Automobile dealerships collect and store large amounts of consumer data, including Social Security numbers, bank account information, and credit applications, so it’s no wonder that they’re prime targets for cyberattacks. The average ransomware payout for a dealership is $228,125, up 8% from the first quarter of 2021, according to a 2022 CDK Global cybersecurity study. The threat of costly attacks weighs heavily on dealerships as they take the steps needed to comply with the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act.
The Safeguards Rule has imposed compliance obligations on financial institutions since 2003 to protect consumer data from misuse and reduce the risk of a data breach. The federal rule requires financial institutions, including auto dealerships that offer financing or leasing agreements to consumers, to develop, implement, and maintain an information security program with safeguards in place to protect consumer data. In December 2021, the Federal Trade Commission amended the Safeguards Rule to mandate new, more specific and prescriptive cybersecurity standards and procedures for financial institutions by the Dec. 9, 2022, deadline. The CDK Global cybersecurity study shows that only 47% of dealerships are well prepared to be compliant.
The Safeguards Rule requires that dealerships complete nine specific steps for their cybersecurity programs:
Step 1: Designate a qualified individual
Your dealership must identify a “qualified individual” who is responsible for the oversight, implementation, and enforcement of the cybersecurity program. The qualified individual can be an employee, such as a chief information security officer (CISO), or an employee of an affiliate or a service provider, such as a virtual CISO.
Step 2: Conduct a risk assessment
Your dealership must conduct a written risk assessment that identifies the internal and external risks to the security, confidentiality, and integrity of consumer data and assesses the safeguards currently in place to control those risks. A risk assessment lets your dealership pinpoint the systems, applications, and data stores that hold consumer information and analyze which of them may be exposed to cyber threats. The rule also requires that your dealership follow up with periodic risk assessments to reexamine those risks as your systems and the threat landscape evolve.
Step 3: Implement controls
Once the risk assessment is complete, your dealership must design and implement safeguards to control the risks identified. The rule lists eight required elements for those safeguards, including encrypting consumer information both in transit and at rest, requiring multifactor authentication for anyone who accesses consumer information, and adopting policies and procedures to monitor and log the activity of authorized users.
Step 4: Monitor and test effectiveness
Your dealership must regularly test or monitor the effectiveness of its key controls. For information systems, this testing must take the form of either continuous monitoring or annual penetration testing combined with vulnerability assessments at least every six months.
Unpatched vulnerabilities are one of the primary ways attackers gain access to steal consumer data, damage systems, install malware, and more. One widely cited survey of breach victims found that 60% attributed their breach to an unpatched known vulnerability.
Step 5: Train employees
Your employees need to know how to execute your cybersecurity program and what they can do to keep consumer data safe from cyberattackers. Your dealership must provide security awareness training, keep employees updated and informed about changing cyber threats, and use qualified employees, affiliates, or service providers to manage and oversee the program. Currently, only 54% of dealerships offer employee training, according to the CDK Global cybersecurity survey. However, that number is up from 31% in 2021.
Step 6: Oversee service providers
Your dealership must choose skilled and experienced service providers to safeguard your consumer data. The rule requires that your dealership take reasonable care in selecting capable service providers, require them by contract to implement and maintain appropriate safeguards, and periodically assess them based on the risk they present and the continued adequacy of their safeguards.
Many organizations are turning to managed detection and response (MDR) service providers to protect their data against the threat of cyberattacks. Technological research and consulting firm Gartner projects that 50% of all organizations will use MDR services by 2025.
Step 7: Stay current
As the cyber landscape changes, your dealership must change with it. The rule requires that your dealership evaluate and adjust its cybersecurity program based on the results of your monitoring and testing.
Step 8: Create an IR plan
Your dealership should have a written incident response (IR) plan in place, and the amended rule now requires one. An IR plan is a set of instructions that prepares your dealership to respond rapidly to a security event, minimize damage and loss, and prevent a repeat compromise. The IR plan must cover your goals, internal response processes, the roles and responsibilities of personnel, internal and external communications, the remediation process, documentation and reporting of the incident, and evaluation and revision of the plan following an incident.
Step 9: Report to the board
Your qualified individual must report in writing to your board of directors or equivalent governing body regularly, and at least annually. The report must cover the overall status of the information security program, your compliance with the rule, and any material matters related to the program, such as risk assessment results, testing results, security events, and recommended changes.
Learn more about proactive cybersecurity solutions
Your dealership collects and stores large amounts of consumer data, and compliance with the Safeguards Rule helps reduce the chance that the data is exposed in a cyberattack. Take the steps needed to get into compliance, and if you need assistance with the requirements, partner with a qualified security service provider for help.
Pondurance can perform a risk assessment to evaluate your cybersecurity risk and recommend policies and procedures to address your risk. We also can supplement or function as your cybersecurity team with our MDR and IR services. We operate as an expert partner to our clients to help them reduce their exposure to risk with services designed to prioritize their most critical risks at implementation and evolve with their business needs.