Mitigating the Cyber Risks of IoT: Strategies and Insurance Solutions
Over the past decade, the Internet of Things (IoT) has transformed every industry, thanks to rapid advances in distributed networking. McKinsey & Company projects that by 2025 the world will own 50 billion networked devices—a 400% increase from 2010—and that IoT will contribute a staggering US$11 trillion (€10 trillion) to global GDP.
While this explosive growth unlocks new efficiencies for businesses, governments and consumers, it also introduces fresh cyber threats that demand proactive mitigation. As IoT devices proliferate, the attack surface expands, exposing individuals and organizations to escalating risks.
Andrea Gaglione, IoT specialist and Technology Lead at Brit Insurance, and cyber underwriter Ben Maidment discuss the most pressing risks and outline concrete steps that users, developers, and insurers can take to safeguard their ecosystems.
Key IoT Risks
Understanding IoT vulnerabilities remains an evolving science. Often, weaknesses are only identified after a breach, underscoring the need for pre‑emptive assessment and robust defenses.
- Data Loss & Privacy Breaches – With 26.66 billion active devices in 2019 and 127 new connections per second, the volume of data generated is immense. This scale amplifies the risk of personal and customer data exposure, especially as GDPR fines climb to €20 million or more.
- Business Disruption – Supply chains now rely heavily on IoT for real‑time optimization. A single compromised device can halt operations, erode revenue, and damage brand trust.
- Distributed Denial‑of‑Service (DDoS) Attacks – Compromised devices can be weaponized to launch large‑scale DDoS campaigns. In 2016, attackers leveraged over 25,000 CCTV cameras to disrupt Dyn’s DNS services, pulling down high‑profile sites such as Twitter, Netflix, GitHub, and Reddit.
- Cyber‑Physical Threats – Malicious actors can manipulate networked medical devices (e.g., insulin pumps) or autonomous vehicles, posing direct physical harm. The FDA’s 2023 alert warned that certain insulin pumps could be remotely hijacked to alter dosage settings.
Mitigation Strategies
- Security & Privacy by Design – Manufacturers must embed robust security from the outset, rather than treating it as an afterthought. Continuous updates and patches are essential to protect both new and legacy devices.
- Adopt Best‑Practice Cybersecurity – End‑users—including individuals, enterprises, and the public sector—should implement industry standards: strong, regularly updated credentials; real‑time monitoring; and timely firmware updates.
- Policy and Governance – Organizations should treat IoT management like traditional IT, developing clear policies, risk assessments, and incident response plans that reflect the unique characteristics of connected devices.

Insurance as a Risk Management Layer
Cyber insurers play a pivotal role by educating clients, offering tailored coverage, and providing pre‑incident support. Policies can cover:
- First‑party losses: investigation, recovery, business interruption, reputational rehabilitation, and extortion payments.
- Third‑party liabilities: settlements, legal defense, and regulatory fines.
Top insurers, including Brit, now provide value‑added services such as online portals with incident response templates, risk‑assessment checklists, and readiness frameworks—transforming insurance from a product into a strategic partner.
Authors: Andrea Gaglione, Technology Lead, Brit Insurance; Ben Maidment, Cyber Underwriter, Brit Insurance.