Blog

How the New FTC Safeguards Rule Update Will Impact Auto Dealerships

BY eSentire

November 3, 2022 | 9 MINS READ

Cyber Risk

Regulatory Compliance

Sensitive Data Protection

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

On June 9th, 2023, new Federal Trade Commission (FTC) Safeguards Rule requirements will come into effect. By this date, auto dealerships throughout the United States are expected to have deployed and implemented an information security program with administrative, technical, and physical safeguards designed to:

The update to the Safeguards Rule extends the requirements first introduced in the 2003 Gramm-Leach-Bliley Act and coincides with a number of cyberattacks against auto dealerships around the world:

These cyberattacks aren’t contained to Europe – auto dealerships in the United States are also at severe risk. In fact, a study released in October 2022 by leading automotive retail software provider CDK Global revealed that 15% of dealers — nearly one out of every six — experienced a cybersecurity incident in the past year, resulting in sensitive data breaches, business interruptions, and loss of revenue.

So, what makes auto dealerships an attractive target for cybercriminals? There are two primary reasons:

  1. Auto dealers have a considerable amount of sensitive data on their customers and are even considered financial institutions by the FTC
  2. Many auto dealerships may not think of a cybersecurity incident as a real threat

Auto Dealerships are Financial Institutions with Highly Valuable Customer Data

First, automotive dealerships are considered financial institutions and as a result, they process and store an abundance of sensitive customer information. This data holds considerable value for attackers because it can be used to extort a payment from the victim and because it can be leveraged in additional cyberattacks.

In the Safeguards Rule’s terminology, “customer information” is defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” It also further defines personally identifiable financial information to mean any information:

Just to clarify the breadth of what’s covered by that list, the Safeguards Rule also provides the following specific examples:

Auto Dealerships May Not Prioritize Cybersecurity Programs

Many auto dealerships may think of themselves as a local small business within a community. In addition, their senior leadership team may understand the value of cybersecurity – in general – but may not see themselves as an attractive target. Therefore, it’s likely that cybersecurity is not top-of-mind for auto dealerships, rendering them poorly prepared to withstand or recover from a cyberattack.

For example, the CDK Global study found that only 37% of auto retailers reported being confident in their current level of protection against cyber threats. Interestingly, this is a 21% decrease in preparedness compared to the findings of their 2021 study.

As a result, cybercriminals, many of whom have the means to use Ransomware-as-a-Service (RaaS) or Malware-as-a-Service (MaaS), recognize the average car dealership as a fairly low-hanging fruit with the potential of a quick payday.

9 Elements That Must Be in Your Information Security Program

According to Section 314.4 of the Safeguards Rule, there are nine elements that your company’s information security program must include:

  1. Designate a Qualified Individual to implement and supervise your company’s information security program: The goal here is to engage an internal, or external, CISO-level expert who is familiar with your company, your industry, and the specific cyber threats that can impact your dealership. However, if you engage an external provider, you need to have a senior employee manage the program alongside the provider since you’ll be held responsible.
  2. Conduct a risk assessment: Given the large amount of critical data your dealership stores and has access to, you must conduct a full inventory of that data. Following the inventory, conduct a risk assessment so you can account for all potential cyber risks and threats that can impact your dealership.
  3. Design and implement safeguards to control the risks identified through your risk assessment: To ensure your information security program is effective at safeguarding your data, you’re expected to:
    1. Implement and periodically review access controls.
    2. Know what you have and where you have it.
    3. Encrypt customer information on your system and when it’s in transit.
    4. Assess your apps (if applicable).
    5. Implement multi-factor authentication (MFA) for anyone accessing customer information on your system.
    6. Dispose of customer information securely.
    7. Anticipate and evaluate changes to your information system or network.
    8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
  4. Regularly monitor and test the effectiveness of your safeguards: It’s not enough to simply onboard a set of tools and technologies and presume you have the necessary controls to limit cyber threats. Engaging a service like penetration testing will allow you to test your cyber defenses to ensure there are no gaps in your cybersecurity posture. The FTC also recommends conducting a vulnerability assessment to ensure there are no weaknesses in your applications, systems, and devices.
  5. Train your staff: Humans are by far the weakest link in cybersecurity so it’s critical that you’re continually educating, and empowering, your employees to recognize the signs of a phishing attack or business email compromise (BEC) scams as well as cyber threats that rely on drive-by social engineering tactics (e.g., SEO poisoning).
  6. Monitor your service providers: Third-party supply chain attacks are some of the biggest threats impacting businesses – no matter the size or industry. Therefore, it’s your responsibility to ensure that any contract you sign with a third-party service provider outlines your expectations for cybersecurity, especially if that third-party has access to your sensitive data.
    • Last year, Volkswagen suffered a significant data breach that exposed the contact information and personal details — including driver’s license numbers — of customers in the United States and Canada. This headline-grabbing incident impacted 3M+ customers – 90,000 of whom had especially sensitive information stolen. The source of the breach? A third-party company that worked with VW.
  7. Keep your information security program current: Cybercrime is constantly evolving; there are new threats in the market and cybercriminals are constantly evolving the tactics, techniques, and procedures (TTPs) to ensure they fulfill their objectives. Therefore, your information security program must also keep up with the changing pace. Continually assess to ensure you’re on top of your cyber risks, emerging threats, and any gaps in your program to stay ahead of the threat curve.
  8. Create a written incident response plan: No matter how strong your cyber defenses are, there is no guarantee you can prevent a cyberattack from happening. Therefore, you must maintain an incident response readiness plan that accounts for:
    1. The goals of your plan;
    2. The internal processes your company will activate in response to a security event;
    3. Clear roles, responsibilities, and levels of decision-making authority;
    4. Communications and information sharing both inside and outside your company;
    5. A process to fix any identified weaknesses in your systems and controls;
    6. Procedures for documenting and reporting security events and your company’s response; and
    7. A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.
  9. Require your Qualified Individual to report to your Board of Directors: To ensure the success of your information security program, the Qualified Individual you engage must report to your Board of Directors, its equivalent, or to a senior officer at least annually. The report must cover an overall assessment of your dealership’s compliance with the program, specific topics related to the program (e.g., risk assessment, test results, risk management and control decisions, etc.) and recommendations for any changes to the program.

How eSentire Can Help You Achieve Compliance with the Safeguards Rule and Protect Your Auto Dealership Against Critical Cyber Threats

Complying with the Safeguards Rule’s updated requirements is a daunting challenge, and few dealerships will have the in-house skills, experience, and time to interpret the law and implement all the necessary information security program elements.

To help guide auto dealers make the necessary investments and changes, the National Automobile Dealers Association (NADA) published A Dealer Guide to The FTC Safeguards Rule, which contains a detailed explanation of the Safeguards Rule, its requirements, and a roadmap for achieving compliance.

Additionally, eSentire’s Managed Risk, Managed Detection & Response (MDR), and Digital Forensics and Incident Response portfolio offers many services that align with the Safeguards Rule’s requirements:

To learn how eSentire can help your auto dealership comply with the updated Safeguards Rule and put your business ahead of disruption, connect with an eSentire cybersecurity specialist today to get started.

eSentire
eSentire

eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.

Read the Latest from eSentire