The aftermath of the June 19 cybersecurity attack on CDK Global, a car dealership software company used by nearly 15,000 dealerships nationwide, further highlighted the importance of compliance with the updated Federal Trade Commission (FTC) Safeguards Rule for auto dealerships.
The Safeguards Rule is intended to help better protect customer information in an environment where widespread data breaches are increasingly common. As seen in the CDK Global data breach, cyberattacks on dealerships can result in:
- Stolen consumer financial data
- Access to personally identifiable information (PII)
- Extortion
- Software outages and halted operations
- Lost revenue
Not only does a data breach significantly impact customer loyalty, a sizeable attack may also mean weeks of downtime and lost revenue. In the case of CDK Global, many dealerships experienced an almost two-week shutdown as CDK Global worked to restore its systems and safely bring the software back online.
While some dealerships were able to use the software sooner, due to a phased approach, research done by the Anderson Economic Group estimated companies collectively lost more than a billion dollars because of the software outage.
Understandably, auto dealerships are increasingly concerned with cybersecurity and the unique vulnerabilities their organizations face. For enhanced compliance with the amended Safeguards Rule, our professionals outline the necessity and requirements of adherence to FTC standards.
Although the deadline to meet compliance requirements was June 9, 2023, companies can still take action to enhance their cybersecurity efforts against future attacks.
Dealerships Face Increased Vulnerability Against Attacks
Dealerships are particularly vulnerable to cyberattacks due to several inherent characteristics of the auto dealer industry, such as high employee turnover, which was 33% in 2022, with a median tenure of just over three years. This rapid turnover exacerbates the challenges of maintaining consistent security training and compliance, increasing the risk of human error and insider threats.
Additionally, the use of open wireless networks for customer convenience introduces a significant vulnerability, as these unsecured networks can be exploited by hackers to gain unauthorized access to sensitive data.
Auto dealerships are often seen as prime targets due to their:
- Availability of financial data
- General lack of advanced cybersecurity awareness and protective measures
- Insufficient IT infrastructure
- Capacity to store large volumes of PII
These factors make dealerships attractive to cybercriminals looking to exploit weaknesses for financial gain, data theft or ransomware attacks.
The Basics of Safeguards Rule Compliance
The Safeguards Rule applies to all financial institutions, including non-banking financial institutions, such as auto dealers, online banking service providers or payday lenders. Businesses must develop, implement and maintain a comprehensive security plan intended to protect customer information.
The rule became law on January 10, 2022, and had an initial deadline of December 2022, but dealerships were granted an extension until June of 2023 to meet requirements. In order to come into compliance, dealerships are required to:
- Designate a Qualified Individual (QI) to oversee the program
- Conduct a risk assessment, including a network vulnerability assessment (VA)
- Develop a Written Information Security Program (WISP)
- Implement safeguards to control risk
- Encrypt customer information, both in transit and at rest
- Implement multifactor authentication
- Review access controls
- Perform annual penetration testing and twice-annual VAs
- Monitor service providers
- Draft an incident response plan
- Provide an annual written report to management
Responsibilities of the Qualified Individual
The QI appointed to monitor and enforce a dealership’s information security program can be either an external advisory firm or an internal employee. The role should be filled by someone who is capable of overseeing the execution and documentation of the necessary duties.
Risk Assessments
A risk assessment is intended to evaluate security risks that could result in the misuse, alteration or destruction of customer information. The FTC requires periodic risk assessments but does not specify how often one should be conducted. Dealerships are advised to set a predetermined schedule, at least annually, to ensure assessments aren’t skipped or pushed off too long.
Written Information Security Program
A Written Information Security Program (WISP) is designed to detail an organization’s administrative, physical and technical safeguards for protecting sensitive information. The document typically includes the program’s objective and purpose, a comprehensive inventory of hardware and software assets, a list of implemented safety measures, and an implementation clause outlining the steps for enforcing the program.
Additionally, it may cover areas such as risk assessment procedures, employee training protocols, incident response plans and ongoing monitoring and compliance strategies.
The National Automobile Dealers Association (NADA) offers a free WISP template to its members, which can also be purchased by non-members. While this template provides a valuable foundation, it is essential for organizations to critically evaluate their own security practices to ensure that the controls and measures outlined in the WISP are accurately designed and implemented to address their specific risks and operational needs.
Implement Safeguards to Control Risk
Through a risk assessment, organizations can identify the safeguards they should implement to better control risk, such as data encryption, multifactor authentication and a customer information disposal policy. Regardless of risk assessment outcomes, the revised rule requires that a number of safeguards be implemented in the security program, including:
- Access controls
- System inventory
- Encryption
- Secure development practices
- Multifactor authentication (MFA)
- Disposal procedures
- Change management procedures
- Monitoring and logging of authorized user activity
Monitor Service Providers
Compliance requires dealerships to periodically monitor and assess that service providers are adequately protecting any customer data they may possess. This can be done through requesting a copy of each service provider’s WISP and including contract provisions that require they maintain certain safeguards.
Draft an Incident Response Plan
An incident response plan is a required written document that outlines how a dealership plans to respond to, and recover from, an incident that risks data confidentiality and security.
Provide Annual Written Reports
Under the Safeguards Rule, companies must submit an annual report to their Board of Directors or governing body. The report should include an overall assessment of the information security program, with a focus on its effectiveness and compliance.
Optimize Cybersecurity Strategy With Cherry Bekaert
Cherry Bekaert’s Digital Advisory team drives transformation and helps middle-market companies grow by bringing together people, processes, technology, and culture to help businesses sustain and flourish in the digital age. Our Information Assurance & Cybersecurity practice offers a full range of cybersecurity, privacy, attest and risk mitigation services to help protect your business from cyber threats.
Our information professionals will work with you to right-size a solution of people, processes and technology based on your business requirements, industry, key stakeholders, compliance requirements and budget.
The Risks of Noncompliance
As seen with the CDK Global cyberattack, an insufficient information security program can result in significant damage far beyond an FTC fine. The Second Annual Global State of Cybersecurity Report by CDK Global found that roughly 84% of customers would not buy another vehicle from a dealership that experienced a data breach.
Along with damage to your business’s reputation, failure to comply could result in legal action, as the FTC considers a violation of the Safeguards Rule to constitute a deceptive trade practice. While FTC enforcement actions, consent orders and fines are possible for noncompliant dealerships, businesses are more likely to face consumer class action lawsuits.
How Cherry Bekaert Can Help
Cherry Bekaert’s Information Assurance & Cybersecurity practice offers a range of cybersecurity services to help protect your information systems and data from cyber threats. We can help you identify relevant privacy risks and develop realistic solutions and strategies to minimize the likelihood and impact of incidents affecting your systems, operations and data.
We ensure your cybersecurity program addresses a broad range of compliance, technology and program components, including:
- Risk, Governance and Audit
- Advanced Threat Protection
- Network Security
- Data Security
- Infrastructure Security
- System Security
- Application Security
- Mobile Security
Our experienced professionals help organizations defend their information assets by quickly assessing, auditing, transforming and securing their information technology (IT) environment. Utilizing a flexible and business-friendly approach, we collaborate with you based on your priorities, strategic plans and budget, and apply leading tools, processes and frameworks to achieve your cybersecurity and privacy goals.