Cybersecurity Risk Management with Munich Re: "Building-in surety and confidence"

#beyondthenow IoT security Podcast


In this episode of the #beyondthenow podcast, we host a panel session with industry leaders: Peter Armstrong, Cyber-insurance Expert at Munich RE, and Duncan Jones, former Senior Product Manager at Pelion, join David to examine cybersecurity risk management, where liability falls, and how trusted components can build confidence in connected devices.


"It's important for the technology environment to lead and continue to embrace the requirement for compliance in this evolving environment." (Peter Armstrong)

"I would encourage companies to do what they do best. I would encourage the companies listening to turn to device management vendors, who build on certification schemes like PSA Certified, and solve many of these deployment issues for them." (Duncan Jones)


Key talking points in this episode:

  • Introducing the panelists from Arm, Arm Pelion, and Munich Re. [1:05]: “Hello everyone. I'm Anurag Gupta, Director of Business Development for IoT Security within the Architecture and Technology group at Arm, working with original equipment manufacturers and their ecosystem to raise the bar of security within their products based on secure design principles. In this fireside chat, we will discuss the relationship between device security, deploying at scale and delivering assurance. We will also discuss in what ways the new connected value chains impact the risk portfolio and risk capital, along with how the responsibility and liability for failure can be defined and managed in these complex value chains. For this, today we have three amazing panelists with us: Peter Armstrong, the Senior Cyber Subject Matter Expert with Munich Re; David Maidment, who is the Director of Secure Devices Ecosystem within the Architecture and Technology group at Arm; and Duncan Jones, Senior Product Manager at the Pelion IoT platform.”
  • An insurer's view on digital transformation, and how new hyperconnected devices are impacting the insurance world. [2:39]: “Digital transformation, as we might call it, has spawned loads of new devices, new levels of connectivity, new companies, even, and certainly many new value propositions. These new, and in some cases hyper-connected value chains are already hugely significant and in turn, are significantly changing the risk profile of our client’s risk portfolio. So what do I mean by that? Well, let's take big oil: Digitization of remote operations management and remote condition monitoring of processes and the equipment that enables that has transformed the long-established cost and investment models in exploratory drilling, for example. If we think about the relative levels of cost of these activities, historically, they have run into hundreds of millions within two years. The levels of efficiency and recovery of cost and time as a consequence of digitization are tremendous, meaning that the real benefits of digitization have associated levels of risk that are much greater than in historical processes.”
  • The evolving portfolio of risk and supply chain responsibility. [4:25]: “The portfolio of risk has changed dramatically, and an insurer needs to be able to quantify the risk and understand the quality of that risk in order to be able to underwrite it. Understanding the roles and responsibility of multi-party disaggregated information supply chains, meaning the many organizations involved in the processes, providing services, microservices and information devices in that value chain that impact upon the delivery of the value to the client, is a task for clients themselves.”
  • Understanding liability across the value chains involved in delivering IoT services. [5:25]: “Risk managers need to understand the expectations that they have of partners both up and down the value chains that are already here, and insurers will need to be able to break down liability in these value chains in order to ensure both visibility of the quality of the risk and the ability to disaggregate the liability responsibility, to reflect the complex mix of service providers, original equipment manufacturers and so on that are involved in delivering the services in the value chain.”
  • The importance of the Root of Trust in enabling the trusted deployment of technologies. [6:05]: “We need the risk equivalent of trusted components in a value process. Why? Imagine a process stack adjacent to an Open Systems Interconnection (OSI) stack. As the levels of aggregated information increase vertically in the process stack, these risk-equivalent trusted components will need to be built upon Roots of Trust at all levels in this process stack. And these components will need to embrace trusted devices and the protocols associated with Roots of Trust that enable the trusted deployment of these new technologies. Now this challenge also creates an opportunity for innovations, and we have the opportunity of being able to generate warranties for product, process, equipment, equipment performance, and so on. We can ensure product recall. And of course, that’s the task of cyber risk quantification and Roots of Trust, compliance, and certification. I think bringing these themes together, viewing risk and liability from a client's perspective as they seek to establish hyper-connected value chains, will need to become a standard approach to reviewing the viability and relevance of technology deployment.”
  • Broadening the thinking about IoT products to data and services. [7:35]: “What we, as an industry, rarely do is think about spanning from the product to the service. In the electronics industry, we think about products a lot, but, with the internet of things and with digital transformation, the product actually drives the acquisition of data, which is then used to deliver new services or new efficiencies into multiple industries. So that link between product and service is something that, from a digital transformation and IoT point of view, I think as an industry, we need to think about a lot more. Particularly as the electronics industry is building the physical devices that are being deployed in the field.”
  • Digital transformation across industries - a mass deployment of devices beyond the traditional IoT model. [8:40]: “Digital transformation spans across all markets. You can think about industrial transport, logistics, building, it's all about scale, it's all about deploying an order of magnitude, a large number of devices that can then create these new services and efficiencies. I think it's a massive deployment of devices. It actually goes beyond the traditional IT model where you're deploying in a somewhat managed environment. I think with IoT you have a massive scale of deployment.”
  • New technologies driving digital transformation - An individual product has to be trusted. [9:30]: “You have a huge number of devices that require installation probably with zero-touch. They need to be able to connect. And that connection goes beyond what you see in traditional broadband and cellular networks today, this is where we see technologies such as 5G coming in to allow a massive number of devices to connect. Once you've connected all those devices, you need to make sense of all that data and turn it into a valuable service. And that's where we see technologies such as artificial intelligence coming in. An individual product has to be trusted. And Peter spoke very well around the fact that it needs a Root of Trust. Effectively you are establishing a chain of trust all the way through the device. It's the acquisition of the data and all the way through to the service. So, effectively if you trust the device, you trust the data and you're establishing that chain of trust. I think that's essential. Particularly back to the insurance world where at the end you have business-critical services that are being delivered. So establishing that chain of trust is what it's all about.”
  • Customer challenges, building business applications high up the stack. [11:25]: “Customers that we speak to want to focus on building their business applications. So, Peter already gave the analogy of the OSI stack. Our customers want to be very high up the stack. They understand their end domain, whether it's wind turbines or waste disposal, but they don't necessarily understand public key infrastructure particularly well, or, down at the chip level, knowing what TrustZone is or how to protect Roots of Trust. And unfortunately, as we scale the number of IoT solutions and the number of devices in those solutions, we can't necessarily scale the expertise needed to secure those solutions.”
  • Realizing the true potential of the IoT. [12:26]: “I think, because of this, device management platforms are now recognized as a necessary part of any sizable IoT solution. And this is ultimately how we can realize this opportunity. It's to let the different parties do what they do best. So, our customers understand their business and they know what they need to achieve, and we need to enable them to do that. And device management vendors, such as Arm, can focus on keeping the solution secure. I think that's the way that we make this happen.”
  • An overview of the insurance market, the role of capital availability, and trust. [13:30]: “We need to have a semblance of understanding of the insurance market. An insurance market, for example the one for cyber insurance, depends upon the availability of capital, and capital availability depends upon trust and believability of risk. There are two types of insurance. There's direct insurance and reinsurance. Direct insurance is typified by Chubb writing and deriving a risk either with a client or with you as an individual for your motor car. And reinsurance is how Chubb spreads their risk across a broader insurance market. So they will sell buckets of like risk, so loads of cyber risks for retailers or loads of car insurance for homeowners and so on, to a reinsurer who will then retain some of that risk, and then in turn spread that risk to alternative sources of capital. What we mean by that is just other sources of capital other than insurance capital.”
  • Confidence in the 'worst-case scenario' and the challenges this brings for cyber-risk. [14:55]: “Direct insurance and the ability to write premiums is wholly dependent upon their ability to spread their risk to reinsurers, and reinsurers require a level of confidence in understanding the worst-case scenario. That's not straightforward for something like cyber insurance, and to attract other sources of capital, they have to be able to persuade not only themselves but others. Knowing what the worst-case scenario is for cyber risk is hard because of the almost infinite variability at the front end of the risk. If we can't quantify cyber risk in a meaningful way, then there isn't going to be enough capital available, and I'll draw a comparison here: political violence and terrorism. 10 years ago, you couldn't get capital to provide insurance until someone came up with the idea that the worst-case scenario was probably a dirty bomb on London and a dirty bomb on Wall Street at the same time. Whilst the damage that that causes is a big number, you can quantify it, and as a consequence billions of dollars of capital became available. It's really hard to do that for cyber risk.”
  • The importance of surety and confidence in the embedded processes and devices. [16:42]: “The hyperconnectivity makes it all harder to quantify, because the massive disaggregation of technology down to the embedded devices that are enabling these value chains means it's really difficult to get sight of all of the different aggregation factors. That means capital is somewhat constrained, and only those organizations who can point to surety and confidence in the embedded processes and devices will be able to attract capital at a meaningful and affordable quantity and price. This means that we do need to be able to model and quantify the risk, and it means that we need to try to minimize the front-end risk variables that I have to deal with to quantify and qualify a risk.”
  • The role of the Root of Trust in modeling quantified risk, minimizing the front-end variables with sufficient transparency. [17:24]: “We need the risk equivalent of trusted components to be built upon the Roots of Trust to make this sufficiently transparent to be a viable outcome. Without it, we won't be able to identify the breakdown of liability in these value chains, and we won't be able to offer the necessary insurance capital. The implications of that for the technology industry are that it will slow down deployment and adoption, and there'll be a level of uncertainty around the new value propositions that IoT seeks to enable.”
  • Challenges that come with scaling the IoT. [18:30]: “There's a lot of complexity when you get into a real-world IoT deployment. It tends to be quite a mix of devices that you have to work with. Both in terms of their size and capability, but also whether they're brand-new devices that are being built for this solution or whether they are legacy devices that are being kind of embraced in some kind of digital transformation process. When you deal with legacy devices, you have to think about how you are going to integrate them and that often means thinking about how you can translate their existing protocols at a kind of low level into something that can work with your solutions and ultimately connect to the internet securely. And when you're trying to do this stuff at scale, obviously all these problems are magnified.”
  • Building trust in data to base business decisions upon. [19:37]: “We keep coming back to this idea of trust in data, and our customers need confidence that their devices are running the software they expect and that they are operating correctly, so that they can be sure that the data they're getting is something they can base business decisions on. And that brings a lot of security and health monitoring requirements. And that's just some of the stuff that a device management platform must deliver.”
  • Regulation and standardization: a help or a hindrance? [20:03]: “We, as in the electronics industry, need to drive best practice. And in part, we will do that through self-organization. We have initiatives such as PSA Certified, which Arm is a co-founder of, and we're working across the electronics industry to drive best practice, but governments are waking up to this as well, through regulation and standardization. I think that until that comes together you’re kind of in this chicken and egg scenario where the electronics industry delivers devices that have an unquantifiable risk. We hear these examples of security cameras getting hacked: they're shipped with default passwords, they don't have a Root of Trust, and so on and so forth. As an industry, we need to do better in solving those problems, because until we do that, you don't enable those services at scale.”
  • The responsibility from chip to OEMs to show compliance locally but ship globally. [22:00]: “We also see regulations coming along trying to drive at least a minimum level of best practice. We see NIST 8259A and California state law driving regulations around IoT. In Europe, there is ETSI EN 303 645. These are complicated documents, and the electronics industry has to be able to track those, understand them and also ship at scale but conform locally, as these regulations often target particular territories. So another challenge we face is how to show compliance, have an audit trail of compliance, and drive best practice, to satisfy Peter's risk modeling for the deployment scale.”
  • The need for a framework and infrastructure for a black and white view of responsibility. [24:15]: “The insurance sector is a follower in relation to regulation rather than a leader and a driver. I wanted to reflect on David's observation about maybe responsibility being a better word for liability. In the insurance world, that's a nuance that we won't embrace readily; for us, responsibility all too straightforwardly means liability. The regulatory environment needs to provide the framework and the infrastructure within which we could apply that rather black and white view of responsibility. There are geographical variations in terms of legislation, and that makes it problematic for an insurer. How can you take a coherent view of liability if the regulatory environment in different jurisdictions is different? In Europe, we would see GDPR as yesterday's news, whereas in South Africa, we're seeing the enactment of POPI, which is the Protection of Personal Information Act, being deployed with mandated compliance in a year. So, there's a variability of regulations that impact our assessment here, but by and large, insurance reacts quickly to mandate. So, if there is something that is mandated, and that's why initiatives like PSA Certified are key, as is the integration of those initiatives with government employees, that's how we get the opportunity of being able to measure and judge compliance.”
  • The technology industry needs to lead and embrace the requirement for compliance in this evolving environment. [26:29]: “The technology industry needs to lead and continue to embrace the requirement for compliance in this evolving environment. True, insurance is a follower, not a leader here, but the leadership of the technology environment is a help, not a hindrance.”
  • Peter’s advice to the electronics industry is to embrace standardized components. [27:05]: “I think the overriding issue is that the availability of risk capital is going to be a critical issue in technology-driven cyber risk. And it's going to demand real enterprise risk management competence within client organizations and the supply chain. Without it, a company’s valuation will be affected, and the cost and availability of risk capital will be affected. This matters because, as the hyper-connected value chains evolve, the wellbeing of the organizations in those value chains is much more interdependent upon the surety and the confidence of the quality of performance of organizations within those value chains. So, understanding multiple Roots of Trust allows insurers to break down liability into bite-sized chunks, so that meaningfully we can get to a place where we can understand where segmented liability resides. Root of Trust protocols are critical in this complex environment.”
  • David recommends working with IoT security framework programs such as PSA Certified. [28:41]: “So, I encourage everybody to have a look at PSA Certified. It's an industry security assurance scheme for IoT. Arm is a co-founder along with four leading security labs. PSA Certified is based on 10 security goals and drives best practice across the industry, including in areas such as having a Root of Trust, having secure storage, and having secure updates. Crucially, it maps to the emerging regulatory landscape, and it gives an audit trail of compliance based on the certified products. So, insurers like Peter can look at PSA Certified and see a registry of certified devices.”
  • Duncan’s suggestion for OEMs is to make use of the ecosystem when implementing security. [29:50]: “I would encourage companies to do what they do best. I would encourage the companies listening to turn to device management vendors, like Arm, who build on certification schemes like PSA Certified and solve many of these deployment issues for them. And then they can focus on delivering their business value and getting to market faster.”



Copyright © 2021 Arm Limited (or its affiliates). All rights reserved.
