IJAPP

Article

Cyber Risk for Vehicles

The fast-paced evolution of vehicle automation, combined with increased reliance on internet-connected technologies in critical operations, has the potential to give rise to an increased number of cyber incidents.

Technology & Risks

To date, the overwhelming majority of cyber incidents have related to information technology (IT) rather than physical-based processes of operational technology (OT). We now find ourselves at an inflection point where the potential for cyber threats arising from the prolific use of digital systems to control physical processes will bring IT and OT risks closer together.

As vehicles evolve, three different categories of “intelligent” vehicles can be distinguished:

·Connected vehicles use technology to communicate with each other, connect with traffic signals, signs and other road items, or obtain data from a cloud.

·Automated vehicles use technology to steer, accelerate and brake, with little to no human input.

·Autonomous/self-driving vehicles: the difference between automatic (or automated) and autonomous is the degree of human intervention.

To meet the well-known expectations of Elon Musk, who said, “Self-driving cars are the natural extension of active safety and obviously something we should do,” there is still a long journey ahead for the motor industry. All this new technology creates emerging risks to road users.

Based on the top 10 security risks for connected cars [as shown below], we can identify three main categories of risks:

1.Privacy: The risk of third parties listening in to private conversations while driving–access to personal data.

2.Security: The risk of attackers remotely seizing control of a vehicle while in motion.

3.Safety: The risk of technology failure, for instance relating to algorithms dictating the application of the brakes.

Various vehicle manufacturers point out the increasing risk of car hacking and admit to vulnerabilities in their software:

·    Motor-vehicle software is often provided by external partners who themselves externalise parts of the software.

·    Car manufacturers also use open-source systems such as Linux, Android and FreeRTOS.2 to avoid cost pressures.

·    A large number of vehicles often make use of the same software, which increases the concentration of the risk.

In addition, vehicle manufacturers report the cyber risk as realistic with a growing probability of occurrence, particularly with the increasing number of connected cars. According to Statista, the percentage of connected-car stock should increase from 5.7% in 2017 to 22% by 2023:

Cyber issues and motor coverage

There are two key types of cyber risk exposures:

1. Loss to tangible property including the financial consequences

Liability and property-damage policies take into account exposure to physical loss, bodily injury and consequential damage that result from a covered physical loss. Standard reinsurance programmes protect for this—for the moment.

2. Pure financial loss

Liability and property-damage policies take into account exposure to physical loss, bodily injury and consequential damage that result from a covered physical loss. Standard reinsurance programmes protect for this—for the moment.

Motor insurance is primarily concerned with non-affirmative (or silent) cyber. Most motor losses that can be expected are:

·    Physical damage to the car–theft and vandalism.

·    Physical damage and bodily injury through third-party liability

Legally, we have to distinguish between types of insurance when talking about bodily-injury accident: motor third-party liability (MTPL) versus product liability. We expect a move from third-party to first-party insurance with the increase of technology in cars.

With these points in mind, we set out in the following table the direct impact of these changes for the insurance industry in terms of frequency, severity and accumulations: