Manufacturing companies account for almost 30% of all ransomware victims globally, and US companies account for more than half of all victims. The US auto industry can see the writing on the wall more clearly than anyone. Focusing on risk mitigation tactics such as carrying cyber insurance policies, promoting a culture of digital hygiene, and, more critically, collaborating within the C-suite to correctly integrate systems with a secure, flexible infrastructure can help stem the tide permanently.
The lack of accurate threat modeling in the cyber insurance industry means coverage isn't perfect, or even adequate. While insurers may be able to cover some damage, they are reluctant to assume all risk. Furthermore, there are some consequences that an insurer intrinsically cannot cover: a loss of consumer confidence and/or data, viability after an IP leak, reputational hits, or any number of unpredictable outcomes surrounding ransomware payouts. There are catastrophic downsides to a weak InfoSec strategy. This should be untenable, but many organizations feel confident in cloud security and their insurance policies and are curtailing security innovation; it is a false sense of security. The cloud infrastructure is ultimately what gets exploited, and organizations are required to connect sensitive networks to the internet, yet the businesses renting resources receive the most scrutiny.
As long as networks holding sensitive data are connected to the internet, they are potential targets. Insureds may not have any choice but to use public cloud, which is perhaps why they carry insurance, but they must accept that the increased threat surface exposes them to data breaches and ransomware. Additionally, auto-design IP grows increasingly valuable as global automotive innovation is driven by changing consumer tastes; protecting novel engineering projects for EV and prototype designs is critical as the market trends away from combustion engines. Most pressing, however, is the risk of losing control of production. Instead of having to call an insurer to come do damage control or negotiate with threat actors, protect the data so no call has to be made in the first place.