Insurers face accelerating cyber risks

The auto industry is changing rapidly and with enhanced connectivity comes higher risk to security. Connecting more aftermarket devices to vehicles only adds to this conundrum as security threats increase and insurers scratch their heads. We explore the processes and innovation that will affect the future insurance ecosystem.

Prevention rather than cure

Integrating cybersecurity processes into the product development cycle, such as defensive software solutions for ECU’s at their source, could minimise hackable surfaces, protect consumers personal data and help to obtain a ‘banking security level’ but it won’t be easy –  modern cars have up to 100 ECU’s sourced from different suppliers.

Clearly standardisation is required, as Ben Miners, vice-president of innovation at IMS, explains: “When systems are designed end-to-end, from the ground-up, leveraging industry-leading security processes and best practices, the result is modular, maintainable and secure systems with minimised potential attack and proactive monitoring options. We found the systematic approach to security employed in the DriveSync connected car platform to be essential to enable the secure delivery of solutions globally, including protecting personal data as the trusted custodian on behalf of government agencies and financial institutions. In my opinion, the integration of best practices in cybersecurity is essential not only in the product development cycle but also throughout an organization’s end-to-end operational processes.”

The main attack surfaces are the data link connector and the telematics unit, says Bob Gruszczynski, OBD communication expert, Volkswagen Group of America. Any other connect points will add to the complexity of securing that vehicle from attack but a concerted effort is starting to be made to secure higher levels of security. “Currently, there are discussions and standardisation efforts in progress in the industry to provide ‘banking security level’ within all aspects of the vehicle.”

Focus will move to carmakers as embedded systems and modems evolve, as Robin Harbage, director, Willis Towers Watson, explains: “As development progresses, more and more of the telematics data extracted from vehicles will come through either OEM developed Bluetooth connection to smartphones or embedded modems. The security of these applications will be within the control of OEM’s and security considerations will be an important factor in their development. This will shift the security issue somewhat to the OEM’s. Since ADAS and other systems in the vehicle will be subject to the same security risks, the cybersecurity development will impact not just consumer privacy but also the safety of the vehicle operation.”

Product innovation

Cyber coverage could potentially generate a new revenue stream by offering new products designed to protect the consumer from service attacks, hacking and viruses. That said, it is essential security systems are inbuilt and robust enough on their own, not as an optional add on for the end consumer to pay for, says Miners. “Solution providers that can successfully incorporate best practices in security processes and deliver a safer and more secure connected car product portfolio will thrive in the connected car space. Cybersecurity is an integral aspect of successful services in the connected car space, with the security responsibility resting on the solution provider. In my opinion, I do not consider cyber coverage as a source of new revenue streams for connected car solution providers but as an important area for solution providers to help protect and grow existing revenue streams.  From the perspective of cybersecurity organisations, however, the consulting and delivery of security services to connected car solution providers may be considered as new or opportunities to increase revenue streams – notably given the gap in security focus across many vendors to-date.”

It remains to be seen what these product offerings will be. The main reason being that neither carmakers nor aftermarket product manufacturers have led the way yet, says Gruszczynski. “In my opinion, it remains to be seen as to whether the OEMs handle this within their vehicle connectivity and network subsystems or allow aftermarket products to be integrated into this space.”

Insurance ecosystem

The car insurance industry is entering a hugely challenging time as V2I, V2V, V2IoT and connected internal automotive systems become integral to insurance product development. Cyber security firms will have a significant impact on how insurance companies use telematics and software as they become more active across all automotive industries, comments Gruszczynski.

“Cybersecurity firms provide a positive impact on the overall industry by raising awareness of potential security risks and emerging security developments,” adds Miners. “As independent organisations, cybersecurity firms are optimally positioned to handle objective reviews of the broader connected car ecosystem as the integration between insurance telematics, intelligent transportation systems and connected cars continues. The positive impact of independent cybersecurity firms will help to further strengthen the overall connected car industry including insurance telematics.”


Leave a comment

Your email address will not be published. Required fields are marked *