As fleets become more integrated with emerging technologies, they become vulnerable to hackers, making a solid cybersecurity policy essential for operational resilience.  

To provide insight into how fleets can better navigate these challenges and strengthen their cybersecurity stance, we spoke with Amar Singh, CEO of Cyber Management Alliance Ltd. 

In this Q&A, Singh explains why fleet cybersecurity requires a different approach than traditional corporate IT security and outlines practical steps organizations can take to build more effective, enforceable policies for fleets. 

CM Alliance is a transportation safety and compliance consulting firm that works with fleets across North America. The company provides services including safety audits, collision investigations, training, and fleet risk management support. 

This interview has been edited for length and clarity. 

AF: Who should ultimately own cybersecurity policy within a fleet organization, and how should responsibilities be divided between fleet operations, IT, and leadership? 

Singh: The person who owns cybersecurity should be senior and experienced enough to accept responsibility if a cybersecurity incident occurs.  

Concerning policy specifically, the question I would ask is, what is the outcome? What is the risk of a violation of the policy? And consequently, what is the business impact of the risk? 

There is NO hard-and-fast rule about who the owner is.  

In fleet companies, many organizations assign the responsibility to the CIO, CTO, or VP of Operations. 

The logic behind this is that fleet cyber risk straddles IT and operational technology (OT). I have seen one customer in this sector give that ownership to the General Counsel. 

Key deciding factors should also include whether the person filling the role has the acumen to own the policy violation and their ability to understand the business impact of a policy breach. 

AF: What are the key elements that make a cybersecurity policy truly effective for fleet operations, as opposed to a generic corporate IT policy? 

Singh: An effective fleet policy must consider and cover things a corporate IT policy simply doesn't think about.  

For example, your "endpoints" are moving down the highway, and often with a driver who isn't a technology user in the traditional sense. The policy must address that reality.  

These are all attack surfaces that a standard IT policy typically would not cover: 

1. Driver behavior in the cab, connecting personal phones, USB charging, and using public Wi-Fi at truck stops; these are all small things, but each one is a potential entry point. 
2. Have it written in plain language. A driver is not going to read a 40-page policy document. If a driver can't understand it in five minutes, it won't be followed. 

Every policy statement should pass the test: "Can we technically monitor a violation of this?" If the answer is no, the policy is merely decorative. 

Policy must explicitly cover the vehicle itself, the telematics units, ELDs, dashcams, and any aftermarket devices plugged into the OBD-II port. 

AF: Where do you see the biggest gaps between written cybersecurity policies and what happens in day-to-day fleet operations? 

Singh: Often, the policy statement does not reflect the reality on the ground, hindering the monitoring of violations. 

AF: What types of cybersecurity policies should fleets implement specifically for 

drivers, and how can companies ensure those policies are followed in the field? 

Singh: This could be a very long list, so I will outline a few I would say are most important. 

1. Drivers should not be allowed to disable any restrictions enforced by the company (speed, speed limiters, geofencing, etc.) 
2. There should be no installation of unauthorized tracking devices or aftermarket hardware in the vehicle. 
3. There should be no tampering with telematics units, ELDs, or dashcams — these are part of the vehicle, not optional accessories. 
4. No plugging unauthorized devices into the OBD-II port. A cheap dongle off the internet can open the entire vehicle network. 
5. Enforcement is where most fleets struggle. A policy in a binder is worthless. 

In practice, it comes down to three things:  

1. Technical monitoring through the telematics platform to flag tampering or unauthorized connections.  
2. Periodic vehicle inspections to catch what telematics can't see. 
3.  Tying policy compliance into driver performance reviews so there is a real consequence for ignoring it. 

AF: What policies should fleets have in place to manage cybersecurity expectations and accountability with vendors, telematics providers, and service partners? 

Singh: This is a very good question. 

Vendors can introduce many risks (also termed Supply Chain Risk), and the actual impact of these risks can often be significantly disruptive. 

Here is an example of what a vendor policy should include: 

“Vendor must not knowingly or unknowingly introduce any process or digital weakness to the vehicle and or fleet management system.” 

This is a great open-ended policy because it captures the many ways a vulnerability can be introduced. 

AF: How often should fleet cybersecurity policies be updated and reinforced through 

training to remain effective against evolving threats? 

Singh: Threats are constantly evolving, and so should policies.  

To that end, it is my professional opinion that the policies should be thoroughly reviewed and updated (if necessary) at least once a year. 

Securing the Modern Fleet  

As fleet technology continues to evolve, cybersecurity can no longer be treated as a secondary IT concern. From connected vehicles and telematics systems to driver behavior and vendor partnerships, fleets face a growing range of operational risks that require practical, enforceable policies.  

Strong cybersecurity management starts with accountability, continuous oversight, and policies grounded in the realities of day-to-day fleet operations.