A recall notice to fix critical control software on 1.4 million vehicles should raise concerns for companies, brokers and insurers across several business lines. The vulnerability of vital control systems to a remote hacking threat is a significant exposure that raises concerns for many industries and supply chains. As we learned late last year with a German steel mill cyber event, the threat of physical harm caused by a control system hack is no longer theoretical. Governments, companies, brokers and insurers must recognize and understand the risks, implement safety measures and consider loss contingencies. Emerging coverages for cyber exposures, automotive or components product recalls and supply chain risks can assist companies with surviving crisis cyber events.

Jeep Hack Exposure

Security experts teamed with Wired magazine to demonstrate the ability of anyone to wirelessly hack into and control a vehicle’s entertainment and control systems. An entertainment system, or head unit, is usually connected to numerous electronic control units (ECUs) found throughout a vehicle. Today’s vehicles can contain up to as many as two hundred ECUs. The experts showed how to wirelessly break into a car’s control systems and electronically operate vital vehicle functions. They advised that they could have easily demonstrated the same ability to hack ECUs found in hundreds of thousands of vulnerable vehicles traveling the world’s highways. 

Government Response to Vehicle ECU Cyber Threats

Two United States senators, Edward Markey and Richard Blumenthal, reacted quickly to the demonstrated threat and have introduced a bill in the Senate that would require automobile manufacturers to develop standards that secure drivers against vehicle cyber-attacks. The Security and Privacy in Your Car Act of 2015 (the Act) would require automakers to comply with cybersecurity standards and equip vehicles with software that would detect, report and stop attempts by hackers to intercept driving data or control the vehicle. The Act would also seek to incorporate isolation measures to separate critical software systems from non-critical software systems. However, under the proposed Act’s current language, the measures would not be implanted for several years.

Control System Exposure to Cyber Threats Is Widespread

Before late 2014, cyber events were thought to concentrate on the loss or theft of information or data. At the end of last year, we learned cyber events have evolved into a more dangerous and malicious threat as industrial control systems/supervisory control and data acquisition (ICS/SCADA) systems are being targeted. The use of malware to compromise and manipulate ICS/SCADA systems has raised the stakes for many business lines.

The emergence of this cyber threat is not surprising as more and more control systems become accessible directly from the Internet. By allowing employees to gain remote access to control systems networks, companies face an increased risk of cyber attacks gaining unauthorized access to control environments. Recent, though little noticed events have increased concerns about ICS/SCADA attacks.

For example, in late 2014, the control systems of a German steel mill were remotely manipulated causing significant plant damage. Using sophisticated spear-phishing (use of emails that appear to come from within an organization or from a trusted source) and social media engineering techniques, the attackers gained access to the plant’s business network. From there, the attackers were able to infiltrate the facility’s production network. As they explored the company’s networks, they were able to compromise a number of systems, including various industrial components on the facility’s production network. The manipulations of the company’s systems caused a number of internal failures and the company was unable to properly shut down a blast furnace, which resulted in massive damage to the facility.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the U.S. Department of Homeland Security, reported that U.S. ICS were hit by cyber attacks at least 245 times in 2014. Significantly, the ICS-CERT reported that the Energy and Critical Manufacturing sectors were the most sought-after targets. Other targeted sectors include Health Care, Communications, Water Supply and Transportation. The identified incidents included a range of threats and methods that successfully gained access to business and control systems infrastructure, including ICS/SCADA. The evolution and emergence of cyber events involving ICS/SCADA systems raises significant concerns in regard to damaged property and potentially to resulting bodily injuries.

Supply Chains May Deliver Hidden Cyber Threats

The Internet of Things, or the ability of conventional or everyday objects to connect to the web to send and receive data, continues to grow and spread into every aspect of our daily lives. See The Internet of Things: Liability Risks for Tech Cos.  All of these devices, appliances, gadgets, mechanisms and components reach companies and consumers in the same manner: the supply chain. Today, global supply chains are common and are fraught with vulnerabilities enhanced by cyber threats. The very nature of supply chains makes them inherently vulnerable and hard to protect against cyber threats. Supply chains are extended, complex and interconnected with various links that do not follow regular routes. The supply chains that will connect component parts and deliver finished goods can begin far, far away from the ultimate destination. Thus, various links in any supply chain may be vulnerable to the installation of malware. In other words, the product a company purchases for incorporation into its ICS may already be loaded with malware or a malicious code, which is impossible to remove. Understanding and protecting against such vulnerabilities is critical to auto, components and other supply chains.

Emerging Risk: Cyber Events Resulting in Bodily Injuries and Property Damage

Physical injury or damage arising from cyber threats is an emerging risk. Generally, it has been understood that the theft or corruption of data is not covered under standard general liability and property policies as data is not considered tangible property. However, as Wilson Elser advised in December 2014, cyber threats are evolving and the threat of physical damage and resulting losses must be considered and understood by companies, brokers and insurers. While exclusions contained in general liability and property policies have developed, especially recently, in regard to electronic data issues, the question raised is whether such exclusions would be applicable if a cyber event resulted in bodily injuries or property damage.

Cyberpolicies

Cyberpolicies emerged to assist companies with losses resulting from data theft and corruption. Because standard general liability and property policies generally do not cover or exclude coverage for data theft and corruption events, cyberpolicies have filled a gap in traditional insurance portfolios. The issue raised by the emerging threat of physical damage resulting from a cyber event is two-fold: Whether the losses are covered under cyberpolicies, and if so, to what  extent. Cyber-experienced brokers and insurers are able to properly analyze and enhance a company’s insurance portfolio to help ensure that the policies properly interact and respond, gaining a company extensive coverage when it incurs a cyber event.

Automotive and Component Parts Specialty Policies

Automotive product recall, automotive components product recall and component parts specialty policies generally provide coverage for Insured Events involving Product Safety and Product Guarantee recalls. Companies involved with automotive supply chains also must consider the risks raised by emerging threats. Malware or malicious code could be installed at various links in a global, extended vulnerable automotive supply chain. An expensive recall involving such a defect could be costly for many of the links or suppliers involved with the affected supply chain. Automotive suppliers and component parts manufacturers would be well-advised to consider enhancing their standard insurance portfolio with specialty recall coverages.

Conclusion

The Jeep ECU hack demonstration further exemplifies another control system emerging risk for companies, brokers and insurers across several business lines. Companies in all industries should analyze operations and understand the increased exposure when control systems face the Internet and are vulnerable from remote hacking risks. The threat of bodily injury or physical damage from a control system hack is no longer science fiction. The threat will continue to grow and companies are now aware of the potential exposures and liabilities. Companies would be well-advised to collaborate with brokers and insurers to enhance standard insurance portfolios and include emerging coverages so that they are able to survive the next cyber crisis event.