Yesterday, the Automotive Industry Team of Foley & Larnder LLP (yes, us), hosted its annual event at the North American International Auto Show in Detroit, MI. Eschewing narrow or small topics, we charged into 2017 by trying to predict just what would happen with connected cars in 2017.
Our day started with Joseph Kwederis, Automotive Cyber Security Leader, Deloitte & Touche LLP. Suffice to say, the risk profile for the Auto Industry is ever expanding. Just in one vehicle, companies need to worry about their own enterprise systems, the vehicle’s systems, the consumer’s connected systems in the infotainment center (and any connected devices), and the interconnectedness of all those systems with the immediate environment. The risks grow exponentially, not linearly, with every connection. What to do? Mr. Kwederis advises companies to be secure, be vigilant and be resilient. In other words, what systems are in place to protect all these systems at your company. With those in place, do you simply set them up and forget them, or maintain them and monitor them? Finally, when something goes wrong – which is inevitable – what is your plan to deal with it?
Mr. Kwederis noted that one of the top motives behind cyber attacks was intellectual property theft, regardless of industry. Thus, our next speakers, Pavan Agarwal and Chanley Howell, discussed how to protect a company’s intellectual property. One of the first issues addressed was: Who owns the IP? With vehicles and controls so integrated, and often jointly developed, companies are best advised to address this early in their relationship. This can help determine who has the responsibility for building cybersecurity protection. Another issue was the confusing regulatory framework. Everyone reading this knows that NHTSA regulates the industry. But with cybersecurity, do not forget the FCC or FTC. They have regulations that your company must adhere to as well.
Moreover, when considering your cybersecurity, you definitely have to be secure today. But, if you are not thinking about 5 years from now, or 10 years, or more, you are already behind. Think about cybersecurity concerns from just 2006. How were programs, computers, or phones protected? 10 years ago, the iPhone came out. Now, passwords are biometric. Do your current systems protect against this? What will be passwords in 2021? Facial recognition, eye scanners and more are all closer than most people realize. Will business be conducted through the infotainment center of a personal or corporate vehicle, and how will it be stored, accessed and protected?
Neil Steinkamp of Stout Risius Ross identified multiple risks to automotive suppliers. A renewed focus from NHTSA was the first risk. Not just on cybersecurity, but directly on suppliers themselves. He recommended that suppliers take a renewed approach to identifying risks. Technology is evolving so quickly that many companies have not even paused to know what risks they are getting into. Start to identify unknown risks by looking at your data. NHTSA data, warranty data, sales data, industry data, etc. Collect it, analyze it, find risks that your company did not even know exist. For example, when it comes to crash imminent braking, part of the risk assessment includes knowing how many accidents involve rear end collisions – the more rear end collisions, the more risk in this technology. Similarly, how many NHTSA complaint on this issue exist: that data is publicly available.
Kiran Nayee of JLT Specialty noted that the pace and cost of automotive recalls for all reasons was accelerating. These recalls typically cost five times (5x!) the original cost of distribution for the same products. As NHTSA increases its scope from just hardware to software, the risk and costs of recalls is only going higher.