
DOING IT DIFFERENTLY

by Sai Honig, Engagement Security Consultant at Amazon Web Services

Recently, I received my car insurance renewal documents. Normally I do not really read the policy document. I just make a note of the amount and the renewal date. However, the email I received had a statement that caught my eye.

“Your policy document now explains what happens if there is a cyber act or incident. We’ve updated the ‘What you are not covered for’ section of your policy to include new information about ‘cyber events’. This update explains that there are some losses and costs arising from a cyber act or incident that may not be covered by your policy.”

The policy (available publicly online) states:

“Cyber Events

This policy does not cover loss, cost or liability, directly or indirectly caused by, arising from, contributed to, by or in any way connected to a cyber act or cyber incident. However, we will not apply this exclusion for any of the following:

• an event otherwise covered by this policy that causes a cyber incident.

• loss resulting from an event otherwise covered by this policy that has been caused by a cyber incident or cyber act.”

I did ask for clarification of what this really means. This is what came back from my insurance provider.

“Some loss and damage we intend to exclude under our motor products are:

1. A vehicle that can connect to the internet is having issues with a new software update that has been downloaded to it by the manufacturer.

This means the vehicle needs to be looked at by a repairer to remedy the issue. The cost for the repair in this case will not be covered under the policy.

2. A computer virus has caused a vehicle system to malfunction. There is no physical damage to the vehicle, but the key to access the vehicle no longer works. The cost of a repairer to resolve this issue will not be covered under the policy.”

I certainly did not expect to see my car insurance discuss cyber events. So why is this disclaimer in the policy? As we have seen, our cars are becoming more like our laptops and mobile phones. In many vehicles, Bluetooth and Internet connectivity are becoming standard features. Because of this, insurers are putting in disclaimers such as the above.

This needs to be understood. Software in many automotive systems may have vulnerabilities that could allow vehicles to be hacked, customer data to be stolen or even enable complete vehicle takeovers. Because the software rather than the hardware is affected, these are considered ‘cyber events’ and may not be covered by the insurer.

Even Tesla’s ‘self-driving’ capabilities come with flaws. A senior engineer at Tesla is reported to have said that, when Tesla tried to show the Model X could park itself with no driver, it crashed into a fence in Tesla’s parking lot. The US Department of Justice launched a probe following more than a dozen crashes, some of them fatal, involving Tesla’s driver assistance system, Autopilot, which was activated during the accidents.

I think we can agree that the “more than a dozen crashes” of Tesla’s Autopilot could have been caused by cyber incidents. I think we can also agree that complete vehicle takeovers can be caused by cyber attacks.

However, with all the software currently in vehicles (and more to come), can we ignore these cyber events? If our car insurance policies do not cover cyber events, what recourse do we motorists have?
