Federal regulations, like hurricanes, can have costly consequences. And like hurricanes, they can be seen from a long way — if you know where to look.
In the case of hurricanes, we can follow their progress on Wunderground. In the case of federal regulations, we consult the Federal Register — specifically, the April 4, 2019, edition (84 FR 13158, for those who wish to dig deeper at home). That edition contained the Federal Trade Commission’s Notice of Proposed Rulemaking with respect to the Safeguards Rule.
The proposed revisions to the Safeguards Rule are extensive and, as this article’s title suggests, potentially expensive.
It’s hard to believe, but the original Safeguards Rule was less than three pages long. Its proposed expansion would push it to almost 14 pages. And within that expanded heft are a number of changes that will hit dealerships hard — and make the original version look like a friendly little puppy.
Covered entities — and that explicitly includes most automobile dealerships — must designate a chief information security officer, or “CISO.” Designating an employee isn’t necessarily hard. But actually having a qualified employee already on the payroll may prove to be problematic.
In the alternative, the CISO may be an outside service provider, but a senior manager at the dealership must oversee that service provider and the service provider must run an information security program that satisfies the FTC’s rule.
Let’s consider the cost impact of those two approaches.
Insource vs. Outsource
While it is easy to say “Abracadabra!” and designate Bill from Parts as your new CISO, that probably won’t cut it. Bill would need to be educated and experienced enough to credibly take on the duties of a CISO, and those are significant. Put another way, anyone qualified to be a CISO probably wouldn’t be working at a dealership in a nontechnical role anyway.
This fact will inevitably lead dealers to choose between hiring a full-time CISO or engaging an outside resource as a service provider in that role. How much does an in-house CISO cost? According to people in the computer security industry I’ve spoken to, $100,000 to $150,000 is a reasonable range. For a single-point dealer, that is a tall order.
The other option is to hire an outside contractor to perform the CISO duties. These people do not come cheap. My sources say one can expect to pay $4,000 to $10,000 per month for such services. What, exactly, would that sum buy?
The first — and essential — element is the CISO. Among the CISO’s duties is to ensure that either continuous monitoring or periodic penetration testing and vulnerability assessments occur. Neither is cheap.
A robust and continuous network monitoring program is typically priced according to the number of networked devices in your IT environment and can quickly escalate to four- or five-figure price points per month. For that princely sum, you could expect 24/7 live network monitoring within a vendor’s security operations center, where analysts are constantly monitoring the health of your network.
Compared to building this function in-house, this is a bargain. But it is expensive however you slice it.
In the alternative, a dealership may conduct periodic penetration testing and vulnerability assessments. How often? The new rule calls for annual internal and external network penetration testing, and vulnerability assessments every six months.
While network vulnerability assessments (“NVAs”) can be somewhat automated (which helps keep prices down), penetration tests take heavy human involvement and therefore are not easily scalable (read: “expensive”).
Prices vary due to the size and complexity of each individual dealership’s IT environment, but per-test costs can easily exceed $8,000. Penetration tests require an “ethical hacker” to conduct a range of manual tests to emulate a real-life cyberattack, then develop a report listing all the vulnerabilities found — and how to fix them.
Returning to the cost of the outsourced CISO, the $4,000 to $10,000 monthly cost can be expected to include at least some of the NVA and pen test expenses. And that does not include the internal cost of the “senior member of your personnel” required to be responsible for the direction and oversight of the CISO.
And what are the CISO duties that need to be overseen? Here’s a partial list:
- Access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information and to periodically review such access controls.
- Identification and management of the data, personnel, devices, systems, and facilities necessary to achieve your business purposes.
- Restricting access at physical locations containing customer information only to authorized individuals.
- Protecting by encryption all customer information held or transmitted by you both in transit over external networks and at rest.
- Adopting secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information.
- Implementing multifactor authentication for any individual accessing customer information.
- Including audit trails within the information security program designed to detect and respond to security events.
- Developing, implementing, and maintaining procedures for the secure disposal of customer information in any format that is no longer necessary for business operations or for other legitimate business purposes.
- Adopting procedures for change management.
- Developing and implementing policies, procedures, and controls designed to monitor the activity of authorized users and to detect unauthorized access or use of, or tampering with, customer information by such users.
Not only must the CISO perform the duties contained in the Safeguards Rule, but he must also document the steps taken to satisfy it. That written report must be made at least annually and submitted to senior management. The report must demonstrate security efforts; the overall level of risk must be measured through some sort of tangible method in order to track progress. A “check the box” report simply won’t do.
The bottom line here is that what has always been best practice under the original Safeguards Rule is about to become mandatory.
The proposed new rule has not been finalized yet, so its requirements may still change. But change is coming, and it will require a significant effort on the part of dealerships to comply. That effort will not come cheap.
James S. Ganther Esq. is the co-founder and CEO of Mosaic Compliance Services. He is a dealer compliance expert and a prolific writer and speaker. Email him at [email protected].