Understanding the FTC Safeguards Rule for Auto Dealerships


With roots in the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule applies the definition of “financial institution” to a broad swath of businesses that provide financial services to customers, including auto dealerships that extend credit or arrange financing and leasing.

The rule “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”

With the prospect of non-compliance and fines looming, organizations need to act on the nine requirements and make sure they are in a strong position to protect consumers’ financial and private data. Each of these requirements has two parts: one is an action item, and the second is the ability to document that action and follow up on it.

Security is a journey, not a destination. This will be an ongoing process for auto dealerships, with many of the requirements calling for periodic follow-ups and adjustments.

In addition, it’s important to note that while these requirements can seem overwhelming, many can be handled from a business perspective. No dealership needs to hire an employee with a PhD in computer science to stay in compliance, and there are multiple third-party organizations that can assist with these requirements.

So, what are the nine requirements and what do they mean for auto dealerships?

Nine Requirements of the FTC Safeguards Rule for Auto Dealerships

There are nine major requirements for auto dealerships to stay compliant under the new rules:

1. Designate a “qualified individual” to implement and supervise your dealership’s information security program

This individual won’t need to implement every aspect of the security program (they won’t be the person installing the software), but they do need to understand the organization and its business needs, and be able to oversee IT tasks and projects. Who this person is will depend on the dealership, but naming a specific person is critical for organizations to continue their security journey and achieve compliance.

2. Conduct periodic risk assessments to inform and guide the continued updating and enforcement of your information security program

You can’t protect what you don’t know you have, so it’s important for auto dealerships to evaluate their own security program before deciding on future protections. This requirement is about understanding the business’ structural risk and the security controls already in place. A good way to approach the assessment is to track customer information through its lifecycle and understand how it moves into, through, and out of the business. That will help identify vulnerabilities and pain points. Remember that information security is a broad term, and that every part of the environment, from the cloud to identity to endpoints, should be considered under this requirement. Holistic visibility is key here.

3. Implement customer information safeguards to control the risks identified in the risk assessments

Once an auto dealership understands its risk, it needs to take steps to mitigate that risk. This is not a one-and-done requirement, but an ongoing task that will change as vulnerabilities and business needs change.

Customer information is defined broadly, so it’s best to treat any customer information as sensitive data and make sure these practices apply to all of it. The rule highlights a few specific safeguards that are becoming standard across industries: multi-factor authentication (MFA) for anyone accessing an information system that holds customer information, encryption of customer information both in transit and at rest, and secure disposal of customer information once it is no longer needed for a legitimate business purpose. If your organization is choosing which safeguards to address first, those are strong contenders. Following a zero trust strategy and implementing proper identity and access management (IAM) will go a long way toward meeting this requirement.

4. Regularly monitor and test your safeguards

This, again, is a requirement that should be ongoing. The rule accepts two approaches to monitoring and testing: continuous monitoring, or a combination of regular penetration testing and periodic vulnerability assessments. While the second option appears at first to be the simpler one, penetration testing is a heavy lift and produces only a point-in-time picture of your security environment. Continuous monitoring can identify threats in real time and feed into a vulnerability management strategy. Ideally, an organization will have both continuous monitoring and vulnerability assessments in place.

Many incidents start with vulnerabilities that could have been patched earlier. Monitoring may alert your team to an in-progress incident, but timely vulnerability remediation can prevent that incident from occurring in the first place.

5. Train your staff

Employees are the first line of defense, and often, the first to be targeted by social engineers. In the 2024 Arctic Wolf Labs Threat Report, social engineering, including phishing, accounted for 11.3% of non-business email compromise (BEC) incidents. According to Verizon’s Data Breach Investigations Report, 76% of social engineering attacks were used to compromise credentials in 2023. Human risk is only growing.

Training should be a comprehensive, ongoing process that addresses threats specific to the industry and adjusts when those threats change. There are many security awareness training programs on the market, and organizations should consider one that is both a light lift for IT departments and full of relevant, engaging content.

6. Monitor your service providers

Auto dealerships deal with many third parties, from financial organizations to auto parts suppliers to technology providers. Any entity with access to your systems or customer data introduces risk, and that risk needs to be managed continuously. The rule expects dealerships to select service providers capable of maintaining appropriate safeguards, to require those safeguards by contract, and to periodically assess whether vendors are actually meeting them. This is a collective effort that will change over time.

7. Keep your information security program current

There are two important facets to this requirement. First, out-of-date software and unpatched vulnerabilities are major attack vectors. Second, a security program should be flexible, because security needs change. What worked six months ago may not be effective today, so it’s important for auto dealerships, and especially the designated qualified individual, to make sure the program is re-evaluated periodically.

8. Develop and implement a written incident response plan

This requirement needs the designated qualified individual, business leadership, and multiple departments to execute. The goal is to bring departments together to understand what would be needed in case of a breach, including who does what, how decisions are communicated, and how the incident is documented and reviewed afterward, and to make sure all of that information is known and accessible before an incident occurs. The plan can be as detailed as needed, and it should be updated regularly to reflect changes in the security environment as well as in the business.

Learn more about incident readiness and the value of not only an incident response plan, but a retainer that will help your organization swiftly respond to and remediate an incident.

9. Require your qualified individual to report to your board of directors

Not every auto dealership has a board of directors, but every dealership has leadership that a qualified individual can report to. This requirement is about accountability: a regular written report that confirms the above requirements are being met and identifies any adjustments that need to be made. Every part of the organization needs to be on the same page for compliance to be continually met.

Why Do Auto Dealerships Need to Comply?

Auto dealerships are attractive targets for cyber attacks (including ransomware) because they have what cybercriminals want: consumers’ private data and financial information. Many of the major breaches of 2023 targeted private data, and according to a CDK Global survey, 17% of auto dealerships suffered a cyber attack in 2023, up from 15% in 2022.

In addition, the auto industry has been slow to invest in cybersecurity. According to CDK Global, only 24% of organizations surveyed said they increased their cybersecurity spending in the last year.

There’s also a major cost that comes with non-compliance. The FTC has established penalties for non-compliance that can reach up to $46,000 per violation per day. Ransomware attacks are also increasing in cost, with the median ransom in incidents responded to by Arctic Wolf® Incident Response now standing at $600,000 USD, not to mention the costs an organization can incur through restoration, remediation, downtime, and reputation damage.

So, what do auto dealerships need to do to make sure they’re in compliance and customer data is safe? It’s more complicated than hiring an IT team or putting up a firewall.

How Arctic Wolf Can Help

As an established security operations organization, Arctic Wolf understands the complexities of compliance and has experience helping previously analog-first businesses improve their security posture and continue their security journey. As mentioned above, maintaining both compliance and security can be difficult in-house, so choosing a partner may be the best solution.

Arctic Wolf Security Operations, led by Arctic Wolf® Managed Detection and Response (MDR), provides 24×7 monitoring and threat detection and can help auto dealerships be in the best position to meet the Safeguards Rule requirements.

Every new requirement for auto dealerships is addressed by Arctic Wolf, which combines technology with human expertise to further your organization’s security journey.

Learn more about the FTC rule change and how to prepare your organization with our dedicated auto dealership hub.

Better understand compliance requirements and how a security operations partnership can help with our compliance page.


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.