Category: Cyber-physical risk · Reviewed by Amy Price, Account Executive · Last reviewed 2026-06-10
IoT insurance is property and casualty insurance whose underwriting, monitoring or claims handling makes substantive use of telemetry from Internet of Things (IoT) connected devices — including sensors for leak detection, smoke detection, vibration, temperature, location and intrusion.
IoT insurance is a workflow distinction rather than a separate insurance class. The underlying contract remains a contract of insurance governed by ICOBS and the Consumer Duty. What changes is the data inputs to underwriting, pricing and incident response.
Definition
The Internet of Things refers to the network of physical objects embedded with sensors, software and connectivity that enables data collection and exchange. The IAB/IEEE definition and ENISA’s IoT taxonomy classify devices by function: home automation; industrial control; vehicular; healthcare; and consumer wearables.
Logistics and cargo cover — temperature and shock sensors.
Legal / Regulatory basis
The principal UK materials applicable to IoT-enabled insurance products are:
Product Security and Telecommunications Infrastructure Act 2022 (the PSTI Act). Part 1 imposes security requirements on manufacturers, importers and distributors of relevant connectable products supplied to UK consumers. The substantive obligations came into force on 29 April 2024 via the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, SI 2023/1007.
Network and Information Systems Regulations 2018 (NIS Regs), SI 2018/506, implementing the EU NIS Directive in UK law. They apply to operators of essential services and relevant digital service providers, and are partially relevant to IoT platform operators.
Computer Misuse Act 1990 — criminalising unauthorised access to and impairment of computer material; relevant to IoT exploitation events.
Data Protection Act 2018 and UK GDPR — for personal data collected by IoT devices, particularly Articles 5 (principles), 6 (lawful basis), 22 (automated decision-making), 25 (data protection by design) and 35 (DPIA).
ICO guidance — Internet of Things guidance, and Connected devices and data protection.
Cyber Security and Resilience Bill 2024–25 (introduced under the King’s Speech 2024) — proposes to expand and update the NIS Regs.
IAIS Application Paper on Cyber Risk Underwriting (2020) — directly relevant to cyber-physical underwriting.
EU comparator: the Cyber Resilience Act (EU) of October 2024, addressing essential cybersecurity requirements for products with digital elements.
How it works in practice
A consumer IoT insurance proposition typically combines:
Device supply or recommendation — the insurer supplies (or partners with manufacturers to supply) a leak detector, smoke alarm or environmental sensor.
Premium discount — for installation and continued connectivity.
Real-time alerting — leaks, smoke or temperature anomalies trigger alerts to the customer and, with consent, to the insurer’s claims team.
Pre-loss intervention — the insurer may dispatch a plumber, electrician or restoration contractor before serious damage occurs.
Data handling — under a UK GDPR-compliant privacy notice; the lawful basis is typically contract or legitimate interest, with explicit consent for any special category data.
Commercial and industrial deployments scale this model, with additional cover for business interruption mitigation.
Consumer duty considerations — fair value assessments under PS22/9 require that the data-collection cost is proportionate to customer benefit.
The PSTI Act 2022 regime materially affects underwriting because it codifies minimum security expectations (no universal default passwords; vulnerability disclosure policy; minimum defined support period). Devices not compliant with PSTI cannot lawfully be supplied to UK consumers and present elevated risk to insurers.
Example
A UK SME purchases commercial property insurance with a leak-detection sensor system installed in three branch offices. The annual premium is reduced by 8%, conditional on the sensors remaining connected. When a sensor in a back-office basement detects rising humidity overnight, the insurer’s monitoring partner contacts the SME’s facilities manager; a plumber attends and replaces a failing inlet valve before any escape of water occurs. No claim is made; the premium discount is honoured at renewal. Personal data of staff is collected only insofar as access logs are processed, with a UK GDPR Article 35 DPIA in place.
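The screening and alerting steps described above, written out as an added illustration; this is not the wiki's, the insurer's or any vendor's code. The manifest field names, the 15-point humidity-rise rule, the seven-day connectivity allowance and the consent flag are all assumptions chosen for the example.

```python
from datetime import date

# Constructed device manifest; field names are assumptions, not a real PSTI schema.
DEVICE = {
    "model": "leak-sensor-x1",
    "universal_default_password": False,
    "vulnerability_disclosure_url": "https://example.invalid/security",
    "support_end": "2028-12-31",
}

def pst_issues(manifest, today):
    """Return the PSTI minimum-requirement failures for a device (empty list = eligible)."""
    issues = []
    if manifest.get("universal_default_password", True):
        issues.append("universal default password")
    if not manifest.get("vulnerability_disclosure_url"):
        issues.append("no vulnerability disclosure policy")
    if date.fromisoformat(manifest["support_end"]) < today:
        issues.append("defined support period has ended")
    return issues

def discount_rate(manifest, today, days_disconnected, base=0.08, max_gap_days=7):
    """The premium discount applies only to a PSTI-eligible device that stayed connected."""
    if pst_issues(manifest, today) or days_disconnected > max_gap_days:
        return 0.0
    return base

def humidity_alerts(readings, rise=15.0, window=3):
    """Flag readings whose humidity (%RH) rose by `rise` points or more over the
    previous `window` readings; readings are (timestamp, humidity) tuples."""
    alerts = []
    for i in range(window, len(readings)):
        ts, now = readings[i]
        _, then = readings[i - window]
        if now - then >= rise:
            alerts.append((ts, now))
    return alerts

def route_alert(alert, insurer_consent):
    """The customer always receives the alert; the claims team only with recorded consent."""
    recipients = ["customer"]
    if insurer_consent:
        recipients.append("insurer_claims_team")
    return recipients

# Constructed overnight humidity trace (%RH) from the basement sensor in the example.
READINGS = [("22:00", 48.0), ("23:00", 49.0), ("00:00", 50.5),
            ("01:00", 55.0), ("02:00", 63.0), ("03:00", 71.0)]
```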
Sources
Product Security and Telecommunications Infrastructure Act 2022.
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, SI 2023/1007.
Network and Information Systems Regulations 2018, SI 2018/506.
Computer Misuse Act 1990 (legislation.gov.uk).
Data Protection Act 2018; UK GDPR.
ICO, Internet of Things guidance and Connected devices guidance, ico.org.uk.
FCA, Consumer Duty — PS22/9 (July 2022).
IAIS, Issues Paper on Cyber Risk to the Insurance Sector (2016) and Application Paper on Cyber Risk Underwriting (2020).
ENISA, Baseline Security Recommendations for IoT (2017) and follow-up reports.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.