Contents


    Executive Summary

    The Internet of Things (IoT) is a network of physical objects embedded with sensors, software, and connectivity capabilities that enable the collection and exchange of data over the internet. The IoT has connected the physical and digital worlds through advances in low-cost computing, cloud infrastructure, data analytics, and modern technologies. Together, these developments have enabled seamless communication among people, processes, and devices, allowing data to be collected, shared, and analyzed with minimal human intervention.

    IoT technologies are used across a broad range of industries, including transportation, manufacturing, healthcare, energy, agriculture, and critical infrastructure. Growth in IoT adoption has been driven by advances in artificial intelligence (AI), cloud computing, edge computing, and wireless connectivity, resulting in an estimated 20 to 25 billion active IoT devices worldwide and a projected 40 billion by 2034, according to Statistica.

    As IoT technologies further integrate into business operations and everyday life, they create opportunities and risks. Connected devices provide organizations with enhanced visibility into operations and improve automation, decision making, and overall efficiency. However, the growth of IoT has introduced cybersecurity, privacy, liability, and regulatory challenges. For the insurance and reinsurance industry, IoT is adapting traditional underwriting, risk management, and claims approaches while also creating obstacles from cyberattacks, device failures, and interconnected systems. As adoption continues to expand, organizations, insurers, and regulators face the ongoing challenge of balancing innovation with security and risk management.

    Background

    Internet of Things (IoT) refers to the interconnection of physical devices embedded with sensors, software, computing capabilities, and network connectivity that enable the collection, transmission, and exchange of data. IoT devices range from consumer products, such as smart thermostats and wearable devices, to industrial equipment, vehicles, medical devices, and critical infrastructure systems. IoT integrates physical objects with digital networks, allowing devices to monitor conditions, automate processes, and communicate data with minimal human intervention. While IoT devices operate within a broader connected ecosystem, individual devices or networks are not necessarily interconnected with one another. For example, one smart home system typically operates independently from another unless specifically integrated through a shared platform or service.

    Blockchain is a distributed digital ledger technology that records transactions across a network of participants. Rather than relying on a centralized intermediary, blockchain enables data to be validated and maintained through decentralized mechanisms. Transactions are grouped into blocks, which are cryptographically linked to preceding blocks, creating an immutable or highly tamper-resistant record. When combined with IoT, blockchain can enhance data integrity, device authentication, and traceability by creating verifiable records of device-generated transactions.

    IoT continues to expand as the number of connected devices and users increases. Recent growth has been driven by advances in 5G, edge computing, cloud infrastructure, AI, and machine learning. Increasingly, AI-enabled IoT (“AIoT”) systems can analyze data and make operational decisions in near real time, reducing latency and improving automation. According to IoT Analytics, the number of connected IoT devices reached approximately 18.8 billion in 2024, representing double-digit annual growth, and is projected to exceed 40 billion devices by the mid-2030s. Industrial IoT (IIoT), connected vehicles, smart buildings, healthcare applications, and energy infrastructure are among the fastest-growing segments.

    A functioning IoT ecosystem consists of four components. First, sensors or connected devices collect data from their environment. Second, communication networks transmit that data through wired or wireless connections. Third, cloud-based or edge-computing platforms process, analyze, and store data. Finally, user interfaces enable users and organizations to access data.

    Security and privacy risks remain among the most significant challenges associated with IoT deployment. As connected devices become more widespread, they expand the risk of cyber threats, including unauthorized access, ransomware, data breaches, and disruption of critical systems. The increasing integration of IoT devices into operational technology (OT) environments, healthcare systems, transportation networks, and critical infrastructure has heightened regulatory and cybersecurity concerns. Regulatory frameworks continue to evolve, often inconsistently across jurisdictions, creating compliance challenges relating to cybersecurity. Recent regulatory developments, including the European Union's Cyber Resilience Act, the NIS2 Directive, the Digital Operational Resilience Act (DORA), and emerging U.S. state-level IoT cybersecurity requirements, reflect a growing emphasis on cybersecurity management.

    Additional challenges include interoperability risks that create silos of data that are difficult to analyze due to different manufactures using different protocols and limiting “machine-to-machine" communication. IoT devices also create abundant amounts of data, risking data overload, and high costs.

    Injuries and Damages

    Cyberattacks are becoming increasingly common as IoT technology continues to be integrated into consumer products, vehicles, healthcare systems, and infrastructure.

    In 2016, Mirar botnet, a self-propagating malware that infects poorly secured IoT, comprised thousands of internet-connected devices, like cameras and routers. They exploited default passwords to launch denial-of-service attacks that disrupted major internet services and gained access to websites like Amazon, Netflix, PayPal, Redditt, and Twitter. In 2013, a Syrian Cyber Warfare group hacked into the Twitter account of the Associated Press and claimed that the White House was under attack. This led to a 1% decline in the US stock market, until the tweet was revealed to be a hoax.

    IoT incidents can also instigate injury, property damage, and product liability claims. In 2015, security researchers remotely accessed a Jeep Cherokee through its IoT systems and overtook its steering, braking, and accelerating functions. The event prompted the recall of over 1.4 million vehicles. Similarly, in 2018, an autonomous Uber vehicle struck and killed a pedestrian due to failures in the vehicle’s perception and safety features. Connected and autonomous vehicles rely on an ecosystem of IoT sensors, cameras, radar, lidar, GPS, telecommunications networks, and cloud-based software. Failures in any component of that ecosystem can contribute to losses.

    Additionally, regulators have issued recalls and safety advisories to internet-connected medical devices, including insulin pumps and cardiac devices, due to cybersecurity vulnerabilities that could affect device functionality and patient safety. In parallel, increasing connectivity within industrial control systems and operational technology environments has resulted in equipment failures.

    Legislation and Regulation

    Although the United States does not currently have a comprehensive federal IoT regulatory framework, a growing body of federal and state laws, regulatory guidance, and industry standards governs the development, deployment, and security of connected devices.

    United States

    Internet of Things Cybersecurity Improvement Act of 2020

    This is the principal federal IoT-specific statute in the U.S. and requires all IoT devices owned or controlled by the government to meet specific security standards. The Act directs the National Institute of Standards and Technology (NIST) to develop security standards and guidelines addressing device identification, configuration management, software updates, vulnerability disclosure, and secure development practices. Although the Act applies directly to federal procurement, its requirements have influenced cybersecurity expectations across the broader IoT marketplace.

    In April 2026, NIST expanded the cybersecurity standards across the full product lifestyle. It provides manufactures with updated guidelines to design devices from pre-market to post-market.

    Federal Trade Commission

    The Federal Trade Commission (FTC) does not have regulatory control over security. However, they influence IoT regulation by analyzing unfair or deceptive business practices. They have brought numerous enforcement actions against companies that failed to implement reasonable cybersecurity measures or misrepresented the security and privacy protections associated with connected devices. The commission has the authority to scrutinize manufacturers and service providers regarding their cybersecurity governance, software maintenance, vulnerability management, and consumer disclosures.

    California State Legislation

    Both of these Californian acts will enforce new rules for IoT device makers as well as businesses holding consumer information.

    The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides users with autonomy around the collection, use, sharing, and deletion of personal information. Consumers can determine how their information is being used and whether it is being sold or shared. In addition, California's Security of Connected Devices Law requires manufacturers of connected devices to equip products with "reasonable" security features appropriate to the nature and function of the device. Several other states have adopted comprehensive privacy statutes and cybersecurity requirements that may apply to IoT-related data and services.

    National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law

    Adopted in October 2017, this Model Law establishes data security standards and guidelines for investigations of possible cybersecurity events. It requires the reporting of cybersecurity events to the Commissioner. The Model Law helps to protect both the market and the consumer from fraud through regular system testing, audit trails, application security, multi-factor authentication, and staff training.

    Europe

    The Cyber Resilience Act (CRA)

    The CRA establishes mandatory cybersecurity requirements for products with digital elements, including many connected devices and software products. The CRA adopts a “secure-by-design” approach and requires manufacturers to address vulnerabilities throughout a product's lifecycle, provide security updates, and comply with vulnerability reporting obligations. Products that fail to meet applicable requirements may be restricted from the EU market. The CRA operates alongside the NIS2 Directive, which imposes cybersecurity risk management and incident reporting obligations on operators across the EU.

    Digital Operational Resilience Act (DORA)

    DORA became applicable across the EU in January 2025 outlining the protocol for managing information and communication technology (ICT) risks within the financial sector. DORA applies to a broad range of financial entities, including insurers and reinsurers, and requires organizations to implement robust governance, cybersecurity, incident reporting, testing, and third-party risk management practices. DORA is relevant to IoT because insurers rely on connected devices and other digital infrastructure to inform underwriting, claims handling, and risk management. This regulation focuses on operation practices and the ability of financial institutions to withstand, respond to, and recover from technology-related disruptions.

    Liability and Insurance

    There are two main problems that arise due to IoT technology: cyber-attacks and device malfunctions. However, there is still uncertainty about where the liability falls.

    Cyber Insurance

    According to Progressive, cyber insurance is protection against damages resulting from electronic threats to your computer systems or data. Cybersecurity insurance policies (also called cyber liability coverage) typically cover network and digital damage, business interruptions, cyber extortion, liability and the cost of forensic investigations, consumer notification, credit monitoring, media liability, public relations, legal defense, compensation, and regulatory fines.

    Litigation

    FTC v. TRENDnet, Inc.

    TRENDnet, an electronics manufacturer, sold Internet Protocol security cameras intended for the secure remote monitoring of homes, baby cribs, and small businesses. Despite claims of security, the software allowed unauthorized access to live video and audio streams without a password. A hacker exploited this vulnerability and released nearly 700 live camera feeds online. The FTC alleged that inadequate security measures exposed consumers to unsafe environments. This was the FTC’s first enforcement action involving IoT and established a standard around connected device liability and the misrepresentation of cybersecurity measures.

    Fatal Uber Autonomous Crash (2018)

    Following the fatal collision between an autonomous Uber test vehicle and a pedestrian in Arizona, multiple investigations and civil claims examined the role of automated driving systems, sensor technologies, software design, and operational oversight. Uber was not criminally responsible for the crash; however, the backup safety driver was charged with negligent homicide. Following the crash, Uber suspended and then restructured in autonomous operations.

    St. Jude Medical Device Litigation

    The FDA alleged cybersecurity vulnerabilities in implantable cardiac devices connected to the Merlin@home remote monitoring system that could affect patient safety. The FDA issued advisories to patients and informed St. Jude of systemic corrections required to fix the defects. More recently, claims involving remote monitoring systems have focused on whether manufacturers adequately assessed, disclosed, and remediated cybersecurity risks.

    FCA US LLC, Et Al. V. Flynn, Brian, Et Al.

    Flynn v. FCA US LLC arose from cybersecurity vulnerabilities in certain Jeep Cherokee vehicles equipped with FCA's Uconnect infotainment system. Security researchers demonstrated that attackers could remotely access vehicle systems through a cellular internet connection and potentially manipulate vehicle functions. Following the disclosure, FCA recalled approximately 1.4 million vehicles.

    The resulting class action lawsuit alleged that FCA failed to adequately address known cybersecurity vulnerabilities, reducing the value of the vehicles and exposing owners to safety risks. The case became one of the first major lawsuits involving cybersecurity defects in connected vehicles and highlighted the liability risks associated with IoT-enabled products.

    Future Outlook

    IoT continues to evolve alongside advances in AI, edge computing, cloud infrastructure, and wireless connectivity. Connected devices are being integrated into transportation systems, healthcare, manufacturing, energy infrastructure, and smart buildings, generating larger volumes of real-time data and enabling greater automation. Organizations will continue deploying connected technologies across all operations, making cybersecurity, interoperability, and data governance areas of focus for regulators, manufacturers, and users.

    Within the insurance industry, IoT technologies are integrated into underwriting, risk management, and claims operations. Connected sensors, telematics, wearable devices, and smart property technologies provide insurers with enhanced visibility into risk conditions and could help mitigate losses before they occur. Concurrently, the growing reliance on connected technologies could cause detrimental effects in the event of cyber-attacks or product malfunctions.

    Recently adopted frameworks in the U.S. and EU target the impact of cybersecurity and product development throughout the device's lifecycle to ensure safety among its users. As IoT adoption expands, new governance, risk management, and security considerations will need to be developed.

    By far and away the most well rounded and useful Cat-focused industry conference out there. Perfect for all levels within the industry. From the conference content, the presenters and the attendees, this conference is a can’t miss for those interested in expanding their knowledge and learning more about cat related insurance and reinsurance modeling topics Nick DiMuzio, Everest

    "Fantastic, enriching conference - brilliantly planned and run, illuminating talks and excellent opportunities for networking across multiple areas of catastrophic risk.” Gary Ackerman, University at Albany

    “From a treaty underwriter's point of view, RAA presented relevant topics related to today's macro events. Scientific presentations provided insight that I can incorporate in underwriting and share with my clients.” Eric B. Silberman, Munich Re

    "Great conference with some of the biggest names in the business presenting their work. What more could you ask for?” Ron Nash, Nash Consulting

    “A perfect introduction to the world of reinsurance. Relevant topics, great speakers and the opportunity to network with industry peers makes this a must go event.”
    Tom Barrett, Everest Re

    Demystifying Reinsurance was an excellent tool to clearly understand and break down the basics. Very good class and recommend it for beginners and even as a refresher course for the intermediate student.”
    Chenessia West, TransRe

    “Re Basics is the ideal opportunity whether an industry professional or student of insurance to understand the in and outs of reinsurance while being able to network with persons spread across the whole industry.”
    Darius Zuill, Bermuda Monetary Authority

    “This has been the best reinsurance seminar that I have been to! Whether a reinsurance seasoned vet or new to the field, this is an engaging seminar that addressed specific issues of the reinsurance market.”
    Michelle Thimm, Church Mutual Insurance 

    “Re Underwriting provided a comprehensive and interesting overview of underwriting in the current market with a major (and interesting) focus on trends. Very useful for underwriting and non-underwriting alike.”
    DeVika Bourne, PartnerRe

    “Very informative experience, and a great way to keep up to date on current underwriting events and trends.”
    Steven Whalen, Aspen Re

    “Time well spent in learning the updated underwriting business and networking!”
    Christine Chen,  Everest Re 

    “The panels and presentations were thought provoking and fascinating as numerous topics were covered affecting the industry. I’m leaving the conference with a greater insight of the future market.”
    Brittany de Frias, AXIS Capital 

     

    “RAA Re Finance was the first RAA seminar I attended, and I was thoroughly impressed with the speakers and content. I learned a great deal from the presentations and intend to bring some new ideas back to my company and share with the team!”
    Taylor Robinson, ICW Group

    “Fantastic slate of instructors who thoughtfully walked us through financial reporting and other aspects of reinsurance finance. They used terminology that non finance people (lawyers) could understand. Really great program.”
    Steven Bazil, The Bazil Group

    “If you are in Reinsurance Accounting/Finance, you need to take this course to help you with your job.”
    Frank Borawski, Markel  

    “The speakers were excellent! There is something to be said about a person, and in this case a group of people, who can take time away from their busy schedules and explain to everyone something they feel passionate about in a manner that's understandable. My only complaint is that I wish we had more time with them.”
    Jessica Mieles, Sompo International

    “The RAA ReContracts is the most comprehensive reinsurance contract wording training available in the U.S. market.”
    David Kragseth, Guy Carpenter   

    “The course was very helpful in addressing different viewpoints and important things to consider in contract design and review.”
    Andy Martin, AmericanAg 

    “The RAA contract course was very informative and interesting. It covered a wide range of Reinsurance Contracts Types. In my Reinsurance Career, I have had the opportunity to work on a limited type of contracts, so I learned a lot.”
    Vivian Castro, Arch Insurance Company 

    “The RAA Contracts course provides the opportunity to engage with relevant topics, taught by industry experts, in both seminar and small group environments. The course material and industry experts provide an understanding on a wide range of subjects.” 
    Kevin English, LMRe

    “Participation in Re Claims should be mandatory for all P&C reinsurance underwriters. It’s truly an eye-opener, providing an in-depth look from a claims manager’s perspective on what happens to the business that we underwrite. There are lots of do’s and don’ts to pay attention to. Re Claims answers all the hard questions."  Michael Delacruz, China Re P&C

    “I absolutely love this program. I learned so many new things. Reinsurance from the industry’s top executives, interactive activities, interesting panels, and innovating presentations makes for an intriguing few days. Well worth the time and money.” Chenessia West, TransRe

    “As a reinsurance attorney I find Re Claims highly valuable to stay abreast of emerging issues. Also, being walked through practical case studies is extremely helpful in creating a thorough understanding of how contracts work.” Steven Bazil, The Bazil Group

    Become a Re Scholar!

    The Re Ed Institute's Re Scholar Program seeks to recognize those who achieve a high standard of reinsurance education by completing the Re Scholar curriculum. Learn More.


    Become a Re Ed Sponsor

    The RAA’s Reinsurance Education Institute programs attract professionals from the world’s leading insurance/reinsurance companies, brokers, law firms and consulting firms. Interested in sponsoring? Contact Carolyn Fahey.