It is no coincidence that the automotive sector is amongst the best covered against cyber risk. Caarea has questioned its three partners – Scor, Swiss Re and Munich Re – on the emergence of this new risk affecting OEMs, manufacturers and drivers alike. The three European reinsurers underline manufacturers’ maturity vis-à-vis cyber risk. However, maturity is not always synonymous with security. This risk is evolving, as shown by the sharp rise in ransomware over the last two years. And new flaws could appear in connected vehicles today and in autonomous cars tomorrow.
“At the corporate level, car manufacturers have a keen understanding of their exposure to cyber risk, and of the cost that this threat could represent, if it were to materialize”, explains Thomas Schnitzer, Senior Cyber Risk Analyst at Swiss Re. Their main concerns: an attack or ransomware that could interrupt production lines and lead to high financial losses. Manufacturers have been covering themselves against these risks for almost a decade, with dedicated insurance products. “The cyber risk that industrial players face today is relatively well identified. It is covered by an insurance offering that has become standardized over the years, while remaining adapted to the internal particularities of each company,” explains Andreas Schlayer, Senior Cyber Underwriter at Munich Re.
Yet, a standardized offer cannot cover the entire spectrum of threats. “The most mature risks are also the most difficult to insure, such as data or intellectual property theft. And that, today, is a concern for manufacturers”, adds Andreas Schlayer. Manufacturers are becoming increasingly aware of the need to protect their data, as their offering evolves. “Premium players now offer mobility-related services which, in essence, collect drivers’ data. This type of risk could become more prevalent, as we move towards a shared economy and shared vehicle fleets”, confirms Camille Baldeck, Engineering and Cyber Underwriter at Swiss Re. And the list of uninsurable – or hardly insurable – risks does not end there. Reputational risk, theft of intellectual property or research developments but also the risk of interconnection between IT systems, are all points of vulnerability that cannot be covered by standardized protection and need specific answers.
Today, insurers and reinsurers are therefore mainly assisting car manufacturers in dealing with the threat of business interruption, ransomware or data theft, and in restoring their operations. “As of now, manufacturers prefer catastrophic coverage, with high responsibility limits, rather than frequency coverage. American players were the first to underwrite such insurance, followed by Europeans, while Asians are a bit behind”, says Andreas Schlayer from Munich Re. Once again, behind the apparent standardization of cyber insurance, flexibility is the key. There is no multi-year policy; each year, manufacturers’ risk exposure is re-evaluated. The transverse, sometimes aggregated, aspect of cyber risk also disrupts the way insurers work, as they are used to managing risks in silos. “We adapted our experience in industrial risks and property and casualty insurance to cyber risk. We base our work on scenarios, both to initiate dialogue with manufacturers and to establish cost estimates. The dialogue with the manufacturer is, therefore, essential. It takes place both at board level, where cyber risk is managed, and with the IT and OT teams”, explains Andreas Schlayer. Thomas Schnitzer, from Swiss Re, now expects higher standardization in the risk assessment process and documentation. Although cyber insurance is reviewed annually, the process is far from being standardized. A third-party auditor might identify undetected flaws and facilitate risk prevention.
“The democratization of connected – and then autonomous – vehicles is the next major challenge in terms of cyber risk. A risk not yet well apprehended by car manufacturers”, says Florian David-Spickermann, Business Analyst at Scor. This risk poses an additional complexity, since it directly involves the users of the vehicles. Since the early 2010s, connected vehicles have gradually been making their way into the market, although “level 5” autonomous cars driving on European roads are far from becoming a reality. “It is not only a matter of technology, but rather of regulation. The legal environment is lagging behind innovation,” notes Camille Baldeck, from Swiss Re.
For the time being, regulation governs protection in the event of an accident caused by a vehicle, including connected ones. If there is no legal amendment in place, connected vehicles can be considered as “traditional” vehicles and, hence, covered under the domestic law. However, this needs clarification. “In Europe, regulation aims at protecting the victim. The damage is, therefore, borne by the vehicle owner and will be covered by a third party liability. This is also the case in South Korea, for example, under the ‘Compensation Guarantee Act’ from October 2020”, stresses Florian David-Spickermann. The real challenge is to see what will happen when regulation evolves, opening the market to autonomous vehicles. “China can change its regulation quickly. The first cyber insurance needs for vehicle fleets could emerge in Asia”, continues the Scor representative. “Moreover, on the road to broadening the cover to include some degree of cyber exposure, we shall have a challenging situation in the industry, to manage various exposures to connectivity of vehicles, i.e. forms of liability, blending traditional vehicles and autonomous vehicles for a fairly long time.”
A risk coverage offering for autonomous and connected vehicles has yet to be designed, as damages can be very significant for both the driver and his/her property. “We still need to define the scope of this risk. Of course, malicious software can be installed in a vehicle to facilitate its theft, for example. But the risk is not always where you expect. For instance, a sticker on a sign is enough to distort its interpretation by an autonomous vehicle. Finally, the risk perimeter is larger than primarily assessed. It can affect individual vehicles – and I believe in criminalization in this area – but it can also take the form of larger-scale attacks on an entire fleet”, explains Florian David-Spickermann.
The scope of cyber risk scenarios that insurers are working on is constantly evolving. Moreover, the question of damage liability is a major challenge, as the response varies according to the market. Europe has, for the time being, the merit of being governed to a certain extent. Due to the predominance of strict liability, the owner of the vehicle will be liable in the event of a claim involving a cyber-attack or a technological fault if a third-party is damaged. The fact remains that no regulation is set in stone and innovation inevitably leads to change over time. It is now up to us, Caarea, alongside our reinsurance partners, to continue to innovate to protect policyholders against these new risks. And to provide a solution for manufacturers of increasingly efficient cars, while offering complete peace of mind to their drivers.