Cyber more than IT issue in automotive industry, report finds

Cyber is more than an IT issue in the auto industry

APMA’s Institute for Automotive Cybersecurity and KPMG in Canada help suppliers close cybersecurity gaps


At a time when the automotive industry is increasingly focused on connected cars and information services, less than half (42 per cent) of Canadian auto parts manufacturers recognize how today's vehicles are potential hotbeds for cyber security threats, finds a new report by the Automotive Parts Manufacturers' Association's (APMA) Institute of Automotive Cybersecurity (apmaIAC) and KPMG in Canada.

The joint apmaIAC / KPMG report, Canadian automotive cyber preparedness survey, finds that many auto parts suppliers have yet to embrace the elements of security, privacy, and cyber safety in their operations because they feel their individual product offering is not technologically advanced. Yet today's vehicles are micro-communities in themselves with vehicle-to-everything technology. Cyber threats also extend to the manufacturers themselves, who need to guard all parts of their operations from attacks, including supply chain systems, the hardware and software facilitating manufacturing equipment, robotics, customer channels, and back-office operations.

"Cyber has many faces in today's automotive industry and poses significant risks if left unchecked," says Flavio Volpe, president, APMA. "The reality is that now, more than at any other time in manufacturing, companies must safeguard their products, operations, and systems no matter the type of components, parts, systems, and assemblies they produce."

The report notes automobile original equipment manufacturers (OEMs) and their suppliers in Canada need to prepare for several domestic and international vehicle cybersecurity-related regulations – from Transport Canada's Vehicle Cyber Guidance to the Working Party (WP) 29 United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations. The U.N. regulation, for example, will require companies to document how they will prevent specific kinds of incidents, report information on cyberattacks and inform authorities at least once a year on whether their cybersecurity measures have been effective.

As well, the forthcoming ISO 21434 Road Vehicles Cybersecurity Engineering standard has set cybersecurity risk management requirements for road vehicle systems, components, and interfaces throughout all stages of their development from engineering, production, operation and maintenance to decommissioning, the report says.

OEMs are holding suppliers at every tier more responsible for protecting their contributions to the supply chain, underscoring the urgency to shift the mindset on cybersecurity, the report says.

"Building a cyber secure culture means keeping security awareness top of mind for all individuals in the organization – not just IT," says KPMG's John Heaton, partner, cybersecurity services. "Every company – no matter the product - has cyber 'digital crown jewels' that must be secured. Companies at every link in the supply chain must identify and protect these and ensure the partners they share data with are taking the same steps."

Closing the cybersecurity gap

The report highlights six key considerations to help the industry close its cybersecurity gaps and embed cyber governance throughout the organization:

  • Embrace a new cyber culture: Everyone in the supply chain must take cybersecurity into consideration. It only takes one weak link to expose the entire chain.
  • Identify your cyber leader: Every organization needs to identify a senior leader, who is accountable for cyber. They should not be an IT executive, but somebody senior, who is accountable for cyber across the enterprise and equipped with the skills and knowledge to do so effectively.
  • Understand your crown jewels: You can't protect your operations effectively if you don't know what needs protecting.
  • Look beyond IT: Your IP and operational technologies are your competitive edge. Failure to protect them from theft, damage, or leaks could mean losing your market position.
  • Consider your lifecycle: Cybersecurity isn't all about the final product. Effective cyber governance covers the entire process, from design and engineering, to production and distribution, post-sale service and beyond. Each step comes with its own cyber considerations.
  • Don't wait to lead: While there are many good examples of Canadian companies taking charge with cyber, the sector tends to wait on directions from its OEMs or customers to make a culture shift. It's important to take that lead now, both within your enterprise and among your supply chain, because anything that happens will inevitably impact you.

About APMA

The Automotive Parts Manufacturers' Association (APMA) is Canada's national association representing OEM producers of parts, equipment, tools, supplies, advanced technology, and services for the worldwide automotive industry. The Association was founded in 1952 and its members account for 90% of independent parts production in Canada. In 2018, automotive parts shipments were over $35 billion, and the industry employment level was over 100,000 people.

About APMA's Institute of Automotive Cybersecurity

Automotive Parts Manufacturers' Association (APMA) of Canada and Vehiqilla Inc. launched the APMA Institute of Automotive Cybersecurity (apmaIAC). The institute will assist in providing guidance and best practices to Canadian automotive parts manufacturers, helping support the privacy/safety/security culture. The apmaIAC will focus on the following four areas: Governance, Assessments, Education and Technology.

About KPMG in Canada

KPMG LLP, a limited liability partnership, is a full-service Audit, Tax and Advisory firm owned and operated by Canadians. For over 150 years, our professionals have provided consulting, accounting, auditing, and tax services to Canadians, inspiring confidence, empowering change, and driving innovation. Guided by our core values of Integrity, Excellence, Courage, Together, For Better, KPMG employs nearly 8,000 people in over 40 locations across Canada, serving private- and public-sector clients. KPMG is consistently ranked one of Canada's top employers and one of the best places to work in the country.

The firm is established under the laws of Ontario and is a member of KPMG's global organization of independent member firms affiliated with KPMG International, a private English company limited by guarantee. Each KPMG firm is a legally distinct and separate entity and describes itself as such. For more information, see

For media inquiries:

Flavio Volpe
Automotive Parts and Manufacturers' Association of Canada
(416) 856-0345

Caroline Van Hasselt
Corporate Communications
KPMG in Canada
(416) 777-3328

© 2022 KPMG LLP, an Ontario limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
