Cybersecurity best practices for connected vehicle and dealership systems
Publish Date: 2026-06-02 01:35:00
Source Domain: www.marsh.com
As connected and automated vehicles (CAVs) become increasingly prevalent in Canada, dealerships face growing cybersecurity risks that extend beyond traditional information technology (IT) systems to include operational technology (OT) and vehicle software.
Protecting these complex ecosystems requires a comprehensive approach that addresses supply chain vulnerabilities, secure software update management, IT and OT convergence, and evolving insurer expectations.
Supply chain vulnerabilities
The automotive supply chain is global and multifaceted, involving OEMs, Tier 1 suppliers, software vendors, and dealerships. A single weak link can expose the entire ecosystem to cyber threats.
For example, compromised software components or unauthorized third-party access can introduce malware or backdoors into vehicle systems or dealership networks.
Software update management systems (SUMS) and over-the-air (OTA) updates security
Canadian regulations, aligned with UNECE R155 and FMVSS 155, require secure management of OTA updates to vehicles. SUMS must confirm that software updates are authenticated, integrity-checked, and securely deployed to prevent malicious code injection or rollback attacks. Dealerships play a critical role in validating these updates during servicing to maintain vehicle cybersecurity.
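The three checks named above (authentication, integrity, rollback protection), as an added example that is not part of the original article or any OEM's code. The manifest fields (`ecu`, `version`, `sha256`), the key, and the firmware bytes are constructed assumptions, and HMAC-SHA256 stands in for the asymmetric signature a production SUMS would verify.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: a real SUMS verifies an asymmetric signature
# against an OEM public key; HMAC is used here so the example needs only the stdlib.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(manifest, key=DEMO_KEY):
    """Return a hex MAC over the canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_update(manifest, tag, payload, installed_version, key=DEMO_KEY):
    """Return (accepted, reason) for an update offered to a vehicle component."""
    # 1. Authentication: the manifest must carry a valid tag from the key holder.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    # 2. Integrity: the payload must match the hash inside the authenticated manifest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        return False, "payload hash mismatch"
    # 3. Anti-rollback: a genuine but older (or equal) version is still refused.
    if tuple(manifest.get("version", ())) <= tuple(installed_version):
        return False, "rollback rejected"
    return True, "ok"


def make_update(version, payload):
    """Build a constructed manifest and tag for the given payload bytes."""
    manifest = {"ecu": "demo-ecu", "version": list(version),
                "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(manifest), payload


def demo(installed=(2, 0, 0)):
    """Run four constructed cases against a component currently on 2.0.0."""
    new_m, new_tag, new_p = make_update((2, 1, 0), b"constructed image 2.1.0")
    old_m, old_tag, old_p = make_update((1, 9, 0), b"constructed image 1.9.0")
    return {
        "valid": verify_update(new_m, new_tag, new_p, installed),
        "tampered_payload": verify_update(new_m, new_tag, new_p + b"\x00", installed),
        "edited_manifest": verify_update({**new_m, "version": [9, 9, 9]}, new_tag, new_p, installed),
        "signed_but_old": verify_update(old_m, old_tag, old_p, installed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The `signed_but_old` case passes both the authentication and integrity checks and is rejected only by the version comparison, which is why rollback protection has to be a separate check.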
IT/OT convergence exploitation
Dealerships increasingly integrate IT systems, such as customer databases and sales platforms, with OT systems, including vehicle diagnostic tools and service bay equipment. This convergence expands the attack surface, as vulnerabilities in IT can be exploited to access OT systems controlling vehicle functions or sensitive data. Segmentation and strict access controls are essential to mitigate these risks.
Evolving insurer expectations
Marsh Canada, as a global broker and risk advisor, and the Insurance Bureau of Canada (IBC), as an industry association representing Canadian insurers, emphasize that insurers, brokers, and industry bodies each have distinct but complementary cybersecurity expectations for dealerships. These include implementing robust cybersecurity frameworks aligned with international standards such as ISO/SAE 21434, ensuring data privacy compliance under Canadian laws like PIPEDA, and adopting best practices in AI ethics and transparency.
With their focus on underwriting criteria and risk mitigation, insurers encourage dealerships to proactively manage emerging cyber and operational risks associated with AI-driven customer engagement. Through advice and guidance, Marsh helps dealerships meet insurers’ risk management expectations.