A cyberattack can wreak havoc on a business, disrupting regular operations, creating frustrating delays, and ultimately hurting your bottom line. Not only can a cyberattack damage your business, it can damage your brand. The lasting damage to a company’s public image can be devastating. Unfavorable media coverage can exacerbate an initial PR hit and turn a costly attack into an even more costly cycle of long-term negative publicity. In some cases, executives may even find themselves liable for damages.
For automotive decision-makers, these potential consequences are not an abstraction: in 2015, nearly 30 percent of all cyberattacks in the manufacturing sector occurred in the automotive industry. Today, the industry finds itself at a crossroads: as larger numbers of connected and autonomous vehicles begin to reach the broader consumer marketplace, cybersecurity and the public perception of vehicle safety and brand strength are more important than ever.
With that in mind, brands and businesses across the automotive industry would be wise to take the time to familiarize themselves with the range of cybersecurity threats – and the corresponding security protocols and best practices they can utilize to protect themselves from this new constellation of threats. That includes everything from basic risk management strategies, to strategic decision-making and sound corporate governance.
One of the things that makes protecting against cyberattacks such a challenge is the diversity of techniques and tactics used by malicious actors. Cyberattacks can take a number of forms, from phishing attacks aimed at individual users, to malware and botnets that can compromise and control large networks of devices; mobile devices and company apps offer additional points of vulnerability. Companies may face distributed denial of service (DDoS) attacks aimed at their network and application infrastructure, and outside parties can use everything from brute-force attacks on terminal server access to SQL injection to attack data-driven applications. Today, the “Internet of Things” creates even more potential vulnerabilities: production facilities that have been targeted by an attack can face costly downtime.
With such a wide range of threats, automotive companies must structure their defense in a way that addresses multiple vulnerabilities. There is no magic solution or single answer: decision-makers must embrace an integrated and comprehensive suite of protective measures that encompasses people, processes and technologies alike. Before those protective measures can be put into place, however, you first need to understand exactly how, and where, you are vulnerable.
Protecting sensitive or proprietary third-party information is vitally important. Suppliers routinely handle such information (ranging from an OEM’s product data to personal customer information). Companies that do not adequately protect this information can face everything from financial penalties to serious legal liability – not to mention the long-term damage to the business.
In-house proprietary data is also vulnerable. From strategy documents to tech and design specs, information is power, and should be treated like an asset that needs to be protected. Robust technical protection (such as firewalls and anti-virus protections, including whitelisting and blacklisting) is essential, but physical and administrative safeguards are equally important.
Autonomous and connected vehicles
Cybersecurity has become a hot-button issue for the coming influx of connected and autonomous vehicles. Three quarters of all cars shipped by 2020 will have Internet connectivity. Public speculation about the vulnerability of these vehicles to hackers and other outside attacks should not be dismissed, and automotive manufacturers would be wise to take proactive steps to ensure that these concerns are addressed.
To address safety concerns (and privacy issues) the National Highway Traffic Safety Administration (NHTSA) issued a Federal Automated Vehicles Policy. Among other things, for certain technologies the Policy suggests the implementation of a pre-market approval process (perhaps akin to the FDA process). This is a significant change from the current post-incident self-regulation model under the Vehicle Safety Act, and bears watching.
The NHTSA Policy also identifies the pool of potentially liable parties responsible for cybersecurity as including “…any individual or company, that is not a [vehicle] manufacturer, involved with helping to manufacture, design, supply, test, sell, operate or deploy automated vehicles or equipment.” While the final contours of this definition remain unclear, this could potentially impact software developers residing at the very bottom of the supply chain. NHTSA’s Automated Vehicles Policy reflects the recognition that automotive safety and security is no longer just about nuts and bolts, but bits and bytes. Automotive manufacturers and suppliers who want to protect themselves and their customers and flourish in this new world of cybersecurity need to be cognizant of these issues, and fully aware of how to address them.
Personal liability and corporate governance
The bad news for directors and officers of automotive companies is that cybersecurity issues could impact them directly: they could be held personally liable for the damages resulting from a malicious hack or data theft.
The good news is that automotive decision makers can go a long way to protect themselves and their brands simply by using common sense and adhering to some basic best practices. Protecting against cyber threats and the resulting potential liability issues is, in many ways, as simple as asking the right questions and documenting your due diligence efforts.
Consulting with trusted legal advisors is, of course, an important first step in developing the risk management and security policies and practices that can mitigate these potential liability issues, but one of the most important things that any executive can do is to get involved: directors and officers should educate themselves about cybersecurity basics, including common red flags and potential vulnerabilities, developing and documenting cyber risk policies and procedures, and simply recognizing that cybersecurity responsibilities are no longer just an IT issue. Make sure that challenges and solutions are regularly brought up and addressed at board meetings. Executives who are actively and proactively involved can do as much to protect their interests as even the most sophisticated systems and technologies.
Co-authored by Bill Rosin and Brian Balow, members of Mich.-based Dawda, Mann, Mulcahy & Sadler, PLC, a law firm providing expert legal counsel to clients ranging from Fortune 500 companies to other publicly and privately owned businesses. Bill can be reached at firstname.lastname@example.org and Brian can be contacted at email@example.com