Cyber Risk Is Compounding. Automotive Governance Is Still Linear.

VicOne 2026 Automotive Cybersecurity Report

Automotive cyber risk no longer follows a clean sequence. Traditional platforms, software-defined systems, connected services, and AI-enabled functions now operate simultaneously inside the same vehicle ecosystem. Risk overlaps. It compounds. It accelerates. Most automotive organizations still govern risk as if these systems were separate. This report explains why continuing to govern cyber risk the same way is becoming a critical business exposure.

The automotive industry has reached a crossroads.

DOWNLOAD FULL REPORT SEE KEY INSIGHTS ↓
Download VicOne 2026 Automotive Cybersecurity Report

Overlap Era

Why Automotive Cyber Risk No Longer Fits a Single Governance Model

This report does not describe future threats. It explains why today’s automotive cyber incidents already create business impact that traditional security structures can no longer contain. The findings are grounded in real-world incidents, Pwn2Own Automotive zero-day discoveries, dark and deep web intelligence, and open-source intelligence.

Accountability
ATTACK SURFACE IS EXPANDING.
ACCOUNTABILITY IS NOT KEEPING UP.

ATTACK SURFACE IS EXPANDING.ACCOUNTABILITY IS NOT KEEPING UP.

From isolated systems to overlapping risk domains

Compared to 2024, attacks now routinely span enterprise IT systems (e.g., ransomware attacks and data leakage), off-board systems, and in-vehicle systems at the same time. This is not a shift in attacker behavior. It is a shift in how automotive systems are built.

Governance still manages risk as if these systems were separate. Ownership, accountability, and decision authority remain fragmented.

Systems have converged. Accountability has fractured.

CyberIncidents
CYBER INCIDENTS NO LONGER STAY INSIDE ONE ORGANIZATION.

CYBER INCIDENTS NO LONGER STAY INSIDE ONE ORGANIZATION.

From local incidents to global impact

Compared to 2024, incidents impacting multiple subsidiaries or business units have more than tripled. In 2025, 161 of 610 cases became global incidents.

Automotive cyber risk is no longer a technical problem. It is a cross-region, cross-supply-chain governance challenge.

As software platforms and OTA infrastructures become more centralized, the impact of a single security failure expands rapidly across the entire organization.

DriverExperience
33% OF CYBER RISK NOW DIRECTLY IMPACTS DRIVER EXPERIENCE.

33% OF CYBER RISK NOW DIRECTLY IMPACTS DRIVER EXPERIENCE.

Recent data confirms a structural shift. Attackers still target enterprise IT systems. They are now extending attacks into user-facing integration layers, moving upward in the vehicle architecture. This signals a new level of attacker maturity.

In-vehicle systems have emerged as the primary target, accounting for nearly 40% of observed attacks. These are the systems drivers interact with every day.

As cyber risk moves closer to the driver, failures become visible incidents that directly shape trust, buying decisions, and brand value. As insurance coverage lags behind system complexity, more losses shift back to manufacturers.

OUTSIDE
11% OF CYBER RISK LIVES OUTSIDE WHAT YOU CAN GOVERN.

11% OF CYBER RISK LIVES OUTSIDE WHAT YOU CAN GOVERN.

A false sense of governance

89%
of automotive vulnerabilities are visible through CVEs. That creates confidence. But it creates blind spots.
11% live outside the CVE system.
They come from zero-day discoveries, independent research, and internal testing. Since 2024, 174 zero-day vulnerabilities have been uncovered through Pwn2Own Automotive. These risks existed in production environments before governance systems were aware of them.
When vulnerabilities fall outside governance, executives are forced into reaction mode. Decisions follow incidents, not risk.
This demands a governance model that connects risk across domains, accounts for vulnerabilities beyond CVEs, and turns technical signals into accountable decisions.
OUTLIVES
WHEN CRITICAL RISK OUTLIVES PRODUCTS, EXPOSURE BECOMES STRUCTURAL.

WHEN CRITICAL RISK OUTLIVES PRODUCTS, EXPOSURE BECOMES STRUCTURAL.

Critical and high-severity vulnerabilities are not just increasing. They are accumulating.

These are the hardest issues to fix. They require long engineering cycles and limited update windows. As their number grows, remediation capacity is compressed. The backlog expands faster than it can be reduced.

In an industry built on long product lifecycles and shared platforms, high-severity risk does not disappear. It carries forward across generations—becoming long-term operational and financial drag rather than a one-time security cost. Over time, this drag constrains investment flexibility and product strategy.

Risk will outlive products. Accountability must outlive releases.

Maintain the Old, Defend the New

How Automotive Cyber Risk Has Shifted Across Vehicle Domains.

Automotive organizations are now required to manage risk across traditional vehicle platforms, software-defined systems, and AI-defined technologies simultaneously. The Past, Present, and Future framework helps leaders identify where risk concentrates today and how it shifts as vehicle technologies continue to evolve across major vehicle functional domains.

IVI AND SMART COCKPIT SYSTEMS: Infotainment Threats

PAST

PAST
  • Insecure Bluetooth/Wi-Fi
  • USB-based exploits
  • Browser vulnerabilities

PRESENT

PRESENT
  • Supply chain attacks
  • OTA-based exploits
  • Cloud API attacks

FUTURE

FUTURE
  • AI-powered attacks
  • V2X exploitation
  • Prompt injection attacks

ADVANCED DRIVER ASSISTANCE SYSTEMS: ADAS Threats

PAST

PAST
  • Hardware and software weaknesses
  • Unpredictable human behavior

PRESENT

PRESENT
  • LiDAR and camera attacks
  • GNSS spoofing

FUTURE

FUTURE
  • Distributed AI risks
  • V2X exploitation

POWERTRAIN: Powertrain Threats

PAST

PAST
  • Jailbreaking
  • Diagnostics abuse
  • Hardware isolation

PRESENT

PRESENT
  • BMS manipulation
  • Spoofing battery sensor feedback

FUTURE

FUTURE
  • Adversarial grid manipulation
  • Powertrain model decision bias

BODY CONTROL AND ACCESS SYSTEMS: Body Control Threats

PAST

PAST
  • Replay and relay attacks
  • CAN injection

PRESENT

PRESENT
  • Rolling jam
  • Key programming

FUTURE

FUTURE
  • Cryptanalysis
  • Positioning and timing spoofing

EV CHARGING INFRASTRUCTURE

PAST

PAST
  • Brokenwire attacks
  • USB-based exploits

PRESENT

PRESENT
  • OTA update hijacking
  • API and entry point exploits
  • Charging station management system (CSMS) vulnerabilities

FUTURE

FUTURE
  • Botnet-driven grid destabilization
  • Insecure by design

AI-DEFINED VEHICLES (AIDV): Emerging AI Threats

A Practical Path Forward in the Overlap Era

The automotive industry is entering an unprecedented era of overlapping risk domains. Success in the Overlap Era will depend on how well accountability is aligned across domains.

Ensuring OEMs can make decisions under pressure

Governance can no longer be structured around individual systems or organizational silos. As risk increasingly spans vehicle domains, enterprise IT, supply chains, and dealer environments, accountability must align with how risk propagates in practice. This enables faster, more consistent decision-making when incidents escalate.

Ensuring risk can be recalculated in real-time

Static risk models and periodic assessments are insufficient for event-driven, cross-domain attacks. Organizations need the ability to continuously recalculate risk by integrating threat intelligence, operational telemetry, and exposure data. This creates a shared, up-to-date view of risk that supports informed prioritization as conditions change.

Ensuring OEMs evolve faster than attackers

As attackers increasingly leverage automation and AI, defensive capabilities must evolve at the same pace. AI-enabled testing and red teaming transform point-in-time assessments into continuous learning loops. Insights from real attack paths feed back into risk computation, enabling organizations to adapt faster and reduce time-to-response.

Your cybersecurity decisions today will shape the next decade of vehicle trust.

DOWNLOAD FULL REPORT

THE FUTURE OF
AUTOMOTIVE
CYBERSECURITY

The Predictions for 2026

Cyber Incidents Become Leadership Stress Tests

Cyber incidents are no longer judged as technical failures. They are leadership stress tests, where public trust is defined by the speed and clarity of executive response.

AI Training Data Becomes the New Supply Chain Risk

As vehicles become AI-defined, compromised training data introduces a persistent risk that can shape vehicle behavior across generations and cannot be easily remediated.

Ransomware Becomes A Fleet Shutdown Weapon

Ransomware is evolving from data theft to fleet-level operational paralysis. Cyber risk will be measured by availability and revenue continuity, not just data loss.

One OTA Breach Becomes A Boardroom Crisis

Centralized OTA trust means a single breach can impact fleets at scale. Under pressure, slow decisions can rapidly escalate into mass recalls and substantial operational cost.

DOWNLOAD FULL REPORT