VicOne Releases Its 2026 Automotive Cybersecurity Report — and the Message Is Blunt: Your Breach Is No Longer Just Yours
There’s a comfortable fiction in cybersecurity that when something goes wrong, it stays inside your walls. Your breach. Your incident response plan. Your forensics team cleaning up your mess. That fiction just got demolished.
VicOne’s 2026 Automotive Cybersecurity Report, titled Crossroads: Automotive Cybersecurity in the Overlap Era, dropped February 11, 2026, and it documents what automotive CISOs have been feeling in their gut for the past eighteen months: cyber incidents in the connected vehicle ecosystem no longer respect organizational boundaries. They spread. They cascade. They hit the OEM, the Tier 1 supplier, the cloud provider, and the end consumer in a single campaign. And the industry’s governance structures — designed for a world where “our network” meant something — are not keeping up.
The numbers tell the story without any embellishment. VicOne recorded 610 automotive-related security incidents and 1,384 vulnerabilities in 2025. Cross-region, multi-business incidents more than tripled year-over-year, accounting for 161 of those cases. Data leakage costs between January and October 2025 reached $6.6 billion. These are not rounding errors. This is a structural transformation in how automotive cyber risk works.
5 Key Takeaways
- Automotive Cyber Incidents Have Broken Free from Organizational Silos. 610 incidents and 1,384 vulnerabilities in 2025. Cross-region, multi-business cases tripled to 161. Data leakage cost $6.6 billion. Attacks now span enterprise IT, cloud, and in-vehicle systems in a single campaign. Kiteworks provides unified governance across every data channel — with a consolidated audit log that captures every interaction regardless of boundary.
- The Vehicle Is Now the Primary Attack Surface — and It Holds Your Customers’ Most Sensitive Data. In-vehicle systems surpassed enterprise IT as the top attack target (39.7% vs. 37.7%). Infotainment, gateways, and ECUs broker contacts, location, voice recordings, and account tokens. Cockpit data is predicted to become ransomware leverage. Kiteworks’ attribute-based access controls enforce data-centric protection at every trust boundary.
- “Swiss Cheese” Compliance: Full Regulatory Coverage Still Leaves Gaps. ISO/SAE 21434, UN R155, IEC 62443, ISO 15118-20, and NIST IR 8473 together leave persistent gaps where domains intersect. No single standard covers the full attack surface. Kiteworks provides pre-configured templates for 50+ frameworks with real-time policy enforcement — closing the gap between documented controls and enforced ones.
- The Software Supply Chain Is the New Front Door for Automotive Attackers. VicOne calls for SBOMs and AI BOMs as compliance-grade assets, and event-driven “Dynamic TARA” replacing static risk assessments. The WEF ranks supply chain visibility as a top concern. Kiteworks’ audit trails, role-based controls, and hardened encryption architecture govern every supplier data exchange.
- Board-Level Accountability Has Arrived — Security Leaders Need Evidence, Not Excuses. VicOne CEO Max Cheng confirms cybersecurity is a board-level issue. Boards ask: What’s our regulatory exposure? What data is protected? What happens in a cross-boundary breach? Kiteworks delivers executive-ready compliance dashboards across 50+ frameworks, with FIPS 140-3 validated encryption and zero trust architecture that backs up what you report.
Welcome to the Overlap Era: Where Everything Touches Everything
VicOne’s framing concept — the “Overlap Era” — captures a reality that extends well beyond automotive. It describes a period in which traditional vehicle platforms remain in service at global scale while software-defined vehicles, cloud-connected ecosystems, and features that learn and adapt are being deployed at the same time. Vehicles, backend services, enterprise IT, and external infrastructure are tightly coupled by design. Cybersecurity ownership and governance, however, often remain fragmented.
The practical consequence: an attacker who compromises a cloud API can reach vehicle control systems. A weakness in a Tier 2 supplier’s over-the-air update backend can cascade into safety and privacy risks for entire fleets. A vulnerability in an EV charging station’s management console can expose customer identity, billing metadata, and charging session data across hundreds of thousands of users.
This is the same interconnection dynamic the WEF Global Cybersecurity Outlook 2026 describes across industries: a new generation of cyber incidents exposing the fragility of digital connections, where a single local fault or targeted attack can rapidly cascade into consequences at scale. The difference in automotive is that the consequences can be physical. When the system under attack is traveling at highway speed with a family inside, the stakes transcend data governance.
The Vehicle Is Now the Primary Target — and It Knows Everything About You
One of the report’s most striking findings is a crossing point: in-vehicle systems have surpassed enterprise IT as the largest observed targeting area, at 39.7% versus 37.7%. This is not a marginal shift. It’s a reorientation of where attackers see value.
The most targeted in-vehicle components — infotainment and head units, in-vehicle networks and gateways, ECUs and embedded software — are also the systems that handle or broker the most sensitive personal data: contacts, location history, microphone and voice recordings, paired phone data, navigation destinations, and account tokens. The report characterizes these systems as integration hubs where user inputs and external services converge. In privacy terms, they are data aggregation layers with expanding attack surfaces.
VicOne identifies three specific risk vectors within this space. First, the third-party app ecosystem — including Android Automotive and CarPlay integrations — introduces supply chain risk through unvetted code that can harvest location and microphone data. Second, companion apps and backend APIs suffer from authentication flaws, broken object-level authorization, and injection vulnerabilities that enable cross-tenant data exposure. Third — and this is the one that should make privacy officers lose sleep — the report predicts that cockpit data will become ransomware leverage, with attackers threatening to expose driving behavior and personal information.
The Dragos 2026 OT/ICS Cybersecurity Report documents a parallel pattern in industrial environments: threat groups like VOLTZITE are no longer just collecting data from IT networks but directly interacting with operational technology devices and stealing sensor and operational data. The convergence is clear: whether you’re protecting a power grid or a connected vehicle, attackers are going where the most valuable data lives — and that’s increasingly on the edge, in the physical systems themselves.
EV Charging Infrastructure: The Expanding Attack Surface Nobody Owns
The report gives significant attention to EV charging infrastructure as a growing source of cyber exposure. Charging stations connect vehicles, backend services, mobile applications, and the power grid at scale. They process customer identity, charging session data, billing and payment metadata, and operational telemetry. And the vulnerabilities VicOne documents — authorization bypass and injection flaws — can scale across customers and fleets.
The compliance problem here is acute. VicOne maps multiple standards against EV charging security and finds that no single standard covers the full attack surface. ISO 15118-20 secures EV-to-charger communications but does not fully cover operating systems, management planes, or firmware. IEC 62443 addresses industrial control security but leaves gaps for IT components. ISO/SAE 21434 focuses primarily on vehicle-centric cybersecurity engineering. UN R155 references areas outside vehicles, but EV charging infrastructure is covered only indirectly. NIST IR 8473 serves as an integrative reference but is not itself a conformance artifact.
The bottom line: checking every compliance box across these standards does not guarantee you’ve covered real attack paths — especially those crossing charger, cloud, and vehicle boundaries. For organizations that handle sensitive data across similarly fragmented regulatory environments, this pattern is familiar. Kiteworks addresses it by providing unified governance across all data communication channels, with automated compliance reporting that maps controls to specific regulatory requirements rather than treating compliance as a standalone exercise disconnected from operational security.
When the Car’s AI Assistant Becomes a Phishing Channel
The report introduces a risk pattern it calls assistant-mediated content injection, where an in-vehicle AI assistant can be manipulated into surfacing malicious links, phone numbers, or destinations through poisoned listings, ads, or metadata. Because the assistant operates as a high-trust interface — drivers expect it to be authoritative — it becomes a vehicle-native social engineering channel.
If the assistant can initiate actions — calls, navigation, payments — the risk extends into transaction integrity and user consent. This is the automotive equivalent of a problem the enterprise data security world has been grappling with: what happens when a trusted interface processes untrusted content, and the user cannot tell the difference?
The WEF Global Cybersecurity Outlook 2026 captures this dynamic at an industry level: only 40% of organizations assess the security of tools before deploying them, and the gap between organizations that do and those that don’t correlates directly with resilience levels. Kiteworks’ Secure MCP Server provides a model for how trusted-but-verified governance should work: every operation by an external agent — including LLM-based applications — is subject to role-based and attribute-based access controls, with comprehensive audit logging of every interaction. The principle applies whether the agent is a corporate chatbot or a car’s voice assistant: trust the interface, verify the action, log everything.
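As an added illustration of that last principle applied to the assistant-mediated content injection pattern above (example code written for this post, not VicOne's or Kiteworks' own), the gate below treats contact details found in externally sourced listing text as untrusted: a number is dialed without friction only when it matches a verified directory the OEM maintains, a number that contradicts the verified record is blocked as a likely poisoned listing, an unverified business requires explicit driver confirmation, and every decision is logged. The directory, listing text and numbers are constructed for the example.

```python
import re

# Constructed sample data for this demonstration (not real businesses or
# numbers): contact details the OEM has verified (trusted) and listing text the
# assistant fetched from an external search or ads provider (untrusted).
VERIFIED_PHONES = {"stadt garage": "+498912345670"}
AUDIT = []  # decisions the assistant made; a real system forwards these to a SIEM

_PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def normalize_phone(raw):
    """Strip formatting so numbers from different sources compare equal."""
    return re.sub(r"[\s().-]", "", raw)


def gate_call(business, listing_text):
    """Decide whether the assistant may dial a number taken from untrusted
    listing content. Returns (verdict, number):
      'allow'   - number matches the OEM-verified record; dial it
      'confirm' - no verified record exists; show the driver the number and
                  where it came from, and dial only after explicit confirmation
      'block'   - listing contradicts the verified record (the poisoned-listing
                  pattern) or carries no usable number; never dial it
    Every decision is appended to AUDIT so injection attempts that reach many
    vehicles can be correlated across the fleet."""
    numbers = [normalize_phone(n) for n in _PHONE_RE.findall(listing_text)]
    verified = VERIFIED_PHONES.get(business.lower())
    if not numbers:
        verdict, number = "block", ""
    elif verified is None:
        verdict, number = "confirm", numbers[0]
    elif verified in numbers:
        verdict, number = "allow", verified
    else:
        verdict, number = "block", numbers[0]
    AUDIT.append({"business": business, "listing_numbers": numbers,
                  "verified": verified, "verdict": verdict})
    return verdict, number
```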
What Automotive CISOs — and Every CISO in a Connected Ecosystem — Should Do Now
Move from system-based security to cross-domain governance. The report recommends governance that assigns clear ownership and escalation paths and measures risk by service, fleet, and impact radius — not by individual component. Because incidents span IT, cloud, vehicle, and charging infrastructure, the governance model must match. Kiteworks provides this cross-domain governance for sensitive data: unified policy enforcement across every communication channel, with a single consolidated audit log that eliminates the visibility gaps that fragmented tools create.
Make risk assessment continuous, not periodic. VicOne calls for replacing static risk assessments with event-driven “Dynamic TARA,” triggered by code changes, SBOM updates, zero-day disclosures, and threat intelligence. This maps to the broader industry shift from periodic audit readiness to continuous compliance. Kiteworks’ real-time policy enforcement and automated evidence collection deliver exactly this: continuous proof that controls are active, not just documented.
Treat SBOMs and AI BOMs as compliance-grade assets. Traceability is foundational for audits, incident investigations, and supplier accountability. Organizations need live software supply chain visibility, not static inventory documents. Kiteworks’ comprehensive audit trails — tracking every file, every user, every action across every channel — provide the traceability model that the automotive industry now requires for software components.
Harden every trust boundary where personal data flows. The report recommends stronger memory safety, privilege isolation, input validation, and continuous behavioral monitoring for infotainment and AI systems. These are the same principles that Kiteworks applies to enterprise data: zero trust architecture where all IP addresses are blocked by default except those explicitly allowed, embedded network firewalls, intrusion detection, and customer-owned encryption keys that ensure no outside party can access protected data.
Equip boards with evidence, not dashboards full of alerts. The WEF reports that board members at highly resilient organizations hold personal liability for cyber breaches at nearly three times the rate of insufficiently resilient organizations (30% versus 9%). Boards want to know: what percentage of sensitive data is encrypted, what controls were enforced, and which regulatory requirements are satisfied. Kiteworks provides compliance status across 50+ frameworks, data risk posture visualization, and regulatory reporting automation that generates GDPR Article 30 records, HIPAA audit reports, NIS2 incident notifications, and CMMC evidence — in the language boards can act on.
Cross-Domain Risk Requires Cross-Domain Governance
The VicOne 2026 report’s core message is that privacy and compliance outcomes are now determined by cross-domain cybersecurity governance. Data exposure risk does not live only where personally identifiable information is stored. It emerges where vehicles, cloud services, OTA pipelines, dealer systems, AI supply chains, and EV charging infrastructure intersect — often across regulatory boundaries, and almost always across organizational boundaries.
This is not an automotive-specific problem. It is the same systemic risk the WEF identifies across every interconnected industry. It is the same supply chain vulnerability that CISOs in financial services, healthcare, manufacturing, and critical infrastructure face when they cannot assure the integrity of third-party software, hardware, and services flowing through their ecosystems.
The organizations that will manage this risk effectively are the ones that stop governing security in silos and start governing it across every domain where sensitive data moves. Kiteworks is the platform that makes this operational: unified data governance, real-time policy enforcement, comprehensive audit trails, executive reporting that proves compliance, and the encryption architecture that ensures the security you report is the security that actually exists.
The Overlap Era is not a phase. It is the permanent operating condition for every organization whose data, systems, and partners are interconnected. The question is not whether your security program will face cross-domain risk. The question is whether your governance infrastructure is built to handle it.
To learn how Kiteworks can help, schedule a custom demo today.
Frequently Asked Questions
ISO/SAE 21434 requires organizations to implement a cybersecurity management system covering risk assessment (TARA), concept-phase threat analysis, and post-development monitoring throughout a vehicle’s lifecycle. Its gap: it is vehicle-centric and does not govern cloud backends, EV charging infrastructure, or third-party app ecosystems. When an attack crosses from a companion app API into vehicle systems, 21434 compliance on the vehicle side doesn’t address the exposure origin. Cross-domain audit trails and unified policy enforcement fill what 21434 leaves ungoverned.
Dynamic TARA replaces point-in-time threat assessment with event-triggered analysis — running automatically on code merges, SBOM changes, zero-day disclosures, and threat intelligence updates. Static TARA fails because software-defined vehicles receive continuous OTA updates, meaning the attack surface changes between assessments. A vulnerability disclosed the day after a static TARA won’t be evaluated until the next scheduled review — potentially months later — giving attackers a structural window. Continuous audit logging and real-time policy enforcement provide the equivalent for data governance.
Companion apps hold long-lived OAuth tokens granting access to vehicle state, location history, remote commands, and account data. Broken object-level authorization — where API endpoints don’t verify the requesting user owns the resource — enables cross-tenant exposure at scale: one compromised account can enumerate other users’ data through the same endpoint. Unlike in-vehicle exploits requiring physical proximity, API flaws are remotely exploitable at volume. These are the same token abuse patterns documented by Unit 42 in enterprise SaaS environments — same architecture, same supply chain risk, vehicle-scale personal data exposure.
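To make the broken object-level authorization pattern concrete, here is an added example (written for this post, not code from VicOne, Kiteworks or any real companion-app backend) of a vehicle-location endpoint in its vulnerable form beside the hardened form: the fix scopes the lookup to the caller's account, answers 404 for both missing and foreign vehicles so the status code cannot be used to enumerate ids, and records each denial so a single account probing many foreign vehicles stands out in the audit log. Tokens, account ids and vehicle records are constructed placeholders.

```python
import hashlib

# Constructed sample data for this demonstration (not real tokens or vehicles):
# companion-app bearer tokens mapped to the account they were issued to, and
# vehicles keyed by id with their owning account and last known position.
TOKENS = {"tok-alice": "acct-1001", "tok-bob": "acct-2002"}
VEHICLES = {
    "veh-1": {"owner": "acct-1001", "location": (48.137, 11.575)},
    "veh-2": {"owner": "acct-2002", "location": (52.520, 13.405)},
}
AUDIT = []  # in-memory audit log; a real deployment forwards this to a SIEM


def authenticate(token):
    """Resolve a bearer token to an account id, or None if it is unknown."""
    return TOKENS.get(token)


def get_location_vulnerable(token, vehicle_id):
    """The BOLA pattern: the endpoint authenticates the caller but never checks
    that the requested vehicle belongs to the caller, so any valid account can
    walk vehicle ids and read every other customer's position."""
    if authenticate(token) is None:
        return 401, None
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None:
        return 404, None
    return 200, vehicle["location"]


def get_location_hardened(token, vehicle_id):
    """Object-level authorization: the vehicle must belong to the caller's
    account. Missing and foreign vehicles both answer 404, so the status code
    cannot be used as an oracle for which ids exist."""
    account = authenticate(token)
    if account is None:
        return 401, None
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None or vehicle["owner"] != account:
        # Log the denial with a token fingerprint (never the raw token): one
        # account producing many denials on foreign ids is the enumeration signal.
        AUDIT.append({"event": "object_access_denied", "account": account,
                      "token_fp": hashlib.sha256(token.encode()).hexdigest()[:12],
                      "vehicle_id": vehicle_id})
        return 404, None
    return 200, vehicle["location"]


def denied_count(account):
    """Detection helper: number of foreign-object denials recorded for an account."""
    return sum(1 for e in AUDIT
               if e["event"] == "object_access_denied" and e["account"] == account)
```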
Cockpit data — location history, voice recordings, contacts, driving behavior, paired device information — constitutes personal data under GDPR, CCPA, and equivalent frameworks. Unauthorized exfiltration triggers breach notification obligations regardless of whether the attacker encrypts systems. Under GDPR, that’s a 72-hour supervisory authority notification window. For fleet operators processing employee driving data, the exposure extends to employment privacy obligations. Data governance controls that limit what cockpit data is retained, how long, and under what access restrictions are the only pre-breach mitigation.
Liability allocation depends on contractual data processing agreements and applicable regulation. Under GDPR, if the OEM is the data controller and the Tier 2 supplier processes personal data on its behalf, the OEM bears primary notification and accountability obligations — even if the breach originated upstream. UN R155 places cybersecurity management system obligations on vehicle manufacturers, including supply chain oversight. OEMs that cannot demonstrate supplier access controls, audit trails of data exchanges, and contractual security requirements face both regulatory and civil liability when cascading incidents expose end-user data.