The Internet of Things is blazing trails like nothing before. But as data privacy and safety concerns set in, regulation is hot on its heels. Our industry must be up to speed with this fast-moving new world.

Your business has been redesigned to incorporate ‘smart’ devices that constantly monitor the operations of the business. One device, a thermostat, collects data and sends it to the device’s company, including your premises’ temperature. One day, a fire occurs and the thermostat registers a dramatic spike in temperature. The thermostat is not designed to work as a smoke detector and the manufacturer claims it has no obligation to inform you of danger. However, just because it doesn’t have to, does that mean it shouldn’t? Herein lies one of the most serious risks clouding this tech revolution.


The Internet of Things (IoT) is a data-driven revolution that could rid us of many of the inefficiencies and unsafe practices of modern business and domestic life. The transformation deals with the steady but inexorable rise of connected and sensorised objects in our home – in short, the online digitisation of our physical world.


According to industry analysts, there are 10–20 billion things connected to the internet today. This ecosystem of connected objects forms the foundation of IoT. And yet, we’re only in the very earliest stages. The number of connected objects today pales in comparison to how many will be connected in just five years.

Estimates vary, but the range of connected objects by 2020 will be 40–50 billion, and includes everything from cups and pens to homes, cars and industrial equipment.

Combined with other technological developments such as cloud computing, smart grids, nanotechnology and robotics, the world of IoT we are about to enter represents a giant stride towards an economy of greater efficiency, productivity, safety and profits.

Autonomous objects can constantly acquire, analyse and transmit reams of data captured from their surroundings. In turn, economies, cities, businesses and people will respond to this flow of information – opening an unprecedented array of opportunities, and challenges, for risk managers.


AIG Asia’s head of financial lines, David Ho, explains why risk managers globally need to get up to speed on this issue quickly. “Data privacy and use has come squarely into focus with the implementation of GDPR.

Many IoT devices may collect, store and use personal data such as auto telematics, smart speakers, health biometric data, among others. Producers of IoT devices, and the software they run on, need to ensure that they meet the regulatory requirements to avoid costly fines and penalties.”

“In the US, California is leading the charge on the regulatory provisions for collection and use of personal data. The California Consumer Privacy Act was signed into law in June 2018 and companies will need to meet the requirements by January 1, 2020. Further, California passed SB 327, which is specific to the collection and use of data from IoT devices.”

“Risks can extend beyond data privacy. Failure of IoT devices may cause property and bodily injury risks. The very concept of securing a facility or business, with respect to the protection of people and property, now has a cyber security component because of the proliferation of IoT devices and equipment.”


The IoT is giving rise to pervasive digital networks within the physical space - the networked lifeblood of the ‘smart city’. Not just a network of municipal services, such as electricity and water, truly ‘smart’ cities combine elements from all urban stakeholders, including citizens, government and businesses. A broad spectrum of implementation models is emerging in different parts of the world.

In South America, Asia and Europe, all levels of government are identifying the potential benefits of building smart cities, and are working to unlock significant investment in that area. Rio de Janeiro is building capacity at its Smart Operations centre; Singapore is about to embark on an ambitious Smart Nation effort; the EU’s Horizon 2020 program has earmarked €15 billion in 2014-2016 – a significant commitment of resources to the concept of smart cities, especially at a time of fiscal constraints.

While China is the biggest player in the IoT market, the entire Asia-Pacific region stands to gain greatly from recent IoT technology. The research firm IDC estimates that the IoT market size in Asia-Pacific, excluding Japan, will grow from $250 billion in 2013 to $583 billion in 2020. Meanwhile, the number of things connected to the internet in the Asia-Pacific market will grow from 2.59 billion in 2013 to 8.98 billion in 2020.


The insurance industry’s response to any emerging challenge is key to how businesses can optimise and manage this risk to their advantage, or disadvantage.

Ho says: “IoT provides valuable data that can be used to more effectively assess and price risk. An example that is quite dated now is the use of telematics in personal auto. We expect that more ‘telematic-like’ applications will emerge in other sectors – for example, heavy industry and manufacturing– to provide insureds and insurers with ‘real-time’ data on risk levels.

“For the insured, the value of the data lies in improving safety and thus reducing accidents and

the cost of risk. For the insurer, the value lies in more customised and accurate pricing that relies on hard data rather than more qualitative reports. Data collection through IoT should eventually provide a more effective underwriting process than heavy reliance on human- answered questions with limited data collection.”

One area of concern Ho notes that requires more significant adaptation is cyber security of IoT used in critical infrastructure. “Increasingly, sensors are used in sectors that provide critical and life-impacting services, such as power and energy, aviation, transportation and medical equipment. As such, insurers are faced with assessing the potential risk shifts from introducing connected technology and adjusting policy pricing, terms and conditions, and underwriting.”

“AIG’s strategy to move to affirmative cyber coverage in all products was in part related to the proliferation of connected devices and the potential for failure in such devices to result in physical and non-physical damage.”