Takeaways:
- Having both cyber and driving coverage can still leave risk gaps
- More data on AV risk is needed over time
- Collecting on claims can depend on what risks are covered
Insurers covering autonomous vehicles (AVs) have to address gray areas among risks including cyber breaches, business interruptions and traffic accidents, experts say.
Risks around
"Many policies were not originally designed with cyber-physical events in mind, which can lead to ambiguity around how coverage applies," said Loretta Worters, vice president at the Insurance Information Institute, in an email. "There can also be a disconnect between policies that cover cyber events and those that cover bodily injury, creating potential gray areas in claims."
"There is a lot more access, whether it's through the cloud or directly through the information system, because also the manufacturer has to have access to your auto to update the software," said Niami, who also previously chaired the organization's cyber risk committee.
As cyber risk models advanced, cybersecurity systems began compiling more data, Niami said. With AVs, actuaries get more data now than they did 10 years ago, when autonomous features were first added to vehicles — but there's still not enough data on higher-level AVs that operate without a human on board, he added.
"The biggest challenge for modeling and scenario analysis by actuaries is how relevant the data that they have is to what is going to happen next," he said. "It's going to be decades, because as with most technologies, companies are struggling with that last mile of having a car that can go on any road under any condition, at any time of the day, anywhere — even when that's not mapped."
Actuaries are experienced with determining or modeling risk, even with incomplete data, according to Niami.
"You have the actual data on what happened with an incident. Actuaries do a lot of modeling, whether it's scenario analysis, which might be less sophisticated, or catastrophic models, which originally were developed for weather-related events," he said. "We are used to asking what to do with this. What have I seen before that's similar? What is totally different that I have to think about and make some assumptions and study more?"
That modeling is best accomplished through model and scenario analysis, Niami added.
Even with the most complete data possible and the most comprehensive actuarial assessment of
"Let's say suddenly there is a cyber attack, and every single one of Waymo's thousands of cars become bricks and they're gone. That's a catastrophe. They might have some coverages for catastrophes," he said. Commercial business interruption coverage, if the parties involved have it, and depending on the risks it covers, could also be in force for such a cyber attack, Niami said.
AV operation is also influenced by multiple parties, a setup which complicates the picture of risks and responsibilities for cyber breach and AV coverages.
"With autonomous vehicles, especially in a cyber incident, responsibility can extend across multiple parties, including the vehicle manufacturer, software developer, component suppliers, and potentially fleet operators," said Worters of III. "Determining whether a loss was caused by a system defect, a failure to patch a vulnerability, or a malicious external attack adds complexity and can increase the likelihood of litigation."
Still, Worters sees progress on this issue.
"While the current insurance framework continues to evolve, insurers are actively adapting to better address these emerging risks and provide clearer, more comprehensive protection," she said. "This is an area where ongoing collaboration between insurers, manufacturers and technology providers will play an important role in supporting innovation while helping to ensure consumer confidence."
