Board of Directors’ Liability for Automotive Cybersecurity

Directors at UK manufacturers or vendors of connected cars are now liable for accidents caused by security failures in those vehicles. On August 6, 2017, the UK Department of Transport issued “Guidance: Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles”.

The guidance specifically states:

“Personal accountability is held at the board level for product and system security (physical, personnel and cyber) and delegated appropriately and clearly throughout the organisation.”

In other words, directors are now personally liable if the security system of a connected car is breached or malfunctions and goes on to cause damage. Further, directors must implement a security programme and promote its adoption throughout the organisation that produces connected cars. And directors must see that a training programme is initiated for all employees to embed a “culture of security”, so that individuals understand their role and responsibility in Intelligent Transport System (ITS)/Connected and Automated Vehicle (CAV) system security.

These guidelines will lead to further specifics as court cases arise, but it is clear that directors at connected car companies must uphold their responsibilities or face the consequences.

Liability for Automotive Security – UK Legislative History

Cybersecurity issues in automobiles are regulated by laws that govern road accidents, according to UK law firm Allen & Overy.

In the UK, drivers, in the first instance, are liable for causing damage – in Europe, it is the car owner – but “where an accident is as a result of a fault or defect in the car, car owners/drivers may then look to others (e.g., the manufacturer of the car or any component part) for recovery of any losses,” Allen & Overy point out. Following transposition of Council Directive 85/374/EEC of 25 July 1985 into the UK Consumer Protection Act of 1987, strict liability is imposed on producers of defective products in automobiles.

There have thus far been no lawsuits of this type in the UK, but there is one already in the US. In 2016, a man was killed when his Tesla’s Autopilot system failed to recognise a truck turning in front of his car. The man’s family sued Tesla in April 2017, claiming that the Autopilot system was defective.


There could be many lawsuits of this type in the UK, now that the Department of Transport has issued guidelines on legal responsibility for cybersecurity in vehicles.

“Greater definition is a pressing issue,” commented Gail Gottehrer, partner with Axinn Veltrop & Harkrider LLP: “Today’s car is essentially a smartphone on wheels. As more technology and features are added to cars, more points of access for hackers are introduced and vehicles become more vulnerable to cyber threats. Consumers continue to demand more connectivity from, and while in, their vehicles, seeking to have their vehicles function as mobile hot spots that provide Internet access and infotainment services like the ones consumers have in their homes. Along with this level of connectivity come risks.”

With the demand for increased connectivity in cars comes the responsibility for providing solid defences against threats. The UK guidance calls for designing systems using a “defence in-depth approach,” meaning that protection against threats must be designed into a technology before it is integrated, rather than added afterwards.

It is worth noting that there is no current EU legislation governing cybersecurity for connected cars. The Commission has issued a directive (COM (2016) 766), “A European strategy on Cooperative Intelligent Transport Systems, a milestone towards cooperative, connected and automated mobility,” which lays out a strategy both for developing a connected-cars industry across the 28 Member States and for regulating cybersecurity protection specific to it.

The directive states: “A key challenge will therefore be to set up the necessary governance at EU, national and industry levels involving all main stakeholders, including public authorities (e.g., transport ministries and the responsible national security associations), road operators, vehicle manufacturers, C-ITS service suppliers and operators. Developing a common security solution for the deployment and operation of C-ITS in Europe will in turn lay the foundation for stronger security at higher levels of automation (including vehicle to vehicle and vehicle to infrastructure communication).”

While this directive may not figure in UK law post-Brexit, it will undoubtedly be influential in shaping UK law.

Managing Information on Cybersecurity in Connected Cars

The rapid evolution of regulation and practice regarding cybersecurity for connected cars means that directors must ensure that they are up-to-date on the latest developments.

There is no surer way to share such information securely than by using a board portal like Diligent. New data can be shared, and access to it can be controlled and adjusted for those who have the right to see it. The environment, thanks to the high-grade security on the portal, will always be safe for sharing.

Using the Diligent board portal, you will also have access to searchable libraries of corporate governance practice, as well as to all materials needed for board operations. Board books, for example, can be updated with a click, and all directors can access the latest information available in real time.

Governance for Cybersecurity

Cybersecurity threats fall into two basic categories: threats to the car’s information system and threats to data stored in the car’s applications.

While the industry is still in the process of developing best practices, some principles have already emerged. The Automotive Information Sharing and Analysis Center proposes:

“Effective governance aligns a vehicle cybersecurity program with an organisation’s broader mission and objectives. Furthermore, strong governance can help to foster and sustain a culture of cybersecurity. Best Practices do not dictate a particular model of vehicle cybersecurity governance but provide considerations for organisational design to align functional roles and responsibilities. Best Practices for Governance and Accountability include:

  • Define executive oversight for product security.
  • Functionally align the organisation to address vehicle cybersecurity, with defined roles and responsibilities across the organisation.
  • Communicate oversight responsibility to all appropriate internal stakeholders.
  • Dedicate appropriate resources to cybersecurity activities across the enterprise.
  • Establish governance processes to ensure compliance with regulations, internal policies and external commitments.”

The organisation further recommends measures to control risk, including establishing standardised processes to identify, measure and prioritise sources of cybersecurity risk in connected cars. Remember that components provided by the supply chain must also be subject to control.

A number of risks are well identified, for example, the challenge of controlling data shared among individual cars. A decision process should be set up to develop protection for data, and to manage other identified risks.

To ensure that board members are kept informed, a process for reporting and communicating risks to directors should also be established.

Certainly, many of these best-practice recommendations derive from the general practice of corporate governance. But experts point out that, until now, the approach to connected cars has been purely consumer-focused. It will now be imperative, in the UK, to consider threat protection as well.
