Category: Cyber-physical risk · Reviewed by Jake Leat, Associate Director · Last reviewed 2026-06-10
Internet of Things insurance is the application of IoT telemetry to insurance underwriting, pricing, monitoring, claims and product oversight, with particular regard to FCA PROD 4 product governance and the Consumer Duty.
This entry is the long-form companion to IoT insurance and concentrates on product oversight, distribution and supervisory expectations. The shorter entry covers the high-level definition and regulatory base; this entry develops PROD 4, Consumer Duty fair-value and target market obligations in detail.
Definition
Internet of Things insurance encompasses any insurance product where IoT data is material to:
Underwriting and rating — telemetry-based risk segmentation and pricing;
Monitoring — continuous telemetry supporting risk mitigation during the policy period;
Claims — telemetry as evidence (location, vibration, temperature, network activity); and
Product oversight — assessment of target market, fair value and customer outcomes.
The product oversight dimension is especially important because IoT insurance products typically depend on third-party device manufacturers, mobile network operators and platform providers — each of which forms part of the “value chain” within the meaning of FCA PROD 4.
Legal / Regulatory basis
The product-governance and conduct framework is as follows:
FCA Handbook PROD 4 — Product Oversight and Governance for non-investment insurance products. Imposes obligations on manufacturers and distributors throughout the product lifecycle, including:
Identification of the target market;
Product testing;
Distribution strategy alignment;
Periodic value assessments; and
Information sharing along the distribution chain.
FCA Policy Statement PS21/5 — General Insurance Pricing Practices (May 2021), establishing the equivalent-renewal-price rule and product value reporting obligations.
FCA Policy Statement PS22/9 — Consumer Duty (July 2022), setting the Consumer Principle (PRIN 12) and the four outcomes (products and services; price and value; consumer understanding; consumer support).
FCA Handbook ICOBS — the conduct of business standards applicable at sale, mid-term and renewal (see ICOBS).
FCA Handbook SYSC — particularly SYSC 8 (outsourcing) where IoT services are outsourced.
Data Protection Act 2018 and UK GDPR, with ICO guidance on IoT and on Automated Decision-Making.
Product Security and Telecommunications Infrastructure Act 2022 and PSTI Regulations 2023 — minimum security standards for the connectable products on which IoT insurance depends.
Network and Information Systems Regulations 2018.
IAIS Application Paper on Cyber Risk Underwriting (2020); IAIS Issues Paper on Cyber Risk to the Insurance Sector (2016).
How it works in practice
The product-governance lifecycle for IoT insurance is more complex than for conventional cover because the device manufacturer, the connectivity provider and the data platform are all integral. A typical PROD 4 mapping includes:
Manufacturer responsibilities — the insurer (as PROD manufacturer) defines the target market for the product, specifying the device prerequisites (e.g., compatible router, smart hub) and the customer characteristics for whom the product is suitable.
Value assessment — annual, considering both the price and the non-monetary value (e.g., leak prevention savings, premium discount, peace of mind), and explicitly including the cost of telemetry collection.
Distributor responsibilities — brokers and embedded sellers must understand the target market and distribute consistent with it.
Information flows — manufacturers must provide distributors with target market and value information; distributors must feed back sales and complaints data.
Periodic review — at least annually, with greater frequency where significant changes occur (e.g., device firmware updates that change functionality).
The Consumer Duty overlay requires the insurer to monitor outcomes — for example, whether the IoT-enabled product is delivering the expected reduction in claims for the target market.
Common variations / Subsequent developments
Manufacturer-distributor arrangements — where the device manufacturer (e.g., Hive, Nest, Tado) is a distributor of insurance, additional considerations apply.
Embedded sales — see embedded insurance; the insurer must ensure the distribution journey complies with PROD 4 and the Consumer Duty.
Telemetry-led pricing — particular care under PS21/5 to avoid discriminatory renewal pricing.
Data minimisation and DPIA — ICO guidance requires a UK GDPR Article 35 DPIA where IoT telemetry is used at scale.
PSTI compliance — non-compliant devices cannot lawfully be supplied; insurers should require manufacturer attestations.
The Cyber Security and Resilience Bill 2024–25 is expected to expand the NIS regime to additional digital service providers, with implications for IoT platform operators.
Example
A UK general insurer launches a connected home insurance product bundling a leak detector and smart smoke alarm. The PROD 4 target market is specified as homeowners aged 30–65 with broadband-connected homes and the technical inclination to install consumer IoT devices. The annual value assessment finds that the device-related premium discount of 7%, against an estimated device-related claims reduction of 14%, delivers proportionate value. A UK GDPR Article 35 DPIA is conducted prior to launch. Manufacturer attestation of PSTI compliance is obtained. Distribution is via the insurer’s own direct channel and one aggregator, both of which receive the PROD 4 target market information and report sales and complaints back.
References
FCA, General Insurance Pricing Practices — PS21/5 (May 2021).
FCA, A new Consumer Duty — PS22/9 (July 2022) and PRIN 12.
FCA Handbook, ICOBS and SYSC.
Data Protection Act 2018; UK GDPR.
ICO, Internet of Things guidance; Automated Decision-Making guidance.
Product Security and Telecommunications Infrastructure Act 2022 and SI 2023/1007.
Network and Information Systems Regulations 2018, SI 2018/506.
IAIS, Issues Paper on Cyber Risk to the Insurance Sector (2016) and Application Paper on Cyber Risk Underwriting (2020).
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.