Cybersecurity and Data Privacy
3 Key Takeaways

  1. Prioritize ransomware and extortion resilience: Build incident response plans that address production shutdowns, fleet immobilization, and coordinated multi-site attacks. Clarify the decision-making authority for ransom and extortion payments in supplier contracts.
  2. Harden AI-powered systems: Secure backend APIs, OTA update pipelines, and cloud platforms that support AI features. These are now primary attack vectors for sophisticated threats.
  3. Navigate state privacy patchwork: Connected vehicle data is now subject to comprehensive privacy laws in multiple states. Implement frameworks that satisfy varying notice, consent, and deletion requirements across jurisdictions.

As we head deeper into 2026, hackers are a greater concern than ever. Ransomware and extortion (50%) now lead as the top concern, up 5 percentage points from 2025. Recent sector data show that ransomware accounts for 40-45% of publicly reported automotive cyber incidents, more than double the share a year ago. Attacks have evolved beyond IT networks to target telematics backends and vehicle command-and-control systems, creating a threat in which attackers remotely lock drivers out and demand payment for access. This was foreshadowed in Russia, where a suspected attack on Porsche satellite-enabled immobilizers and a confirmed attack on a car alarm service provider immobilized thousands of cars. In addition, many traditional “ransomware” attacks have morphed into extortion attacks in which the threat actor does not disable systems but instead quietly steals information and threatens to expose it.

New cybersecurity regulations and standards (47%) have declined as a concern by 11 percentage points from last year, but they remain elevated as companies operationalize frameworks such as UNECE WP.29 (UN R155/R166) and adapt to evolving requirements. The drop suggests the industry emphasis is shifting from understanding new rules to implementing compliance programs, though the burden remains substantial. Regulatory and standardization activity has, in fact, accelerated, including data processing regulations like the EU Data Act (effective September 2025); operational and HMI standards, such as ISO/TS 20003:2026 (governing OTA updates); and privately proposed software security standards such as Automotive-CIS.

AI-driven cyberattacks (44%) were up from 37% last year, reflecting the growing sophistication of adversaries who use AI to facilitate social engineering, automate reconnaissance, generate new exploits, and carry out large-scale campaigns that outpace traditional defenses. Backend APIs, OTA update pipelines, and cloud platforms supporting AI-enabled features are now prominent targets, with most automotive cyber incidents conducted remotely through API misconfigurations.

Supply chain and tech stack vulnerabilities (32%) have increased 3 percentage points from 2025, indicating persistent concern about third-party software and hardware components that create exposure across entire networks. EV charging infrastructure attacks (9%) rank lowest, declining 19 percentage points from 28% last year, suggesting either improved security or that this threat has been deprioritized relative to more immediate concerns.

One Big Thing:

Fifty States, Fifty Standards

State privacy law compliance (49%) now rivals worries about ransomware, proving that legislative fragmentation can be as disruptive as malicious code. This elevation reflects the proliferation of comprehensive state privacy laws and the recognition that connected vehicles are now explicit enforcement priorities for state regulators.

The challenge is structural. OEMs now face a patchwork of state laws governing connected vehicle data, a dramatic shift for a sector historically oriented toward federal safety and emissions standards. California, Colorado, Virginia, Connecticut, and other states have enacted comprehensive privacy laws with varying requirements for notice, consent, data minimization, and consumer rights. Some states are going further with vehicle-specific requirements that impose unique obligations beyond general privacy frameworks.

Inconsistency across state laws creates operational complexity: a single nationwide vehicle platform must comply with the strictest requirements in every state (which may inhibit features that would otherwise be available in some states) or implement geofencing and differentiated data practices by jurisdiction (a measure that can be complicated and unreliable). Notice/consent mechanisms, data sharing and commercialization, data retention policies, and deletion processes are affected in different ways by different states’ laws. One state might only require opt-outs in relation to processing geolocation data; others may want explicit opt-ins. Finally, applying notice-and-consent principles may prove difficult under various state laws when it comes to passengers rather than vehicle owners or drivers.

Recent enforcement actions demonstrate that compliance is not a theoretical problem. State attorneys general have investigated automakers and telematics providers for data-sharing practices. States are using both comprehensive privacy statutes and unfair trade practice laws to pursue enforcement, deploying multiple legal theories to challenge the same underlying data practices.

For legal teams, the challenge is building compliance frameworks that scale across jurisdictions without creating dozens of state-specific programs or exceptions. This requires identifying the common denominators across state laws (affirmative consent for sensitive data, clear opt-out mechanisms, data access and deletion rights) and implementing those as baseline practices, then layering state-specific requirements where laws diverge. The alternative is a fragmented, ad hoc compliance approach that becomes unmanageable as more states enact privacy legislation and enforcement intensifies.

Dante A. Stella
Member
Detroit
313-568-6693
dstella@dykema.com