New auto insurance policies cover not just fender benders, but a new class of car trouble—let’s call it data eradicators, PII-PII bye-byes, or information annihilations.
The proposed HSB Cyber for Auto coverage, announced this week for policy holders and available through an endorsement to the policies of insurance companies that partner with specialty insurance provider HSB, aims to safeguard private information stored in increasingly connected cars.
“Just like computer attacks against a personal desktop, laptop, or personal computing device, we see the car as another area of exposure, relative to hackers looking to do damage or otherwise alter data within the car,” James Hajjar, chief product and risk officer of HSB’s treaty division, told IT Brew.
What’s covered
- Vehicle damage related to the installation of malware, as well as system-recovery efforts if a malicious hacker takes over the vehicle, according to a policy primer from the company.
- The HSB coverage also supports collisions with cyberextortion and money demands based on credible threats to the vehicle’s data.
- “We are covering damage to the computer systems within a vehicle,” Hajjar said.
Are these attacks happening?
While most of us haven’t been both stuck in traffic and intense “pay or not pay the ransom” dilemmas, vehicle compromises have occurred, with disruptive consequences. A ransomware attack reported by BleepingComputer in September 2023 prevented one truck company from managing its fleet.
Vehicle connectivity allows manufacturers to add on-demand services, over-the-air updates, and cybersecurity patches. Today’s drivers can sync their phones to their cars, control vehicle functions via tablet, and store personal information in a vehicle’s computer system.
The smartphone synching offers points of entry for malicious hackers: “The result could be theft of personally identifiable information (PII) that could lead to victims’ bank and credit card information being stolen and even their identities. It also gives hackers the opportunity to take control of the vehicle until a ransom is paid,” a 2024 HSB report said.
Cyberattackers: Pull up!
- In 2015, Wired memorably recorded security researchers taking remote control of a Jeep Cherokee.
- This January’s inaugural bug-bounty contest, Pwn2Own Automotive, showcased exploitable vulnerabilities in vehicle infotainment systems and the Tesla modem.
- Researchers from the automotive, cloud-based cybersecurity provider Upstream analyzed 295 automotive and smart mobility cybersecurity incidents in 2023. The proportion of incidents with a “High” risk (incidents with potential to disrupt thousands of assets) or “Massive” impact (able to disrupt millions) doubled from 2022 to 2023, according to the report.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
The road so far
For auto insurers providing “comprehensive,” non-collision coverage, an incident like car theft may involve digital components—a threat large enough, perhaps, to convince the insurers themselves to take out some form of additional cybersecurity coverage down the road.
What if a spoofed app allows hundreds of vehicle break-ins, wondered Mike Ramsey, VP team manager, Automotive, Transportation and Cross-Manufacturing at market-intelligence firm Gartner. (HSB’s Cyber for Auto covers policyholders, not the insurers, according to the company.)
Ramsey hasn’t seen other insurance companies offering this specific kind of automotive cybersecurity support, but he sees the insurance market shifting to the increasingly digital driving experience.
“Adding the ability to add new software into the cars or control the car using digital means: very convenient for me and you and for the manufacturers to upgrade and change them. But by the same token, it's very convenient for the bad guys to do a lot of damage all at once. And so the insurance market is responding to that,” he told IT Brew.