Indeed, the risks to connected vehicles isn't limited to cyber and identity theft, but can be life-threatening. This was evidenced back in 2015 when Wired reporter Andy Greenberg's stunt allowed a pair of code-crackers to wirelessly infiltrate his jeep while driving down a busy highway outside St. Louis, Missouri. The hackers blasted the radio and air conditioning, killed the hazard lights, and cut the car's transmission, leaving Andy stranded in the middle of the road as a semi-truck weaved past him.

As private car ownership is expected to fall as more autonomous vehicles become available, many will depend on reliable and safe mobility services. If those services are compromised, it could leave consumers isolated and paralyzed until mobility is restored.

According to the National Highway Traffic Safety Administration (NHTSA), 94% of road incidents are linked to human error. Autonomous driving technology is deemed a viable solution, but while the technology has potential, there is at least one company that believes it must be tested responsibly.

The American Automobile Association (AAA) is leading the insurance industry in testing for autonomous vehicles (AVs). AAA Northern California, Nevada & Utah has been closely following the development of AVs for years, and in 2017 founded a dedicated AV Strategy division to better address industry trends. In October, 2018 it concluded a public self-driving shuttle pilot in Las Vegas with AV developer Navya, and also partnered with Waymo's 'Let's Talk Self Driving' campaign. AAA Northern California, Nevada & Utah has even snapped up a dedicated AV testing facility in California; in August, 2018 it acquired the GoMentum Station. That puts one of the largest not-for-profit member benefit organizations, nearly 60 million members strong, in charge of the largest AV test site in the nation. GoMentum features multi-lane carriageways, bicycle lanes, traffic circles (roundabouts), tunnels, fly-overs and fully-functioning traffic infrastructure where companies can test their AVs as well as deploy their technologies, such as programmable traffic lights. In the future, AAA also plans to launch a so-called 'digital twin' of the facility, which will allow developers to devise and simulate test procedures before taking to the track. A high definition (HD) map of the site will also be launched, which will help AVs to better understand their surroundings and plan ahead while driving.

AAA Nevada introduced the first and largest self-driving shuttle for public use in live traffic in busy downtown Las Vegas. The shuttle was also the first in the country to be fully integrated with smart city infrastructure to operate on open, public roads.

Ignacio Garcia, VP of Autonomous Vehicles Strategy at AAA Northern California, Nevada and Utah is quoted as saying, "Driven by a commitment to advance traffic safety towards zero fatalities and revolutionising mobility, AAA Northern California, Nevada & Utah is working with automakers, tech providers, and governments to shape a legislative and regulatory environment that ensures the safety of the public is at the center of taking self-driving vehicles mainstream on America's roads."

Boston-headquartered Affectiva is developing what it calls Emotion AI, which measures facial expressions using computer vision, as well as vocal analysis through speech science, to recognize the emotional and cognitive state of human drivers and passengers. The system works by identifying, isolating and tracking a human face. Algorithms based on human vision analyze and categorize the facial expressions to judge human emotions and states. Initial use will be to reduce driver distraction by highlighting when a driver is looking at his or her phone behind the wheel, or when the driver misuses a semi-autonomous driving feature. Numerous incidents have already occurred where drivers have abused highway pilot systems, and the start-up believes that Emotion AI could help encourage drivers to pay attention. The technology is also being honed for fully driverless vehicles of the future, to improve the in-vehicle universe when drivers become passengers and voice control becomes the norm. So, what will insurance cover with respect to cyber hacks and identity theft arising from autonomous vehicles?

For a manufacturer who makes, services or supplies parts for connectivity devices, the product liability risk is huge if personal data is released through the device. The ISO Products/Completed Operations Liability Coverage Form CG 00 38 04 13 provides coverage for bodily injury or property damage the insured is legally liable for within the defined products-completed operations hazard. The form defines products/completed operations hazard as "bodily injury" or "physical damage" arising out of "your product" unless the work is still in the insured's possession or the work is not completed. This form does not however provide coverage for cyber liability.

The Business Auto Coverage Form CA 00 01 10 13 provides coverage for sums an insured legally must pay as damages because of "bodily injury" or "property damage" caused by an "accident" and resulting from the ownership, maintenance or use of a covered "auto". An "accident" is defined to include continuous or repeated exposure to the same conditions resulting in "bodily injury" or "property damage". A cyber attack or identity theft would not be bodily injury or property damage covered by the policy.

ISO does have a Commercial Cyber Insurance Policy, CY 00 01 01 18, designed to provide coverage, including defense expenses, for discovery of a cyber incident, extortion threat, security breach or claim that falls under one or more of the six Insuring Agreements in the policy. The coverage is comprehensive and based specifically upon defined terms and conditions. An overview of the Cyber policy can be found here: ISO Commercial Cyber Insurance Policy. Coverage for a "cyber incident" includes any hacker attack, malicious code, or virus, and any denial of service attack that disrupts the computer's normal function or operation. However, there are a number of exclusions that apply in the policy. One of the exclusions in the policy excludes any unexplained or indeterminable failure, malfunction or slowdown of a computer system, or the inability to access or manipulate electronic data. Absent any defined "cyber incident", the policy excludes any disruption in normal computer function or network service or function due to insufficiency of capacity or due to activity overload. Also excluded are disruptions of internet service or external telecommunication network, however caused (except if the disruption is caused by a denial of service attack described in the definition of "cyber incident". These are just a few of the exclusions noted in the policy.

A "computer system" is defined by the policy to include devices owned, leased, or operated by an insured, owned an operated by an insured's employee, operated by an authorized third party (such as a cloud service provider), with respect to the insured's electronic data.

To address the identity theft exposure, the Commercial Cyber Insurance Policy includes a specific insuring agreement covering Security Breach Expense. Security breach expenses are defined to mean forensics costs to investigate the cause, scope and extent of a security breach, and to identify any affected parties as well as costs for remediation of the conditions that led to or resulted from the security breach including but not limited to, legal fees and professional advice on how to respond to the security breach. Security breach expenses also include notification costs to notify affected parties including but not limited to, notice to be transmitted through media as required by privacy regulations; overtime salaries of employees assigned to handle the breach; call center operational costs for affected parties; and post-event monitoring, which includes credit and identity monitoring services to affected parties for up to one year (longer if required by law), from the date of notification to the affected parties; as well as any other reasonable expenses incurred by the insured with the insurer's written consent. Excluded are any expenses associated with upgrading, maintaining, remediating, or improving a computer system as a result of a security breach.