A cybercriminal hijacks an autonomous vehicle. Who’s responsible for a crash?

Vehicle manufacturers are likely going to be on the hook for damages following autonomous car crashes in which no human being is controlling the vehicle, a cyber insurance specialist says.

“Certainly, one of the more dramatic ways of thinking about that is: What if a car is attacked in a way that allows the criminal to get access to the systems that actually control the steering, or how fast the car goes, or braking?” Tim Zeilman, vice president of global products-cyber at HSB, told Canadian Underwriter in an interview.

“I think in today’s world, the answer is fairly clear that it’s the driver who is responsible [for an auto collision]. Most vehicles, even those with semi-autonomous driving kinds of systems, require the driver — at least in theory — to be at the wheel and active and paying attention and ready to take over at a moment’s notice.”

However, he noted, we’re in a transition phase towards fully automated vehicles. Increasingly, vehicles are taking over vehicle navigation, leaving less for the driver to do. Think adaptive cruise control, in which the vehicle speeds up or slows down based on traffic.

“Vehicles have a whole range of features that run anywhere from some assistance with driving to something close to full autonomy,” Zeilman reported.

How long will this transition phase last? That’s hard to say. Predictions of fully autonomous vehicles moving from fringe to mainstream range from somewhere between the next 10 to 30 years.

iStock.com/Chesky_W

“I think it becomes a very interesting question when you start thinking down the road to a point where most vehicles are somewhat fully autonomous,” Zeilman said, adding that at that point, auto liability “becomes a much more interesting and less clear picture.”

If a driver is no longer a driver, but instead an occupant in a fully-automated vehicle, who would be responsible for a crash? “It seems fairly obvious that the party you would think of would be the manufacturer in some way,” Zeilman said.

When assessing a collision, experts will need to figure out what other factors could be at play. Weather and road conditions might play a part. But perhaps there a design flaw in the vehicle? Or a cyberattack hijacked the vehicle?

There are a number of interesting questions, Zeilman said, “but I think the manufacturer is probably the obvious person that parties would turn to in that sort of a situation.”

In the case of a cyberattack, it’ll be up to car manufacturers to ensure their security is top-notch, he added.

For the insurance industry, how insurers would cover a cyberattack on an autonomous vehicle might be a question going forward.

“In today’s world, from an insurance perspective, it’s fairly clear that auto insurance covers accidents, regardless of whether it’s the driver’s fault or whether there was a hacking event or whatever,” Zeilman said.

But that may be a result of the industry not yet wrapping its arms around the issue and changing course. And, as Zeilman pointed out, ripple effects may follow from a vehicle cyberattack that insurance doesn’t cover.

“If a car is attacked and disabled, if there is a ransom attack on a car, things like that — things we don’t really see a lot of today but are certainly theoretically possible,” he said. “Those things are not necessarily covered by insurance.”

Feature image by iStock.com/Tom Merton