Understanding the Nine Requirements of the FTC Safeguards Rule for Auto Dealerships


Nov 16 Update: The FTC has extended the deadline until June 9, 2023. That means less scrambling and more time for your organization to strategize and meet these requirements.

Auto dealerships need to prepare for changes in the FTC Safeguards rule and understand how they’re going to move forward in compliance with the new rule. 

With roots in the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule expands the definition of “financial institution” to include a broader swath of industries that provide financial services to customers.

The rule “sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” 

With the prospect of non-compliance and fines looming, organizations need to act on the nine requirements and make sure they are in a strong position not only for the deadline but for the future when it comes to protecting consumers’ financial and private data. Each of these requirements has two parts: an action item, and the ability to document and follow up on that action.

Security is a journey, not a destination. So, while the December 9 deadline is an important one, this will be an ongoing process for auto dealerships, with several of the requirements needing periodic follow-ups and adjustments.

In addition, it’s important to note that while these requirements can seem overwhelming, many can be handled from a business perspective. No dealership needs to hire an employee with a PhD in computer science to stay in compliance, and there are multiple third-party organizations that can assist with these requirements.  

So, what are the nine requirements and what do they mean for auto dealerships? 

Nine Requirements of the FTC Safeguards Rule for Auto Dealerships 

There are nine major requirements for auto dealerships to stay compliant under the new rules:  

1. Designate a “qualified individual” to implement and supervise your dealership’s information security program.

This individual won’t need to implement every aspect of the security program, meaning they won’t need to be the person installing the software, but they do need to be someone who understands the organization, the business needs, and can oversee IT tasks and projects. Who this person is will depend on the auto dealership, but naming a name is critical for organizations to continue their security journey and achieve compliance.

2. Conduct periodic risk assessments to inform and guide the continued updating and enforcement of your information security program.

You can’t protect what you don’t know, so it’s important for auto dealerships to evaluate their own security program so they can implement future protections. This requirement is about understanding the business’ structural risk and the security controls in place. A good way to achieve this assessment is to track customer information through the lifecycle and understand how it moves into and out of the business. That will help identify vulnerabilities and pain points.

3. Implement customer information safeguards to control the risks identified in the risk assessments.

Once an auto dealership has knowledge about their risk, they need to take steps to mitigate. This is not a one-and-done kind of requirement, but a task that will be ongoing and will change as vulnerabilities and business needs change.

Customer information is defined broadly, so it’s best to consider any information as sensitive data and make sure these practices apply to all of that information. There are a few specific safeguards highlighted in the rule that are becoming standard across industries, such as multi-factor authentication, information disposal, and encryption, so if your organization is choosing which to address first, those are strong contenders. 

4. Regularly monitor and test your safeguards.

This, again, is a requirement that won’t be completed by Dec 9 but is an ongoing one for organizations. The rule specifies two kinds of monitoring and testing that are acceptable: continuous monitoring, or regular penetration testing and vulnerability assessments. While the second option appears at first to be the easier one, penetration testing is a heavy lift and gives an incomplete, point-in-time picture of your security environment. Continuous monitoring can identify threats in real time and offer vulnerability management strategies.

5. Train your staff.

Employees are the first line of defense, and often, the first to be targeted by social engineers and bad actors. Training should not be a “one-and-done” task but a comprehensive, on-going process that addresses threats specific to the industry and adjusts when those threats change. There are many security awareness training programs on the market, and several are light lifts for the IT Department.

6. Monitor your service providers.

Auto dealerships deal with several third parties, from financial organizations to auto-parts suppliers to technology providers. Any entity that has access to your system poses a threat, so those threats need to be continuously mitigated. A best practice to ensure security is to make sure the contracts reflect this shared agreement and ensure that vendors are meeting security requirements. This is a collective effort that will change over time.

7. Keep your information security program current.

There are two important facets to this requirement: first, out-of-date software is a major attack vector, and second, security programs should be flexible as security needs change. What worked six months ago may not be effective today, so it’s important for auto dealerships, and especially the qualified individual, to make sure the program is re-evaluated periodically.

8. Develop and implement a written incident response plan.

This requirement will require the designated qualified individual, as well as business leadership and multiple departments, to execute. The goal is to bring departments together to understand what would be needed in case of a breach, and to make sure all of that information is documented and accessible. This kind of plan can be as detailed as needed, and it’s recommended that it be updated regularly to reflect changes in the security environment as well as in the business.

9. Require your qualified individual to report to your board of directors.

Not every auto dealership has a board of directors, but every dealership has leadership that a qualified individual can report to. This requirement is about accountability: making sure that all the above requirements are being met and identifying whether any adjustments need to be made. Every aspect of the organization needs to be on the same page for compliance to be continually met.

Why Do Auto Dealerships Need to Comply? 

Auto dealerships are vulnerable to cyber attacks (including ransomware) because they have what cybercriminals want: consumers’ private data and financial information. In addition, the auto industry hasn’t invested in cybersecurity — according to CDK Global, only 24% of organizations surveyed stated they increased their cybersecurity spending in the last year. 

In addition, there’s a major cost that comes with non-compliance. Not only has the FTC established penalties for non-compliance that can go up to $46,000 per violation per day, but ransomware attacks are increasing in cost, on top of the various costs an organization can incur through restoration, remediation, downtime, and reputation damage.

So, what do auto dealerships need to do to make sure they’re in compliance and customer data is safe? It’s more complicated than hiring an IT team or putting up a firewall. 

How Can Arctic Wolf Help? 

As an established security operations organization, Arctic Wolf understands the complexities of compliance and has experience helping previously analog-first businesses improve their security posture and continue their security journey. As mentioned above, trying to maintain both compliance and security can be difficult in-house, so choosing a partner may be the best solution. 

The Arctic Wolf® Managed Detection and Response (MDR) solution provides not only 24×7 monitoring and threat detection but can help auto dealerships be in the best position to meet the new Safeguards Rule requirements. 

Benefits include: 

  • The Concierge Security® Team, who will help your organization improve your security posture through regular meetings and strategy recommendations 
  • Continual vulnerability assessments 
  • Network and cloud threat identification 
  • 24×7 monitoring, detection, and response 

Every new requirement for auto dealerships is covered by Arctic Wolf, which combines cutting-edge technology with human expertise to further your organization’s security journey.

Learn more about the FTC rule change and how to prepare your organization with our dedicated auto dealership hub. 

Louis Evans

Louis Evans is a veteran Product Marketing leader with over four years at Arctic Wolf Networks, where he works specifically on cloud products, as well as partner products, enablement and training. He’s passionate about understanding and fighting back against the next generation of cybersecurity threats.