In November, the FTC hit the pause button on its updated Safeguards Rule, but dealers must continue to beef up cybersecurity before the new deadline.
The automotive retail industry breathed a sigh of relief after the Federal Trade Commission granted a six-month reprieve to its updated Safeguards Rule.
The FTC pushed back its deadline after industry associations successfully argued against the updates. Their arguments were, “this is too much to ask and too little time,” says Steven Brown, vice president of sales for Airiam, a firm that provides managed IT services and cybersecurity compliance support to automotive dealerships.
Their arguments are not far off, according to Anu Roberts, senior director of product marketing for CDK Global, which helps dealerships with secure automotive commerce platforms. “Our second annual ‘State of Cybersecurity Report’ showed 35% of our dealers are not fully understanding the FTC Safeguards Rule, and less than half are well-prepared,” she says.
The FTC extended the Safeguards Rule deadline by a month after CDK conducted its survey. At that time, dealers still thought they had until Dec. 9, 2022 to comply.
“There is a lengthy list of amendments for dealers to complete,” Roberts says. “It takes time to understand what needs to be done and to put security measures in place.”
Still, many dealerships are taking a wait-and-see approach, which is not the best course of action. “In the last six months, we have called 6,000 dealerships. Around 25% have taken action,” Brown says. “The remaining 75% have said, ‘I’ll deal with that later. I’m still shopping around for service, or screw the FTC, who is really going to check on this?’”
The Need for Better Cybersecurity
The updated FTC Safeguards Rule sets standards to protect customer information. The new rules affect all financial institutions, which must take steps to protect consumer data online and in IT systems.
The measure is vital, Roberts says. “Cybercriminals are getting craftier as auto retailers continue to fall victim to well-disguised attacks,” reported CDK in its “State of Cybersecurity in the Dealership” report.
According to the CDK survey, 15% of dealers experienced a cybersecurity incident in the year before the report. Of those impacted, 85% of occurrences resulted from sophisticated phishing attempts concealed as legitimate emails that led to data breaches, IT-related business interruptions, and loss of revenue.
“We have seen a rise in cyberattacks across all industries. The auto industry is not immune to these attacks,” Roberts says. “Dealerships have something really valuable to hackers. They have personal data and identifiable information that hackers can sell on the dark web to make a lot of money.”
Dealerships are also vulnerable to attack because they often lack cybersecurity know-how. “A lot of them have aging infrastructure and lack internal cybersecurity expertise, which creates a perfect storm of exposure for cyberattacks,” she says.
The FTC ruling is designed to safeguard consumer data, but the steps required by the FTC will also prevent attacks on entire companies, says Brown, who stresses that the average cyberattack can lead to hundreds of thousands to millions of dollars in lost revenue.
Roberts points out that a single payout in a ransomware attack can be as much as $250,000. Add that to lost revenue because the company can’t operate – a period that currently averages 16 days per cyberattack incident – and a loss of trust and reputation among consumers.
“They are looking at substantial costs,” Roberts says. “It is important to have preventative measures in place and a response plan.”
Failing to comply with the Safeguards Rule also has a cost. The agency has the power to impose up to $10,000 per day, per breach. It’s also possible for the FTC to seek more than $43,000 per day for each violation.
The new ruling requires dealerships to protect consumer data through technology and through people and processes. On the technology side, businesses must implement multifactor authentication; put next-generation antivirus systems in place; and add firewalls and a system to patch computers and servers. “But technology will not solve everything,” Brown says. “You can add as much technology as you want, but if you are not implementing it properly, looking at it regularly, and maintaining it, it’s worthless.”
On the people and process side, Brown says businesses need policy documents that outline cybersecurity hygiene practices and procedures, personnel training, and more.
“But in many businesses, these documents become digital paperweights,” he says. “All too often, people don’t even print them, which is a mistake. The documents should be printed and supplemented with training. These practices will not be enforced or maintained without training.”
At a minimum, the FTC requires financial institutions of all types to do the following by June:
■ Assign a qualified person to oversee cybersecurity
■ Encrypt all sensitive information
■ Train security personnel
■ Develop an incident-response plan
■ Regularly assess the security practices of third-party service providers
■ Implement multifactor authentication or another method of protection
“The FTC is really asking dealerships to develop good cybersecurity hygiene, which is something every business should already do,” Brown says.
Six Steps to Take Now
Auto dealerships can journey toward FTC Safeguards Rule compliance by taking the following steps.
1. Assign Cybersecurity to a Qualified Person. The FTC requires dealerships to designate a Qualified Individual, either an employee of the company or a third-party service provider, to oversee the business’s cybersecurity program. “Who in your organization or with your third-party vendor is going to figure out your cybersecurity? The first step in meeting the FTC Safeguards Rule is identifying that individual,” Brown says.
2. Know the Risk. A vulnerability assessment and risk assessment are the next steps, according to Roberts. “Both tasks must be done consistently so that you’re constantly testing and assessing where your gaps are.”
Risk and vulnerability assessments scan for vulnerabilities to identify unknown cyber risks. They help dealerships find and fix vulnerabilities in their cybersecurity.
“These assessments help dealers understand the state of their cybersecurity and build a roadmap of what they need to do,” Roberts says. “Then they can prioritize what needs to be done first. However, these assessments are not one-and-done. They must be ongoing.”
Autonomous Penetration Testing, or PEN testing, also helps identify vulnerabilities, Brown says. The test is a simulation of a cyberattack on a company’s computer system. Companies can get an honest, unbiased glimpse into their security processes and how they are working by regularly performing PEN testing.
“We could PEN-test a 50- to 100-person dealership within an hour and have a report five minutes after that,” Brown says. “Because it is autonomous, you can redo the report monthly or quarterly. We are continuously testing and verifying, fixing, then testing and verifying. But these tests are just a snapshot in time. You may be safe today, but you may have vulnerabilities tomorrow. The landscape is constantly changing.”
3. Make Multifactor Authentication a Priority. Brown believes that the No. 1 thing to help prevent attacks is multifactor authentication. Multifactor authentication requires users to present two or more pieces of evidence to confirm their identity before they may access critical data in business systems.
“It won’t get you into full compliance with the FTC Safeguards Rule, but it will reduce your cybersecurity risk and profile,” he says. “Hackers will take the path of least resistance to access a company’s data. In most cases, that is to walk through the digital ‘front door’ using an employee’s credentials. Password crackers are readily available, and there are massive databases of credentials available to them.” Multifactor authentication is inexpensive.
“It only costs a couple bucks per user, per month,” he says. “If you use Microsoft, you can turn it on for free.”
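The “two or more pieces of evidence” described above can be shown in a few dozen lines. The following is an added example, not code from the article or from Airiam or CDK Global: a login check that requires a password (something you know) and a time-based one-time code (something you have) generated per RFC 6238 with the standard-library `hmac` and `hashlib` modules. The user record, salt and password are constructed for the demonstration; the TOTP secret is the RFC 6238 test key so the output can be checked against the published test vectors. The verifier tolerates one 30-second step of clock drift either way and rejects a code that was already used, which is the replay edge case a real deployment must handle.

```python
import hashlib
import hmac
import struct
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune to your hardware


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the counter the code matched, or None.

    Checks the current step plus `window` steps either side so a phone whose
    clock drifts slightly still works. Uses compare_digest so the comparison
    time does not depend on how many leading digits were correct.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return counter + delta
    return None


def make_user(password: str, totp_secret: bytes, salt: bytes = b"constructed-salt") -> dict:
    """Build a constructed user record: salted PBKDF2 password hash plus TOTP seed."""
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_totp_counter": -1,  # highest counter already accepted; blocks replay
    }


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a reused one-time code is refused even if valid."""
    # Factor 1: something you know.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    # Factor 2: something you have.
    matched = verify_totp(user["totp_secret"], code, unix_time)
    if matched is None or matched <= user["last_totp_counter"]:
        return False
    user["last_totp_counter"] = matched
    return True


if __name__ == "__main__":
    # RFC 6238 Appendix B test key (ASCII "12345678901234567890"), SHA-1, 8 digits.
    rfc_key = b"12345678901234567890"
    print(totp(rfc_key, 59, digits=8))            # 94287082 per the RFC test vector
    demo = make_user("correct horse battery staple", rfc_key)
    now = 1_700_000_000
    code = totp(rfc_key, now)
    print(authenticate(demo, "correct horse battery staple", code, now))  # True
    print(authenticate(demo, "correct horse battery staple", code, now))  # False: replay
```

The drift window and the last-used counter are the two details that separate a toy from a usable verifier: without the window, users get locked out by a few seconds of clock skew; without the counter, a code captured from a phishing page stays good for the rest of its 30-second step.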
4. Tackle Employee Training. Nearly 98% of cyberattacks involve some sort of social engineering, when hackers exploit human behavior to gain access to sensitive or confidential information. The tactics they use are convincing and persuade victims to hand over requested information. It’s vital to train employees to spot those efforts. “This is a crucial line of defense for dealers and is very low-cost to implement,” Roberts says.
She says training must be thorough and occur often. To underscore its importance, she points to an example of a company that conducted security awareness training, then tested employees. It sent an email informing employees that an ice cream truck would deliver ice cream in the afternoon and that all employees had to do was give their badge number to claim their ice cream. Many employees did. “This scenario shows these emails can fool a lot of folks and regular training is required,” she says.
5. Regulate Incident Response. The FTC stresses that every business needs a “What if?” incident response and recovery plan in place for security events that lead to unauthorized access to or misuse of company information.
The plan should detail the internal processes to be activated after a breach. The document defines roles and responsibilities, levels of decision-making, and communication and information sharing inside and outside the company. It should also include a process to fix identified weaknesses in IT systems; measures to document what occurred; and how to conduct a post-mortem review.
Response plan templates are available online, but Brown advises that the best plans are customized to the business. “If you’re just looking to check a box, a template works fine,” he says. “But if you’re looking to improve your cybersecurity, you need a customized plan.”
Roberts says that a response plan can improve recovery times after an incident. “A response plan helps you rebound quickly and minimize your costs,” she says. “But only if you practice the plan.”
She cites a situation that involved a business with a response plan. Business leaders thought they had everything covered but soon realized the plan was useless after a breach because they had never practiced it in a tabletop exercise. Such an exercise simulates and practices the incident-response plan to make sure everyone knows what to do and to identify weaknesses and gaps in the plan.
“You need to practice with all stakeholders and do scenario testing,” she says. “Then have someone come in and do a PEN test. This is another critical way to identify gaps and plug holes before someone else finds them.”
6. Bring in Outside Help. The Safeguards Rule will help dealers prepare for attacks on their infrastructure. But there is much to be done. Both Brown and Roberts agree that a third-party expert can help.
“Partnering with a managed service provider can assist dealerships in eliminating the guesswork for FTC compliance, ensuring a safer, more secure, and up-to-date IT infrastructure,” says Joe Bell, vice president and general manager of IT Solutions, Product & Technology for CDK Global.
A six-month reprieve gave dealers more time to comply with the Safeguards Rule. “But these are things every business should do to protect their business,” Roberts says. “The sooner they get started, the better. It is not a question of if they will get hacked but when.”