The recent cyberattack on CDK Global has highlighted the importance of the Federal Trade Commission’s (FTC) Safeguards Rule for the automotive retail industry. This hack, which affected approximately 15,000 dealerships across North America, illustrates the potential consequences of inadequate cybersecurity measures, the need for compliance with federal regulations, and the risks that come with being overly reliant on one vendor.
The FTC Safeguards Rule, which requires auto dealerships to implement comprehensive security programs to protect customer information, would not have prevented the breach, but it could have significantly mitigated the impact of such an attack. However, with many dealerships still working towards full compliance, the industry faces both cybersecurity risks and potential regulatory penalties.
Key Insights
- A ransomware attack on CDK Global disrupted operations for over 15,000 auto dealerships in the US and Canada.
- The attack forced dealerships to revert to manual processes, impacting sales and customer service.
- Industry analysts estimated a reduction in June 2024 sales of over 100,000 vehicles, a 7% decrease compared to 2023.
- The incident exposed vulnerabilities in dealership IT infrastructure and emphasized the need for robust cybersecurity measures.
- Non-compliant dealerships may face severe consequences, including FTC fines of up to $46,517 per violation, legal liabilities, and reputational damage.
- The event highlights the importance of complying with the FTC Safeguards Rule and implementing comprehensive security programs, and it exposes the risk of being overly dependent on one vendor.
- Dealers who adhere to the FTC Safeguards Rule are less likely to be severely impacted by a cyberattack like the CDK Global hack.
Details of the CDK Global Hack
On June 19, 2024, CDK Global fell victim to a ransomware attack that forced the company to temporarily shut down all of its systems. The BlackSuit ransomware group claimed responsibility for the attack on June 22.
While recovering from the initial breach, CDK faced a second cyberattack between June 20 and June 24, further complicating its response efforts. The incident severely disrupted operations for approximately 15,000 dealerships across the United States and Canada, impacting critical functions such as vehicle sales, financing, inventory management, and customer relationship management.
FTC Safeguards Rule Overview
The Federal Trade Commission’s Safeguards Rule, issued under the Gramm-Leach-Bliley Act, requires auto dealerships to develop and maintain comprehensive security programs to protect customer information. Key requirements include:
- Designating a qualified individual to oversee the information security program
- Conducting regular risk assessments
- Implementing specific safeguards like access controls and data encryption
- Developing an incident response plan
- Providing employee training on cybersecurity practices
- Overseeing third-party service providers
The deadline for compliance with the updated rule was June 9, 2023. While exact compliance figures are unavailable, many dealerships are likely still working towards full implementation due to the complexity of the requirements.
Financial Risks of Non-Compliance
Non-compliance with the FTC Safeguards Rule poses significant financial risks for auto dealerships. Fines can reach up to $46,517 per violation, potentially accumulating rapidly for dealerships handling numerous customer transactions daily.
Given the industry’s thin profit margins of 1-2%, even a single fine could wipe out profits from hundreds of car sales. Smaller dealerships or those with limited financial buffers are particularly vulnerable, as the cumulative effect of fines, compliance costs, and potential reputational damage could threaten their business viability. To mitigate these risks, dealerships should prioritize compliance efforts, implement comprehensive security programs, and consider cybersecurity insurance to offset potential costs associated with breaches or non-compliance penalties.
Additionally, auto dealerships could face increased legal liability and potential lawsuits from customers whose data was compromised. The reputational damage could be significant, potentially leading to loss of business and customer trust.
Furthermore, these dealerships might experience more extensive operational disruptions and financial losses compared to compliant counterparts, as they may lack proper incident response plans and security measures.
The FTC may also impose long-term consent decrees or extensive injunctive relief, hindering future business operations. Given the scale of the CDK Global hack, non-compliant dealerships could find themselves under intense regulatory scrutiny, potentially facing costly audits for years to come.
How FTC Safeguards Compliance Helps Car Dealerships Prepare
Compliance with the FTC Safeguards Rule, including the requirement to implement a WISP (Written Information Security Plan), can help car dealerships be better prepared in several ways:
- Enhanced security measures, including access controls, encryption, and multi-factor authentication, significantly improve resilience against cyberattacks
- Mandatory incident response plans enable faster and more effective recovery from security breaches
- Improved vendor management practices help assess and mitigate risks associated with third-party service providers
- Reduced security “choke points” that arise from over-reliance on one vendor to perform multiple functions
- Regular risk assessments and employee training foster a culture of cybersecurity awareness
- Proper data handling and protection practices build customer trust and loyalty
- Demonstrated compliance due diligence, which can mitigate legal and reputational risks in the event of a breach
Simply put, CDK customers that were FTC Safeguards compliant would not incur FTC fines for non-compliance, are more likely to work with vendors that adhere to top-level security standards, and most likely have backups in place in case their systems fail.
Additionally, good-faith adherence to the FTC Safeguards Rule would have identified the major choke point of being strictly reliant on CDK, or on any other single vendor, and the inherent risks of that relationship.
Lessons and Path Forward
The CDK Global cyberattack serves as a stark wake-up call for the automotive industry, highlighting the critical importance of robust cybersecurity measures and compliance with regulations like the FTC Safeguards Rule. This incident has exposed the vulnerabilities inherent in relying heavily on a single software provider and underscored the need for dealerships to prioritize data protection and system resilience.
Moving forward, dealerships must invest in comprehensive security programs, employee training, and incident response planning to mitigate risks and protect their operations and customer data. The financial and reputational consequences of non-compliance, as demonstrated by this attack, far outweigh the costs of implementing proper security measures. Ultimately, this event should catalyze an industry-wide shift towards stronger cybersecurity practices, ensuring better protection against future threats and fostering greater trust between dealerships and their customers.