Key Takeaways:
• Many auto dealerships were impacted by the CDK global cyber attack.
• Auto dealerships need to pay close attention to the FTC’s Safeguards Rule.
• Dealerships that don’t comply with the FTC’s Safeguards Rule may not be protected from future cyber attacks.

The CDK cyberattack continues to impact auto dealerships nationwide. Understanding the FTC’s new Safeguards Rule is crucial. Cyberattacks are increasingly hitting companies that once thought they would never be the victim of an attack. To help combat this, dealerships are required to comply with the Safeguards Rule and enhance their cybersecurity programs to match this industry standard.

Video Summary of FTC Safeguards for Dealerships with Gardner Lee

CDK Global Cyberattack: Another Case in a Long Line of Similar Incidents

A Serious Threat

CDK Global, a software-as-a-service company that many dealerships use, suffered a ransomware attack from the foreign hacker group BlackSuit. This attack exposed private customer data and significantly diminished the software services that dealerships rely on to perform essential business operations.

Dealerships Face Financial Struggles

The attack has led to a chain reaction, resulting in fewer cars being sold. As a result, many auto dealerships are suffering financially and are not able to recover quickly from the losses.

Third-party Vulnerabilities Exposed

This incident is just another example of how cybercriminals do not discriminate based on company size, revenue, or type of business. In the case of the BlackSuit attack, the cybercriminals were able to breach systems through a third party, taking advantage of vulnerabilities that had not been addressed.

Introducing the Safeguards Rule

Navigating Cybersecurity Challenges

Navigating cybersecurity is challenging and can appear daunting for businesses that are just now stepping into the world of information security. Make sure you understand what is required to keep your business and customer data safe. Investing time and resources in cybersecurity now will pay off in the long run.

FTC Safeguards Rule

The Federal Trade Commission (FTC) put in place the Safeguards Rule to protect businesses against cyber risks and provide a baseline of security. The Safeguards Rule introduces several important requirements to ensure that all businesses that are “engaging in activity that is financial in nature” are compliant with the same security regulations as other financial institutions.

Who Must Comply

The FTC has mandated that all non-banking financial organizations comply with the rule. This includes automotive dealers, lenders, brokers, account servicers, check cashers, collection agencies, credit counselors, and travel agencies. By doing so, these businesses align with the security standards expected of financial institutions.

Exceptions for Small Businesses

It should be noted, however, that some exceptions do exist for companies that maintain customer information on fewer than 5,000 customers (16 CFR 314.6). Specifically, sections 314.4(b)(1), (d)(2), (h), and (i) do not apply; those sections outline specific requirements for the requisite risk assessment and incident response plan.

Consequences of Non-Compliance

Failure to comply with the Safeguards Rule can result in fines and reputational damage with penalties able to reach $100,000 per violation. In addition, customers, employees, and third parties can sue businesses for violating a compliance standard that could have prevented a cyber incident.

How the Safeguards Rule Works

Protecting Customer Data

The Safeguards Rule’s primary purpose is to protect customer information. First and foremost, the rule requires that a “qualified individual” must be appointed to manage the information security program. This could be an employee or a third-party service provider. This individual is responsible for establishing and maintaining the information security program.

Cybersecurity Strategy

The rule also requires companies to conduct risk assessments that identify internal and external risks to the security, confidentiality, and availability of customer data and that help prevent any unauthorized use of the data. In other words, risk assessments are a highly effective way to evaluate the overall status of a business’s information security program. They identify the risks you face and provide the foundation for establishing a strong information security strategy and mitigating the risks that were identified.

Components of a Risk Assessment

The FTC instructs that a Risk Assessment shall include the following (according to 16 C.F.R. Part 314.4(b)(1)):

  • The Risk Assessment must include criteria for the evaluation and categorization of identified security risks or threats you face.
  • The Risk Assessment must include criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information. This includes the adequacy of the existing controls in the context of the identified risks or threats you face.
  • The Risk Assessment must outline requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the information security program will address the risks.
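As an added illustration (not code from the article, LBMC, or the FTC), the small risk register below works through the three components just listed on constructed sample risks: evaluation and categorization criteria, a rating of existing control adequacy against the threat, and a recorded decision to mitigate or accept each residual risk. The scoring bands, the control-adequacy percentages, and the RISK_APPETITE threshold are assumptions chosen for the example.

```python
# Added example (not from the article or LBMC): a small risk register that
# applies the three 314.4(b)(1) components to constructed sample risks.
from dataclasses import dataclass, field

# Component 1: criteria for evaluating and categorizing identified risks.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3, "almost_certain": 4}
IMPACT = {"low": 1, "moderate": 2, "high": 3, "severe": 4}
CATEGORIES = [(2, "Low"), (6, "Medium"), (9, "High"), (float("inf"), "Critical")]
# Component 2: adequacy of existing controls, as the percent of risk they remove.
CONTROL_ADEQUACY = {"none": 0, "partial": 50, "effective": 80}
# Component 3: residual score above which a risk must be mitigated, not accepted.
RISK_APPETITE = 4.0  # hypothetical threshold chosen for this example

@dataclass
class Risk:
    name: str
    likelihood: str
    impact: dict = field(default_factory=dict)  # per C/I/A of customer data
    control_adequacy: str = "none"

def categorize(score):
    """Map a residual score onto the register's category bands."""
    return next(label for limit, label in CATEGORIES if score <= limit)

def assess(risk):
    """Evaluate one risk: inherent score, control-adjusted residual, treatment."""
    worst_impact = max(IMPACT[level] for level in risk.impact.values())
    inherent = LIKELIHOOD[risk.likelihood] * worst_impact
    residual = inherent * (100 - CONTROL_ADEQUACY[risk.control_adequacy]) / 100
    return {
        "risk": risk.name,
        "inherent": inherent,
        "residual": residual,
        "category": categorize(residual),
        "treatment": "mitigate" if residual > RISK_APPETITE else "accept",
    }

def build_treatment_plan(risks):
    """Assess every risk and order the program's work by residual score."""
    return sorted((assess(r) for r in risks), key=lambda a: -a["residual"])

# Constructed sample register for a dealership (illustrative, not real findings).
SAMPLE_RISKS = [
    Risk("Customer PII on unencrypted file share", "likely",
         {"C": "severe", "I": "low", "A": "low"}, "none"),
    Risk("Third-party DMS provider outage", "possible",
         {"C": "moderate", "A": "high"}, "partial"),
    Risk("Phishing of employee credentials", "likely",
         {"C": "high", "I": "moderate"}, "effective"),  # MFA already enforced
]

if __name__ == "__main__":
    for entry in build_treatment_plan(SAMPLE_RISKS):
        print(f"{entry['category']:8} {entry['treatment']:8} {entry['risk']}")
```

The ordered output is the starting point for the third component: the mitigate entries become the information security program’s work items, and the accept entries are documented with the rationale the threshold provides.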

Implementing Protective Measures

Based on the Risk Assessment, organizations should put the appropriate protective measures in place. Guidelines for organizations:

  • Implement access controls for both technical and physical applications.
  • Use an inventory management tool to identify and manage data and assets.
  • Encrypt all customer information.
  • Employ secure development practices for all systems and applications that store, access, or transmit customer information.
  • Require multi-factor authentication (MFA) for employees accessing information systems.
  • Use secure disposal/destruction methods for customer information after two years from the last date the information was used, with exceptions allowed for necessary business purposes or legal reasons.
  • Adopt change management procedures.
  • Monitor and log user activity to detect unauthorized access attempts against customer information and notify IT personnel when they occur.

8 Protective Measures for Dealerships Implementing FTC Safeguards

Penetration Testing and Vulnerability Assessment

Penetration Testing

The rule outlines that companies are also required to perform an annual penetration test. Penetration tests simulate a cyberattack by actively attempting to find vulnerabilities within your cyber infrastructure and exploiting them to gain an idea of how susceptible your environment is to attackers.

Vulnerability Assessment

A vulnerability assessment will entail a comprehensive scan and review of systems that work with customer information. This assessment identifies vulnerabilities and provides high-level information about the level of risk associated with the vulnerability, what systems it affects, and other valuable information used to remediate the risk.

Correcting any Vulnerabilities

Once the vulnerability assessment is complete, the organization will be notified of any weaknesses and their potential impacts. As a result, the business will have a better understanding of the risks, how grave they are, and how to protect against them.

Getting Started with a Risk Assessment

Importance of Conducting a Risk Assessment

Conducting a risk assessment is crucial for your ability to identify risks affecting your organization and evaluate the overall status of the company’s information security program. It allows you to establish the groundwork for creating a strong information security program to protect customer information and become compliant with the Safeguards Rule.

Challenges for First-Time Assessments

Risk assessments are difficult to carry out for organizations doing them for the first time, particularly those that operate with limited resources and experience. Furthermore, the more in-depth the assessment, the harder it becomes to dive deep and identify risk comprehensively without professional help.

Professional Assistance

If your company is looking to implement these controls and become compliant, LBMC Cybersecurity specializes in performing risk assessments and penetration tests among other advisory services that will help you establish your baseline information security program.

Contact Us

Contact us today to ensure your company meets the necessary security standards and protects customer information effectively.

Content provided by Gardner Lee, LBMC Senior Cybersecurity Consultant. Gardner Lee works as a cybersecurity consultant at LBMC across various service offerings, including risk assessments, HIPAA gap assessments, vendor risk management, and security program development.