Blog — Nov 03, 2022

How the New FTC Safeguards Rule Update Will Impact Auto Dealerships


On June 9th, 2023, new Federal Trade Commission (FTC) Safeguards Rule requirements will come into effect. By this date, auto dealerships throughout the United States are expected to have deployed and implemented an information security program with administrative, technical, and physical safeguards designed to:

The update to the Safeguards Rule extends the requirements first introduced in the 2003 Gramm-Leach-Bliley Act and coincides with a number of cyberattacks against auto dealerships around the world:

These cyberattacks aren’t contained to Europe – auto dealerships in the United States are also at severe risk. In fact, a study released in October 2022 by leading automotive retail software provider CDK Global revealed that 15% of dealers — nearly one out of every six — experienced a cybersecurity incident in the past year, resulting in sensitive data breaches, business interruptions, and loss of revenue.

So, what makes auto dealerships an attractive target for cybercriminals? There are two primary reasons:

  1. Auto dealers have a considerable amount of sensitive data on their customers and are even considered financial institutions by the FTC
  2. Many auto dealerships may not think of a cybersecurity incident as a real threat

Auto Dealerships are Financial Institutions with Highly Valuable Customer Data

First, automotive dealerships are considered financial institutions and as a result, they process and store an abundance of sensitive customer information. This data holds considerable value for attackers because it can be used to extort a payment from the victim and because it can be leveraged in additional cyberattacks.

In the Safeguards Rule’s terminology, “customer information” is defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” It also further defines personally identifiable financial information to mean any information:

Just to clarify the breadth of what’s covered by that list, the Safeguards Rule also provides the following specific examples:

Auto Dealerships May Not Prioritize Cybersecurity Programs

Many auto dealerships may think of themselves as a local small business within a community. In addition, their senior leadership team may understand the value of cybersecurity – in general – but may not see themselves as an attractive target. Therefore, it’s likely that cybersecurity is not top-of-mind for auto dealerships, rendering them poorly prepared to withstand or recover from a cyberattack.

For example, the CDK Global study found that only 37% of auto retailers reported being confident in their current level of protection against cyber threats. Interestingly, this is a 21% decrease in preparedness compared to the findings of their 2021 study.

As a result, cybercriminals, many of whom have the means to use Ransomware-as-a-Service (RaaS) or Malware-as-a-Service (MaaS), see the average car dealership as fairly low-hanging fruit with the potential for a quick payday.

9 Elements That Must Be in Your Information Security Program

According to Section 314.4 of the Safeguards Rule, there are nine elements that your company’s information security program must include:

  1. Designate a Qualified Individual to implement and supervise your company’s information security program: The goal here is to engage an internal, or external, CISO-level expert who is familiar with your company, your industry, and the specific cyber threats that can impact your dealership. However, if you engage an external provider, you need to have a senior employee manage the program alongside the provider since you’ll be held responsible.
  2. Conduct a risk assessment: Given the large amount of critical data your dealership stores and has access to, you must conduct a full inventory of that data. Following the inventory, conduct a risk assessment so you can account for all potential cyber risks and threats that can impact your dealership.
  3. Design and implement safeguards to control the risks identified through your risk assessment: To ensure your information security program is effective at safeguarding your data, you’re expected to:
    1. Implement and periodically review access controls.
    2. Know what you have and where you have it.
    3. Encrypt customer information on your system and when it’s in transit.
    4. Assess your apps (if applicable).
    5. Implement multi-factor authentication (MFA) for anyone accessing customer information on your system.
    6. Dispose of customer information securely.
    7. Anticipate and evaluate changes to your information system or network.
    8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
  4. Regularly monitor and test the effectiveness of your safeguards: It’s not enough to simply onboard a set of tools and technologies and presume you have the necessary controls to limit cyber threats. Engaging a service like penetration testing will allow you to test your cyber defenses to ensure there are no gaps in your cybersecurity posture. The FTC also recommends conducting a vulnerability assessment to ensure there are no weaknesses in your applications, systems, and devices.
  5. Train your staff: Humans are by far the weakest link in cybersecurity, so it’s critical that you continually educate and empower your employees to recognize the signs of phishing attacks and business email compromise (BEC) scams, as well as cyber threats that rely on drive-by social engineering tactics (e.g., SEO poisoning).
  6. Monitor your service providers: Third-party supply chain attacks are some of the biggest threats impacting businesses – no matter the size or industry. Therefore, it’s your responsibility to ensure that any contract you sign with a third-party service provider outlines your expectations for cybersecurity, especially if that third-party has access to your sensitive data.
    • Last year, Volkswagen suffered a significant data breach that exposed the contact information and personal details — including driver’s license numbers — of customers in the United States and Canada. This headline-grabbing incident impacted 3M+ customers – 90,000 of whom had especially sensitive information stolen. The source of the breach? A third-party company that worked with VW.
  7. Keep your information security program current: Cybercrime is constantly evolving; new threats keep emerging, and cybercriminals continually adapt their tactics, techniques, and procedures (TTPs) to achieve their objectives. Therefore, your information security program must keep pace. Reassess it continually so you stay on top of your cyber risks, emerging threats, and any gaps in your program.
  8. Create a written incident response plan: No matter how strong your cyber defenses are, there is no guarantee you can prevent a cyberattack from happening. Therefore, you must maintain an incident response readiness plan that accounts for:
    1. The goals of your plan;
    2. The internal processes your company will activate in response to a security event;
    3. Clear roles, responsibilities, and levels of decision-making authority;
    4. Communications and information sharing both inside and outside your company;
    5. A process to fix any identified weaknesses in your systems and controls;
    6. Procedures for documenting and reporting security events and your company’s response; and
    7. A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.
  9. Require your Qualified Individual to report to your Board of Directors: To ensure the success of your information security program, the Qualified Individual you engage must report to your Board of Directors, its equivalent, or to a senior officer at least annually. The report must cover an overall assessment of your dealership’s compliance with the program, specific topics related to the program (e.g., risk assessment, test results, risk management and control decisions, etc.) and recommendations for any changes to the program.

How eSentire Can Help You Achieve Compliance with the Safeguards Rule and Protect Your Auto Dealership Against Critical Cyber Threats

Complying with the Safeguards Rule’s updated requirements is a daunting challenge, and few dealerships will have the in-house skills, experience, and time to interpret the law and implement all the necessary information security program elements.

To help auto dealers make the necessary investments and changes, the National Automobile Dealers Association (NADA) published A Dealer Guide to The FTC Safeguards Rule, which contains a detailed explanation of the Safeguards Rule, its requirements, and a roadmap for achieving compliance.

Additionally, eSentire’s Managed Risk, Managed Detection & Response (MDR), and Digital Forensics and Incident Response portfolio offers many services that align with the Safeguards Rule’s requirements:

To learn how eSentire can help your auto dealership comply with the updated Safeguards Rule and put your business ahead of disruption, connect with an eSentire cybersecurity specialist today to get started.

eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.