How the New FTC Safeguards Rule Update Will Impact Auto Dealerships

On June 9th, 2023, new Federal Trade Commission (FTC) Safeguards Rule requirements will come into effect. By this date, auto dealerships throughout the United States are expected to have deployed and implemented an information security program with administrative, technical, and physical safeguards designed to:

• Ensure the security and confidentiality of consumer information
• Protect against anticipated threats or hazards to the security or integrity of that information
• Protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

The update to the Safeguards Rule extends the requirements first introduced in the 2003 Gramm-Leach-Bliley Act and coincides with a number of cyberattacks against auto dealerships around the world:

• In early 2022, Europe’s largest car dealer, Emil Frey, was victimized by the Hive ransomware gang.
• In the last few months, two major car dealerships in the United Kingdom — Pendragon and Holdcroft — were impacted by ransomware attacks. In the case of Pendragon, the hackers threatened to release 2TB of stolen data unless the dealership paid $60M USD.

These cyberattacks aren’t contained to Europe – auto dealerships in the United States are also at severe risk. In fact, a study released in October 2022 by leading automotive retail software provider CDK Global revealed that 15% of dealers — nearly one out of every six — experienced a cybersecurity incident in the past year, resulting in sensitive data breaches, business interruptions, and loss of revenue.

So, what makes auto dealerships an attractive target for cybercriminals? There are two primary reasons:

1. Auto dealers have a considerable amount of sensitive data on their customers and are even considered financial institutions by the FTC
2. Many auto dealerships may not think of a cybersecurity incident as a real threat

Auto Dealerships are Financial Institutions with Highly Valuable Customer Data

First, automotive dealerships are considered financial institutions and as a result, they process and store an abundance of sensitive customer information. This data holds considerable value for attackers because it can be used to extort a payment from the victim and because it can be leveraged in additional cyberattacks.

In the Safeguards Rule’s terminology, “customer information” is defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” It also further defines personally identifiable financial information to mean any information:

• A consumer provides to you to obtain a financial product or service from you;
• About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
• You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

Just to clarify the breadth of what’s covered by that list, the Safeguards Rule also provides the following specific examples:

• Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
• Account balance information, payment history, overdraft history, and credit or debit card purchase information;
• The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
• Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
• Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a credit account;
• Any information you collect through an internet “cookie” (an information collecting device from a web server); and
• Information from a consumer report.

Auto Dealerships May Not Prioritize Cybersecurity Programs

Many auto dealerships may think of themselves as a local small business within a community. In addition, their senior leadership team may understand the value of cybersecurity – in general – but may not see themselves as an attractive target. Therefore, it’s likely that cybersecurity is not top-of-mind for auto dealerships, rendering them poorly prepared to withstand or recover from a cyberattack.

For example, the CDK Global study found that only 37% of auto retailers reported being confident in their current level of protection against cyber threats. Interestingly, this is a 21% decrease in preparedness compared to the findings of their 2021 study.

As a result, cybercriminals, many of whom have the means to use Ransomware-as-a-Service (RaaS) or Malware-as-a-Service (MaaS), recognize the average car dealership as a fairly low-hanging fruit with the potential of a quick payday.

9 Elements That Must Be in Your Information Security Program

According to Section 314.4 of the Safeguards Rule, there are nine elements that your company’s information security program must include:

1. Designate a Qualified Individual to implement and supervise your company’s information security program: The goal here is to engage an internal, or external, CISO-level expert who is familiar with your company, your industry, and the specific cyber threats that can impact your dealership. However, if you engage an external provider, you need to have a senior employee manage the program alongside the provider since you’ll be held responsible.
2. Conduct a risk assessment: Given the large amount of critical data your dealership stores and has access to, you must conduct a full inventory of that data. Following the inventory, conduct a risk assessment so you can account for all potential cyber risks and threats that can impact your dealership.
3. Design and implement safeguards to control the risks identified through your risk assessment: To ensure your information security program is effective at safeguarding your data, you’re expected to:
   1. Implement and periodically review access controls.
   2. Know what you have and where you have it.
   3. Encrypt customer information on your system and when it’s in transit.
   4. Assess your apps (if applicable).
   5. Implement multi-factor authentication (MFA) for anyone accessing customer information on your system.
   6. Dispose of customer information securely.
   7. Anticipate and evaluate changes to your information system or network.
   8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
4. Regularly monitor and test the effectiveness of your safeguards: It’s not enough to simply onboard a set of tools and technologies and presume you have the necessary controls to limit cyber threats. Engaging a service like penetration testing will allow you to test your cyber defenses to ensure there are no gaps in your cybersecurity posture. The FTC also recommends conducting a vulnerability assessment to ensure there are no weaknesses in your applications, systems, and devices.
5. Train your staff: Humans are by far the weakest link in cybersecurity so it’s critical that you’re continually educating, and empowering, your employees to recognize the signs of a phishing attack or business email compromise (BEC) scams as well as cyber threats that rely on drive-by social engineering tactics (e.g., SEO poisoning).
6. Monitor your service providers: Third-party supply chain attacks are some of the biggest threats impacting businesses – no matter the size or industry. Therefore, it’s your responsibility to ensure that any contract you sign with a third-party service provider outlines your expectations for cybersecurity, especially if that third-party has access to your sensitive data.
   • Last year, Volkswagen suffered a significant data breach that exposed the contact information and personal details — including driver’s license numbers — of customers in the United States and Canada. This headline-grabbing incident impacted 3M+ customers – 90,000 of whom had especially sensitive information stolen. The source of the breach? A third-party company that worked with VW.
7. Keep your information security program current: Cybercrime is constantly evolving; there are new threats in the market and cybercriminals are constantly evolving the tactics, techniques, and procedures (TTPs) to ensure they fulfill their objectives. Therefore, your information security program must also keep up with the changing pace. Continually assess to ensure you’re on top of your cyber risks, emerging threats, and any gaps in your program to stay ahead of the threat curve.
8. Create a written incident response plan: No matter how strong your cyber defenses are, there is no guarantee you can prevent a cyberattack from happening. Therefore, you must maintain an incident response readiness plan that accounts for:
   1. The goals of your plan;
   2. The internal processes your company will activate in response to a security event;
   3. Clear roles, responsibilities, and levels of decision-making authority;
   4. Communications and information sharing both inside and outside your company;
   5. A process to fix any identified weaknesses in your systems and controls;
   6. Procedures for documenting and reporting security events and your company’s response; and
   7. A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.
9. Require your Qualified Individual to report to your Board of Directors: To ensure the success of your information security program, the Qualified Individual you engage must report to your Board of Directors, its equivalent, or to a senior officer at least annually. The report must cover an overall assessment of your dealership’s compliance with the program, specific topics related to the program (e.g., risk assessment, test results, risk management and control decisions, etc.) and recommendations for any changes to the program.

How eSentire Can Help You Achieve Compliance with the Safeguards Rule and Protect Your Auto Dealership Against Critical Cyber Threats

Complying with the Safeguards Rule’s updated requirements is a daunting challenge, and few dealerships will have the in-house skills, experience, and time to interpret the law and implement all the necessary information security program elements.

To help guide auto dealers make the necessary investments and changes, the National Automobile Dealers Association (NADA) published A Dealer Guide to The FTC Safeguards Rule, which contains a detailed explanation of the Safeguards Rule, its requirements, and a roadmap for achieving compliance.

Additionally, eSentire’s Managed Risk, Managed Detection & Response (MDR), and Digital Forensics and Incident Response portfolio offers many services that align with the Safeguards Rule’s requirements:

• Our Technical Testing services can help to address the Safeguards Rule’s need to monitor and test the effectiveness of your safeguards.
• Our Managed Vulnerability Service fulfills a significant part of the Safeguards Rule’s “risk assessment” and will help build continuous awareness of the threat landscape, identify vulnerable systems, and prioritize and remediate them immediately.
• Our Virtual CISO service can help fill your organizational gaps as you build out your information security program. A dedicated vCISO resource can also work with your dealership as your Qualified Individual who can help you undertake, and implement, the Safeguards Rule and ensure the program’s success.
• Our Managed Phishing and Security Awareness Training (PSAT) directly addresses the need to train your staff so they can be an important line of defense, rather than a liability, and drive behavioral change with your employees to help you build a culture of cyber resilience.
• Our 24/7 multi-signal Managed Detection and Response (MDR) service provides around-the-clock security operations, deep visibility across your entire attack surface, 24/7 threat detection, investigation, and proactive response against any threat that bypasses your existing defenses, ensuring that customer data is never breached or exfiltrated.
• Our Digital Forensics and Incident Response program can be engaged on a retainer basis so you can respond with industry-leading speed and efficacy with a 4-hour threat suppression SLA anywhere in the world. Our Incident Response (IR) experts can also help you develop a comprehensive Incident Response (IR) plan.

To learn how eSentire can help your auto dealership comply with the updated Safeguards Rule and put your business ahead of disruption, connect with an eSentire cybersecurity specialist today to get started.