Cybersecurity

ESG Governance

The freedom and opportunity that vehicles have provided over the past 100 years have often come with adverse effects in the form of injuries, emissions and congestion. Now, transformative innovations—self-driving vehicles, combined with electrification, sharing and connectivity—are changing the nature of transportation and our relationships to the vehicles that move us.

Cybersecurity Risks

Connectivity is a foundational enabler of a future that includes on-demand car sharing and AVs. GM’s quarter century of experience building our OnStar in-vehicle safety and security service, as well as our diagnostic, navigation and connectivity services, into millions of vehicles, makes us the most connected automaker on the planet. Today, we provide Connected Services and OnStar to more than 22 million members, with OnStar receiving an average of nearly 150,000 phone calls per day. We are balancing these advances in technology with attention to the potential risks they pose. For example, continued evolution of connected car technologies, the expansion of the vehicle ecosystem and advent of autonomous driving capabilities elevate cybersecurity concerns to another level of complexity and risk. In recognition of these developments and their potential impact on our business, GM has a cybersecurity governance structure at the highest levels of the company. Oversight responsibilities for cybersecurity programs and risks lie with the GM Board of Directors, which has a Risk and Cybersecurity Committee. At the operational level, cybersecurity management sits in a Global Cybersecurity organization that encompasses product, manufacturing and corporate cybersecurity functions across all areas of the business.

Vehicles that incorporate next-generation battery-electric technology, as well as active safety, infotainment and connectivity features, will require increased bandwidth and computing power. To meet these needs, GM has introduced an all-new electrical architecture consisting of software and hardware that will enable all advanced in-vehicle technologies to run seamlessly and in conjunction with each other. The platform went into production in 2019 and should be rolled out to most vehicles within GM’s global lineup by 2023. Cybersecurity is a pillar of the new architecture, with added protective features at both the hardware and software levels. GM’s Product Cybersecurity organization, one of the first such groups among major automakers, provides the necessary expertise to protect against unauthorized access to vehicles and customer data.

Privacy Protection

We rely upon information technology systems and networked products, some of which are managed by third parties, to process, transmit and store electronic information, and to manage or support a variety of our business processes, activities and products. Additionally, GM collects and stores sensitive data, including personally identifiable information of our customers and employees, in data centers and across information technology networks. Robust privacy policies and processes are critical to protecting our business and our stakeholders.

GM’s Privacy Center publishes a Global Privacy Policy that covers all operations, and we have a Third-Party Information Security Requirement Exhibit and Privacy Exhibit required for all contracts that involve personal information (PI) or sensitive GM information. Our contracts lay out requirements for lawful compliance with data protection and privacy laws and regulations, and for managing PI in a manner that reinforces customer and employee trust and confidence in GM and GM products and services. In addition, our Board of Directors has approved the adoption of Global Privacy Principles, and GM continues to be committed to the Auto Innovators Consumer Privacy Protection Privacy Principles for Connected Vehicles.

Privacy Program

The Privacy Center has a privacy program framework that focuses on policies, procedures, tools, guidance and training. This framework also includes a Privacy-by-Design program that requires all data-dependent initiatives to receive a privacy-focused consultation through their life cycle. The Privacy Center resides within our legal staff, and additional nonlegal resources are leveraged on a functional, regional and product/program basis to instill best practices in a consistent manner across the enterprise. In certain cases, external reviewers have been engaged to ensure use of industry best practices.

The goal of our collaborative privacy practice is to ensure that the collection, use and sharing of employee and customer personal information is secure and compliant, and that it reinforces employee and customer trust and confidence. Our greatest resource in protecting personal information is our employees. Privacy compliance is part of GM’s annual training, which emphasizes the importance of privacy to our business and the high priority the company places on employee and customer privacy.

Privacy Practices

Our Information Security program is aligned to the National Institute of Standards and Technology Cybersecurity Framework and ISO Standards and includes elements to protect the confidentiality, integrity and availability of information. We have a robust Information Lifecycle Management (ILM) Policy and record retention schedule, which apply globally to all GM employees and other individuals or entities (e.g., contract workers, purchased services, etc.) that create or manage GM records. The ILM Policy requires that we properly retain only those records needed to meet business, fiscal and legal requirements. GM requires an online Privacy Impact Assessment to be completed, reviewed and approved by a Privacy Center member prior to the implementation of any new product, service or process, or any change to the foregoing, involving the use of personal information. Additionally, Information Security Risk Management assigns a personal information risk score to systems containing personal information. Systems with high risk are required to have additional information technology controls.

Incidents

GM has a robust process for employees to report an incident involving possible wrongdoing, a violation of GM’s Code of Conduct—Winning with Integrity, an IT or other cybersecurity event, personal information incident or other concerns. This includes reporting through our toll-free GM Awareline hotline and a robust process for reviewing and investigating all alleged incidents. An employee who violates our Privacy Policy or Code of Conduct may be subject to discipline, including warnings, suspension with or without pay and/or termination of employment.

Customer Privacy

GM publishes privacy statements publicly, such as on our corporate, vehicle brand and OnStar websites. We utilize an opt-in approach, where legally required or appropriate, based on the nature of the data collected and its intended use. Customers have the ability to opt out. GM complies with all privacy regulations, such as the General Data Protection Regulation and the California Consumer Privacy Act. We honor requests under these regulations to access, correct and delete data. In addition, we do not allow the use of customer personal information for secondary usage if it is not disclosed in the Privacy Statement or otherwise consented to by the customer. In 2020, we did not have any material customer privacy complaints.