March 22, 2023 By Jennifer Gregory 2 min read

Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.

The study also found that dealerships experienced an average of 16 days of downtime after a ransomware attack, with an average payout of $228,125. However, the biggest impact of attacks on dealerships is likely the impact on customer loyalty. Some 84% of customers say they would not buy another vehicle from a dealership if a breach compromised their data.

With 36% of data breaches at dealerships related to phishing, it’s not surprising that dealerships rated phishing as their top concern. Other top threats included ransomware, lack of employee awareness, theft of business data, PC viruses or malware and stolen or weak passwords.

Increased vulnerabilities at dealerships

Attacks related to phishing schemes are typically related to user error. According to the National Automobile Dealers Association Workforce Study, the annual turnover rate across all dealership positions is 24%. While this rate has gone down in recent years, dealerships still see relatively high employee turnover. This makes training and compliance a continuing challenge.

Dealerships typically also have unsecured wireless networks for customers to use while at the dealership. While this is a nice perk for customers, especially those waiting for their cars to be serviced, hackers can more easily gain access to customer data through unsecured networks. By moving to guest networks and providing passwords, dealerships can provide more protection and decrease risk.

The CDK Global study found that almost 60% of dealerships plan to increase their IT infrastructure investments. Top investments included antivirus and malware protection tools, which saw a 31% increase from 2021. According to the report, dealers also are updating cybersecurity measures that will protect them from top threats such as phishing and ransomware. Other planned investments reported by dealerships include securing endpoint devices, investing in cybersecurity insurance and continued staff training.

Dealerships must comply with safeguards rule by june 2023

In addition to the increased threats, many dealerships are focusing on cybersecurity to comply with the FTC Safeguards Rule. While the rule was initially planned to be active starting in December 2022, dealerships got an extension until June 2023 to meet the requirements. As a non-bank financial institution, auto dealerships specifically fall under the Safeguards Rule, which requires businesses to develop, implement and maintain a comprehensive security program to keep their customers’ information safe.

To meet the requirements, dealerships must:

  • Designate a qualified individual to oversee their information security program
  • Develop a written risk assessment
  • Limit and monitor those who can access sensitive customer information
  • Encrypt all sensitive information
  • Train security personnel
  • Develop an incident response plan
  • Periodically assess the security practices of service providers
  • Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.

Even with the six-month extension, dealerships must act quickly to meet the new regulations. The requirements for compliance take careful planning and time for implementation. By beginning today, your dealership will be ready both to meet the new regulations and reduce your vulnerability.

More from News

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government. The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of…

Recent developments and updates in Biden cyber policy

3 min read - The White House recently released its budget for the 2025 fiscal year, which supports the government’s commitment to cybersecurity. The cybersecurity funding allocations line up with the FY 2025 cybersecurity spending priorities released last year that included the following pillars: Defend critical infrastructure Disrupt and dismantle threat actors Shape market forces to drive security and resilience Invest in a resilient future Forge international partnerships to pursue shared goals. In 2023, the White House released a 35-page document detailing the new…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today