AUTOMOTIVE DEALERSHIP SERVICES
IS YOUR DEALERSHIP READY FOR THE UPCOMING FTC REGULATION CHANGES?
DOES THIS AFFECT MY DEALERSHIP?
The Safeguards Rule requires non-banking financial institutions, such as motor vehicle dealers, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
This applies to car dealers who:
- Extend credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family, or household use;
- Arrange for someone to finance or lease a car for personal, family, or household use; or
- Provide financial advice or counseling to individuals.
The deadline for complying with the updated requirements of the Safeguards Rule is now June 9, 2023.
WITH A STAFF OF QUALIFIED AND CERTIFIED CYBERSECURITY PROFESSIONALS WE CAN ENSURE YOUR DEALERSHIP'S COMPLIANCE AND HELP SAFEGUARD YOUR CUSTOMER DATA
Offering support and guidance every step of the way.
WE COVER ALL 3 OF YOUR COMPLIANCE CATEGORIES:
- Reporting & Planning
- Information Security Requirements
- Testing Security
FTC SAFEGUARD ELEMENTS:
- Designate a qualified individual to oversee their information security program
- Develop a written risk assessment
- Limit and monitor who can access sensitive customer information
- Encrypt all sensitive information
- Train security personnel
- Develop an incident response plan
- Periodically assess the security practices of service providers
- Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information
WE DO THIS SO YOU DON'T HAVE TO
APPOINTING A QI (QUALIFIED INDIVIDUAL)
This person must have a reasonable level of security expertise to enable oversight, implementation, and enforcement of the Information Security Program.
In practice, this means the QI must have professional cybersecurity training, since they will be in charge of creating the plans and reports required under this new rule.
This allows the FTC to verify that the law is being followed accurately. There must also be verification that security personnel are taking steps to maintain current knowledge of security issues.
The QI will report to a Senior Member of Dealership Management.
REPORTING + PLANNING
Periodic Risk Assessments
- Where are the gaps in security?
- How safe are you?
- How can we address it?

Written Incident Response Plan
- How can we stop and respond to an attack or incident?
- Who can make the call in case of an emergency?
- How will we get everything back and functioning properly?
- What can we do to make this plan better?

Annual Written Security Assessment
- Are our systems being maintained appropriately?
- What can we do to stay safe in the future?
- What have we found and what are we doing about it?
INFORMATION SECURITY REQUIREMENTS
Multi-factor Authentication (MFA or 2FA)
- Something you know, like a password or PIN
- Something you have, like a cell phone or key card
- Something you are, like a fingerprint or retinal scan

Encryption of Data
- Data at rest in drives, databases, network shares, etc.
- Data being sent through the network, email, instant messaging, etc.

Employee Cybersecurity Training
- Technology can only do so much; the human link is always the weakest
- 90% of all data breaches happen due to human error
- We will train employees on security practices, including but not limited to: internet security, password management and phishing awareness, as well as other basic anti-social engineering training
SECURITY TESTING
Periodic Vulnerability Tests
- Look for known vulnerabilities or gaps in your security and report potential exposure risks
- These scans provide a good framework for the work the IT team needs to perform to harden security measures
- Vulnerability Assessments must be performed AT LEAST every 6 months AND whenever there are material changes to the business

Annual Penetration Testing
- Intended to exploit vulnerabilities and determine the degree to which an attacker or criminal could gain access to systems
- Pen Testing is essentially a simulated attack
- Not just finding weaknesses, but exploiting those weaknesses!
With the knowledge and information gained during both of these assessments, we can pinpoint how effective the security controls are and the areas that need improvement.