Financially motivated hackers escalated their focus on the automotive and smart mobility sector in 2025, with ransomware now accounting for nearly half of all recorded cybersecurity incidents – a rate that more than doubled year over year, according to an annual industry report by Upstream. The 2026 Global Automotive and Smart Mobility Cybersecurity Report, published May 26, drew from 494 publicly disclosed incidents within the global automotive ecosystem during 2025.
The data indicates that the sector is contending with a more organized class of attacker, a widening set of digital entry points, and an attack pattern that is no longer limited to back-office systems. For underwriters, claims teams, and risk managers with exposure to connected mobility, the trend raises questions about how current cyber policy structures hold up against a threat environment that is increasingly physical in its consequences.
The report found that black hat actors – those operating for financial or criminal gain – were responsible for 71% of incidents in 2025, up from 65% the prior year. The shift reflects a pattern of organized groups directing resources toward a sector that manages large volumes of personal data, operates critical infrastructure, and depends on uninterrupted connectivity. Attacks were conducted remotely in 92% of cases. Of those, 86% did not require any physical access to the targeted vehicle or system, meaning threat actors could execute an incident from anywhere with an internet connection.
Telematics platforms and cloud environments were the most common vectors, involved in 67% of cases, while APIs – the connective tissue linking vehicle software, manufacturer backends, and third-party services – played a role across a broad share of incidents. The financial and operational fallout was substantial. Sixty-eight percent of incidents resulted in data or privacy breaches, and 34% caused business or operational disruption. Sixty-one percent of cases carried the potential to affect thousands to millions of individual mobility assets simultaneously; 20% were classified as massive-scale.
Upstream identified the proliferation of AI-driven architectures across vehicle systems as a structural factor in the escalating threat environment. As automakers integrate AI more deeply into safety systems, fleet management, and over-the-air update mechanisms, the network of potential vulnerabilities expands correspondingly. “The automotive industry is an early adopter of Physical AI, and as AI capabilities rapidly expand across markets, it now serves as the reference architecture for safety-critical, highly connected systems. However, AI is also enabling attackers to move faster, at greater scale, and with more automation while the industry is still relying on security models built for a far more static world. Our 2026 report shows that AI significantly expands the cybersecurity attack surface, as traditional perimeter defences no longer suffice when AI systems adapt dynamically and directly influence physical outcomes,” said Yoav Levy, co-founder and CEO of Upstream.
Among the developments with the clearest insurance implications is a documented shift in how ransomware is being deployed. Rather than locking corporate networks or encrypting enterprise files, attackers in at least one mid-2025 case went further – gaining access to a vehicle’s remote command-and-control functions through a consumer-facing mobile app, then seizing control of physical systems such as ignition and door locks before demanding payment. The incident illustrates a blurring boundary between traditional cyber risk and physical loss – one that existing policy language may not cleanly address. Underwriters handling cyber, motor, or connected device lines may find it necessary to re-examine how coverage responds when a ransomware attack results in loss of vehicle use, rather than loss of data.
Separate research published in December 2025 by Marsh, based on a survey of more than 2,200 cyber risk leaders across 20 countries, indicates that the industry is responding to pressure from all sides. Two-thirds of organizations surveyed said they planned to increase cybersecurity budgets in 2026, and more than a quarter intended to raise spending by 25% or more. Ransomware was not an abstract concern for respondents. Twenty-nine percent ranked it alongside privacy breaches as their primary cyber worry – lending broader industry corroboration to what Upstream’s automotive-specific data shows. Third-party risk also emerged as a persistent gap, with 70% of organizations reporting at least one material incident tied to a vendor or supply chain partner in the past year. In automotive terms, that supply chain includes the telematics providers, cloud platforms, and API-dependent services that featured in the majority of incidents Upstream catalogued. The convergence of these data sets points to a sector in transition – one where the scope of insurable loss is expanding at roughly the same pace as the attack surface itself.
