In 2015, nearly 30% of the total manufacturing-related cyberattacks occurred in the automotive industry.
Such attacks can be devastating, disrupt your business, damage your bottom line, compromise your brand and leave companies, as well as their directors and officers, liable for damages.
Negative publicity also is a significant concern, as any potential cyber-related safety issue can become an “accelerant” that heightens visibility and creates lasting brand damage. As connected and autonomous-vehicle technology begins to make its way to consumers, existing concerns about cybersecurity will become even more pronounced.
Automakers and suppliers must be familiar with cybersecurity best practices, including need-to-knows such as the risk of personal liability for cyberattacks and standard risk-management strategies and techniques. They also should understand the basic day-to-day elements involved in sound corporate governance.
Cyberattacks can take many forms, including: social-engineering and phishing attacks that target individual users; stolen or guessed user names and passwords used to gain access to endpoint systems and servers; malware and botnets that establish backdoor access, which can then be used to infiltrate and control large networks of devices; smart-device and mobile hacking, in which bad actors gain access to sensitive data through vulnerable mobile operating systems and apps; distributed denial-of-service (DDoS) attacks targeting network and application infrastructure; brute-force attacks on terminal-server access; and Structured Query Language (SQL) injection attacks aimed at database servers.
Protecting against these attacks requires a multipronged approach that includes people, processes and technologies. One of the most important pieces of the puzzle, however, is understanding where you are vulnerable. There are three general areas where an automotive company can face cyber liability risks:
Suppliers may receive sensitive or proprietary data from third parties, such as technical product data from an OEM or personally identifiable information from automotive aftermarket customers. Failure to secure this information could result in fines, penalties, damages and loss of future business, and trade-secret and breach-notification laws may even come into play.
From strategic plans to organization charts to supply-chain information to product and design specifications and concepts, these information assets need to be secured with at least basic safeguards: appropriate technical, physical and administrative measures such as password hygiene, personnel training on security practices, physically secure data centers, and robust firewall and anti-virus protections (including whitelisting and blacklisting).
Also, the “Internet of things” creates potential cyber-related vulnerabilities in production facilities – shutdowns can result in substantial losses via lost profits as well as contractual penalties.
Connected and Autonomous Vehicles
With connected and autonomous vehicles getting more and more industry attention, cybersecurity surrounding the data used with such vehicles, and particularly data implicated in the actual operation of the vehicle, has become a front-and-center issue. About 75% of all shipped cars by 2020 will have Internet connectivity (up from about 13% in 2015). Consequently, NHTSA recently issued a Federal Automated Vehicles Policy that is out for consideration and comment. Among other things, the document addresses both privacy concerns and potential safety issues associated with increased vehicle connectivity.
Historically, under the Vehicle Safety Act and its regulations, car manufacturers have “self-regulated” compliance with the Act’s requirements. NHTSA’s Automated Vehicles Policy introduces the potential for a future pre-market review or approval process for certain levels of autonomous technology. While this is nonbinding guidance at this juncture, the fact that it is being suggested is worth noting.
Lastly, NHTSA’s guidance casts a wide net. In addition to vehicle manufacturers, the guidance also applies to any “individual or company that is not a (vehicle) manufacturer, involved with helping to manufacture, design, supply, test, sell, operate or deploy automated vehicles or equipment.”
Because this opens the possibility that even a small software coder at the end of the supply chain must comply, companies involved at all levels of highly automated vehicle manufacturing should be aware of the policy and its guidance and on alert for any regulations or rulemaking that come out of it.
The bottom line is safety and security in the automotive industry is no longer just about mechanical and physical soundness, but is increasingly about information systems and software. In this new paradigm, automotive manufacturers and suppliers need to familiarize themselves with the contours of that landscape if they want to protect their customers, their businesses, their brands and their bottom lines.
And now the bad news (as if the above issues weren’t bad enough): Directors and officers may be personally liable for cyberattacks.
Experienced legal counsel can assist directors and officers in developing and implementing appropriate safeguards to protect against personal liability for when (not if) a cyber breach occurs. While there is no cookie-cutter “to-do” list as every company is different, the bottom line is that directors and officers must engage in the everyday blocking and tackling of sound corporate governance and risk management when it comes to dealing with cybersecurity threats.
Directors and officers should start by learning the basics of cyber risks and the red flags that can warn of a problem. Oversight also should include establishing (and documenting) clear cyber-risk policies and procedures. The directors and officers need to make cyber-risk management a priority.
It’s not OK to dismiss it as “just an IT issue” or simply delegate cybersecurity to the IT department – cyber risks must be managed, reviewed and monitored at the board of directors level (i.e., it should be a recurring agenda item).
Properly preparing for (and responding to) cyber threats goes a long way toward reducing the risk of personal liability for directors and officers.
While specific questions regarding personal liability precautions should be directed to trusted legal counsel, the good news is sound corporate governance largely consists of common sense measures: You aren’t likely to get sick if you wash your hands early and often.
Bill Rosin and Brian Balow are members of Michigan-based Dawda, Mann, Mulcahy & Sadler, a law firm providing expert legal counsel to clients ranging from Fortune 500 companies to other publicly and privately owned businesses.