Supplier cyber risk concerns auto industry

Dive Brief:

  • In a new study by Synopsys and SAE International, 73% of respondents expressed concern about the cybersecurity of third-party providers, yet only 44% said their organization imposes cybersecurity requirements for products from upstream providers.
  • Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices also found 30% of organizations don’t have an established cybersecurity program or team, and 63% test less than half of the automotive technology they develop for security vulnerabilities.
  • “This study underscores the need for a fundamental shift — one that addresses cybersecurity holistically across the systems development lifecycle and throughout the automotive supply chain,” Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group, said in the release.

Dive Insight:

The automotive supply chain is long and complex. A compromise at a small, tier 3, single-part producer can be disastrous for every company above it in the chain.

Attackers have no shortage of entry points. According to the EY Global Information Security Survey 2018-19, 1.95 billion records containing personal information and other sensitive data were compromised between January 2017 and March 2018, and 550 million phishing emails were sent by a single campaign during the first quarter of 2018. The average cost of a data breach last year, EY reported, was $3.62 million.

Opportunities do exist for automotive supply chains to protect themselves. One organization, the 3,000-member Automotive Industry Action Group (AIAG), last year released the Cyber Security 3rd Party Information Security publication to support industry efforts to protect sensitive data by outlining a unified set of cybersecurity guidelines for automotive trading partners.

Its strategies are based on industry best practices and standards. The National Institute of Standards and Technology (NIST) helped create the document. Also participating were security leaders from General Motors, Ford, Honda and Fiat-Chrysler, with additional input from Toyota, Nissan, Caterpillar, Bosch, Continental and Magna International.

The guide covers such areas as access controls, data encryption, vulnerability management, security audits of suppliers and third parties, data retention and disposal, and security investigations. Along with this framework, each original equipment manufacturer (OEM) can take additional measures to increase the security of its suppliers and their supply chains.

“Over the course of the past 25 years, we have seen a remarkable shift in enterprise value from tangible to intangible assets. Data is the new currency,” J. Scot Sharland, executive director of AIAG, said when the publication was announced. “As such, more effective command and control of data has become an enterprise risk management priority.”

07 February 2019 | Barry Hochfelder | Supply Chain Dive

How to manage warranty, regulatory and commercial litigation risks in the auto supply chain

Editor’s Note: The following is a guest post written by Partner Mark Aiello and Senior Counsel Andrew Fromm of Foley & Lardner.

Elevated warranty charges for Original Equipment Manufacturers (OEMs) are expected to continue in 2018, and automotive suppliers can expect to continue paying a higher share of these expenses. Because OEM purchase orders and corresponding terms and conditions contain terms that are highly OEM-favorable, exceptions and limitations to supplier warranties are difficult to negotiate.

Start warranty risk management right away

Warranty risk management should begin prior to contracting. Product design and/or manufacturing specifications should be clearly set forth in the contract documents, and any inapplicable warranties, including those outside the scope of the supplier's design responsibility, should be disclaimed.

Consider documenting any suggested alternative design for a more robust or better-performing product that the OEM declined. Furthermore, the key documents relating to product testing and acceptance criteria, and to which party is responsible for which level of testing, should always be preserved and readily accessible in the event of a dispute.

Warranty risk can be managed during the contracting phase through the use of contractual provisions relating to insurance, indemnification, and dispute resolution.

When a warranty issue arises, the supplier needs to react quickly to identify the root cause(s), contain the problem, and establish clean points (the exact points in the supply chain that the product was last known to be conforming).

To move through this process efficiently, suppliers should have clear strategies in place from the start: protocols for analyzing the root causes of product failure, and for reviewing dealer repair codes and other OEM warranty data that could implicate the product.

They should similarly establish a protocol for handling warranty claims, including product return and inspection. Finally, it’s also important that suppliers understand the warranty period that will apply to the product, when the warranty period will begin to run, and what obligations the supplier has to the OEM under the warranty claim.

If the claim involves multiple parties, the tier 1 supplier should work closely with the OEM to identify and document quality issues early, and to promptly communicate responsibilities relating to the warranty claim. If the claim involves a lower-tier supplier, notice of the warranty claim and of any breach of the applicable agreements, documentation of the root cause(s), and documentary evidence supporting the supplier's damages are essential should litigation arise.

These steps are key to ensuring that the supplier can later demonstrate that it should be responsible for only a certain portion of the total recall costs, that it can pass through any costs that are the responsibility of the tier 2 supplier, and that it can recover its own damages.

How to navigate NHTSA recalls and investigations

Automotive suppliers should have internal safety review procedures in place before any problem surfaces, so that if a supplier identifies a safety defect that must be reported to the National Highway Traffic Safety Administration (NHTSA), it can act promptly and consistently.

Where a potential defect may involve components supplied by lower-tier suppliers, the supplier must review all relevant purchasing contracts for provisions relating to recalls, decision-making, reporting, cooperation, design responsibility, and allocation of cost recoveries.

Suppliers also should update their purchase order terms and conditions to ensure that they contain the appropriate contractual protections from lower-tier suppliers.

If NHTSA commences a defect investigation, it is likely the OEM will be asked to submit confidential supplier information, including design and engineering documents and test data. The supplier should request that the OEM seek confidential treatment of such information in accordance with NHTSA's regulations.

In many cases, this will require an affidavit by the supplier setting forth the basis for the confidentiality of the information under relevant Freedom of Information Act (FOIA) exemptions.

The supplier should consider past NHTSA recalls and investigations involving similar products to develop its own position on whether or not the component or the vehicle contains a safety-related defect within the meaning of the National Traffic and Motor Vehicle Safety Act and NHTSA's regulations.

The supplier should also monitor new recalls and investigations that may affect it or its products, as well as regulatory developments such as proposals for new safety standards or guidelines, amendments to existing standards, and OEM submissions to NHTSA.

How to reduce risk of litigation

While litigation is sometimes unavoidable, automotive suppliers also can take other basic steps prior to contracting to reduce the risk of litigation.

For example, companies should confirm the specific corporate entity that will be the counter-party to the contract. The counter-party's domicile, litigation history, credit history, and reputation should be reviewed. Companies should also confirm that the written contract accurately captures all prior oral promises, negotiated rights, and obligations.

If the contract involves a party outside of the United States, a forum selection or arbitration clause should be considered. Additionally, for long-term agreements, the supplier should confirm that the risks of early termination by the counter-party have been addressed.

During performance of the contract, the company should ensure that a point of contact has been tasked with ensuring compliance with the contract, and that applicable documents and relevant communications are readily accessible when needed.

When a dispute arises, important conversations or meetings on the subject should be carefully documented, and confirming emails or meeting minutes should be sent to the counter-party. If the dispute escalates into a claim, a point of contact should be designated as the lead and an early assessment of the validity and accuracy of the claim should be performed.

The company should also ensure that it has gathered all documents relating to damages, including records of all travel and employee time spent addressing the dispute.

While the above steps cannot eliminate the risk of litigation, they can reduce the likelihood of litigation, and better position the supplier for success when it is unavoidable.

02 May 2018 | Mark Aiello and Andrew Fromm | Supply Chain Dive