Summary: ISO has been working on a new Auto Hacking Expense Coverage form that will be available under the Business Auto, Auto Dealers and Motor Carriers Coverage Forms. An effective date has not been established, nor has ISO yet made a filing for the coverage. A draft of the endorsement and corresponding rule has been released to ISO subscribers for advance planning purposes.


Background:

With today's auto connectivity and technology advancements, vehicles are now able to communicate and share data with other devices or platforms, such as a smartphone running the auto manufacturer's mobile app.

The technology continues to advance, allowing more vehicles to connect to the Internet and to other components and devices in or near the vehicle. Connected car technology can provide many advantages and is anticipated to be at the core of self-driving, aka autonomous, cars. On the flip side, the numerous access points increase the risk that malicious hackers will be able to penetrate the systems and potentially shut down, disrupt, divert or take over a vehicle.

While ISO is not currently aware of real-world malicious auto hacking scenarios, other than what has been discovered through testing and research, there is no doubt that the potential for malicious auto hacking attacks exists, and that it represents a significant exposure to be addressed.


Auto Hacking Expense Coverage

For a covered "auto" that you own that is a "private passenger type", light truck or medium truck, which is described in the Schedule and where a premium is shown:

Analysis:

Eligibility for the coverage provided by this endorsement will only apply to owned private passenger auto types and light and medium trucks; however, it is possible the endorsement may be expanded to additional vehicle types in the future.

The vehicles to be covered must be shown in the endorsement Schedule, and will be subject to a deductible that will apply to each auto hacking incident. An auto hacking incident is a defined term which includes any type of malicious or harmful code or virus introduced into the auto's computer system that is designed to in any way destroy, prevent or restrict access to or use of any part of the auto's computer system; or a denial of service attack directed at the auto's computer system; or ransom demand payments made, and any interest paid if the insured has to take out a loan to pay the ransom demand. No first party physical damage losses or third-party liability damages are covered by the endorsement.

A. Auto Hacking Expense Coverage

1. We will pay for "auto hacking expenses" resulting directly from an "auto hacking incident".

However:

  a. The amount we will pay for "auto hacking expenses" is limited as described in Paragraph C. Limit Of Insurance; and
  b. Coverage for "auto hacking expenses" ends when the Auto Hacking Expense Aggregate Limit shown in the Schedule has been exhausted.

Analysis:

The limit of insurance applies in much the same way as the limit of insurance applies for a commercial auto CSL limit; there is one aggregate limit that applies to all auto hacking expense incidents regardless of the number of autos or the number of incidents. Refer to the Limits of Insurance analysis below for more detailed information.

Auto Hacking Expense Coverage (continued)

2. No other obligation to pay sums is covered unless explicitly provided for in the definition of "auto hacking expenses" contained in Paragraph E.1. of this endorsement.

3. This insurance applies only if the "auto hacking incident" is "discovered" within the coverage territory and:

  a. During the policy period; or
  b. Within 30 days after the end of the policy period if no subsequent insurance is available to cover "auto hacking expenses" associated with such "auto hacking incident".

Analysis:

As with any policy, the defined terms have special meanings that apply to the coverage. Coverage under the endorsement is predicated upon an auto hacking incident that meets the definition, and only those expenses that are described in the definition of auto hacking expenses will be covered.

Similar to a crime policy written on a discovery basis, the auto hacking incident must be discovered within the coverage territory either during the policy period; or within thirty days of policy expiration or termination if no other coverage is available to cover the auto hacking incident. The term discover is also defined as being the time when the insured is first made aware of facts which would cause a reasonable person to assume that an auto hacking incident has occurred, even if all details of the incident aren't yet made known. Refer to the Definitions analysis for more detailed information on the defined terms.

B. Exclusions

This insurance does not apply to:

1. Any of the following:

  a. War, including undeclared or civil war or civil unrest;
  b. Warlike action by military force, including action hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
  c. Insurrection, rebellion, revolution, usurped power or action taken by government authority in hindering or defending against any of these.

2. "Loss" to a covered "auto" or its equipment, excluding its "computer system" and "operational data", and any resulting loss of use.

3. Liability arising out of "bodily injury" or "property damage" because of an "auto hacking incident".

Analysis:

As with any coverage, certain exclusions apply that preclude coverage. There are nine exclusions that apply to this coverage, several of which are exclusions found in all policies, but others are specific and further delineate the coverage being provided by excluding what is not covered. For example, war, military action, or action taken by a governmental authority are typical exclusions found in a liability policy.

Bodily injury and property damage are general liability coverages and thus are not covered here.

However, exclusion 2. requires further analysis. If an auto hacking incident results in loss to a covered auto or its equipment (other than its computer system and operational data), even if it results in loss of use of the auto, this endorsement does not provide coverage. Only auto hacking expenses as defined are covered by this endorsement; no other loss or damage is covered. For example, if a hacker causes the covered auto to crash into another vehicle or person, this endorsement will not provide coverage for the physical damage and liability that would be covered by the business auto policy.

Exclusions (continued)

4. Any costs to diagnose, repair or restore software designed to modify or manipulate your covered "auto's" "computer system" in a manner not intended by the covered "auto's" manufacturer.

5. Any costs due and confined to the breakdown, malfunction or inadequacy of a covered "auto" unless such breakdown, malfunction or inadequacy is caused directly by an "auto hacking incident" covered under this endorsement.

Analysis:

Exclusion 4. precludes coverage for software installed in the auto's computer system to modify or manipulate it in a manner the manufacturer did not intend, even to the extent of diagnosing any damage. Even though coverage is provided for auto hacking expenses, the expenses associated with diagnosing, repairing or restoring such modifying or manipulating software are not a covered expense.

Exclusion 5. excludes auto breakdown, malfunction or inadequacy unless the breakdown, malfunction or inadequacy is caused directly by an auto hacking incident otherwise covered by the endorsement. This exclusion would seem to conflict with exclusion 2, which excludes coverage for loss of use. What is important to understand here is that what the endorsement is covering is auto hacking expenses, not damage to the auto itself. What is covered is what is defined as an "auto hacking expense". For example, if a hacker gets into the covered auto's computer system via a denial of service attack that restricts access to the covered auto's computer system, rendering it disabled, those expenses would be covered, including expenses to tow the auto to a repair service and have the auto's computer system restored to the same functionality it had prior to the hack.

Exclusions (continued)

6. Based upon, arising out of or attributable to any "auto hacking incident" that you became aware of prior to the effective date of the Policy.

7. Based upon, arising out of or attributable to the same facts or "auto hacking incident" or in any circumstances, of which notice has been given under any insurance policy of which this Policy is a renewal or replacement.

Analysis:

In exclusions 6. and 7. the coverage will not extend to any hacking incident that the insured knew of before the policy takes effect, or one in which prior notice has been given.

Exclusion 6. example: Let's say the insured's auto suddenly stops working, a hacking incident is suspected, and he adds the endorsement right away. He waits a week or so before reporting the incident. This incident would not be covered because the insured, as a reasonable person would have been, was made aware of the incident prior to the coverage inception.

Exclusion 7. example: The insured switches carriers at renewal and adds this endorsement at renewal. The car had a virus that affected the computer's operations and the insured had reported it under the expiring policy, although coverage was denied. After replacing that coverage and adding the endorsement, the insured reported the discovery of the virus to the new carrier. The coverage will be denied because the incident had been reported to the previous carrier, so the insured had prior knowledge of it.

Exclusions (continued)

8. Any costs or expenses associated with upgrading, maintaining, repairing, remediating, replacing or improving a covered "auto's" "computer system" from its original manufactured condition, regardless of the reason, except as provided in Paragraph E.1.b.(2).

9. Based upon, arising out of or attributable to any unauthorized or unsolicited transmission or dissemination of electronic mail, text message, telefacsimile, or telephone call.

Analysis:

Exclusion 8. precludes coverage for any other expenses associated with a covered auto's computer system except as provided for by E.1.b.(2) in the definition of "auto hacking expense". E.1.b.(2) includes the costs to restore or repair a covered "auto's" "computer system" to the level of operational capability that existed immediately before a covered "auto hacking incident", including security or other software updates that the covered auto's manufacturer deems necessary for normal operation or use. For example, if the auto's manufacturer offers a functionality upgrade or an enhancement that can be added as part of the restoration of the computer system, but the upgrade would cost additional money, the coverage will not pay the additional cost for these upgrades, even if the upgrade improves the value of the auto, improves efficiency or is considered a safety enhancement.

Exclusion 9. precludes coverage for anything to do with a telephone, mail or message system, even if it is installed in the auto's computer system. These would all be considered ancillary systems not required for the normal operation or performance of the auto.

C. Limit of Insurance

  1. The Auto Hacking Expense Aggregate Limit shown in the Schedule is the most that we will pay for all "auto hacking expenses" because of all "auto hacking incidents" covered by this endorsement.
  2. Regardless of the number of covered "autos", involved in the "auto hacking incident", the most we will pay for all "auto hacking expenses" attributable to any one covered "auto" shall not exceed the actual cash value of such covered "auto" at the time an "auto hacking incident" was "discovered".
  3. Our obligation to pay "auto hacking expenses" because of any one "auto hacking incident" applies only to the amount of such expenses in excess of any deductible amount shown in the Schedule. The Auto Hacking Expense Aggregate Limit will not be reduced by the amount of this deductible.
  4. The Auto Hacking Expense Aggregate Limit applies separately to each consecutive annual period and to any remaining period of less than 12 months, starting with the beginning of the policy period shown in the Declarations, unless the policy period is extended after issuance for an additional period of less than 12 months. In that case, the additional period will be deemed part of the last preceding period for purposes of determining the Auto Hacking Expense Aggregate Limit.

Analysis:

These paragraphs spell out the limits that the insurer will pay for auto hacking expenses for covered autos, less the deductible. All auto hacking expenses for any one auto will be limited to the actual cash value of that auto at the time the auto hacking incident is discovered, less the deductible. The Auto Hacking Expense Aggregate Limit will be the maximum payable for all auto hacking expenses from all auto hacking incidents covered by this endorsement. The aggregate limit applies to each consecutive annual period and any remaining period of less than twelve months. If the policy period is extended for a period less than twelve months, the extended period will be part of the last preceding period with regards to the aggregate.

D. Changes in Conditions

For the purposes of the coverage provided by this endorsement the Conditions Section is amended as follows:

1.  Other Insurance Condition is replaced by the following:

This insurance is excess over any other collectible insurance. When this insurance and any other insurance covers on the same basis, either excess or primary, we will pay only our share. Our share is the proportion that the Limit of Insurance of this insurance bears to the total of the limits of all insurance covering on the same basis.

Analysis:

The coverage provided by this endorsement is excess over any other insurance. In the case of dual coverage on the same basis, the carrier will pay only the proportion that this insurance's limit bears to the total limits of all insurance covering on the same basis, i.e. pro rata contribution by limits.

Changes in Conditions (continued)

2. The Duties Condition is replaced by the following:

Duties In The Event Of an "Auto Hacking Incident"

We have no duty to provide coverage under this policy unless there has been full compliance with the following duties:

In the event an "auto hacking incident" is "discovered", you must give us or our authorized representative prompt notice. Additionally, you must:

a. Cooperate with us in the investigation of the "auto hacking incident".

b. Promptly notify the police.

c. Agree to examination under oath at our request and give us a signed statement of your answers.

d. Give us detailed, sworn proof of any "auto hacking expenses".

e. With respect to demands for ransom payments, as described in Paragraph E.2.c.:

(1) Make every reasonable effort to remediate the cause of the ransomware;

(2) Make every reasonable effort to immediately notify us before making any ransom payment based upon the "auto hacking incident"; and

(3) Approve any ransom payment based upon the "auto hacking incident".

Analysis:

In addition to the standard conditions of cooperating with the carrier in the investigation of the auto hacking incident and notifying police of the incident, and providing a detailed sworn proof of the auto hacking expenses, the insured must also agree to examination under oath if requested by the carrier, and attest to the statement in writing.

With respect to any demand for ransom payments, the insured must comply with the conditions to use reasonable efforts to remediate the cause of the ransomware, and to make reasonable efforts to notify the carrier before making a ransom payment so that the carrier can approve the payment.

If the insured fails to comply with any condition of the policy, the carrier may deny coverage.

Changes in Conditions (continued)

3. The Policy Period, Coverage Territory Condition is replaced by the following:

The coverage territory is:

a. The United States of America;

b. The territories and possessions of the United States of America;

c. Puerto Rico; and

d. Canada.

4. The following Conditions are added:

a. Security Updates or Recalls

You must make every reasonable effort to promptly install or respond to any software security updates or recalls that are recommended for your vehicle by the "auto" manufacturer.

b. Confidentiality Condition

You must make every reasonable effort not to divulge the existence of this insurance.

Analysis:

This is the same coverage territory that is in the commercial auto policy.

Overall, the number one cause of cyber breaches is phishing emails coming through outdated, unpatched technology. Therefore, it is not surprising that a condition is added requiring the insured to make reasonable efforts to keep the auto's computer system up to date by installing software security updates recommended by the auto manufacturer and by responding to auto recalls from the manufacturer. Failure to install these updates could leave the auto more vulnerable to a cyber attack and jeopardize the coverage provided by the endorsement.

In no other policy have we seen a condition requiring an insured not to divulge the existence of insurance, but in this case it makes sense. Anyone could be a silent hacker, even a family member. Some people hack just to see if they can accomplish the hack without getting caught, and age, status or educational level doesn't seem to play a part in determining who might or might not be a hacker. In addition, if the third party assigned to repair and restore the computer system after it has been hacked is made aware of insurance coverage, it is possible the service costs will be inflated beyond what would otherwise be charged if there were no insurance in place. Since adherence to the conditions could mean the difference between coverage payment and denial, it will behoove the insured to comply with this and all other conditions.

E. Definitions

For the purposes of the coverage provided by this endorsement, Definitions is amended as follows:

1. "Auto hacking expenses" means the costs to establish whether an "auto hacking incident" has occurred or is occurring.

If an "auto hacking incident" has occurred, the following are also included:

  a. Costs incurred to tow a covered "auto" to a service or repair facility in the event an "auto hacking incident" disables, prevents entry into or exit from, or prevents the normal operation or use of a covered "auto". We will pay under this endorsement only that amount of towing costs which are not already provided under this Coverage Form's Physical Damage Coverage Extension, if applicable.
  b. Costs to:

(1) Investigate the cause, scope and extent of an "auto hacking incident"; and

(2) Restore or repair a covered "auto's" "computer system" to the level of operational capability that existed immediately before the "auto hacking incident". This includes any subsequent "computer system" security or other software updates that are deemed necessary for your covered "auto's" normal operation or use by the covered "auto's" manufacturer.

(3) Restore or replace "operational data" stored within the covered "auto's" "computer system".

c. Temporary transportation expenses incurred by you up to $30 per day, to a maximum of $900, while your covered "auto" is being serviced or repaired because of an "auto hacking incident". We will pay transportation expenses incurred during the period beginning 48 hours after it has been established that an "auto hacking incident" has occurred and ending, regardless of the Policy's expiration, when the covered "auto" is returned to use.

d. Ransom payments made by you, including payments made in the form of virtual currency such as, but not limited to bitcoin, as a result of an "auto hacking incident"; or

e. Interest costs paid by you for any loan from a financial institution taken by you to pay a ransom demand.

Analysis:

Coverage for auto hacking expenses, the subject of this endorsement, begins at the time the insured first becomes aware of a known or suspected hacking incident involving the covered auto's computer system. The expenses to determine whether the auto has been hacked will be covered regardless of whether an actual hack took place, and whether the hack has already occurred or is in the process of occurring.

Once an auto hacking incident has been determined, the following expenses will also be covered:

  • Towing costs for the hacked nonfunctioning auto to a service or repair facility. However, if towing for the auto is included in the Physical Damage Coverage Extension, the amount of towing costs to be covered will be only that amount that exceeds the existing coverage.
  • Investigative and repair/restoration costs for the hacked covered auto. For example, the auto's computer system will need to be investigated as to the extent and cause of the hacking, and then repaired or restored to its original prehack capability, including any subsequent computer system security or other software updates to the system if deemed necessary for the covered auto's normal operation or use by its manufacturer. In addition, any data that has to be restored for the operation of the auto will be a covered expense if it meets the definition of "operational data".
  • If the insured needs transportation while the covered auto is being serviced or repaired from a covered hacking incident, the coverage allows for up to $30 per day, to a maximum of $900 for expenses incurred after the first forty-eight hours of the hacking incident. This coverage will not be cut short by the policy's expiration, so if the hacking incident is discovered for example thirty days prior to policy expiration and the insured needs transportation for the full thirty days, then the remaining thirty days following the policy expiration will be covered.
  • The covered auto hacking expenses include ransom payments made by the insured, including payments made in a virtual currency, such as bitcoin.
  • If the insured is required to take out a loan from a financial institution to cover the ransom demand, covered auto hacking expenses will include the incurred interest costs by the insured for such loan.
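As an added worked example (not part of the ISO form or of this analysis), the following Python models how the per-auto actual cash value cap (C.2), the per-incident deductible (C.3), the aggregate limit (C.1) and the temporary transportation allowance (E.1.c) interact over a constructed policy year. The dollar figures, auto identifiers and the counting of transportation in whole days are assumptions; the $30/day, $900 and 48-hour figures come from the endorsement text.

```python
from dataclasses import dataclass

# E.1.c temporary transportation allowance (figures from the endorsement text)
TRANSPORT_DAILY_CAP = 30.0    # up to $30 per day
TRANSPORT_MAX = 900.0         # to a maximum of $900 per incident
TRANSPORT_WAIT_HOURS = 48.0   # period begins 48 hours after the incident is established


@dataclass
class AutoClaim:
    """Expenses attributable to one covered auto in one incident (constructed sample data)."""
    auto_id: str
    actual_cash_value: float          # ACV when the incident was "discovered" (C.2 cap)
    other_expenses: float             # investigation, towing, restoration, ransom, loan interest
    hours_out_of_use: float = 0.0     # time spent in the service or repair facility
    daily_transport_cost: float = 0.0 # what the insured actually paid per day


def transport_expense(hours_out_of_use: float, daily_cost: float) -> float:
    """E.1.c: only days after the first 48 hours count, at most $30/day and $900 in total.
    Assumption: partial days are not reimbursed (whole days only)."""
    covered_days = int(max(0.0, hours_out_of_use - TRANSPORT_WAIT_HOURS) // 24)
    per_day = min(daily_cost, TRANSPORT_DAILY_CAP)
    return min(covered_days * per_day, TRANSPORT_MAX)


def incident_payout(claims, deductible: float, aggregate_remaining: float):
    """Apply C.2 (per-auto ACV cap), C.3 (per-incident deductible) and C.1 (aggregate).
    Returns (amount paid for this incident, aggregate remaining afterwards)."""
    # C.2: all expenses attributable to any one auto are capped at that auto's ACV,
    # however many autos the incident involves.
    capped_total = 0.0
    for c in claims:
        expenses = c.other_expenses + transport_expense(c.hours_out_of_use, c.daily_transport_cost)
        capped_total += min(expenses, c.actual_cash_value)
    # C.3: the insurer owes only the excess over the deductible, applied once per incident.
    # Only the amount actually paid is charged against the aggregate, so the deductible
    # itself never reduces the Aggregate Limit.
    owed = max(0.0, capped_total - deductible)
    paid = min(owed, aggregate_remaining)
    return paid, aggregate_remaining - paid


def settle_policy_year(incidents, deductible: float, aggregate_limit: float):
    """C.1: one aggregate covers every incident in the annual period; coverage ends when it is exhausted."""
    remaining = aggregate_limit
    payouts = []
    for claims in incidents:
        paid, remaining = incident_payout(claims, deductible, remaining)
        payouts.append(paid)
    return payouts, remaining


# Constructed sample year: $50,000 aggregate, $1,000 deductible per incident.
SAMPLE_INCIDENTS = [
    [  # incident 1: two autos; auto A's expenses exceed its ACV, so C.2 caps them at $20,000
        AutoClaim("auto-A", actual_cash_value=20000.0, other_expenses=24000.0,
                  hours_out_of_use=120, daily_transport_cost=45.0),
        AutoClaim("auto-B", actual_cash_value=30000.0, other_expenses=5000.0),
    ],
    [  # incident 2: one auto out of use for about six weeks; transport hits the $900 maximum
        AutoClaim("auto-C", actual_cash_value=40000.0, other_expenses=35000.0,
                  hours_out_of_use=1000, daily_transport_cost=30.0),
    ],
]

if __name__ == "__main__":
    payouts, left = settle_policy_year(SAMPLE_INCIDENTS, deductible=1000.0, aggregate_limit=50000.0)
    for n, p in enumerate(payouts, 1):
        print(f"incident {n}: paid ${p:,.2f}")
    print(f"aggregate remaining: ${left:,.2f}")
```

Running it shows incident 2 being cut off at the $26,000 left in the aggregate even though $34,900 would otherwise be owed, which is the exhaustion rule the Analysis describes.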

Definitions (continued)

2. "Auto hacking incident" means any:

  a. Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into the covered "auto's" "computer system" (including "operational data") and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of the covered "auto's" "computer system" (including "operational data") or otherwise disrupts the normal operation or use of a covered "auto".

  b. Denial of service attack specifically directed at you, which disrupts, prevents or restricts access to or use of the covered "auto's" "computer system" (including "operational data") or otherwise disrupts the covered "auto's" normal operation or use.

  c. Demand for ransom payments made to you in connection with the actual or threatened perpetration of any of the events described in Paragraphs E.2.a. or E.2.b.

Analysis:

An auto hacking incident as defined will include almost any type of attack that is malicious or damaging to the covered auto's "computer system", as defined.

Definitions (continued)

3. "Computer system" means the covered "auto's" computers, and any related peripheral components, any embedded original manufacturer systems and applications software, or any related communications networks connected to or used in connection with such computers.

5. "Operational data" means the information, facts, images or sounds stored, processed, created, collected, transmitted, recorded or used by a covered "auto's" "computer system" in connection with the normal operation, use, navigation or monitoring of your covered "auto" or its physical operating environment. "Operational data" does not include "personal or confidential information", or other audio, visual or data files uploaded to, downloaded from or streamed to a covered "auto's" "computer system", unless such information, data or files are deemed necessary for the covered "auto's" normal operation or use by the covered "auto's" manufacturer.

6. "Personal and confidential information" means any person's or organization's confidential or personal information, including but not limited to customer or contact lists, financial information, credit card information, security codes, passwords, PINs associated with credit card, debit or charge card numbers which would permit access to financial accounts, driving behavior or preferences, health or biometric information or any other type of nonpublic information.

Analysis:

Today's autos are largely made operational by computer systems and embedded software that make the auto intuitive in nature. While these systems provide many driver efficiencies, the integration of these systems makes them more susceptible to hacking. A covered auto's "computer system" includes any embedded original manufacturer computer systems and applications software, or any related communications networks connected to or used in connection with such computers.

"Operational data" is basically anything used by a covered auto's computer system that has a connection with the normal operation, use, navigation or monitoring of the covered auto or its physical operating environment. However, it does not include personal or confidential information or streamed content of any type, unless the covered auto's manufacturer deems such streamed data necessary for operation of the auto. For example, suppose the covered auto is virtually the insured's workspace and company data can be streamed to and from the insured's cell phone through the auto's computer system. If the auto is hacked and the insured is unable to retrieve any of the company data, that data would not meet the definition of "operational data", because the information is not necessary for the operation of the auto.

"Personal and confidential information" includes virtually any information connected with a person or organization that is not public information. It can include among other things customer or contact lists, financial information, credit card information, security codes, PINs, or passwords whereby someone could get access to financial accounts, driving behavior or preferences, health or biometric information or any other type of nonpublic information.

Definitions (continued)

4. "Discovered" means the time when you first become aware of facts which would cause a reasonable person to assume that an "auto hacking incident" has occurred, regardless of when the "auto hacking incident" occurred, even though the exact amount of the "auto hacking expenses" or details of the "auto hacking incident" may not then be known.

Analysis:

Coverage under this endorsement is triggered by the insured's discovery of an "auto hacking incident". As such, the term "discovered" has a special defined meaning. A discovery occurs when the insured first becomes aware of facts which would cause a reasonable person to assume that an auto hacking incident has occurred, even if the insured is not sure it was a hack, and regardless of when the hacking might have taken place. The extent of an auto hacking incident may not be fully known for some time, so even if the insured has only partial information leading them to think an auto hacking incident has occurred, this will meet the definition of "discovered".

Includes copyrighted information of Insurance Services Office, Inc., with its permission.