Enhancing risk management by leveraging Connected Car Cybersecurity Consulting Service in a comprehensive manner with key risks addressed

Company: Top domestic new energy auto manufacturer
Sector: Auto

The market background - The auto industry is undergoing tremendous technological transformations while also facing unprecedented cybersecurity challenges

In recent years, the worldwide new energy vehicle subsidy policies, and the domestic policies such as the "14th Five-Year Plan", have strongly promoted the rapid popularisation of intelligent connected and autonomous vehicles. At the same time, it has also brought huge cyber security challenges to the Auto industry. According to statistics, the number of Connected Car cybersecurity incidents has increased by 7 times in the past five years.

In this context, the regulations on Connected Car cybersecurity area have become increasingly strict. The United Nation World Forum for Harmonisation of Vehicle Regulations (WP29) issued R155 – the UN Regulation on vehicle cyber security management system, R156 - the UN Regulation on vehicle software update management system. These regulations were enforced in the European Union, Japan and other places in July 2022. China is also establishing corresponding mandatory national standards for market access, which are expected to be enforced in mid-2024. Auto manufacturers must pass the regulation's specific requirements otherwise they could not sell their vehicle models in the local market.

Due to lack of the well-established management system and technical capabilities to meet the mandatory requirements of these new regulations, our client engaged PwC to support them to build resilience in the new business transformation, by helping them to comply with new regulations, and enhancing their security capabilities in a comprehensive manner.

Our Connected Car Cybersecurity solution

PwC cyberteam developed an innovative technical consulting solution - Connected Car cybersecurity service, which could interconnect all of the core business units of Auto manufacturers to enhance the security capabilities across the organisation, and address the vehicle cyber risk management requirements in the business processes and each vehicle product. With this innovative solution, PwC assisted our client to successfully obtain the Vehicle Cybersecurity Certificates, which is the First Successful case in Asia.

This service is divided into two aspects:

At the company level: Assisting core business sectors such as vehicle R&D, production, quality management and procurement to establish vehicle cybersecurity management system (CSMS) and vehicle software update management systems (SUMS) which could cover the whole vehicle lifecycle and to obtain corresponding management system certificates as well.
At each vehicle model level: Assisting auto manufacturers to analyse and implement specific technical requirements for vehicle cybersecurity and vehicle software update management and to obtain corresponding vehicle type approval certificates (VTA) as well.

Four fundamental differences from traditional cybersecurity solutions

Comprehensively covered and interconnected all core business sectors: Traditional cybersecurity management is usually handled by a single IT department, while in the emerging Connected Car cybersecurity area, new regulations require the identification and control of cybersecurity risks to be embedded in the entire lifecycle of vehicles, which means that all core business sectors such as R&D, production, after-sales, procurement, etc. must be involved, interconnected with each other to build a company-wide cybersecurity capability.
Bring diverse thinkers with new skill sets together: Traditional cybersecurity skills can no longer meet the needs in Connected Car Cybersecurity area. Consultants not only need to be familiar with the client’s core business, but also must have in-depth professional skills in vehicle engineering. PwC have hired multiple industry experts from leading automobile companies to lead project delivery and team capability development, meanwhile collaborated with PwC Japan and PwC Germany to form an expert network, with skill sets of both vehicle engineering and cybersecurity.
A new service model based on each vehicle model: Traditional cybersecurity services typically only target "companies" or "information systems". In addition to management system consulting at the "company" level, the Connected Car cybersecurity service also provides technical landing services based on each "vehicle model ". Due to the high complexity of vehicle development, the project cycle required for each vehicle model is usually around one year.
The Connected Car cyber-Lab: Completed in 2021, the Connected Car Cybersecurity Laboratory in Guangzhou office, is the first technical platform in this field among Big4 in China, which can help us to verify our technical recommendations and deliver relevant penetration tests under the new cyber security landscape

Key takeaways: How our client benefit from PwC’s Connected Car Cybersecurity consulting service

Having the richest successful experience in obtaining certification in China, we can assist the auto clients to interconnect their R&D, production, and after-sales sectors more efficiently, to complete the construction of the compliance capabilities
Have groomed a skilled consultant team with expertise in both vehicle engineering and cybersecurity, capable of assisting automobile companies in the analysis and technical landing for any type of vehicle products.
Have established a complete ecosystem in Connected Car Cybersecurity area, which can assist automotive industry clients in efficiently identifying and linking all external stakeholders during the initiation and implementation of the projects, effectively ensuring the acquisition of relevant certifications.