Category: Cyber-physical risk · Reviewed by Simon Temme, Account Executive · Last reviewed 2026-06-10
Connected building insurance is commercial property insurance integrating Building Management Systems (BMS) data — typically over BACnet, KNX or Modbus — for leak, fire, intrusion, HVAC and energy monitoring, with associated cyber and operational risk implications.
Commercial real estate operators have long maintained BMS for HVAC, lighting and security. As these systems have been internet-connected, their data has become useful for insurance monitoring — and the systems themselves have become cyber risks within the property’s exposure.
Definition
A connected building insurance proposition typically integrates one or more of the following Building Management System protocols and devices:
BACnet (ANSI/ASHRAE Standard 135; ISO 16484-5) — the dominant protocol for commercial BMS;
KNX (ISO/IEC 14543-3) — common in continental Europe;
Modbus — widely used in industrial and commercial control;
MQTT and OPC UA — increasingly used in modern stacks;
Specialist devices — leak detection (e.g., HiTechCover and equivalents), fire alarm panels (NSI Gold listed), smart access control and CCTV.
Use cases include:
Continuous monitoring for leaks, fire and intrusion;
Risk-engineering visits replaced or supplemented by remote inspection;
Premium credits for accredited installations;
Pre-loss intervention; and
Loss adjustment with corroborating telemetry.
Legal / Regulatory basis
The relevant frameworks are:
FCA Handbook ICOBS, PROD 4, SYSC; Consumer Duty (PS22/9) — for the underlying commercial property contract.
PRA SS1/21 and PS6/21, Operational Resilience — for PRA-authorised insurers; relevant when an insurer’s own building uses BMS that the insurer relies upon for important business services.
PRA SS2/21, Outsourcing and Third Party Risk Management — for service providers operating BMS on behalf of insurers and their tenants.
Network and Information Systems Regulations 2018 — for operators of essential services, including certain critical infrastructure operators.
Product Security and Telecommunications Infrastructure Act 2022 and SI 2023/1007 — applies to relevant connectable products supplied to UK consumers; commercial BMS components are largely outside the consumer-product perimeter but adjacent.
Computer Misuse Act 1990 — for unauthorised access to BMS.
Data Protection Act 2018 and UK GDPR — where personal data is processed (e.g., access control, CCTV, occupancy sensing).
ICO, CCTV and Surveillance guidance.
NCSC, Building Management System Security Guidance; ENISA publications on smart buildings.
IAIS Application Paper on Cyber Risk Underwriting (2020).
EU Cyber Resilience Act (October 2024) — for products with digital elements placed on the EU market.
How it works in practice
A typical connected building underwriting workflow:
Risk assessment — pre-bind survey identifies the BMS architecture, protocols, internet exposure and segmentation from the corporate network.
Premium credit — discount for accredited leak detection, fire detection and BMS monitoring (typically 5–15%).
Monitoring integration — events flow from the BMS or third-party monitoring provider to the insurer’s risk-engineering team via API.
Pre-loss intervention — leak or fire alerts trigger contact with the building manager and dispatch of a contractor.
Claims — telemetry is used as corroborating evidence at loss adjustment.
Smart city overlap — connected building data feeds into smart city platforms.
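As an added illustration of the monitoring-integration and pre-loss-intervention steps above (example code written for this entry, not a vendor's or an insurer's own integration), the following Python handler applies simple pre-loss rules to constructed BMS telemetry and keeps a hash-chained record of the events behind each intervention so they can be offered as corroborating evidence at loss adjustment. The event shape, point names and thresholds are assumptions, not any provider's real format.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample telemetry in the shape a monitoring provider might push to the
# insurer's risk-engineering API (assumed format; chiller current draw and a leak sensor).
SAMPLE_EVENTS = [
    {"ts": "2026-06-10T08:00:00Z", "site": "B07", "point": "chiller1.current_a", "value": 118.0},
    {"ts": "2026-06-10T08:05:00Z", "site": "B07", "point": "chiller1.current_a", "value": 161.0},
    {"ts": "2026-06-10T08:06:00Z", "site": "B12", "point": "plantroom.leak", "value": 1},
    {"ts": "2026-06-10T08:07:00Z", "site": "B12", "point": "plantroom.leak", "value": 0},
]

# Pre-loss intervention rules keyed by point suffix: (trigger predicate, action). Illustrative thresholds.
RULES = {
    "current_a": (lambda v: v > 150.0, "contact building manager; dispatch M&E engineer"),
    "leak": (lambda v: v == 1, "contact building manager; dispatch plumber"),
}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class EvidenceLog:
    """Append-only, hash-chained record of the telemetry behind each intervention."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def append(self, event, action):
        record = {"event": event, "action": action, "prev": self.last_hash}
        self.last_hash = _digest(record)
        self.entries.append({**record, "hash": self.last_hash})
        return self.last_hash

    def verify(self):
        """Re-derive every hash; any edited or reordered entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in ("event", "action", "prev")}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def process(events, log):
    """Apply the pre-loss rules to each event; return the (site, action) pairs triggered."""
    triggered = []
    for ev in events:
        rule = RULES.get(ev["point"].rsplit(".", 1)[-1])
        if rule and rule[0](ev["value"]):
            log.append(ev, rule[1])
            triggered.append((ev["site"], rule[1]))
    return triggered
```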
The PRA’s operational resilience framework (SS1/21; PS6/21) is increasingly applied by PRA-authorised insurers to their own building infrastructure, requiring identification of important business services and impact tolerances even for the insurer’s premises.
Example
A UK-based REIT insures a portfolio of 28 commercial properties under a London-market programme. Sixteen of the buildings have BMS integrated with leak, fire and CCTV monitoring routed to a single SOC. The insurer’s risk-engineering team accesses dashboards under a strict data-sharing agreement. Annual premium credit is 9%. When a chiller plant in one office develops abnormal current draw, the BMS alerts the building manager, who dispatches an engineer; a £40,000 plant failure is averted. Separately, the REIT purchases a cyber-physical policy covering loss arising from BMS compromise; the policy carries the LMA cyber war exclusion.
References
PRA, SS1/21 and PS6/21 on Operational Resilience; SS2/21 on Outsourcing and Third Party Risk Management.
Network and Information Systems Regulations 2018, SI 2018/506.
Computer Misuse Act 1990.
Data Protection Act 2018; UK GDPR.
ICO, CCTV and Surveillance guidance.
NCSC, Smart buildings guidance, ncsc.gov.uk.
IAIS, Application Paper on Cyber Risk Underwriting (2020).
ANSI/ASHRAE 135 (BACnet); ISO 16484-5; ISO/IEC 14543-3 (KNX).
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.