Final Slide Deck - Foley & Lardner LLP · 2019-04-17 · 1/11/2017 2 ©2017 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models

1/11/2017

1

©2017 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

©2017 Foley & Lardner LLP

Today’s Agenda

■ Welcome» Jay Rothman, Foley & Lardner LLP

■ Overview of Emerging Automotive Technologies» Joe Kwederis, Deloitte & Touche LLP

■ IP and Data Protection» Pavan Agarwal, Foley & Lardner LLP» Chanley Howell, Foley & Lardner LLP

■ Break

■ Supply Chain» Neil Steinkamp, Stout Risius Ross» Kiran Nayee, JLT Specialty

■ Q&A

■ Program Concludes

1/11/2017

2


WelcomeJay Rothman, Foley & Lardner LLP


Automotive Cybersecurity OverviewJoseph Kwederis, Deloitte & Touche LLP

1/11/2017

3

Automotive Cyber Security OverviewJoe Kwederis, Principal, Deloitte & Touche LLP

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright © 2017 Deloitte Development LLC. All rights reserved.

The future of mobility is here…

Extent to which vehicles are personally owned or shared:

• Depends upon personal preferences and economics

• Higher degree of shared ownership increases system-wide asset efficiency

Personal Shared

Auto

nom

ous*

Driver

Assis

t

Future states of mobility

Vehicle ownership

Veh

icle

co

ntr

ol

A new age of accessible autonomy

A world of carsharing

The driverless revolution

Incremental change1 2

3 4

Asset efficiency

PHASE 1

PHASE 2 PHASE 2

1/11/2017

4


OwnershipAlternate ownership models (Zip-car, peer-to-peer rentals, car sharing, etc.)

Product transformationSmart materials, powertrain technologies, autonomous vehicles, connectivity

Risk and complianceRegulatory and global influences, e.g., China, Europe, US. Connected vehicle ecosystem impacts on consumer safety and security

New services and competitorsCar parking, valet on demand, telematics, connected services, car sharing

ConnectivityConnectivity and convergence

Customer expectationsChanging customer expectations, such as Gen Y’s preferences about information, ownership, consumer trust, etc.

Changes in the automotive market are presenting new opportunities and challenges for automakers

Information security and cyber risk need to be considered for each new product

and service in the context of shifting consumer and regulatory expectations.


Energy

$573B

Current extendedautomotive industry

revenues

~$2T1

Finance

$101BTransportation

$59B

Automotive

$735B

Media

$16B

Insurance

$205B

Retail

$24B

Medical& Legal

$35B

Publicsector

$251B

Auto insurance

Auto financing

Radio advertising; outdoor advertising

Oil companies and gas stations

Fuel, licensing, and auto sales taxes; traffic enforcement; tolls; public transportation; parking

Rental vehicles; taxi and limo services; private parking garages

Emergency services and hospital costs; legal fees associated with accidents

Wholesale and dealer vehicle sales and service; suppliers; and mechanics

Aftermarket parts and service channel

Stakes are high – with approximately $2 trillion in revenues collected annually by the current extended auto industry

1Total revenue is $1.99T. Source: Deloitte analysis based on IBISWorld Industry Reports, IHS, DOT, US Census, EIA, Auto News, TechCrunch. Current revenue represents 2014 figures (or earlier if 2014 data not available) in the United States.

1/11/2017

5


There are a number of forces that will influence the rate at which the new mobility ecosystem takes shape

Forces of delay or acceleration

Regulation & Government

Public Attitudes

Human-machine interface, safety, shared economy

Wall Street Valuations

Technology Development Employment Changes

Privacy and Security

Early experiments, pilot programs

Federal, state and local policies Cyber-security, communication protocols

Technology investments, cost of capital projections

Dislocation effects, reactions, job retraining

Source: Deloitte analysis, based on publicly available information.


Breach through mobile apps or Wi-Fi

Malware through console OS

Loss of integrity ofcontrolunits

Exploit GPS and navigation data

Malicious vehicle apps

Breach of telematics

Malicious or accidental breach of vehicle systems

Negative advertising due to breach

Online defacements through advocacy groups

Cyber incident impact to insurance

Activity by foreign governments

Non-compliance to regulations

Organized crime

Competitors

Counterfeit suppliers

Vulnerabilities created through dependencies on external entities

Breach of data through alliance partners

Reputational damage through social media

Tampering of parts and accessories

Dealer data breach

Counterfeit warranty parts

Breach of Manufacturing IP

Breach or leakage of product IP, marketing data, customer data

Malicious employees

Threats posed to and by internal entities

Disruption in purchasing and supply chain channels

Exploitation of Financial data

Information technology incidents

Reputational damage impacting customer experience

Loss of integrity of on-board diagnostics

Connected vehicles and services face a myriad of threats

1/11/2017

6


ICS security environments should be reviewed in terms of a standard security framework and with consideration of the primary domains that exist in the security infrastructure

Industrial control systems (ICS) are highly inter-connected

Security Domains

Access & Privilege

Management

Intrusion Detection & Monitoring

Cyber Intelligence

Network Security

Awareness & Policy Adoption

Configuration & Vulnerability Management

Incident Response &

Recovery

Physical Security

Access & Privilege ManagementReview and management of default, privileged, and user

accounts with access to ICS systems

Intrusion Detection &

MonitoringDeep packet inspection of

network traffic for indicators of compromise or analogous

communications

Cyber IntelligenceIntelligence gathering on

relevant cyber-attack

mechanisms as on-going

input to security safeguards

Network SecurityNetwork architecture designed

and configured to protect

critical assets while allowing

required business communications

Configuration & Vulnerability Management

Proactive management and monitoring of patches and

configuration settings

Incident Response &

Recovery Policies and procedures that

define incident triage, response, containment, remediation, and

recovery

Physical SecuritySafeguards which appropriately

restrict, control, and monitor

physical access to critical assets

Awareness & Policy ManagementPolicies, training, and guidance that mandate and promote secure

behavior by end-user groups


Automotive IT Environments

Enterprise SystemsIndustrial Control System (ICS)

/Production Systems

Connected Vehicles Customer Experience Services

Mobile Apps

Console OS

On-board Diagnostics

Vehicle ControlUnits

GPS and Navigation

Vehicle Apps

4G Hotspot

Telematics

Cameras

Self ParkingCollision

Avoidance

Fleet Management

CarsharingTelematics

Financing/Leasing

Insurance

Concierge Services

RADAR, LASER and Ultrasonic Sensors

Enterprise Applications

Local Applications

Mobile Applications

Web-based Applications

Third-Party Applications

Data Warehouses Databases

Operating Systems

Connectivity is expanding the cyber risk profile

1/11/2017

7


Cyber risk themes

2016 Cyber risk in advanced manufacturing study with MAPI


Be Secure.Vigilant.Resilient.™

Cyber risk in advanced manufacturing.

Traditional

board

report ing

Industrial Control Systems

50%isolate orsegment ICS

networks

31%have notconducted an

ICSassessment

Be Secure.Take a top down, risk based

approach to implementingsecurity strategies for the

most critical networks,

systems, and data

Be Vigilant.Implement routine monitoringmechanisms for high risk

networks, systems, and data

that will alert the company toabnormal activity and enable

prompt action

Lack skilled resources75%

4 of top 10 threats involve employees

Talent and Organizational Management

IT/ OTgap drives behavior

36%cited IPprotection

as top concern

Enterprise Network &Business Systems

Connected Products

use sensors,

smart products,

and mobile apps

Governance and Leadership Engagement Nearly 50% of executives lack

confidence they are protected48%lack adequate funding

Cyber Risk Programs: A Framework for Leading Practice Board Reporting

35-45%

encrypt the data55%

50%perform ICSvulnerabilit y

testing less often

than once a month

A top executive

concern is

increasing

sophistication/

proliferation of

threats

77%Had performed end toend product assessment

27%do notinclude ICS in

incident

response plans

Be Resilient.Plan ahead before a breachoccurs so the organization is

prepared to respond in order toneutralize threats, prevent

further spread, and recover

from business impacts

only

12%

39%experienced

a breach

currently employ tacticssuch as

wargamingexercises

38%had losses

$1 - 10m+

37%do not includeconnectedproducts toincident responseplans

Sources: Cyber risk in advanced manufacturing; Deloitte and MAPI, Deloitte CISO Labs.

1/11/2017

8


‘Intellectual Property’ remains the top sensitive data protection concern among surveyed advanced manufacturing firms

‘Intellectual Property’ is the top data protection concern…

Q6. Which of the following do you believe are the top three (3) sensitive data protection concerns for your organization?

36%

32%

29%

26%

25%

22%

22%

21%

20%

17%

17%

16%

16%

Intellectual property

Consumer data

Unauthorized or accidental disclosure of personal information

Web-enabled systems and services

Managing third-party information sharing

Compliance with privacy statutes

Protecting access to big data stores and advanced analytics

Lack of consistent review process

Internal privacy awareness and training

Aligning operational practices and with policies

Managing individual business unit privacy requirements

Cross-border flows of personal information

Unauthorized access to personal information

Top 3 sensitive data protection concerns

Note: Sample size, N = 228


The second most cited motive behind recent cyberattacks is intellectual property theft, across organizations of all sizes

…and a prominent motive behind recent cyberattacks

Q12. What do you think was the motive for the cyber attack(s) your organization experienced in the past 12 months? (select all that apply)

45%

35%

29%

26%

22%

20%

19%

16%

15%

Financial theft

Intellectual property theft

Access to sensitive informationof specific senior executives

Access to regulatorycompliance information

Access to sensitive financialinformation

Safety / personal harm /facility damage

Access to plant operationsinformation

Access to key businesspartners

Access to strategic plans

39%

26%

35%

39%

30%

13%

17%

22%

17%

44%

40%

26%

23%

21%

14%

21%

12%

12%

53%

37%

26%

11%

16%

37%

16%

21%

21%

Financial theft

Intellectual property theft

Access to sensitive informationof specific senior executives

Access to regulatorycompliance information

Access to sensitive financialinformation

Safety / personal harm /facility damage

Access to plant operationsinformation

Access to key businesspartners

Access to strategic plans

< $500 mn $500 mn to $5 bn >$5 bn

According to more than a third of companies surveyed (35%), ‘Intellectual property theft’ is the primary motive behind many of the recent cyberattacks

Overall Across organizations of all sizes (by revenues)

Only among small companies, ‘Intellectual property theft’ is the third most cited motive behind recent cyberattacks according to the survey

1/11/2017

9


Cyber Security Strategy & Roadmap

• Current state maturity assessment• Strategic objectives & roadmap of approved initiatives

Cyber Security Transformation & Cosourcing

• Focus on high value activities• Cosource areas of low risk with operational requirements

Cyber Security Strategic Program

• Build / mature information security capabilities• Execute assessments on high risk environments• Remediate high risk vulnerabilities

Operational Sustainability

• Further developing the maturity of basic cyber security capabilities, with a greater focus on standardization, integration & consistency

• Positioned to evolve towards the next level of maturity & business partnership

Building a broad, sustainable cyber security capability takes leadership, commitment and focus

Cyber security roadmaps can help communicate plans and priorities


Cyber security program requirements continue to grow…

2000

2010

2020

• Data Protection

• Policies, Procedures and Standards

• Identity and Access Management

• Network Vulnerability Management

• Anti-Virus/Malware

• SOX/Regulatory Requirements

• Application Vulnerability Management

• Data Loss Prevention

• Privacy

• Incident Management

• Insider Threats

• Privileged User Management

• Security Operations Center (SOC)

• Third-Party Risk Management

• Governance, Risk and Compliance

• Threat Intelligence

• Cyber Reconnaissance

• Cyber Analytics (security information and event management or SIEM)

• War Gaming

• Crisis Management

1/11/2017

10


UnderstandInformation

Assets

Leverage ISO 27001/

27002 SecurityDomains

Program Governance and Oversight

Intellectual Property

Product Design

Consumer Data

Business Strategy, M&A etc…

Protect and Enable Information Security

Benchmark Peers

Standards-Based Maturity Evaluation

Understand the current level of maturity against ISO 27002, measured by ISO domain to help drive IT Security program priorities

Competitive Positioning

Evaluate robustness of IT Security Program with respect to its industry peers and likely competitors

Actionable Recommendations

Develop IT Security Program enhancement recommendations to effectively manage risks to its business data, intellectual property, and information assets

Scope of Assessment Benefits and Outcomes

A typical cyber assessment

1. Security Policies 8. Operations Security

2. Security Organization 9. Communications Security

3. HR Security 10. Systems Acquisition,Development andMaintenance

4. Asset Management 11. Supplier Relationships

5. Access Control 12. Incident Management

6. Cryptography 13. Business Continuity for Information Security

7. Physical and Environmental Security

14. Compliance

Map Business Units,

Regions, Environments

Sales & DistributionCaptive Finance

Enterprise SystemsConnected Vehicle ICS

Customer Experience ServicesR&D

Manufacturing

Automotive and technology peers


OEMs and suppliers need to establish the relevant set of people, process and technology to align security practices with connected vehicle requirements

Cybersecurity program maturity is an important consideration

1 - Initial 2 - Repeatable 3 - Defined 4 - Managed

Security Awareness

Technology purchased but not implemented

5 - Optimized

Security has become an organizational goal

Security technology implemented, not standardized

Security Strategy, vision and objectives are drafted with limited communication

Processes understood and defined

Security technology implemented with limited integration

Enterprise Strategy objectives exist with 3- to 4-year plan and roadmap

Market Leader in Security

Leading Practices are followed, use of sophisticated reporting

Direct links to IT, Automotive Security and corporate policy

Integrated security workflow and quality improvement pipeline

Processes drive quality improvements

Clear Strategy and Vision are established and communicated across the organization

Effective security technologies deployed

Clear metrics for governance, policy and procedures

Processes under constant improvement

2000

2010

2020

• Data Protection

• Policies, Procedures and Standards

• Identity and Access Management

• Network Vulnerability Management

• SOX/Regulatory Requirements

• Application Vulnerability Management

• Data Loss Prevention

• Privacy

• Incident Management

• Privileged User Management

• Governance, Risk and Compliance

• Security Operations Center (SOC)

• Threat Intelligence

• Cyber Reconnaissance

• Cyber Analytics (SIEM)

• War Gaming

• Crisis Management

1/11/2017

11


Top 10 next steps

Be Secure.Vigiliant.Resilient.™

Set the toneEngage leadership in the managing cyber risks01Assess risk broadlyInclude enterprise, ICS and connected products02Socialize the risk profileShare the results with leadership and the board03Build in securityHarmonize investments with the cyber risk program04Remember data is an assetConnect business value with data and strategies to protect it05

Assess third-party riskInventory mission critical ecosystem relationships and evaluate related risks

06Be vigilant with monitoringDetermine whether and how quickly a breach in key areas of the company would be detected

07Always be preparedFocus on incident and breach preparedness using wargaming simulations

08Clarify organizational responsibilitiesIdentify clear ownership with a leader to bring it together

09Drive increased awarenessGet employees on board and ensure they know their role in protecting the organization

10

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed

description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of

public accounting.


36 USC 220506

1/11/2017

12


IP Issues Surrounding Auto Emerging TechPavan Agarwal, Foley & Lardner LLP


Exemplary Areas of Emerging Technologies

TOPIC AREA DEFINITION CATEGORY

Fuel Economy Also known as fuel efficiency, or the maximization of the distance traveled on a unit of fuel

Propulsion

Telematics Global Positioning System technology integrated with computers and mobile communications technology in automotive navigation systems

Navigation

Autonomous Driving

Automobiles that are capable of driving themselves without input from a human passenger

Handling

Driver Assistance Various systems such as auto braking, lane departure warning, and traffic sign recognition that help the driver become aware of and avoid road hazards

Safety & Security

Heads-Up Displays (HUDs)

Systems for displaying data from a smartphone to the windshield of an automobile so a driver can keep his/her eyes on the road

Entertainment

Source: Thomson Innovation & Thomson Reuters Derwent World Patents Index

1/11/2017

13


Advanced Driver Assistance Systems(ADAS)

V2V connectivity (e.g., 5G)

ADAS

V2V Connectivity

Carsharing

Illustrative Examples: ADAS and V2V Connectivity


Illustrative Example: ADAS and V2V Connectivity

Multiple Levels of Integration

Hardware• Processor• Sensors

(LIDAR)• Heads-Up

Display (HUD)

Software• Control• Apps• Artificial

intelligence

System Integration• CAN• Post-

Installation Updates

1/11/2017

14


Common IP Issues for ADAS and Other Integrated Products

Competitive Landscape Disruption

IP Ownership from Joint

Collaboration

Obligation to Defend and Indemnify

Trolls Levy Tolls

IP Protection Mix


Mix of IP Protection

Patents (including designs)

Trade Secrets

Copyright

Common IP Issues for ADAS and Other Integrated Products – Protection Mix

1/11/2017

15


Traditional Auto Industry Model

Gone

Large Tech and Small Tech

No Clear Vertical and Horizontal

Chains

Common IP Issues for ADAS and Other Integrated Products – Landscape



Source: https://www.cbinsights.com/blog/autonomous-driverless-vehicles-corporations-list/

1/11/2017

16



Source: https://cbi-blog.s3.amazonaws.com/blog/wp-content/uploads/2016/05/1-unbundling-car.png


Competitive Landscape Disruption: Each Has Own Vision and Experience in IP

Entirely New

Players

Traditional Auto

Players

Large Tech/Small

Tech


1/11/2017

17



Source: Thompson Reuters “The 2016 State of Self-Driving Automotive Innovation”


IP Ownership and Right to Use

•Freedom to Use Technology• With other customers?

•Later Improvements by Collaborators• Freedom to use?

•Retaining Background IP• Share what you bring to the table?

•Conditions for enforcement• Who needs to be involved?

Common IP Issues for ADAS and Other Integrated Products – IP Ownership

1/11/2017

18


Defend and

Indemnify

Ability and ResourcesAbility and Resources

Accusation Spans Parts or HW/SW

Accusation Spans Parts or HW/SW

Going layers up in supply

chain

Going layers up in supply

chain

Don’t Know Actual

Supplier

Don’t Know Actual

Supplier

Common IP Issues for ADAS and Other Integrated Products - Indemnification

* Approximate doubling in patent infringement cases in most recent 5-year blocks


Special Case: Standard

Essential Patents

Tougher to Counterattack

Just Want MoneyDifferent Levels of Sophistication

Trolls Levy Tolls

Common IP Issues for ADAS and Other Integrated Products: NPEs

* In recent years, non-practicing entity (NPE) patent infringement cases are outnumber competitor cases by over 5:1

1/11/2017

19


Common IP Issues for ADAS and Other Integrated Products – NPEs

Common Auto NPEs in Recent Years• American Vehicular Sciences• Beacon Navigation GmbH• Cruise Control Technologies• Signal IP• PJC Logistics• Norman IP• Innovative Display Technologies• Delaware Radio Technologies• Novelpoint Tracking• Affinity Labs of Texas• Advanced Silicon Technologies• Diamond Coating Technologies, LLC• Digital Stream IP


Taking Control of CybersecurityChanley Howell, Foley & Lardner LLP

1/11/2017

20


Regulators

FTC

FCC

NHTSA


Best Practices

GovernanceGovernance

Risk AssessmentRisk Assessment

Security by DesignSecurity by Design

Threat Detection / PreventionThreat Detection / Prevention

Incident Response / RecoveryIncident Response / Recovery

Training / AwarenessTraining / Awareness

CollaborationCollaboration

1/11/2017

21


Source: Verizon 2016 Data Breach Investigations Reporthttp://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

Sources of Security Incidents


Source: Verizon 2016 Data Breach Investigations Reporthttp://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

Sources of Security Incidents

1/11/2017

22


Corporate Information Assets


DNC Hacking

1/11/2017

23


DNC Hacking


Victims of Chinese Cyber Espionage

1/11/2017

24


Action Steps


Evolving Standard of Care

2006 2016

1/11/2017

25


Managing Risks


Information Security Policy Library

1/11/2017

26


Information Security Policy Library


1/11/2017

27


BREAK20 minutes


The Connected Car – Supplier Risk AssessmentsExternal Data – Insights and Integration

Neil Steinkamp, Stout Risius Ross

1/11/2017

28

Global Financial Advisory Services

The Connected Car – Supplier Risk AssessmentsExternal Data – Insights and Integration

Suppliers of Advanced Driver Assistance Systems (“ADAS”) and related components are presented with unique opportunities as the adoption of these technologies increases.

Suppliers also face unique risks of recall and excess warranty resulting from defects related to advanced components supplied into these platforms:

Defects related to new designs or manufacturing processes

Integration of components into complex systems

Reliance on software

Lack of history / experience related to components and assemblies

Unique Opportunities and Risks

1/11/2017

29

Adoption of ADAS technology is occurring during a period of enhanced regulatory scrutiny, as well as increased OEM sensitivity to, and customer awareness of automotive safety defects.

Automotive AI and ADAS were of significant interest at CES just last week.

“CES has become an evermore automotive focused trade-show, and this year's Media Day was no exception….[T]here were two main themes: First, AI is becoming an increasing focus of autonomous driving development; Second, there is mounting sentiment that Level 4 ADAS is still a few years out, and that Level 5 ADAS may be much further out.” – SunTrust CES Media Day Recap

Identifying Risks

What does that mean though? A few considerations from CES Media Day:

Mobileye partnering with Intel and BMW “announced plans to have a fleet of approximately 40 autonomous BMW 7 Series vehicles on the roads in the US and Europe by 2H17.”

NVIDIA announced 6 AI based automotive partnerships with:

Audi to put a fully autonomous vehicle on the road by 2020;

VW to develop an AI cockpit;

HERE (Private) to develop AI for HD mapping;

ZF for AI-based self-driving systems;

Zenrin for HD mapping for Japan; and

Bosch for AI driven self-driving computers.

Continental announced it is using its 3D Flash LIDAR to construct a complete 3D model of the vehicle surroundings up to 200 meters away and as close as a few centimeters.

Valeo, Toyota, Hyundai and others made significant announcements regarding AI and ADAS at Media Day as well.

-Source: SunTrust CES Media Day Recap – January 5, 2017

Identifying Risks

1/11/2017

30

Suppliers and OEMs must identify the risk of defect associated with the adoption and integration of ADAS technologies, and consider the potential consequences:

What features give rise to risks?

How to analyze risks with little or no production history?

What is the potential magnitude of a recall or field service action?

How can these risks be mitigated?

–Engineering / Process / Quality Feedback and Improvement?

–Pricing Mitigation?

–Legal / T&C Mitigation?

–Insurance?

Identifying Risks

Certain data limitations inhibit suppliers’ ability to asses the risks related to ADAS components:

Limited production and defect history

Disjointed, unstructured sources of data

Available data requires refinement and analysis

Analysis of the data therefore requires consideration of multiple sources of information with an appreciation of the unique features of each.

Interpretation of the results also requires a comprehensive understanding of the industry, supply chain, regulatory environment, and insight into forthcoming trends.

Challenges to Identifying Risks

1/11/2017

31

Risk assessment methodologies can utilize data from many publically available sources, as well as proprietary datasets, including:

NHTSA Recall Data

Technical Service Bulletins (TSB)

NHTSA Defect Investigations

NHTSA Complaints

Early Warning Reporting (EWR)

Motor Vehicle Defect Petitions

Petitions for Inconsequential Noncompliance

International Recall Data

Vehicle Production and Sales

Component Adoption and Fitment

Suppliers Identified in Recall Notices

Data regarding manufacturing, assembly and design defects

Recall Completion Rate Data

FARS Data

Other indicators or risk such as consumer feedback through blogs and other sites as well as litigation arising from defects.

Identifying Data

A comprehensive risk assessment considers the following:

Historical defect incidence rates;

Relevant vehicle population characteristics, including component fitment and market penetration; and

Analysis of costs associated with recall and excess warranty.

Based upon this analysis, a supplier is better able to estimate:

Defect incidence rate and number of defects per thousand vehicles;

Probability weighted cost of recall or field service action; and

Relative risk profile of individual components.

Such information is valuable to risk management, and can provide insights into other sales, engineering, and legal considerations.

Supplier Risk Assessment Methodology

1/11/2017

32

Example Risk Profile – Crash Imminent Braking

Risk Indicators – Regulatory Developments - Crash Imminent Braking

ADAS equipment, including crash imminent braking, has been a topic of increased regulatory focus for NHTSA:

“In 2012, one-third of all police-reported crashes involved a rear-end collision with another vehicle as the first harmful event in the crash, and NHTSA believes that advanced crash avoidance and mitigation technologies like AEB systems could help in this area. NHTSAs extensive research on this technology and on relevant performance measures showed that a number of AEB systems currently available in the marketplace are capable of avoiding or reducing the severity of rear-end crashes in certain situations.” – www.safercar.gov

“Crash Avoidance technology has continued to progress, and NHTSA is aggressively pursuing research related to technologies that, in addition to warning drivers of a collision threat, can take active control of the vehicle to help mitigate or avoid the crash (if warnings are not heeded by the driver, or the driver’s reaction is insufficient to avoid the crash). In particular, NHTSA is focusing its efforts on dynamic brake system (DBS) and collision imminent braking (CIB) technologies being offered by light vehicle OEMs. ” – www.nhtsa.gov

In July 2012, NHTSA published a Request for Comments seeking feedback regarding its observations about dynamic brake systems and collision imminent braking technologies, as well as consideration of test protocols. NHTSA is in the process of evaluating this feedback and continuing research into safety benefits, test procedures, and reliability of these systems.

1/11/2017

33



On October 16, 2015 NHTSA announced that it was granting “the petition for rulemaking submitted by the Truck Safety Coalition, the Center for Auto Safety, Advocates for Highway and Auto Safety, and Road Safe America on February 19, 2015, to establish a safety standard to require automatic forward collision avoidance and mitigation systems on certain heavy vehicles.” The Federal Register notes: “For several years, NHTSA has researched forward collision avoidance and mitigation technology on heavy vehicles, including forward collision warning and automatic emergency braking systems. The agency will continue to conduct research and to evaluate real-world performance of these systems through track testing and field operational testing.”

–“Considering the information before the agency, including the information referenced in the petition, NHTSA grants the February 19, 2015 petition in accordance with 49 CFR part 552 and initiates a rulemaking proceeding with respect to forward collision avoidance and mitigation systems on vehicles with a GVWR greater than 10,000 pounds.”



On January 28, 2015, NHTSA published a notice requesting comments on the agency's intention to recommend various vehicle models that are equipped with automatic emergency braking (AEB) systems that meet the agency's performance criteria to consumers through the agency's New Car Assessment Program (NCAP). On November 11, 2015 NHTSA announced the “agency's decision to update the U.S. New Car Assessment Program (NCAP) to include a recommendation to motor vehicle consumers on vehicle models that have automatic emergency braking (AEB) systems that can substantially enhance the driver's ability to avoid rear-end crashes. NCAP recommends crash avoidance technologies, in addition to providing crashworthiness, rollover, and overall star ratings. Today, 3 crash avoidance technologies—forward collision warning, lane departure warning, and rearview video systems—are recommended by the agency if they meet NHTSA's performance specifications. NHTSA is adding AEB as a recommended technology, which means that we now have tests for AEB. AEB refers to either crash imminent braking (CIB), dynamic brake support (DBS), or both on the same vehicle.”

1/11/2017

34



Twenty-one comments were received. Most of the comments were from the automobile industry—vehicle manufacturers, associations of vehicle manufacturers, suppliers, and associations of suppliers. In addition, comments were received from another Federal government entity, an organization of insurance companies, and an association of motorcycle interests. Those in support included Advocates, Alliance, AGA, ASC, Bosch, CU, Continental, DENSO, Ford, Infineon, IIHS, Malik, MBUSA, MEMA, NADA, NTSB, Tesla, and TRW. Advocates supported using NCAP to encourage vehicle safety technologies, but indicated its preference for requiring AEB systems on new vehicles by regulation. Honda expressed its support for NCAP generally, but did not specifically support the addition of AEB systems to NCAP. Honda stated that it would like these systems to be rated. IIHS said that its research on the effectiveness of Volvo's City Safety system and Subaru's Eyesight system indicates that NHTSA may have “vastly underestimated the benefit of AEB.” Bosch said a 2009 study it conducted indicated DBS “may be effective” in reducing injury-related rear-end crashes by 58 percent and CIB by 74 percent. The ASC, Bosch, IIHS, MEMA, and, TRW addressed the desirability of NHTSA harmonizing its AEB NCAP test procedures and other evaluation criteria with other consumer information/rating programs, particularly Euro NCAP. Other commenters urged harmonization with Euro NCAP with respect to specific details.

Other Risk Indicators – Complaints - Crash Imminent Braking

1/11/2017

35

Risk Indicators – Investigations - Crash Imminent Braking

Risk Indicators – Investigations - Crash Imminent Braking

1/11/2017

36

Risk Indicators – International Recalls - Crash Imminent Braking

Risk Indicators – U.S. Recalls - Crash Imminent Braking

1/11/2017

37



1/11/2017

38

Risk Indicators – Crash Imminent Braking

Risk Indicators – TSBs

1/11/2017

39

Forward Collision and Lane Departure categories included in EWR reporting beginning in 2015. As of Q2 2016:

9 incidents involving Forward Collision

– 5 of these involve 2015 and 2016 model year Subaru vehicles; 2 were Volvo vehicles

– Including 1 fatalities

1 incident involving Lane Departure

– 2015 Lincoln MKC

Other Risk Indicators – Early Warning Reporting

Crash Imminent Braking exhibits a relatively low risk of defect based upon the primary indicators described, specifically:

Few instances of relatively small recalls in the U.S. (fewer than 50k units);

Very limited TSB history, with small population of vehicles affected;

A supplier was identified in one recall;

Limited NHTSA investigation history;

Crash imminent braking has been the focus of increased regulatory scrutiny which may indicate additional enforcement action as the technology matures.

Among the other indicators of defect analyzed, Crash Imminent Braking demonstrates:

Few instances of recall from international jurisdictions, consistent with U.S. recall activity;

Increase in number of related customer complaints as consumer adoption increases.

Crash Imminent Braking – Overall Conclusion

1/11/2017

40

It is important to appreciate that Crash Imminent Braking is a relatively new technology, with consumer adoption rates increasing.

This technology is integrated into ADAS systems that are also relatively young in the product cycle.

As the number of vehicles incorporating Crash Imminent Braking and other ADAS technologies increases, so too may the risk of defect related to these components.

However, the risk indications that are observed at this time are primarily integration risks – a theme likely to be evident in many ADAS components

Crash Imminent Braking is a technology that has, and will continue to attract increased attention from NHTSA for a variety of reasons.

Therefore, the risk profile associated with Crash Imminent Braking may continue to evolve as the component matures; additional periodic assessment can identify other trends as they emerge.


The review, analysis and consideration of all of these data sets enable suppliers to consider which risks can be quantified. In addition, this data, when combined with internal knowledge and data will enable a process of frequent review and consideration of the latest information, until a more robust risk analysis can be completed.

For new technologies such as AI and autonomous features, the development of mechanisms to enable prompt reaction to the identification of risks and defects presents a clear opportunity to mitigate risks during development, engineering and production.

When longer term data trends can be assessed refinement of the analysis can be completed in order to provide for the quantification and monetization of risk.


1/11/2017

41

The approach described herein provides a robust analysis of the external indicators of recall and excess warranty. Suppliers should also leverage internal institution knowledge of their products, customers, and the marketplace to enhance findings and develop a comprehensive risk assessment.

While internal assessment can provide valuable insights into the risk assessment process, an external, independent review of the data is critical to minimizing the influence of potential institutional bias on the results.

A Comprehensive Approach


Automotive Products RecallKiran Nayee, JLT Specialty Limited

1/11/2017

42

AUTOMOTIVE PRODUCTS RECALLKiran NayeeJLT Specialty Limited

• Takata Air bag inflators

− 26 million vehicles recalled (2015/16)

− USD 3 billion in estimated recall costs

− Biggest ever civil fine (NHTSA) - “Largest and most complex in U.S. history”

• Toyota Gas Pedals (2009-11) - $billions in fines and jury awards

• GM Ignition-Switch recall (2014) - 172 lawsuits alleging death or injury in 2014

• 51,000,000 vehicles recalled by NHTSA (2015)

• ‘Toyota recall another 5.8m cars worldwide’ (Oct 2016)

• ‘GM allowed to delay recall to try to avoid huge financial loss’ (Nov 2016)

HIGH PROFILE LOSSES

Recalling an automotive product costs more than 5 times the original distribution…..

1/11/2017

43

• Increased regulatoryscrutiny (NHTSA)

• Technological advances (testing)

• Technological advances (vehicles)

• Socio-economic landscape

• Social media

• Consumer awareness

• OEM pressure

• Scale of productionand distribution

• Supply chain complexity

AUTOMOTIVE RECALLS ACCELERATING

0

10

20

30

40

50

60

70

80

2011 2012 2013 2014

Mill

ion

s o

f V

eh

icle

s A

ffect

ed

Source: NHTSA

Product liability policies specifically exclude losses arising from recalls

• Competition - increased appetite

• Capacity

• Affordability

• Broader, sector specific wordings

• Worldwide coverage

• Specific contracts

• Retro dates

• Software exclusions being removed

INSURANCE MARKET TRENDS

Can recall insurance products remain relevant with the pace of change within the automotive industry?

1/11/2017

44

KEY COVERAGE

POLICY TRIGGERS LOSSES COVERED*

• Product Safety

− Bodily Injury / Property Damage

− NHTSA

− Government recall

• Product Guarantee

− Failure to perform

• Recall & replacement costs

− Recall, inspection, destruction

− Repair & replacement

− Slotting / Re-slotting fees

• Defence costs

• Consultants costs

• Rehabilitation of brand

• Financial Loss

− Business interruption

− Contractual liability

*Not covered under a standard products liability policy

“Uber blames humans for self-driving car traffic offenses as Californiaorders halt”

“Google driverless car involved in ‘worse crash yet’ after van runs a red light”

“Tesla driver killed whilst using autopilot was also watching Harry Potter”

• In 2020, 30 million cars are expected to be sold withembedded technology

• More than 20 car brands have announced plans to offer vehicles with higher levels of automation by 2020

• More than 50% of new cars will be connected in some way by 2020

• Cyber-attacks are expected to expose the automotive industry to $70 billion of liability by 2020

• Over 50 attack points in the Connected Car Ecosystem

CONNECTED CARS

Shift of emphasis from driver error to products error

1/11/2017

45

• Balance Sheet Protection

• First and third party recall costs

• Customer financial loss

• Covers contractual and legal liability

• Helps protect trading relationships

• Strategic competitive advantage

• Aligned Crisis Management consultancy and incident response

• Plug ‘gaps’ in General Liability covers

• Tailored policies, bespoke to automotive parts manufacturers

BENEFITS

• Independent crisis consultancy firm

• Business resilience & crisis preparedness assessments

• Review manufacturing procedures

• Risk workshops / staff training on quality

• Policies & procedures development & embedding

• Crisis simulations

• Crisis media training

• 24/7 live crisis strategy & response

• Fault analysis post incident

• Work hand-in-hand dealing with customers / regulators / media

RISK IDENTIFICATION & CRISIS CONSULTANCY

1/11/2017

46

Happening Now

• Growing frequency of recalls

• Spiraling costs of managing recalls

• Complexity of claims

• Escalation in penalties

The future

• Technological, ethical and legal challenges

• Shift of risks from human to product errors?

• Increasing shift from motor insurance to product liability and recall

RISK PROFILING?

Can you afford not to have recall insurance…..?


Q&A

1/11/2017

47


Thank You

Thank you for attending today’s program – we hope you found the discussion to be beneficial.

And we hope to see you at next year’s program!

Speaker Contact Info:

Joe Kwederis, [email protected]

Pavan Agarwal, [email protected]

Chanley Howell, [email protected]

Neil Steinkamp, [email protected]

Kiran Nayee, [email protected]

Documents

Final Slide Deck - Foley & Lardner LLP · 2019-04-17 · 1/11/2017 2 ©2017 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models