The FTC Safeguards Rule: Get Your Dealership in Compliance

What does it mean for auto dealers? The June 9, 2023, compliance deadline has come and gone. Owners and management are accountable for the program, so they should receive periodic updates on the status of their cybersecurity program. While this may seem like just another compliance requirement, regulatory enforcement actions across industries continue to increase because of consumer data exposure and the material impact such incidents have on organizations. Failure to comply with the rule could result in financial penalties and expose your organization to legal risk. The cost of addressing a cyber incident after it happens can be up to 6 times greater (6X) than the cost of investing in preventative measures and the appropriate policies, processes, and procedures to mitigate risk. The 6X figure does not include any civil actions that can follow a breach of customer information, since your organization is responsible for protecting the personal information it collects.

The FTC Safeguards Rule requires dealerships to have a comprehensive information security program. This includes conducting an annual risk assessment and regularly testing your information systems with assessors who try to circumvent or defeat the security features and attempt to penetrate databases or controls from outside and inside your organization. This is more than running an automated scanning tool.

The FTC outlines specific requirements for security controls, but their design and implementation should be based on an understanding of the risks that could harm or inconvenience your customers. That implies regular cyber threat intelligence updates for your leadership and regular testing of the effectiveness of key controls, systems, and procedures, including tabletop exercises so that your organization knows what to do and whom to contact when a cyber incident occurs. Auto dealers should beware of “solution providers” who claim to offer an “all in one” compliance solution based on a “check the box” approach, because one size does not fit all organizations.

Information security programs are not static; they change based on many factors, including internal and external risks, business processes, and organizational culture, so a program must be tailored to your organization (fit for purpose). This matters because the program defines the level of risk the organization is willing to accept in pursuit of its business objectives, and it serves as strategic guidance that helps leaders make informed decisions about activities, initiatives, and investments. If you are not compliant with the current FTC requirements or need independent advice, Withum can help you understand the rules and get you moving toward compliance.

Author: Jason Spezzano, Executive Cybersecurity Advisor | [email protected]

Contact Us

For more information on this topic, contact Withum’s Dealership Advisory Services Team.