begin to enjoy the benefits, they also must recognize and account for the vulnerabilities that are introduced.
As we’ve seen many times, connected devices that were not designed with security in mind are easy targets – everything from children’s toys like CloudPets to the video cameras and DVRs that were used to launch a massive distributed denial of service (DDoS) attack in late 2016, which took major internet sites such as Netflix, Spotify, Twitter and Amazon offline and disrupted internet users for hours. Until something changes, we’ll see more of the same.
And lack of security by design for devices that are the source of IoT data leads to another critical point. If you can’t trust the data, there’s no point collecting it, analyzing it or making business decisions based on it. And that’s ultimately what the IoT is all about. The concept of trust for IoT data requires proper levels of security for data – based on risk – from the time it is collected/created and then everywhere it goes (in transit and at rest) throughout the IoT ecosystem.
Security Recommendations for Insurers
As we’ve repeatedly seen, today’s IoT devices can be laden with security problems – default administrative passwords that users aren’t required to change, firmware with unaddressed vulnerabilities, and the inability to securely update that firmware, just to name a few. The opportunity to introduce malicious code via a software update process that does not ensure the authenticity and integrity of that update using technology like code signing has often been exploited, and will continue to be until this basic weakness is addressed.
Since trust starts at the device, organizations would be wise to leverage proven technology to be able to uniquely identify IoT devices, ensure that they have a process in place to securely receive firmware updates and security patches, and protect sensitive on-board data. The answers to the first two lie in leveraging public key infrastructure (PKI) technology, to issue “digital birth certificates” to devices so they can be positively identified, as well as utilizing digital signatures to ensure that the authenticity and integrity of firmware updates can be cryptographically verified, preventing potential introduction of malware. Finally, PKI technology can be used to generate session keys to protect data as it is transmitted from the device to a point of collection such as an IoT gateway, or simply to derive keys to encrypt local data at rest. These capabilities, coupled with associated policy management and control capabilities, provide a foundational layer of security and trust for any IoT deployment.
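The firmware-update check described above, as an added example that is not from the original article or from any vendor's product: a device verifies a digital signature over the image before installing it. It assumes an Ed25519 vendor key pinned on the device rather than a full certificate chain; the Update layout, the Sign and Verify names, and the version check that refuses older releases are illustrative additions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a hypothetical update package: version, image, detached signature.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte // Ed25519 over signedBytes(Version, Image)
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// signedBytes binds the version to the image digest, so a genuinely signed
// old image cannot be relabelled with a higher version number.
func signedBytes(version uint32, image []byte) []byte {
	d := sha256.Sum256(image)
	msg := []byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}
	return append(msg, d[:]...)
}

// Sign is the vendor-side step, run where the private key is held.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, signedBytes(version, image))
	return Update{Version: version, Image: image, Signature: sig}
}

// Verify is the device-side check, run before anything is written to flash.
func Verify(pinned ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pinned, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature // covers modified image, version or signature
	}
	if u.Version <= installed {
		return ErrRollback // authentic, but would reinstall an older release
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	u := Sign(priv, 7, []byte("constructed firmware image v7"))
	fmt.Println("genuine:", Verify(pub, 6, u))
	u.Image[0] ^= 0xff // simulate modification in transit
	fmt.Println("modified:", Verify(pub, 6, u))
}
```

In a PKI deployment the pinned key would be replaced by a signing certificate validated against a trusted root stored on the device.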
How Much Security Is Enough?
Like everywhere else in the world of security, it’s ultimately risk that drives your choice of mechanisms and the level of security needed in a particular situation. Insurance companies will in most cases draw data from devices they do not control or own, and therefore will need to account for the certainty (or lack of certainty) they have in specific data based on what they know about its source. As an example, say an insurer settling an accident claim is seeking to correlate weather data, traffic camera video, and data drawn directly from the involved cars. Weather data is obviously not sensitive or private; however, the insurer needs authentic weather data from the precise date and time of the accident. Since the insurer does not own the weather sensor and may not be able to guarantee the authenticity of this data, that information needs to be taken into account as the claim is settled. The same holds true for the camera video and the car data – authenticity is a critical consideration.
The potential for sustained and increased value of the IoT to the insurance industry is unquestioned. Personalized policies, better risk assessment and faster claims resolution are just a few of the many benefits. But for them to be fully realized, a foundation of security and trust is needed and must get the attention that it deserves sooner rather than later.