Key Takeaways
- Dealerships face significant cybersecurity risks due to sensitive customer data and digital operations.
- Many dealerships have not yet met the complex requirements of the FTC Safeguards Rule, even though it went into effect June 9, 2023.
- Building a culture of security and preparedness reduces vulnerabilities and strengthens overall cybersecurity posture.
Dealerships are adopting various digital tools to manage inventory, process sales, and provide after-sales services — all with the goal of streamlining operations, enhancing customer experiences, and driving growth.
However, with this digital transformation comes a heightened risk of cyber threats. While 90% of surveyed dealers view cybersecurity as “very important” relative to other operational areas, sophisticated attackers and widespread technology adoption make adequate security difficult.
Understanding Cybersecurity Risks for Dealerships
Dealerships handle a vast amount of sensitive information. From employee data and customer contact information in your CRM to the bank information and social security numbers collected by your finance and insurance departments, the scope of private data managed daily is extensive.
This data collection is integral to your operations, enabling efficient transactions and personalized customer service, but it also presents significant risks. With cyberattacks on the rise, dealerships are coming to one major conclusion: cybersecurity is a critical business practice.
Dealerships are prime targets for cybercriminals because they are considered easy targets.
Characteristics that make dealerships vulnerable to attacks include:
- Open Wi-Fi networks
- Outdated IT infrastructure
- Insufficient login protection
- Low cybersecurity awareness
The FTC Safeguards Rule
The Safeguards Rule aims to strengthen data security and help protect your customers’ financial data.
The FTC hopes to achieve three primary goals through the Safeguards Rule:
- Ensure the security and confidentiality of customer information
- Protect against threats to the security or integrity of customer information
- Protect against unauthorized access to information
Complying with the Safeguards Rule takes time and effort. Though the deadline for compliance was June 9, 2023, many dealerships have not yet met the complex requirements.
Eight Steps to Comply with the FTC Safeguards Rule
To meet the objectives established by the FTC, eight elements must be addressed:
Designate a qualified individual to oversee cybersecurity efforts.
Selecting a qualified individual who understands the technology and security measures required to protect customer information is crucial.
This person will be held accountable for the cybersecurity program's effectiveness. They will ensure policies are followed, vulnerabilities are addressed, and security events are managed. The qualified individual can be an internal staff member or a managed service partner with expertise in cybersecurity.
Conduct regular risk assessments.
A risk assessment is a systematic process for identifying, evaluating, and documenting the potential risks to customer information. It involves analyzing various aspects of your dealership’s operations, technology, and methods to identify vulnerabilities that could be exploited.
Elements of an Effective Risk Assessment:
- Collect assets
- Identify threats
- Assess vulnerabilities
- Evaluate impact
- Determine likelihood
- Document findings
- Develop action plans
- Monitor and review
Implement safeguards to mitigate identified risks.
Dealerships must implement security measures and practices to protect sensitive data from threats. These safeguards should include:
- Access control
- System inventory
- Data encryption
- Multi-factor authentication
- Data disposal procedures
Test and monitor the effectiveness of the various security controls.
Regular testing verifies that your security controls are functioning as intended and can effectively protect customer information.
In 2023, only one-third of data breaches were discovered through internal security teams.
Continuous monitoring helps detect vulnerabilities and potential threats early, enabling you to identify and stop attacks before they wreak havoc.
Two effective strategies for assessing your controls are:
Penetration Testing: A proactive and simulated attack on your systems, applications, and network to identify and exploit vulnerabilities. The primary goal is to uncover security weaknesses that malicious attackers could exploit.
Tabletop Exercises: Discussion-based sessions where key stakeholders and team members walk through simulated security incident scenarios in a structured manner. The primary goal is to evaluate and improve the organization’s incident response plan, communication strategies, and decision-making processes.
Train and educate your employees.
Employees are often the first line of defense against cyber threats. Training helps them recognize suspicious activities, phishing attempts, and other tactics used by cybercriminals.
Training also ensures employees understand and adhere to cybersecurity policies and regulatory requirements — like the FTC Safeguards Rule. This reduces the risk of non-compliance and potential legal consequences.
- Creating a culture of security within your dealership requires a multifaceted approach. Download our guide on Best Practices in Cybersecurity to get started.
Monitor third-party service providers.
External vendors frequently possess sensitive customer data or access essential systems. If these vendors experience a security breach or fail to implement adequate security measures, it can directly impact your dealership’s security and reputation.
Conduct initial and ongoing risk assessments of third-party vendors before engaging their services. Evaluate factors such as the sensitivity of data they will handle, their security practices, and their history of security incidents.
Establish an Incident Response Plan (IRP).
An Incident Response Plan (IRP) is a structured approach that outlines what steps to take when a cybersecurity incident occurs.
Dealerships with an incident response plan are better prepared to investigate and remediate attacks because they have designated people (employees, management, and third parties), processes, and technology to expedite an investigation.
Organizations with a tested IRP identified breaches 54 days faster than those without.
Effective IRPs include plan objectives, a process for responding to the security event, clearly defined roles, communication strategies, remediation steps, and documentation related to incident response activities.
Require the qualified individual to report to your Board of Directors.
The FTC requires someone within your organization to report the state of security annually to your dealership’s Board of Directors. The report must include a performance assessment of your cybersecurity strategy as well as your dealership’s compliance status with the FTC Safeguards Rule.
Open and transparent communication with key stakeholders can benefit your dealership beyond compliance. Board members can provide strategic guidance and support for cybersecurity initiatives. They can prioritize investments in cybersecurity, endorse policy changes, and align cybersecurity efforts with overall business goals.
Next Steps for Dealerships
Implementing a comprehensive cybersecurity program is about more than compliance — it’s a critical investment in protecting customer information and maintaining operational resilience.
Those who want to stay ahead of the competition will not turn away from new technologies for fear of attacks but rather work to become more informed and better prepared to navigate the landscape effectively. If you’re looking for a trusted partner to help your dealership thrive in today’s digital-first world, we can help.
Best Practices in Cybersecurity
Cybersecurity
Eide Bailly’s cybersecurity team provides guidance, strategic direction, and prioritization of business objectives and cyber risks.
Dealerships
A comprehensive approach to planning puts you in the driver's seat.
