Does auto insurance protect you from cyber attacks?

Modern advancements have turned cars into places of leisure and convenience. You can settle into warm seats on a chilly winter day, call your spouse hands-free on the way to work, and navigate to a restaurant you’ve never been to before entirely through your car’s centre console.

But all these little luxuries come at the cost of your personal data. Because while your car is warming you up and playing navigator, it’s also tracking your driving habits, your list of contacts, the locations of your home and workplace, and just about everything else intimate to you.  

Most cars that hit the market are now kitted out with Bluetooth capability, key fobs and remote access, 360-degree cameras, media streaming, and even assisted driving.

But while all these techy conveniences were ostensibly developed to make driving safer and more seamless, they’ve also created new avenues for dangerous data breaches.

Keyless tech is making cars easier to steal

According to statistics released this past January by the Government of Canada, car thefts rose by 50% in Ontario and Quebec from 2021 to 2022. In Toronto, 9,600 vehicles were stolen in 2022 alone, marking an increase of 300% from 2015. Western provinces also seeing a rise, albeit at a slower pace.

As thefts continue to surge for certain car models and parts, advanced car technology has made it easier for thieves to get into the driver’s seat and peel off.

These days, most car thefts occur by thieves boosting a signal from a key fob to unlock a victim’s car before making off with it. In April 2022, thieves were able to break into a 2020 Lexus RX 350 by plugging into the diagnostics port under the dashboard, and downloaded information that allowed them to program a key fob. With that, they were able to start the car and ride off into the sunset, reported the Vancouver Sun.

However, more sophisticated thieves have set their sights on digital keys, which allow drivers to unlock their cars (along with performing other functions) with their phones’ Bluetooth signals. While safer than key fobs, digital keys are far from foolproof.

Multiple forms of keyless entry fashioned by hackers have recently been discovered, including a Bluetooth relay attack that remotely unlocked Tesla cars. In 2022, researchers at Montreal’s Concordia University found that the risk can be even greater for those who drive electric vehicles. They found countless instances when these drivers connected to popular charging stations, often through an app, only to be hit with countless security holes and malware infection.

“Cybersecurity has always been important,” says Kwasi Boakye-Boateng, a cybersecurity researcher at University of New Brunswick’s Canadian Institute for Cybersecurity. “If you have something that is connected to the internet, or has a means of connection like through Bluetooth, it’s at risk and it needs to be secured. “

Related: Touch screens in cars are distracting, so why do we keep putting them there?

Car theft is one concern, data breaches are another

Just about anything that’s connected to a car can store and expose details about the vehicle itself.

In a 2023 report, Mozilla analyzed 25 major car brands and their privacy policies, and found these automakers were collecting and storing tremendous amounts of data through sensors, radars, cameras, telematics, and third-party apps like GoogleMaps and Sirius XM.

The information stored by your car can range from your financial information, immigration status, race, genetic and health information, and even, in the case of Nissan, your sexual activity. The majority of these cars don’t even allow your data to be deleted.

As if that weren’t bad enough, many of these automakers were found selling this data to law enforcement, insurance companies and data brokers, and otherwise leaving it vulnerable to data breaches.

“More and more industries are now moving towards automation and digitization given the demand that's out there,” says Ady Sharma, senior vice-president of cyber solutions at Toronto’s Aon. “While that increases operational efficiency, that efficiency comes with heightened risk, because a lot of these devices are controlled by computers. And the moment you have network connectivity, you are opening yourself up to threat actors."

According to Upstream’s 2024 global cybersecurity report, the number and scale of cyber incidents has grown significantly. The report found that, in 2023, cyber security incidents increased by 2.5 times those in 2022. And a growing number of them – 37% of all cybersecurity automotive incidents in 2023 – took the form of data breaches.

Are data breaches and other cyber crimes covered by insurance?

Unlike auto theft, which is covered under comprehensive coverage, there are very few insurance protocols to protect against personal auto-related cybercrimes. In fact, the only cyber insurance policies on the market are only available for home and business.

This is because, at least according to insurance experts, auto-related cybercrime has not posed a significant enough risk to everyday drivers yet to warrant new precautions yet.

“From a personal car perspective, the risk is relatively fairly low when it comes to cyber-attacks,” says Sharma. “Where there is an exposure is out in the field, in mining sites and manufacturing facilities, where they're using autonomous trucks, haul trucks, etc. That's much more of an up-and-coming exposure.”

In response to rising incidents targeting physical infrastructure in manufacturing facilities, mining companies, and construction firms, insurers have policies for “property average exposure,” which covers anything non-physical, like the cost of restoring a network from a cyber attack, installing security, and providing credit monitoring, according to Sharma.

Coverage is also available for physical damage — say, if a hacker takes control of an autonomous vehicle proceeds to damage the facility or other heavy machinery and devices.

Read more: Running a business from home? The right insurance policy is crucial

How to keep your car safe from hackers

While insurance options are limited when it comes to our own automotive cyber protection, there are, however, several simple precautions you can take on your own, says Boakye-Boateng. He suggests:

• Ensuring your car’s software has been updated
• Limiting permission on your phone
• Reading privacy policies and online reviews of apps you’re connected to
• Securing your Wi-Fi password and avoiding public networks
• Turning off your Bluetooth when you’re not using it.

In addition to the above, try not to input every detail about yourself (like your address or birth date) into your car. You don’t even need to connect your phone to your car if you don’t feel comfortable. Ultimately, your car dealer is the one to go to with questions if you’re unsure about anything.

Until insurance companies get with the program, it no longer suffices to just regularly change your password. Finally, if you’re unhappy with the state of data collection on the part of automakers, take up the fight for your privacy rights — yes, terms and conditions are worth a read.