New endorsement addresses auto hacking expenses
The electronic systems in vehicles today, while providing numerous conveniences to the driver and occupants, also expose the vehicle owner or driver to sophisticated hackers who may be able to gain unauthorized access to the vehicle to control its functionality or get access to personal identifying information. The development of improved technology and autonomous capabilities increases the hacking risk, and commercial vehicles are apt to be the first to put newer technologies that offer autonomous features to use.
ISO recently filed a new endorsement, Auto Hacking Expense Coverage, CA 04 65 09 22, to address auto hacking expenses, with an optional add-on for ransom payments. While currently only private passenger types and light/medium trucks are eligible for the coverage, there is a possibility that ISO will expand the eligibility to include other vehicle types in the future. This article serves to highlight some coverages available in the endorsement and is not to be confused with an actual policy form analysis, which is available through our FC&S service.
The endorsement may be added to the Auto Dealers Coverage Form, the Business Auto Coverage Form, and the Motor Carrier Coverage Form. Coverage is applied on a scheduled basis, requiring that each auto to be covered show an associated aggregate limit, per-incident deductible, and premium for the Auto Hacking Expense Coverage. Ransom coverage must also be scheduled to be covered on a per-vehicle basis.
Coverage is applied on a discovery basis, meaning the auto hacking incident must be discovered by the insured during the policy period or within 30 days of the policy’s expiration as long as there is no other subsequent coverage available to cover the expenses. Of course, there is no coverage for any incidents the insured was aware of prior to the coverage being added. A deductible may apply, and the coverage is provided at a total aggregate limit. The coverage is excess of any other insurance applying on the same basis.
As with any policy, ISO forms rely heavily on defined terms and exclusions to make it easier for an insured to understand specifically what is and is not covered. While the terms hacker or hacking are not included within the definition, the activities described in the definition are activities commonly used by hackers to infiltrate a computer system.
Investigating the hack
Certain specified costs are covered by the endorsement, including investigative costs to determine if an auto hacking incident has actually occurred or is occurring. If such is the case, then associated costs will be covered, such as towing the covered auto to a service or repair facility should the vehicle be disabled or unable to perform its normal operation or use, if not already covered in the endorsement’s physical damage coverage extension.
The investigative costs can be extensive, depending upon the sophistication and scope of the hacking. For example, the hack could simply be a nuisance such as the hacker taking over the auto’s radio communications system, or it could be extensive such that the auto is being controlled by the hacker rather than the driver, or perhaps the entire auto is disabled and the computer system has to be totally replaced. An investigation is required before any action can be taken to restore the auto to its pre-hacking condition.
Of course, if the investigation reveals an auto hacking incident has occurred, the endorsement will provide coverage to restore the auto’s computer system to its level of operational capability that existed prior to the hacking, including any security or software updates required by the vehicle manufacturer.
During the auto’s repair process, the endorsement provides a limited amount for temporary transportation expense reimbursement. The expenses must be incurred during the period beginning 48 hours after it has been confirmed that an auto hacking incident has occurred and ending when the auto is returned to use. It is interesting to note that there is no distance requirement, nor does the coverage specify that the service or repair facility must be the nearest one to the covered auto. There is also no set limit for this coverage; therefore, the amount will be included within and subject to the total aggregate limit.
Coverages that should already be provided for under a commercial auto policy are not covered here, and the endorsement makes use of exclusions to confirm this. The physical loss to an auto or its equipment, including its loss of use, should be covered under the commercial auto policy. Also, any bodily injury or property damage loss should be covered under the commercial auto policy, regardless of whether its cause was an auto hacking incident. For example, if a hacker accesses the navigational systems of a covered auto and causes it to crash into a tree, the physical damage to the auto should be covered under the collision coverage of the commercial auto policy. Expenses to determine if a hacking incident caused the collision and expenses associated with restoring the navigational systems to the manufacturer’s specifications would be covered under the commercial auto hacking expense coverage endorsement.
Applying exclusions
One exclusion in the endorsement excludes coverage if the diagnostics or repair of the auto’s computer system are to repair software that has been added to the vehicle other than by the manufacturer. Another exclusion precludes coverage for costs that are not directly caused by a hacking incident. For example, the insured’s auto was hacked, causing a malfunction of the auto’s braking system. While having the braking system restored, the insured also replaced the auto’s radio system, which was not working. The endorsement would cover the costs to restore the auto’s braking system to its original function, but any costs associated with the radio’s replacement would not be covered since its damage was not a direct result of the hacking incident.
Additional exclusions are included in the endorsement.
The insured has specific duties that must be complied with for coverage to apply under the endorsement, the first of which is to promptly notify the insurer or their representative upon discovery of the hacking incident. Once notified, the insured must cooperate with the insurer in all respects and notify the police, since auto hacking may be a criminal act. The insured must provide a detailed list of all expenses associated with the hacking and swear to its accuracy.
Two additional conditions are added to the policy that are specifically applicable to this endorsement: first, the insured must perform the software security updates and recalls as recommended by the auto’s manufacturer; and second, they must not divulge the existence of this coverage. The first condition is simply a maintenance item, but it is vital to maintaining the security of the auto’s computer system: as the manufacturer becomes aware of security deficiencies, the software must be updated to address these security compromises. The second condition may seem unusual, but if a hacker is aware that the insured has insurance to cover the incidents, they are more likely to target that individual or company. Cybercriminals are known to hack companies that they know have insurance coverage because they know the ransom may be paid by the insurance.
Ransom coverage is only extended if the coverage is selected on the schedule. The ransom payment can be in any monetary form, including virtual currency, and will include interest costs if the insured had to assume a loan from a financial institution in order to pay the ransom demand.
If ransom coverage is added, the insured must comply with an additional three-part condition that applies to that coverage: to do whatever they can reasonably do to remediate the cause of the ransomware, to immediately notify the insurer before making any ransom payment, and to obtain the insurer’s approval for such ransom payment.
Christine G. Barlow, CPCU, (cbarlow@alm.com) is the executive editor of FC&S Expert Coverage Interpretation, the authority on insurance coverage interpretation and analysis for the P&C industry.
Includes copyrighted material of Insurance Services Office, Inc., with its permission.