1/11/2017
©2017 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
Today’s Agenda
■ Welcome
  » Jay Rothman, Foley & Lardner LLP
■ Overview of Emerging Automotive Technologies
  » Joe Kwederis, Deloitte & Touche LLP
■ IP and Data Protection
  » Pavan Agarwal, Foley & Lardner LLP
  » Chanley Howell, Foley & Lardner LLP
■ Break
■ Supply Chain
  » Neil Steinkamp, Stout Risius Ross
  » Kiran Nayee, JLT Specialty
■ Q&A
■ Program Concludes
Welcome
Jay Rothman, Foley & Lardner LLP
Automotive Cybersecurity Overview
Joseph Kwederis, Deloitte & Touche LLP
Automotive Cyber Security Overview
Joe Kwederis, Principal, Deloitte & Touche LLP
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
Copyright © 2017 Deloitte Development LLC. All rights reserved.
The future of mobility is here…
Extent to which vehicles are personally owned or shared:
• Depends upon personal preferences and economics
• Higher degree of shared ownership increases system-wide asset efficiency
[Figure: Future states of mobility. Horizontal axis: vehicle ownership (Personal to Shared), tied to asset efficiency. Vertical axis: vehicle control (Driver Assist to Autonomous*). Four future states, numbered 1 to 4 on the slide: Incremental change; A world of carsharing; The driverless revolution; A new age of accessible autonomy. The slide also marks Phase 1 and Phase 2.]
Changes in the automotive market are presenting new opportunities and challenges for automakers
• Ownership: Alternate ownership models (Zip-car, peer-to-peer rentals, car sharing, etc.)
• Product transformation: Smart materials, powertrain technologies, autonomous vehicles, connectivity
• Risk and compliance: Regulatory and global influences, e.g., China, Europe, US. Connected vehicle ecosystem impacts on consumer safety and security
• New services and competitors: Car parking, valet on demand, telematics, connected services, car sharing
• Connectivity: Connectivity and convergence
• Customer expectations: Changing customer expectations, such as Gen Y’s preferences about information, ownership, consumer trust, etc.
Information security and cyber risk need to be considered for each new product and service in the context of shifting consumer and regulatory expectations.
Stakes are high – with approximately $2 trillion in revenues collected annually by the current extended auto industry
Current extended automotive industry revenues: ~$2T¹
• Automotive, $735B: Wholesale and dealer vehicle sales and service; suppliers; and mechanics
• Energy, $573B: Oil companies and gas stations
• Public sector, $251B: Fuel, licensing, and auto sales taxes; traffic enforcement; tolls; public transportation; parking
• Insurance, $205B: Auto insurance
• Finance, $101B: Auto financing
• Transportation, $59B: Rental vehicles; taxi and limo services; private parking garages
• Medical & Legal, $35B: Emergency services and hospital costs; legal fees associated with accidents
• Retail, $24B: Aftermarket parts and service channel
• Media, $16B: Radio advertising; outdoor advertising
¹ Total revenue is $1.99T. Source: Deloitte analysis based on IBISWorld Industry Reports, IHS, DOT, US Census, EIA, Auto News, TechCrunch. Current revenue represents 2014 figures (or earlier if 2014 data not available) in the United States.
There are a number of forces that will influence the rate at which the new mobility ecosystem takes shape
Forces of delay or acceleration
• Regulation & Government: Federal, state and local policies
• Public Attitudes: Human-machine interface, safety, shared economy
• Wall Street Valuations: Technology investments, cost of capital projections
• Technology Development: Early experiments, pilot programs
• Employment Changes: Dislocation effects, reactions, job retraining
• Privacy and Security: Cyber-security, communication protocols
Source: Deloitte analysis, based on publicly available information.
Breach through mobile apps or Wi-Fi
Malware through console OS
Loss of integrity of control units
Exploit GPS and navigation data
Malicious vehicle apps
Breach of telematics
Malicious or accidental breach of vehicle systems
Negative advertising due to breach
Online defacements through advocacy groups
Cyber incident impact to insurance
Activity by foreign governments
Non-compliance to regulations
Organized crime
Competitors
Counterfeit suppliers
Vulnerabilities created through dependencies on external entities
Breach of data through alliance partners
Reputational damage through social media
Tampering of parts and accessories
Dealer data breach
Counterfeit warranty parts
Breach of Manufacturing IP
Breach or leakage of product IP, marketing data, customer data
Malicious employees
Threats posed to and by internal entities
Disruption in purchasing and supply chain channels
Exploitation of Financial data
Information technology incidents
Reputational damage impacting customer experience
Loss of integrity of on-board diagnostics
Connected vehicles and services face a myriad of threats
ICS security environments should be reviewed in terms of a standard security framework and with consideration of the primary domains that exist in the security infrastructure
Industrial control systems (ICS) are highly inter-connected
Security Domains (as labeled in the diagram): Access & Privilege Management; Intrusion Detection & Monitoring; Cyber Intelligence; Network Security; Awareness & Policy Adoption; Configuration & Vulnerability Management; Incident Response & Recovery; Physical Security
• Access & Privilege Management: Review and management of default, privileged, and user accounts with access to ICS systems
• Intrusion Detection & Monitoring: Deep packet inspection of network traffic for indicators of compromise or analogous communications
• Cyber Intelligence: Intelligence gathering on relevant cyber-attack mechanisms as on-going input to security safeguards
• Network Security: Network architecture designed and configured to protect critical assets while allowing required business communications
• Configuration & Vulnerability Management: Proactive management and monitoring of patches and configuration settings
• Incident Response & Recovery: Policies and procedures that define incident triage, response, containment, remediation, and recovery
• Physical Security: Safeguards which appropriately restrict, control, and monitor physical access to critical assets
• Awareness & Policy Management: Policies, training, and guidance that mandate and promote secure behavior by end-user groups
Connectivity is expanding the cyber risk profile
Automotive IT Environments
Enterprise Systems
Industrial Control System (ICS) / Production Systems
Connected Vehicles
Customer Experience Services
Mobile Apps
Console OS
On-board Diagnostics
Vehicle Control Units
GPS and Navigation
Vehicle Apps
4G Hotspot
Telematics
Cameras
Self Parking
Collision Avoidance
Fleet Management
Carsharing
Telematics
Financing/Leasing
Insurance
Concierge Services
RADAR, LASER and Ultrasonic Sensors
Enterprise Applications
Local Applications
Mobile Applications
Web-based Applications
Third-Party Applications
Data Warehouses
Databases
Operating Systems
Cyber risk themes
2016 Cyber risk in advanced manufacturing study with MAPI
Be Secure. Vigilant. Resilient.™
Cyber risk in advanced manufacturing.
Themes shown on the slide: Governance and Leadership Engagement; Talent and Organizational Management; Industrial Control Systems; Enterprise Network & Business Systems; Connected Products
Survey findings shown on the slide:
• Nearly 50% of executives lack confidence they are protected
• 48% lack adequate funding
• A top executive concern is increasing sophistication/proliferation of threats
• Traditional board reporting (Cyber Risk Programs: A Framework for Leading Practice Board Reporting)
• 75% lack skilled resources
• 4 of top 10 threats involve employees
• IT/OT gap drives behavior
• 50% isolate or segment ICS networks
• 31% have not conducted an ICS assessment
• 50% perform ICS vulnerability testing less often than once a month
• 27% do not include ICS in incident response plans
• 36% cited IP protection as top concern
• 39% experienced a breach
• 38% had losses $1 - 10m+
• 35-45% use sensors, smart products, and mobile apps
• 55% encrypt the data
• 77% had performed end to end product assessment
• 37% do not include connected products to incident response plans
• Only 12% currently employ tactics such as wargaming exercises
Be Secure. Take a top down, risk based approach to implementing security strategies for the most critical networks, systems, and data
Be Vigilant. Implement routine monitoring mechanisms for high risk networks, systems, and data that will alert the company to abnormal activity and enable prompt action
Be Resilient. Plan ahead before a breach occurs so the organization is prepared to respond in order to neutralize threats, prevent further spread, and recover from business impacts
Sources: Cyber risk in advanced manufacturing; Deloitte and MAPI, Deloitte CISO Labs.
‘Intellectual Property’ remains the top sensitive data protection concern among surveyed advanced manufacturing firms
‘Intellectual Property’ is the top data protection concern…
Q6. Which of the following do you believe are the top three (3) sensitive data protection concerns for your organization?
Top 3 sensitive data protection concerns
• Intellectual property: 36%
• Consumer data: 32%
• Unauthorized or accidental disclosure of personal information: 29%
• Web-enabled systems and services: 26%
• Managing third-party information sharing: 25%
• Compliance with privacy statutes: 22%
• Protecting access to big data stores and advanced analytics: 22%
• Lack of consistent review process: 21%
• Internal privacy awareness and training: 20%
• Aligning operational practices with policies: 17%
• Managing individual business unit privacy requirements: 17%
• Cross-border flows of personal information: 16%
• Unauthorized access to personal information: 16%
Note: Sample size, N = 228
The second most cited motive behind recent cyberattacks is intellectual property theft, across organizations of all sizes
…and a prominent motive behind recent cyberattacks
Q12. What do you think was the motive for the cyber attack(s) your organization experienced in the past 12 months? (select all that apply)
Overall
• Financial theft: 45%
• Intellectual property theft: 35%
• Access to sensitive information of specific senior executives: 29%
• Access to regulatory compliance information: 26%
• Access to sensitive financial information: 22%
• Safety / personal harm / facility damage: 20%
• Access to plant operations information: 19%
• Access to key business partners: 16%
• Access to strategic plans: 15%
Across organizations of all sizes (by revenues)
Chart legend: < $500 mn; $500 mn to $5 bn; > $5 bn. Bar values for the three series, each in the motive order listed above:
• 39%, 26%, 35%, 39%, 30%, 13%, 17%, 22%, 17%
• 44%, 40%, 26%, 23%, 21%, 14%, 21%, 12%, 12%
• 53%, 37%, 26%, 11%, 16%, 37%, 16%, 21%, 21%
According to more than a third of companies surveyed (35%), ‘Intellectual property theft’ is the primary motive behind many of the recent cyberattacks
Only among small companies, ‘Intellectual property theft’ is the third most cited motive behind recent cyberattacks according to the survey
Cyber security roadmaps can help communicate plans and priorities
Building a broad, sustainable cyber security capability takes leadership, commitment and focus
Cyber Security Strategy & Roadmap
• Current state maturity assessment
• Strategic objectives & roadmap of approved initiatives
Cyber Security Transformation & Cosourcing
• Focus on high value activities
• Cosource areas of low risk with operational requirements
Cyber Security Strategic Program
• Build / mature information security capabilities
• Execute assessments on high risk environments
• Remediate high risk vulnerabilities
Operational Sustainability
• Further developing the maturity of basic cyber security capabilities, with a greater focus on standardization, integration & consistency
• Positioned to evolve towards the next level of maturity & business partnership
Cyber security program requirements continue to grow…
2000
2010
2020
• Data Protection
• Policies, Procedures and Standards
• Identity and Access Management
• Network Vulnerability Management
• Anti-Virus/Malware
• SOX/Regulatory Requirements
• Application Vulnerability Management
• Data Loss Prevention
• Privacy
• Incident Management
• Insider Threats
• Privileged User Management
• Security Operations Center (SOC)
• Third-Party Risk Management
• Governance, Risk and Compliance
• Threat Intelligence
• Cyber Reconnaissance
• Cyber Analytics (security information and event management or SIEM)
• War Gaming
• Crisis Management
A typical cyber assessment
Scope of Assessment
• Understand Information Assets: Intellectual Property; Product Design; Consumer Data; Business Strategy, M&A etc…
• Leverage ISO 27001/27002 Security Domains:
  1. Security Policies
  2. Security Organization
  3. HR Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. Systems Acquisition, Development and Maintenance
  11. Supplier Relationships
  12. Incident Management
  13. Business Continuity for Information Security
  14. Compliance
• Map Business Units, Regions, Environments: Sales & Distribution; Captive Finance; Enterprise Systems; Connected Vehicle; ICS; Customer Experience Services; R&D; Manufacturing
• Benchmark Peers: Automotive and technology peers
Program Governance and Oversight
Protect and Enable Information Security
Benefits and Outcomes
• Standards-Based Maturity Evaluation: Understand the current level of maturity against ISO 27002, measured by ISO domain to help drive IT Security program priorities
• Competitive Positioning: Evaluate robustness of IT Security Program with respect to its industry peers and likely competitors
• Actionable Recommendations: Develop IT Security Program enhancement recommendations to effectively manage risks to its business data, intellectual property, and information assets
OEMs and suppliers need to establish the relevant set of people, process and technology to align security practices with connected vehicle requirements
Cybersecurity program maturity is an important consideration
Maturity levels: 1 - Initial; 2 - Repeatable; 3 - Defined; 4 - Managed; 5 - Optimized
Security Awareness
Technology purchased but not implemented
Security has become an organizational goal
Security technology implemented, not standardized
Security Strategy, vision and objectives are drafted with limited communication
Processes understood and defined
Security technology implemented with limited integration
Enterprise Strategy objectives exist with 3- to 4-year plan and roadmap
Market Leader in Security
Leading Practices are followed, use of sophisticated reporting
Direct links to IT, Automotive Security and corporate policy
Integrated security workflow and quality improvement pipeline
Processes drive quality improvements
Clear Strategy and Vision are established and communicated across the organization
Effective security technologies deployed
Clear metrics for governance, policy and procedures
Processes under constant improvement
2000
2010
2020
• Data Protection
• Policies, Procedures and Standards
• Identity and Access Management
• Network Vulnerability Management
• SOX/Regulatory Requirements
• Application Vulnerability Management
• Data Loss Prevention
• Privacy
• Incident Management
• Privileged User Management
• Governance, Risk and Compliance
• Security Operations Center (SOC)
• Threat Intelligence
• Cyber Reconnaissance
• Cyber Analytics (SIEM)
• War Gaming
• Crisis Management
Top 10 next steps
Be Secure. Vigilant. Resilient.™
01 Set the tone: Engage leadership in managing cyber risks
02 Assess risk broadly: Include enterprise, ICS and connected products
03 Socialize the risk profile: Share the results with leadership and the board
04 Build in security: Harmonize investments with the cyber risk program
05 Remember data is an asset: Connect business value with data and strategies to protect it
06 Assess third-party risk: Inventory mission critical ecosystem relationships and evaluate related risks
07 Be vigilant with monitoring: Determine whether and how quickly a breach in key areas of the company would be detected
08 Always be prepared: Focus on incident and breach preparedness using wargaming simulations
09 Clarify organizational responsibilities: Identify clear ownership with a leader to bring it together
10 Drive increased awareness: Get employees on board and ensure they know their role in protecting the organization
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed
description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of
public accounting.
IP Issues Surrounding Auto Emerging Tech
Pavan Agarwal, Foley & Lardner LLP
Exemplary Areas of Emerging Technologies
Each entry gives TOPIC AREA, DEFINITION and CATEGORY:
• Fuel Economy. Definition: Also known as fuel efficiency, or the maximization of the distance traveled on a unit of fuel. Category: Propulsion
• Telematics. Definition: Global Positioning System technology integrated with computers and mobile communications technology in automotive navigation systems. Category: Navigation
• Autonomous Driving. Definition: Automobiles that are capable of driving themselves without input from a human passenger. Category: Handling
• Driver Assistance. Definition: Various systems such as auto braking, lane departure warning, and traffic sign recognition that help the driver become aware of and avoid road hazards. Category: Safety & Security
• Heads-Up Displays (HUDs). Definition: Systems for displaying data from a smartphone to the windshield of an automobile so a driver can keep his/her eyes on the road. Category: Entertainment
Source: Thomson Innovation & Thomson Reuters Derwent World Patents Index
Illustrative Examples: ADAS and V2V Connectivity
• Advanced Driver Assistance Systems (ADAS)
• V2V connectivity (e.g., 5G)
• Carsharing
Illustrative Example: ADAS and V2V Connectivity
Multiple Levels of Integration
Hardware
• Processor
• Sensors (LIDAR)
• Heads-Up Display (HUD)
Software
• Control
• Apps
• Artificial intelligence
System Integration
• CAN
• Post-Installation Updates
Common IP Issues for ADAS and Other Integrated Products
Competitive Landscape Disruption
IP Ownership from Joint Collaboration
Obligation to Defend and Indemnify
Trolls Levy Tolls
IP Protection Mix
Mix of IP Protection
Patents (including designs)
Trade Secrets
Copyright
Common IP Issues for ADAS and Other Integrated Products – Protection Mix
Traditional Auto Industry Model Gone
Large Tech and Small Tech
No Clear Vertical and Horizontal Chains
Common IP Issues for ADAS and Other Integrated Products – Landscape
Common IP Issues for ADAS and Other Integrated Products – Landscape
Source: https://www.cbinsights.com/blog/autonomous-driverless-vehicles-corporations-list/
Common IP Issues for ADAS and Other Integrated Products – Landscape
Source: https://cbi-blog.s3.amazonaws.com/blog/wp-content/uploads/2016/05/1-unbundling-car.png
Competitive Landscape Disruption: Each Has Own Vision and Experience in IP
Entirely New Players
Traditional Auto Players
Large Tech/Small Tech
Common IP Issues for ADAS and Other Integrated Products – Landscape
Common IP Issues for ADAS and Other Integrated Products – Landscape
Source: Thomson Reuters “The 2016 State of Self-Driving Automotive Innovation”
IP Ownership and Right to Use
• Freedom to Use Technology
  – With other customers?
• Later Improvements by Collaborators
  – Freedom to use?
• Retaining Background IP
  – Share what you bring to the table?
• Conditions for enforcement
  – Who needs to be involved?
Common IP Issues for ADAS and Other Integrated Products – IP Ownership
Defend and Indemnify
• Ability and Resources
• Accusation Spans Parts or HW/SW
• Going layers up in supply chain
• Don’t Know Actual Supplier
Common IP Issues for ADAS and Other Integrated Products - Indemnification
* Approximate doubling in patent infringement cases in most recent 5-year blocks
Trolls Levy Tolls
• Special Case: Standard Essential Patents
• Tougher to Counterattack
• Just Want Money
• Different Levels of Sophistication
Common IP Issues for ADAS and Other Integrated Products: NPEs
* In recent years, non-practicing entity (NPE) patent infringement cases outnumber competitor cases by over 5:1
Common IP Issues for ADAS and Other Integrated Products – NPEs
Common Auto NPEs in Recent Years
• American Vehicular Sciences
• Beacon Navigation GmbH
• Cruise Control Technologies
• Signal IP
• PJC Logistics
• Norman IP
• Innovative Display Technologies
• Delaware Radio Technologies
• Novelpoint Tracking
• Affinity Labs of Texas
• Advanced Silicon Technologies
• Diamond Coating Technologies, LLC
• Digital Stream IP
Taking Control of Cybersecurity
Chanley Howell, Foley & Lardner LLP
Regulators
FTC
FCC
NHTSA
Best Practices
• Governance
• Risk Assessment
• Security by Design
• Threat Detection / Prevention
• Incident Response / Recovery
• Training / Awareness
• Collaboration
Source: Verizon 2016 Data Breach Investigations Report, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Sources of Security Incidents
Corporate Information Assets
DNC Hacking
Victims of Chinese Cyber Espionage
Action Steps
Evolving Standard of Care
2006 2016
Managing Risks
Information Security Policy Library
BREAK
20 minutes
The Connected Car – Supplier Risk Assessments
External Data – Insights and Integration
Neil Steinkamp, Stout Risius Ross
Suppliers of Advanced Driver Assistance Systems (“ADAS”) and related components are presented with unique opportunities as the adoption of these technologies increases.
Suppliers also face unique risks of recall and excess warranty resulting from defects related to advanced components supplied into these platforms:
Defects related to new designs or manufacturing processes
Integration of components into complex systems
Reliance on software
Lack of history / experience related to components and assemblies
Unique Opportunities and Risks
Adoption of ADAS technology is occurring during a period of enhanced regulatory scrutiny, as well as increased OEM sensitivity to, and customer awareness of automotive safety defects.
Automotive AI and ADAS were of significant interest at CES just last week.
“CES has become an evermore automotive focused trade-show, and this year's Media Day was no exception….[T]here were two main themes: First, AI is becoming an increasing focus of autonomous driving development; Second, there is mounting sentiment that Level 4 ADAS is still a few years out, and that Level 5 ADAS may be much further out.” – SunTrust CES Media Day Recap
Identifying Risks
What does that mean though? A few considerations from CES Media Day:
Mobileye partnering with Intel and BMW “announced plans to have a fleet of approximately 40 autonomous BMW 7 Series vehicles on the roads in the US and Europe by 2H17.”
NVIDIA announced 6 AI based automotive partnerships with:
Audi to put a fully autonomous vehicle on the road by 2020;
VW to develop an AI cockpit;
HERE (Private) to develop AI for HD mapping;
ZF for AI-based self-driving systems;
Zenrin for HD mapping for Japan; and
Bosch for AI driven self-driving computers.
Continental announced it is using its 3D Flash LIDAR to construct a complete 3D model of the vehicle surroundings up to 200 meters away and as close as a few centimeters.
Valeo, Toyota, Hyundai and others made significant announcements regarding AI and ADAS at Media Day as well.
-Source: SunTrust CES Media Day Recap – January 5, 2017
Identifying Risks
Suppliers and OEMs must identify the risk of defect associated with the adoption and integration of ADAS technologies, and consider the potential consequences:
What features give rise to risks?
How to analyze risks with little or no production history?
What is the potential magnitude of a recall or field service action?
How can these risks be mitigated?
–Engineering / Process / Quality Feedback and Improvement?
–Pricing Mitigation?
–Legal / T&C Mitigation?
–Insurance?
Identifying Risks
Certain data limitations inhibit suppliers’ ability to assess the risks related to ADAS components:
Limited production and defect history
Disjointed, unstructured sources of data
Available data requires refinement and analysis
Analysis of the data therefore requires consideration of multiple sources of information with an appreciation of the unique features of each.
Interpretation of the results also requires a comprehensive understanding of the industry, supply chain, regulatory environment, and insight into forthcoming trends.
Challenges to Identifying Risks
Risk assessment methodologies can utilize data from many publicly available sources, as well as proprietary datasets, including:
NHTSA Recall Data
Technical Service Bulletins (TSB)
NHTSA Defect Investigations
NHTSA Complaints
Early Warning Reporting (EWR)
Motor Vehicle Defect Petitions
Petitions for Inconsequential Noncompliance
International Recall Data
Vehicle Production and Sales
Component Adoption and Fitment
Suppliers Identified in Recall Notices
Data regarding manufacturing, assembly and design defects
Recall Completion Rate Data
FARS Data
Other indicators of risk, such as consumer feedback through blogs and other sites, as well as litigation arising from defects.
Identifying Data
A comprehensive risk assessment considers the following:
Historical defect incidence rates;
Relevant vehicle population characteristics, including component fitment and market penetration; and
Analysis of costs associated with recall and excess warranty.
Based upon this analysis, a supplier is better able to estimate:
Defect incidence rate and number of defects per thousand vehicles;
Probability weighted cost of recall or field service action; and
Relative risk profile of individual components.
Such information is valuable to risk management, and can provide insights into other sales, engineering, and legal considerations.
Supplier Risk Assessment Methodology
Example Risk Profile – Crash Imminent Braking
Risk Indicators – Regulatory Developments - Crash Imminent Braking
ADAS equipment, including crash imminent braking, has been a topic of increased regulatory focus for NHTSA:
“In 2012, one-third of all police-reported crashes involved a rear-end collision with another vehicle as the first harmful event in the crash, and NHTSA believes that advanced crash avoidance and mitigation technologies like AEB systems could help in this area. NHTSA's extensive research on this technology and on relevant performance measures showed that a number of AEB systems currently available in the marketplace are capable of avoiding or reducing the severity of rear-end crashes in certain situations.” – www.safercar.gov
“Crash Avoidance technology has continued to progress, and NHTSA is aggressively pursuing research related to technologies that, in addition to warning drivers of a collision threat, can take active control of the vehicle to help mitigate or avoid the crash (if warnings are not heeded by the driver, or the driver’s reaction is insufficient to avoid the crash). In particular, NHTSA is focusing its efforts on dynamic brake system (DBS) and collision imminent braking (CIB) technologies being offered by light vehicle OEMs.” – www.nhtsa.gov
In July 2012, NHTSA published a Request for Comments seeking feedback regarding its observations about dynamic brake systems and collision imminent braking technologies, as well as consideration of test protocols. NHTSA is in the process of evaluating this feedback and continuing research into safety benefits, test procedures, and reliability of these systems.
Risk Indicators – Regulatory Developments - Crash Imminent Braking
ADAS equipment, including crash imminent braking, has been a topic of increased regulatory focus for NHTSA:
On October 16, 2015 NHTSA announced that it was granting “the petition for rulemaking submitted by the Truck Safety Coalition, the Center for Auto Safety, Advocates for Highway and Auto Safety, and Road Safe America on February 19, 2015, to establish a safety standard to require automatic forward collision avoidance and mitigation systems on certain heavy vehicles.” The Federal Register notes: “For several years, NHTSA has researched forward collision avoidance and mitigation technology on heavy vehicles, including forward collision warning and automatic emergency braking systems. The agency will continue to conduct research and to evaluate real-world performance of these systems through track testing and field operational testing.”
–“Considering the information before the agency, including the information referenced in the petition, NHTSA grants the February 19, 2015 petition in accordance with 49 CFR part 552 and initiates a rulemaking proceeding with respect to forward collision avoidance and mitigation systems on vehicles with a GVWR greater than 10,000 pounds.”
Risk Indicators – Regulatory Developments - Crash Imminent Braking
ADAS equipment, including crash imminent braking, has been a topic of increased regulatory focus for NHTSA:
On January 28, 2015, NHTSA published a notice requesting comments on the agency's intention to recommend various vehicle models that are equipped with automatic emergency braking (AEB) systems that meet the agency's performance criteria to consumers through the agency's New Car Assessment Program (NCAP). On November 11, 2015 NHTSA announced the “agency's decision to update the U.S. New Car Assessment Program (NCAP) to include a recommendation to motor vehicle consumers on vehicle models that have automatic emergency braking (AEB) systems that can substantially enhance the driver's ability to avoid rear-end crashes. NCAP recommends crash avoidance technologies, in addition to providing crashworthiness, rollover, and overall star ratings. Today, 3 crash avoidance technologies—forward collision warning, lane departure warning, and rearview video systems—are recommended by the agency if they meet NHTSA's performance specifications. NHTSA is adding AEB as a recommended technology, which means that we now have tests for AEB. AEB refers to either crash imminent braking (CIB), dynamic brake support (DBS), or both on the same vehicle.”
Risk Indicators – Regulatory Developments - Crash Imminent Braking
ADAS equipment, including crash imminent braking, has been a topic of increased regulatory focus for NHTSA:
Twenty-one comments were received. Most of the comments were from the automobile industry—vehicle manufacturers, associations of vehicle manufacturers, suppliers, and associations of suppliers. In addition, comments were received from another Federal government entity, an organization of insurance companies, and an association of motorcycle interests. Those in support included Advocates, Alliance, AGA, ASC, Bosch, CU, Continental, DENSO, Ford, Infineon, IIHS, Malik, MBUSA, MEMA, NADA, NTSB, Tesla, and TRW. Advocates supported using NCAP to encourage vehicle safety technologies, but indicated its preference for requiring AEB systems on new vehicles by regulation. Honda expressed its support for NCAP generally, but did not specifically support the addition of AEB systems to NCAP. Honda stated that it would like these systems to be rated. IIHS said that its research on the effectiveness of Volvo's City Safety system and Subaru's Eyesight system indicates that NHTSA may have “vastly underestimated the benefit of AEB.” Bosch said a 2009 study it conducted indicated DBS “may be effective” in reducing injury-related rear-end crashes by 58 percent and CIB by 74 percent. The ASC, Bosch, IIHS, MEMA, and TRW addressed the desirability of NHTSA harmonizing its AEB NCAP test procedures and other evaluation criteria with other consumer information/rating programs, particularly Euro NCAP. Other commenters urged harmonization with Euro NCAP with respect to specific details.
Other Risk Indicators – Complaints - Crash Imminent Braking
Risk Indicators – Investigations - Crash Imminent Braking
Risk Indicators – Investigations - Crash Imminent Braking
Risk Indicators – International Recalls - Crash Imminent Braking
Risk Indicators – U.S. Recalls - Crash Imminent Braking
Risk Indicators – U.S. Recalls - Crash Imminent Braking
Risk Indicators – U.S. Recalls - Crash Imminent Braking
Risk Indicators – Crash Imminent Braking
Risk Indicators – TSBs
Forward Collision and Lane Departure categories included in EWR reporting beginning in 2015. As of Q2 2016:
9 incidents involving Forward Collision
– 5 of these involve 2015 and 2016 model year Subaru vehicles; 2 were Volvo vehicles
– Including 1 fatality
1 incident involving Lane Departure
– 2015 Lincoln MKC
Other Risk Indicators – Early Warning Reporting
Crash Imminent Braking exhibits a relatively low risk of defect based upon the primary indicators described, specifically:
Few instances of relatively small recalls in the U.S. (fewer than 50k units);
Very limited TSB history, with small population of vehicles affected;
A supplier was identified in one recall;
Limited NHTSA investigation history;
Crash imminent braking has been the focus of increased regulatory scrutiny which may indicate additional enforcement action as the technology matures.
Among the other indicators of defect analyzed, Crash Imminent Braking demonstrates:
Few instances of recall from international jurisdictions, consistent with U.S. recall activity;
Increase in number of related customer complaints as consumer adoption increases.
Crash Imminent Braking – Overall Conclusion
It is important to appreciate that Crash Imminent Braking is a relatively new technology, with consumer adoption rates increasing.
This technology is integrated into ADAS systems that are also relatively young in the product cycle.
As the number of vehicles incorporating Crash Imminent Braking and other ADAS technologies increases, so too may the risk of defect related to these components.
However, the risk indications that are observed at this time are primarily integration risks – a theme likely to be evident in many ADAS components.
Crash Imminent Braking is a technology that has attracted, and will continue to attract, increased attention from NHTSA for a variety of reasons.
Therefore, the risk profile associated with Crash Imminent Braking may continue to evolve as the component matures; additional periodic assessment can identify other trends as they emerge.
Crash Imminent Braking – Overall Conclusion
The review, analysis and consideration of all of these data sets enable suppliers to consider which risks can be quantified. In addition, this data, when combined with internal knowledge and data, will enable a process of frequent review and consideration of the latest information, until a more robust risk analysis can be completed.
For new technologies such as AI and autonomous features, the development of mechanisms to enable prompt reaction to the identification of risks and defects presents a clear opportunity to mitigate risks during development, engineering and production.
When longer-term data trends can be assessed, refinement of the analysis can be completed in order to provide for the quantification and monetization of risk.
Crash Imminent Braking – Overall Conclusion
The approach described herein provides a robust analysis of the external indicators of recall and excess warranty. Suppliers should also leverage internal institutional knowledge of their products, customers, and the marketplace to enhance findings and develop a comprehensive risk assessment.
While internal assessment can provide valuable insights into the risk assessment process, an external, independent review of the data is critical to minimizing the influence of potential institutional bias on the results.
A Comprehensive Approach
Automotive Products Recall
Kiran Nayee, JLT Specialty Limited
AUTOMOTIVE PRODUCTS RECALL
Kiran Nayee
JLT Specialty Limited
• Takata Air bag inflators
− 26 million vehicles recalled (2015/16)
− USD 3 billion in estimated recall costs
− Biggest ever civil fine (NHTSA) - “Largest and most complex in U.S. history”
• Toyota Gas Pedals (2009-11) - $billions in fines and jury awards
• GM Ignition-Switch recall (2014) - 172 lawsuits alleging death or injury in 2014
• 51,000,000 vehicles recalled by NHTSA (2015)
• ‘Toyota recall another 5.8m cars worldwide’ (Oct 2016)
• ‘GM allowed to delay recall to try to avoid huge financial loss’ (Nov 2016)
HIGH PROFILE LOSSES
Recalling an automotive product costs more than 5 times the original distribution…..
• Increased regulatory scrutiny (NHTSA)
• Technological advances (testing)
• Technological advances (vehicles)
• Socio-economic landscape
• Social media
• Consumer awareness
• OEM pressure
• Scale of production and distribution
• Supply chain complexity
AUTOMOTIVE RECALLS ACCELERATING
[Chart: Millions of Vehicles Affected (axis 0 to 80), by year, 2011 to 2014]
Source: NHTSA
Product liability policies specifically exclude losses arising from recalls
• Competition - increased appetite
• Capacity
• Affordability
• Broader, sector specific wordings
• Worldwide coverage
• Specific contracts
• Retro dates
• Software exclusions being removed
INSURANCE MARKET TRENDS
Can recall insurance products remain relevant with the pace of change within the automotive industry?
KEY COVERAGE
POLICY TRIGGERS
• Product Safety
− Bodily Injury / Property Damage
− NHTSA
− Government recall
• Product Guarantee
− Failure to perform
LOSSES COVERED*
• Recall & replacement costs
− Recall, inspection, destruction
− Repair & replacement
− Slotting / Re-slotting fees
• Defence costs
• Consultants costs
• Rehabilitation of brand
• Financial Loss
− Business interruption
− Contractual liability
*Not covered under a standard products liability policy
“Uber blames humans for self-driving car traffic offenses as California orders halt”
“Google driverless car involved in ‘worse crash yet’ after van runs a red light”
“Tesla driver killed whilst using autopilot was also watching Harry Potter”
• In 2020, 30 million cars are expected to be sold with embedded technology
• More than 20 car brands have announced plans to offer vehicles with higher levels of automation by 2020
• More than 50% of new cars will be connected in some way by 2020
• Cyber-attacks are expected to expose the automotive industry to $70 billion of liability by 2020
• Over 50 attack points in the Connected Car Ecosystem
CONNECTED CARS
Shift of emphasis from driver error to products error
• Balance Sheet Protection
• First and third party recall costs
• Customer financial loss
• Covers contractual and legal liability
• Helps protect trading relationships
• Strategic competitive advantage
• Aligned Crisis Management consultancy and incident response
• Plug ‘gaps’ in General Liability covers
• Tailored policies, bespoke to automotive parts manufacturers
BENEFITS
• Independent crisis consultancy firm
• Business resilience & crisis preparedness assessments
• Review manufacturing procedures
• Risk workshops / staff training on quality
• Policies & procedures development & embedding
• Crisis simulations
• Crisis media training
• 24/7 live crisis strategy & response
• Fault analysis post incident
• Work hand-in-hand dealing with customers / regulators / media
RISK IDENTIFICATION & CRISIS CONSULTANCY
Happening Now
• Growing frequency of recalls
• Spiraling costs of managing recalls
• Complexity of claims
• Escalation in penalties
The future
• Technological, ethical and legal challenges
• Shift of risks from human to product errors?
• Increasing shift from motor insurance to product liability and recall
RISK PROFILING?
Can you afford not to have recall insurance…..?
Q&A
Thank You
Thank you for attending today’s program – we hope you found the discussion to be beneficial.
And we hope to see you at next year’s program!
Speaker Contact Info:
Joe Kwederis, [email protected]
Pavan Agarwal, [email protected]
Chanley Howell, [email protected]
Neil Steinkamp, [email protected]
Kiran Nayee, [email protected]