Why Auto Cyber Is Now a Boardroom Problem

VicOne's 2026 report finds cross-org auto cyber incidents tripled, as OTA and cloud links erase old boundaries

30 Mar 2026

A landmark cybersecurity report released in February 2026 found that cyber incidents targeting the automotive sector no longer stay contained within individual companies, but instead cascade across supply chains, cloud platforms, and vehicle fleets, fundamentally altering the security calculus of the software-defined vehicle era.

VicOne, an automotive cybersecurity firm, tracked 610 security incidents and 1,384 vulnerabilities across the industry in 2025. The most significant finding was a more-than-threefold year-over-year increase in cross-organization attacks, with 161 incidents spanning multiple companies and regions. Analysts attributed the spread to centralized over-the-air update infrastructure, shared cloud backends, and interconnected software platforms, architecture that allows a single compromised entry point to ripple from a Tier 2 supplier through to an automaker's global fleet.

The report frames the current moment as an "Overlap Era," a period in which legacy vehicles and next-generation software-defined platforms coexist within the same connected ecosystem. Risk, the report argues, does not diminish as new technology arrives; it compounds. VicOne's chief executive, Max Cheng, said vehicles, cloud platforms, and enterprise IT now function as a single operational fabric, making siloed governance approaches untenable. Cybersecurity, the report concludes, has become a board-level accountability issue.

For the first time on record, in-vehicle systems surpassed enterprise IT as the primary target category, accounting for nearly 40 percent of all observed incidents. Infotainment systems and electronic control units, which store location data, contacts, and connected device credentials, drew particular attention from attackers. A third of all cyber risk in 2025 directly affected driver-facing systems, moving security failures out of server rooms and into vehicles on public roads.

EV charging infrastructure emerged as a distinct vulnerability. Chargers link vehicles, cloud services, and the power grid, yet no single regulatory framework currently governs that full attack surface. VicOne identified gaps across several international standards, including ISO 15118-20 and UN R155, when mapped against observed charging attack paths. For automakers and their supplier networks, the findings suggest that standards compliance alone is no longer sufficient. Whether the industry moves toward unified lifecycle governance, or remains fragmented across regulatory jurisdictions, may determine how quickly cross-organizational risk can be contained.