With a proposed effective date of 9/1/22, ISO is adding a new endorsement, CA 04 65, to address auto hacking expenses, with an optional add-on for ransom payments. The development of improved technology and the desire to make vehicles more and more autonomous brings with it concerns that this technology can be hacked, and vehicles may fall under the control of those who are not inside the vehicle. Commercial vehicles are apt to be the first to put this technology to use.
Eligibility:
Eligible vehicle types for Auto Hacking Expense Coverage are restricted to private passenger types and light/medium trucks, with the possibility of expanding the eligibility to additional vehicle types in the future. The new ISO Rule 119 introducing Auto Hacking Expense Coverage contemplates a selection/exclusion option for Ransom Coverage. The introductory rule indicates that the premium charge will be per vehicle, contemplating a $200 per incident deductible.
This new endorsement may be added to the Auto Dealers Coverage Form, the Business Auto Coverage Form, and the Motor Carrier Coverage Form.
CA 04 65 09 22 Auto Hacking Expense Coverage
Introduction:
CA 04 65 is a scheduled endorsement, requiring that each auto to be covered show an associated aggregate limit, per incident deductible, and premium for the Auto Hacking Expense Coverage. To add Ransom Coverage, an "X" must be checked in the left-side box directly below the scheduled autos.
The "auto hacking expense" coverage under the endorsement will apply on a discovery basis, requiring that the "auto hacking incident" be "discovered" during the policy period, or within 30 days of the policy expiration if there is no other subsequent coverage available to cover such expenses.
Even though ISO positions the definitions at the end of the endorsement, we will review them here as the definitions are many and analyzing them initially will aid in understanding the coverages.
Section F. Definitions:
For the purposes of the coverage provided by this endorsement, the Definitions section is amended as follows:
1. "Auto hacking expenses" means the costs to establish whether an "auto hacking incident" has occurred or is occurring.
If an "auto hacking incident" has occurred, the following are also included:
a. Costs incurred to tow a covered "auto" to a service or repair facility in the event an "auto hacking incident" disables, prevents entry into or exit from, or prevents the normal operation or use of a covered "auto". We will pay under this endorsement only that amount of towing costs which are not already provided under this Coverage Form's Physical Damage Coverage Extension, if applicable.
Analysis:
"Auto hacking expenses" is a coverage definition that first includes costs to determine whether there is an occurrence of an "auto hacking incident", and if so, identifies the types of costs that will be covered in connection with that incident.
Paragraph 1.a. provides for additional towing costs not already covered under the Physical Damage Coverage extension. If the covered auto is disabled, cannot be entered into or exited from, or cannot be used in its normal operating capacity, this coverage will cover costs to tow the covered auto to a service or repair facility.
b. Costs to:
(1) Investigate the cause, scope and extent of an "auto hacking incident";
(2) Restore or repair a covered "auto's" "computer system" to the level of operational capability that existed immediately before the "auto hacking incident". This includes any subsequent "computer system" security or other software updates that are deemed necessary for your covered "auto's" normal operation or use by the covered "auto's" manufacturer; and
(3) Restore or replace "operational data" stored within the covered "auto's" "computer system".
Analysis:
Paragraph 1.b. of the endorsement covers three aspects of an "auto hacking incident": the investigative costs, restoration of the auto's "computer system", and restoration of the auto's "operational data" stored within the "computer system".
To determine the cause, scope and extent of an "auto hacking incident" requires an investigation and these costs can be extensive, depending upon the sophistication and scope of the hacking. For example, the hack could simply be a nuisance such as the hacker taking over the auto's radio communications system, or it could be extensive such that the auto is being controlled by the hacker rather than the driver, or perhaps the entire auto is disabled and the computer system has to be totally replaced. An investigation is required before any corrective action can be taken to restore the auto to its pre-hacking condition.
The second part of covered costs, once the investigation is complete, is to cover the restoration or repair of the auto's "computer system" to its pre-hacking operational capability. Any security or other software updates that are determined to be necessary to bring the auto back to its normal operation or use by the auto's manufacturer will be included in these covered costs. The cost of having the manufacturer reset the vehicle to its original condition is what is covered.
The last part of paragraph 1.b. covers the costs to restore or replace the "operational data" that is stored within the auto's "computer system". For example, restoration of the auto's navigational components required to operate the vehicle.
c. Temporary transportation expenses incurred by you up to $30 per day, to a maximum of $900, while your covered "auto" is being serviced or repaired because of an "auto hacking incident". We will pay transportation expenses incurred during the period beginning 48 hours after it has been established that an "auto hacking incident" has occurred and ending, regardless of the Policy's expiration, when the covered "auto" is returned to use.
Analysis:
Paragraph 1.c. provides for limited transportation reimbursement during the temporary period beginning 48 hours after it is determined that a hacking incident has occurred and continuing until the auto is returned to use, even if the policy terminates before the auto is back in use. The transportation reimbursement applies if the auto is being serviced or repaired due to the "auto hacking incident".
2. "Auto hacking incident" means any:
a. Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into the covered "auto's" "computer system" (including "operational data") and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of the covered "auto's" "computer system" (including "operational data") or otherwise disrupts the normal operation or use of a covered "auto".
b. Denial of service attack specifically directed at you, which disrupts, prevents or restricts access to or use of the covered "auto's" "computer system" (including "operational data") or otherwise disrupts the covered "auto's" normal operation or use.
Analysis:
Paragraph 2.a. and b. defines an "auto hacking incident" in much the same manner as a "cyber incident" is defined for an organization in the ISO Commercial Cyber Insurance Policy, CY 00 02. https://www.nuco.com/fcs/2021/06/25/cy-00-02-11-21-commercial-cyber-insurance-policy/
While the terms hacker or hacking are not included within the definition, the activities described in the definition are activities commonly used by hackers to infiltrate a computer system.
3. "Computer system" means the covered "auto's" computers, and any related peripheral components, any embedded original manufacturer systems and applications software, or any related communications networks connected to or used in connection with such computers.
Analysis:
The definition of "computer system" aims to include anything that could have application to a computer's algorithm, components, software applications, or communications and its networking capabilities. Vehicles operating as part of a semi-autonomous fleet may be programmed to navigate to certain locations and those software applications may be vulnerable to being hacked so that the vehicle is directed to a different location.
4. "Discovered" means the time when you first become aware of facts which would cause a reasonable person to assume that an "auto hacking incident" has occurred, regardless of when the "auto hacking incident" occurred, even though the exact amount of the "auto hacking expenses" or details of the "auto hacking incident" may not then be known.
Analysis:
The coverage provided under the endorsement is on a discovery basis, applying the reasonable person standard. The definition of "discovered" provides that the "auto hacking incident" is discovered whenever the insured first becomes aware of facts that would cause a reasonable person to assume that an incident has occurred, even though all of the details of the incident may not be known at that time, nor can the exact amount of the "auto hacking expenses" yet be determined. In other words, the insured goes out to get in his covered auto, only to find that he cannot enter his vehicle, and none of his keys will fix the problem. That would be an example of "discovered".
5. "Operational data" means the information, facts, images or sounds stored, processed, created, collected, transmitted, recorded or used by a covered "auto's" "computer system" in connection with the normal operation, use, navigation or monitoring of your covered "auto" or its physical operating environment. "Operational data" does not include "personal or confidential information", or other audio, visual or data files uploaded to, downloaded from or streamed to a covered "auto's" "computer system", unless such information, data or files are deemed necessary for the covered "auto's" normal operation or use by the covered "auto's" manufacturer.
Analysis:
This definition aims to spell out anything that is required to operate a covered vehicle. If it is data that is used or deemed necessary to operate, use, navigate, or monitor the auto or its operating environment, then it is "operational data".
6. "Personal or confidential information" means any person's or organization's confidential or personal information, including but not limited to customer or contact lists, financial information, credit card information, security codes, passwords, PINs associated with credit card, debit or charge card numbers which would permit access to financial accounts, driving behavior or preferences, health or biometric information or any other type of nonpublic information.
Analysis:
The definition of "personal or confidential information" is necessary to distinguish that operational data does not include any such information, as none of this information would be necessary to operate, navigate, or monitor a covered auto.
Section A. Auto Hacking Expense Coverage
For a covered "auto" that you own that is a private passenger type/"private passenger type", light truck or medium truck, which is described in the Schedule and where a premium is shown:
A. Auto Hacking Expense Coverage
1. We will pay for "auto hacking expenses" resulting directly from an "auto hacking incident".
However:
a. The amount we will pay for "auto hacking expenses" is limited as described in Paragraph C. Limit Of Insurance; and
b. Coverage for "auto hacking expenses" ends when the Auto Hacking Expense Aggregate Limit shown in the Schedule has been exhausted.
2. No other obligation to pay sums is covered unless explicitly provided for in the definition of "auto hacking expenses" contained in Paragraph F.1. of this endorsement.
3. This insurance applies only if the "auto hacking incident" is "discovered" within the coverage territory and:
a. During the policy period; or
b. Within 30 days after the end of the policy period if no subsequent insurance is available to cover "auto hacking expenses" associated with such "auto hacking incident".
Analysis:
Refer to the Definitions section for the meaning of "auto hacking expenses", "auto hacking incident", "discovered".
In the definition of "auto hacking expenses", it is interesting to note that the towing provision has no distance requirement, nor does it specify that the service or repair facility must be the nearest one to the covered auto. There is also no separate limit for towing costs; therefore, the amount will be included within and subject to the total aggregate limit.
The endorsement will provide coverage for certain expenses to diagnose, restore, or repair an auto following a hacker attack, including an option to also include demands for ransom payments. The provisions contained in the endorsement are based in part on the ISO Commercial Cyber Insurance Policy, CY 00 02.
Paragraph 1. provides coverage for the expenses associated with a hacking incident, up to the aggregate limit of insurance shown in the declarations as described in Section C. Limit of Insurance.
Paragraph 2. explains that the insurer's obligation only applies to the specific expenses defined within the definition of "auto hacking expenses", as discussed above.
Paragraph 3. describes the coverage as applying on a discovery basis, triggering the coverage only if the "auto hacking incident" is discovered during the policy period or up to 30 days after the end of the policy period if there is no other insurance covering the same expenses. The incident must also be "discovered" within the coverage territory.
B. Exclusions
This insurance does not apply to:
1. "Loss" based upon, arising out of or attributable to any of the following:
a. War, including undeclared or civil war or civil unrest;
b. Warlike action by military force, including action hindering or defending against an actual or expected attack, by any government, sovereign or other authority using military personnel or other agents; or
c. Insurrection, rebellion, revolution, usurped power or action taken by government authority in hindering or defending against any of these.
Analysis:
The exclusions are designed to completely bar recovery under the endorsement for the 10 types of loss described, the first of which is war in all its various forms. War is an exclusion found in all standard policies, requiring little explanation. Civil war or civil unrest is excluded. Civil unrest is typically defined by law enforcement as a gathering of three or more people, in reaction to an event, with the intention of causing a public disturbance in violation of the law. For example, if a group of hackers prevent the entry and exit of all autos owned by a nonprofit insured in direct response to that insured's association with and support of a specific minority group, then coverage for those hacking expense costs could fall within this exclusion.
Loss attributable to any other government or military authority action is also excluded. For example, in retaliation to government sanctions if Russia were to hack into the computer systems of all vehicles in an auto manufacturer's final production stage, preventing the vehicles from being able to be operated, the expenses associated with this hacking incident could fall under the war exclusion.
2. "Loss" to a covered "auto" or its equipment, excluding its "computer system" and "operational data", and any resulting loss of use.
3. "Loss" based upon, arising out of or attributable to "bodily injury" or "property damage" because of an "auto hacking incident".
Analysis:
The next two exclusions are designed to exclude losses that are expenses that should be covered under the commercial auto policy rather than under the auto hacking endorsement. The physical loss to an auto or its equipment, including its loss of use, should be covered under the commercial auto policy. Likewise, any loss for bodily injury or property damage should be covered under the commercial auto policy, regardless of whether its cause was an auto hacking incident. For example, if a hacker accesses the navigational systems of a covered auto and causes it to crash into a tree, the physical damage to the auto should be covered under the collision coverage of the commercial auto policy. Expenses to determine whether a hacking incident caused the collision, and expenses associated with restoring the navigational systems to the manufacturer's specifications, would be covered under the auto hacking expense coverage endorsement.
4. Any costs to diagnose, repair or restore software designed to modify or manipulate your covered "auto's" "computer system" in a manner not intended by the covered "auto's" manufacturer.
5. Any costs due and confined to the breakdown, malfunction or inadequacy of a covered "auto" unless such breakdown, malfunction or inadequacy is caused directly by an "auto hacking incident" covered under this endorsement.
Analysis:
Exclusions 4. and 5. serve to restrict the coverage provided under the endorsement to that of an "auto hacking incident" as described in the definitions. Exclusion 4. excludes the coverage if the diagnostics or repair of the auto's computer system are to repair software that has been added to the vehicle other than by the manufacturer. Exclusion 5. excludes costs that are not directly caused by an "auto hacking incident". For example, the insured's auto was hacked causing a malfunction of the auto's braking system. While having the braking system restored, the insured also replaced the auto's radio system which was not working. The endorsement would cover the costs associated with the restoration of the auto's braking system to its original function, but any costs associated with the radio's replacement would not be covered since its damage was not a direct result of the hacking incident.
6. "Loss" based upon, arising out of or attributable to any "auto hacking incident" that you became aware of prior to the effective date of the Policy.
7. "Loss" based upon, arising out of or attributable to the same facts or "auto hacking incident" or in any circumstances, of which notice has been given under any insurance policy of which this Policy is a renewal or replacement.
Analysis:
Exclusions 6. and 7. are the prior and pending loss exclusions. If the insured discovers an auto hacking incident and then purchases the endorsement to cover that incident, coverage will be barred, as the insured must discover the auto hacking incident during the policy term or within the 30 days immediately following its expiration. If the insured's policy has been renewed, the discovered hacking incident should be covered under the renewal policy, unless the endorsement was not added to the renewal policy. For example, the insured's policy with the endorsement expires on January 31 and is renewed on February 1. On February 2, the auto hacking incident is discovered. The "auto hacking incident" was "discovered" within 30 days of the policy period's expiration; however, since the insured has a renewal policy with the endorsement, this incident will be covered under the renewal policy. If the insured did not add the endorsement at renewal, then the auto hacking incident could be covered under the expiring policy, since its discovery meets the 30-day limitation.
8. Any costs or expenses associated with upgrading, maintaining, repairing, remediating, replacing or improving a covered "auto's" "computer system" from its original manufactured condition, regardless of the reason, except as provided in Paragraph F.1.b.(2).
Analysis:
Exclusion 8. serves to restrict coverage to the costs or expenses necessary to restore or replace the covered auto's computer system to its manufactured condition, except to include expenses that are necessary to bring the auto's computer system to the level of operational capability that existed immediately before the hacking incident. The provisions of paragraph F.1.b.(2) allow for system upgrades to the computer's software systems that are deemed necessary for the auto's normal operation. For example, if certain security upgrades were made since the manufacturer installed the computer system, this will allow for those security upgrades to be included in the costs to restore the computer system to its pre-hacking operational capability.
9. "Loss" based upon, arising out of or attributable to any unauthorized or unsolicited transmission or dissemination of electronic mail, text message, telefacsimile, or telephone call.
Analysis:
Exclusion 9. bars coverage for loss due to or arising out of unauthorized or unwanted emails, texts, faxes, or phone calls. For example, an insured receives numerous calls from an unknown person stating that the insured must provide them with their email and password to the car's manufacturer, or pay the unknown person $50,000, 'or else'. If the insured ultimately gives in and provides the unknown person with their email and password, ultimately resulting in the hacker accessing and causing damage to the insured's auto computer system, exclusion 9 would bar coverage under the endorsement. In this type of situation, the insured should immediately notify the police and if they have cyber coverage in place, notify that insurer as well.
10. "Loss" based upon, arising out of or attributable to:
a. The failure of, reduction in or surge of power from an external utility service; or
b. Any disruption or failure of communication services including, but not limited to, service relating to Internet access or access to any electronic, cellular or satellite network;
not under your operational control.
Analysis:
Note the last words of exclusion 10., 'not under your operational control'. Therefore the losses described in the exclusion only apply if the excluded loss is within the insured's operational control; otherwise the coverage will apply. The first excluded loss is for power failure or surge from a utility service company. It is doubtful that the insured would have operational control of such a facility. If a hacker accesses the utility service, causing a power surge that damages the insured's computer system, the expenses associated with that hacking incident would be covered.
The second part of the exclusion bars coverage for lack of communication services within the insured's operational control. For example, if the insured cuts off their access to the auto manufacturer's satellite network and that somehow results in an auto hacking incident, this exclusion will bar coverage for the expenses associated with that hacking. However, if a hacker accesses the manufacturer's satellite network and causes an auto hacking incident, there would be coverage for the costs associated with that hacking.
C. Limit Of Insurance
1. The Auto Hacking Expense Aggregate Limit shown in the Schedule is the most that we will pay for all "auto hacking expenses" because of all "auto hacking incidents" covered by this endorsement.
2. Regardless of the number of covered "autos" involved in the "auto hacking incident", the most we will pay for all "auto hacking expenses" attributable to any one covered "auto" shall not exceed the actual cash value of such covered "auto" at the time an "auto hacking incident" was "discovered".
3. Our obligation to pay "auto hacking expenses" applies only to the amount of such expenses in excess of any deductible amount shown in the Schedule. The Auto Hacking Expense Aggregate Limit will not be reduced by the amount of this deductible.
4. The Auto Hacking Expense Aggregate Limit applies separately to each consecutive annual period and to any remaining period of less than 12 months, starting with the beginning of the policy period shown in the Declarations, unless the policy period is extended after issuance for an additional period of less than 12 months. In that case, the additional period will be deemed part of the last preceding period for purposes of determining the Auto Hacking Expense Aggregate Limit.
Analysis:
The Limit of Insurance section establishes a single aggregate limit that applies to all "auto hacking expenses" for the policy term, regardless of how many "auto hacking incidents" occur during the term or how many autos are covered by the endorsement. In addition, the amount paid for any one covered auto is capped at that auto's actual cash value at the time the incident was discovered. The deductible amount, if any, shown in the endorsement schedule will apply to "auto hacking expenses", and payment of such expenses will be reduced by the deductible amount. The aggregate limit shown in the schedule will not be reduced by the deductible amount.
The aggregate limit applies on an annual basis, and to any endorsement extension of less than 12 months, beginning with the policy period shown in the declarations, unless the policy has been extended. If the policy is extended for less than 12 months, the additional period will be part of the last preceding period in determining the aggregate limit.
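To make the interaction of the trigger in Paragraph A.3 (discovery during the policy period or the 30-day tail), the per-auto actual cash value cap and per-incident deductible in Section C, and the $30/day, $900 maximum transportation reimbursement in Paragraph F.1.c concrete, here is a small claims-calculation model. It is an added illustration, not ISO's or any insurer's code. It assumes an ordering the endorsement does not spell out: each auto's expenses are first capped at its ACV, the deductible is then subtracted from the incident total, and the result is limited by what remains of the aggregate. It also assumes transportation days are counted as whole calendar days after the 48-hour waiting period. All dates and dollar figures are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TAIL_DAYS = 30            # Paragraph A.3.b: 30-day discovery tail after the policy period
TRANSPORT_DAILY = 30.0    # Paragraph F.1.c: $30 per day ...
TRANSPORT_MAX = 900.0     # ... up to $900
TRANSPORT_WAIT_DAYS = 2   # ... beginning 48 hours after the incident is established


def discovery_triggers_coverage(discovered, period_start, period_end,
                                in_territory, subsequent_insurance):
    """Paragraph A.3: the incident must be "discovered" within the coverage
    territory and either during the policy period, or within 30 days after it
    ends when no subsequent insurance covers the expenses."""
    if not in_territory:
        return False
    if period_start <= discovered <= period_end:
        return True
    tail_end = period_end + timedelta(days=TAIL_DAYS)
    return period_end < discovered <= tail_end and not subsequent_insurance


def transportation_expense(established, returned_to_use):
    """Paragraph F.1.c: $30/day from 48 hours after the incident is established
    until the auto is returned to use, capped at $900 (whole-day counting is an
    assumption of this example)."""
    days = max(0, (returned_to_use - established).days - TRANSPORT_WAIT_DAYS)
    return min(days * TRANSPORT_DAILY, TRANSPORT_MAX)


@dataclass
class HackingExpensePolicy:
    aggregate_limit: float      # Auto Hacking Expense Aggregate Limit from the Schedule
    deductible: float           # per-incident deductible from the Schedule
    paid_to_date: float = 0.0   # erodes the aggregate; the deductible does not (C.3)

    def pay_incident(self, expenses_by_auto, acv_by_auto):
        """Return the amount paid for one incident.
        expenses_by_auto: {auto_id: "auto hacking expenses" attributable to that auto}
        acv_by_auto:      {auto_id: actual cash value when the incident was discovered}
        Ordering (assumed): ACV cap per auto (C.2), then deductible (C.3),
        then remaining aggregate (C.1 / A.1.b)."""
        remaining = self.aggregate_limit - self.paid_to_date
        if remaining <= 0:
            return 0.0  # A.1.b: coverage ends once the aggregate is exhausted
        capped = sum(min(exp, acv_by_auto[auto]) for auto, exp in expenses_by_auto.items())
        payable = max(0.0, capped - self.deductible)
        payment = min(payable, remaining)
        self.paid_to_date += payment
        return payment


def run_example():
    """Constructed scenarios; returns a dict so each result can be checked."""
    results = {}
    # Renewal example from the exclusion 6./7. discussion: expiring policy
    # 2021-02-01 to 2022-01-31, incident discovered 2022-02-02.
    expiring = (date(2021, 2, 1), date(2022, 1, 31))
    results["tail_with_renewal"] = discovery_triggers_coverage(
        date(2022, 2, 2), *expiring, in_territory=True, subsequent_insurance=True)
    results["tail_without_renewal"] = discovery_triggers_coverage(
        date(2022, 2, 2), *expiring, in_territory=True, subsequent_insurance=False)
    results["after_tail"] = discovery_triggers_coverage(
        date(2022, 3, 15), *expiring, in_territory=True, subsequent_insurance=False)

    # Constructed schedule: $50,000 aggregate, $200 per-incident deductible.
    policy = HackingExpensePolicy(aggregate_limit=50_000.0, deductible=200.0)
    # Incident 1: two autos; auto A's expenses exceed its ACV and are capped.
    results["incident1"] = policy.pay_incident(
        {"A": 12_000.0, "B": 3_000.0}, {"A": 9_000.0, "B": 20_000.0})
    # Incident 2: large claim limited by what remains of the aggregate.
    results["incident2"] = policy.pay_incident({"C": 45_000.0}, {"C": 60_000.0})
    # Incident 3: aggregate exhausted, nothing more is paid.
    results["incident3"] = policy.pay_incident({"D": 1_000.0}, {"D": 5_000.0})

    results["transport_short"] = transportation_expense(date(2022, 5, 1), date(2022, 5, 20))
    results["transport_capped"] = transportation_expense(date(2022, 5, 1), date(2022, 7, 15))
    return results


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

Running the example shows the point the analysis makes about the deductible: incident 1 pays $11,800 (ACV-capped total of $12,000 less the $200 deductible) yet erodes the aggregate only by the amount actually paid, so $38,200 remains for incident 2 and nothing for incident 3.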
D. Changes In Conditions
For the purposes of the coverage provided by this endorsement, the Conditions section is amended as follows:
1. The Other Insurance Condition is replaced by the following:
Other Insurance
This insurance is excess over any other collectible insurance. When this insurance and any other insurance covers on the same basis, either excess or primary, we will pay only our share. Our share is the proportion that the Limit of Insurance of this insurance bears to the total of the limits of all insurance covering on the same basis.
Analysis:
The coverage provided by the endorsement is excess of any other collectible insurance. Where both this insurance and other insurance apply on the same basis, the insurer will pay only its proportional share, based on the ratio of this limit to the total limits of all insurance applying on that basis.
2. The Duties Condition is replaced by the following:
Duties In The Event Of An Auto Hacking Incident
We have no duty to provide coverage under this Policy unless there has been full compliance with the following duties:
In the event an "auto hacking incident" is "discovered", you must give us or our authorized representative prompt notice.
Additionally, you must:
- Cooperate with us in the investigation of the "auto hacking incident".
- Promptly notify the police.
- Agree to examination under oath at our request and give us a signed statement of your answers.
- Give us detailed, sworn proof of any "auto hacking expenses".
Analysis:
The insured has specific duties that must be complied with for coverage to apply under the endorsement, the first of which is to promptly notify the insurer or their representative upon discovery of an "auto hacking incident". Once notified, the insured must cooperate with the insurer in all respects and of course notify the police since auto hacking may be a criminal act. The insured must provide a detailed list of all expenses associated with the hacking and swear to its accuracy.
3. The Policy Period, Coverage Territory Condition is replaced by the following:
Policy Period, Coverage Territory
The coverage territory is:
- The United States of America;
- The territories and possessions of the United States of America;
- Puerto Rico; and
- Canada.
Analysis:
Coverage applies only to "auto hacking incidents" that take place in the coverage territory of the United States and its territories and possessions, Puerto Rico, and Canada. This is the standard territory for many policies.
4. The following conditions are added:
a. Security Updates Or Recalls
You must make every reasonable effort to promptly install or respond to any software security updates or recalls that are recommended for your vehicle by the "auto" manufacturer.
b. Confidentiality Condition
You must make every reasonable effort not to divulge the existence of this coverage.
Analysis:
Two additional conditions are added to the policy that are specifically applicable to this endorsement: first, the insured must perform the software security updates and recalls recommended by the auto's manufacturer; and second, the insured must not divulge the existence of this coverage. The first condition is simply a maintenance item, but it is vital to maintaining the security of the auto's computer system: as the manufacturer becomes aware of security deficiencies, the software must be updated to address them. The second condition may seem unusual, but if a hacker is aware that the insured has insurance to cover such incidents, they are more likely to target that individual or company. Cyber criminals are known to hack companies that they know have insurance coverage because they know the ransom may be paid by the insurance.
E. Ransom Coverage
If the Schedule indicates that Ransom Coverage applies, then the following provisions also apply:
1. The definition of "auto hacking expenses" is amended by the addition of the following:
d. Ransom payments made by you, including payments made in the form of virtual currency such as, but not limited to bitcoin, as a result of an "auto hacking incident".
e. Interest costs paid by you for any loan from a financial institution taken by you to pay a ransom demand.
2. The definition of "auto hacking incident" is amended by the addition of the following:
c. Demand for ransom payments made to you in connection with the actual or threatened perpetration of any of the events described in Paragraph F.2.a. or F.2.b.
Analysis:
Note that the ransom coverage is only extended if the coverage is selected on the schedule. For ransom coverage, the "auto hacking expenses" is amended to include the costs of ransom payments made by the insured at the amount shown in the declarations. The ransom payment can be in any monetary form, including virtual currency, and will include interest costs if the insured had to assume a loan from a financial institution in order to pay the ransom demand.
3. The Duties In The Event Of An Auto Hacking Incident Condition is amended by the addition of the following:
e. With respect to demands for ransom payments, as described in Paragraph E.2., you must:
(1) Make every reasonable effort to remediate the cause of the ransomware;
(2) Make every reasonable effort to immediately notify us before making any ransom payment based upon the "auto hacking incident"; and
(3) Approve any ransom payment based upon the "auto hacking incident".
Analysis:
If ransom coverage is added, the insured must comply with an additional three-part condition that applies to that coverage, which is to do whatever they can reasonably do to remediate the cause of the ransomware, to immediately notify the insurer before making any ransom payment, and to obtain the insurer's approval for such ransom payment.
Includes copyrighted material of Insurance Services Office, Inc., with its permission.