Connected devices and the Internet of Things: What insurers need to know


Connected insurance is not only about data protection (see our previous post). When dealing with connected devices and technologies, it is obviously necessary to fully assess the device, including its marketability standards.


In fact, devices must meet essential requirements and safety characteristics set out by the EU harmonization legislation. For instance, all equipment that uses the radio frequency spectrum must comply with the requirements of the Radio and Telecommunication Terminal Equipment Directive 1999/5/EC (“R&TTE Directive”) which was revised in 2014 to become the Radio Equipment Directive 2014/53/EU (“RED Directive”).

Furthermore, electrical and electronic equipment must comply with Directive 2011/65/EU (“RoHS Directive”) on the restriction of the use of certain hazardous substances. The above-mentioned requirements are particularly important when a product, albeit manufactured by third parties, is marketed with insurance companies’ trademarks.

This is because the responsibilities of the manufacturer apply also to any natural or legal person which assembles, packs, processes or labels ready-made products and places them on the market under its own name or trademark.

As a consequence, companies will be required, among other things, to ensure that devices have been designed and manufactured in accordance with the essential requirements set out by the applicable legislation, including drawing up the required technical documentation to be kept for 10 years.

Each device should be accompanied by a copy of the EU declaration of conformity, with a type, batch or serial number and other specific labelling requirements (including CE marking). The devices will have to be compliant through their production and distribution lifecycle.

Should there be any issue, it will be necessary to take corrective measures to ensure the devices conform – where necessary or appropriate withdrawing them from the market and cooperating with the national authorities on any other remedial action.

Other issues to consider relate to the actual “location” of the device, ensuring that all required parties are adequately involved (including, for instance, the manufacturer of the machine where the connected device is installed). This should prevent subsequent challenges from third parties that justify (or refuse to take responsibility for) certain damages because the device was installed in the wrong place.

When dealing with connected devices and technology, it is also necessary to assess whether they are protected by any intellectual property rights (“IPRs”). Particular care will also have to be exercised with regard to underlying patents (and other IPRs), including when a new technology is devised internally or acquired (or licensed) from a third party.

Furthermore, the underlying software policies and architectures will have to be reviewed, addressing also which type (or portion) of open source software is used so as to ensure that there will be no issues for future usages and that the same software will be supported by an adequate community, also from a cybersecurity compliance perspective.

This may require a review of the whole process that led to the creation of the software. This review will also be particularly important in addressing other intellectual property issues. In this respect, formal copyright assignments, patent clearance and warranties from commercial partners are useful risk management practices.

Other legal issues to consider relate to the usage of mobile channels for communication, registration, payment of premiums and claims processing, which will have to be carefully assessed. Sector regulators have shown varying levels of enthusiasm, as they balance the need for dynamic insurance management processes and required regulatory controls.

For instance, in Italy, the insurance sector regulator (IVASS) actively promoted the use of digital documents and other online tools to manage the relationship with the clients. A number of legal and regulatory requirements will have to be addressed when dealing with electronic documents (including policies), which will increasingly be executed through mobile devices.

A recent change to the Italian digital signature regulation states that any electronic signature may be equivalent to a standard written signature, but its evidence value would be assessed by the courts on a case-by-case basis. Strong authentication options may accordingly avoid the risk that documents signed through electronic signatures are considered as not enforceable.

Within this scenario, insurance companies will also interact with pure technology or Insurtech start-ups. Forms of collaboration may vary, and particular care will have to be exercised taking into account the role played by all parties involved, such as software developers and device manufacturers, to ensure that all parties are fully aware of risk implications (and hold their share of responsibility).

To fully address the new technological environment, insurance companies may also implement scalable and agile strategies to simplify business processes. This may also imply a review of contract standards, including standards for “agile” software or technology development, and of other supply agreements to avoid vendor lock-in. When contracting with a supplier, the usage of artificial intelligence systems will also have to be adequately taken into account.

All the above are fundamental legal issues that when properly addressed will allow companies to fully benefit from digital transformation and the new environment of connected technology, allowing greater visibility in the marketplace, smoother customer journeys and better value for customers and shareholders.

Let us know if you want to discuss this topic!