Auto Hacking Coverage for Commercial Vehicles

Modern cars and trucks work in concert with telematics for safer driving, increased fuel economy and fewer delays. But connected vehicles are also bringing cybersecurity and cyber liability coverage into focus. Electric vehicles (EVs) have highly computerized systems that need updates and repairs, making them vulnerable to cyberattacks. And software-defined vehicles have exposed a host of new loss liability areas like vehicle bricking, which can render a vehicle a total loss.

According to Upstream’s 2023 Global Automotive Cybersecurity Report, in 2022:

  • Application programming interface (API) attacks rose by 380%.
  • Telematics and application servers (apps) led the auto cyberattack vectors at 35%.
  • Remote keyless entry systems were the second-most-popular attack mechanism at 18%.
  • EV charging stations were valuable exploitation points for ransomware and charging management attacks (e.g., disrupting electric charge flow).
  • Dark web discussions about modern vehicles and their software components increased by 35%.

In response, insurance companies have added coverage for commercial auto hacking.

Coverage for auto hacking expenses

You can add auto hacking coverage to your commercial auto insurance policy. It’s currently limited to passenger, light and medium trucks. (But ask your agent about this emerging risk area, even if your vehicle is a heavier duty EV. They might have other solutions.)

Auto hacking policies define an auto hacking incident as any malicious code, virus or otherwise harmful code designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of the vehicle. This includes denial-of-service attacks that disrupt, prevent or limit the use of (or access to) your vehicle.

Auto hacking insurance helps with damage resulting directly from a hacking incident:

  • Covers costs to determine if a hack occurred or is occurring
  • Covers costs to restore the computer system to the way it was immediately before the attack
  • Covers costs to install security or software updates required by the manufacturer
  • Covers costs to restore or replace the vehicle’s operational data
  • Reimburses temporary transportation expenses while your vehicle is being repaired (Limits apply.)
  • Covers fees for towing your vehicle to a service or repair facility if it’s disabled or unsafe to drive
  • Reimburses ransom payments (This costs extra.)

A word on ransom coverage

Coverage for ransom payments is an add-on to auto hacking coverage, so don’t assume you’re covered for reimbursement unless it’s on your declarations page. Ransom payments may include reimbursement for interest on bank loans you take out for ransom demands. Many insurance companies have specific protocols you must follow to be reimbursed, including notifying them.

When a hack causes property damage, injury or liability

Auto hacking coverage isn’t a comprehensive auto or cyber insurance solution. It’s an added layer to your auto protection. It doesn’t cover:

  • Damages to your vehicle
  • Bodily injury or medical expenses
  • Property damage

Your commercial auto policy would respond to property damage, bodily injury or liability claims.

Insurance limits

You decide the amount of coverage you want for expenses related to a hack. The limit you name is separate from your business auto insurance limits. Occurrence limits for a hacking incident are the maximum an insurance company will pay for a single occurrence, and aggregate limits are the total amount they’ll pay in a policy period (usually one year).

What auto hacking insurance doesn’t cover

The typical exclusions apply, such as:

  • Wars, insurrections, rebellions, revolutions and usurped power
  • International travel (Canada is usually covered. Mexico requires a separate policy for auto insurance and may not offer hacking coverage.)
  • Costs to diagnose, repair or restore your car if you install software designed to modify or manipulate its computer system beyond what the manufacturer intended (Unauthorized software could invalidate parts of your policy.)
  • Breakdown, malfunction or inadequacy of your vehicle, unless you can prove it was related to the hacking incident
  • Hacking incidents that you were aware of before your auto policy’s start date or renewal
  • Personal data breaches
  • Enterprise system cyberattacks

Telematics and enterprise systems

As telematics and onboard assistive technology become the norm, the risk of cyberattacks increases. Auto hacking expenses insurance applies to the individual autos listed in your policy. But your transportation and logistical systems, including systemwide telematics, require an additional cyber liability policy to protect your overall operations.

Unauthorized upgrades

Consumers have hacked their cars to access features the manufacturer hasn’t authorized, like heated seats or infotainment. However, these modifications might create cybersecurity holes, making the car more vulnerable to hacks. Unauthorized additions or upgrades to your vehicle may invalidate your vehicle warranty and auto hacking insurance policy.

Personally identifiable data

You’ll need a separate cyber liability policy to cover personal data breaches extending beyond the vehicle. For example, if a hacker uses your EV’s telematics to infiltrate your company’s servers and steal client data, your separate cyber liability policy would respond, not your auto hacking policy. A cyber liability policy would help with identity theft monitoring expenses. An auto hacking policy would help repair the vehicle computer systems damaged by the hack.

A single breach can trigger multiple policies

Imagine criminals inject your car with malware while you’re powering up at an EV charging station. You see some decline in your charging time, but you don’t notice anything wrong with your car. Later, cybercriminals take over your vehicle, causing you to lose control of your car and crash into another vehicle. The insurance company investigates the accident, including onboard diagnostics, which reveal the malicious code. Four months later, your company discovers a data breach that exposed the personal and financial data of clients and vendors.

  • Your standard auto insurance policy pays for the other person’s auto damage and medical injuries.
  • Your auto hacking endorsement covers diagnostics, and repairing and replacing your onboard computer systems.
  • Your cyber liability policy helps with expenses related to the data breach, identity theft monitoring, enterprise system restoration, legal fees and public image consultants.

The confidentiality clause in auto hacking coverage

As with most cyber liability, auto hacking coverage includes a confidentiality clause. This clause requires you to make every reasonable effort not to divulge your coverage. Hackers may target you if they know you have insurance to pay their ransom demands.

If someone requests proof of coverage, tell them you’ll need to get back to them. Do not tell them who your agent or insurance company is either; it could be part of a phishing scheme to gain information on you for a future hack. The same goes for publications. Don’t mention your auto hacking policy in your company newsletter.

Always get written permission from your insurance company before you disclose anything about your auto hacking coverage. You could be liable for a breach of contract or nullify your coverage if you break your confidentiality clause.

Call your CBM agent

The insurance ecosystem isn’t static; it changes as threats emerge. Insurance companies will continue to respond to the effects of cybersecurity on vehicle manufacturers and consumers, evaluating technology as it develops. Connect with your insurance agent, especially if you have EVs in your fleet. And remember to get annual coverage reviews. They’ll help you determine the best way to protect your operations, which might require a more robust, stand-alone cyber liability policy.