Safeguards and Cybersecurity Q&A
Disclaimer
This content is not intended and does not constitute legal advice or recommendations. You are responsible for compliance with applicable laws and regulations, and you should seek your own legal advice and counsel with regard to compliance with the legal obligations described in this recording.
Intro
Shawn Leibold: Well, good morning, and welcome to our Q&A session on FTC safeguards and cybersecurity. My name is Sean Leibold. I’m the director of Industry relations here at Reynolds and Reynolds, and I’m joined by a panel of great industry experts. I’m going to start off with Brad Holton, founder of Proton Dealership IT. Thank you, Brad, for joining us this morning.
Brad Holton: Thank you, thanks for having me.
Leibold: Also joined by Nikhil Kalani. He’s our Chief Information Security Officer here at Reynolds and Reynolds. And also, graciously joining us via Zoom is Brad Miller, who’s our Chief Regulatory Counsel and Digital Affairs and Privacy Officer at NADA. Good morning, gentlemen and thank you again for joining us.
Brad Miller: Thank you.
Leibold: Brad Holton, I’m going to kick off to you real quick. Can you set the stage where we’re at and why we’re having this Q&A session this morning?
Holton: Sure! In the last several years, we’ve seen in the industry and the automotive world tons of increases of cybersecurity breaches, events, ransomware attacks — all sorts of events that are really putting a lot of pressure on dealers to improve security and to protect data. And I think the FTC has also, obviously, been watching all of that. They’ve come out with their updated safeguards last October that basically requires dealers to start taking cybersecurity very seriously and puts a whole list of criteria out there that dealers need to make sure they protect data and to protect the environment inside their network.
Those two things together are really kind of driving a significant conversation about how dealers approach cybersecurity — how they need to address things and change things in order to comply with this new regulation. And, of course, we’re also seeing a significant change in cyber insurance right now, as well, as a result of all those breaches, and that’s really putting a lot of pressure on dealers. So that’s what’s making this the hot topic. Dealers that I talk to all the time — they go to 20-groups, they go to state association meetings, whatever — and they always come back and [talk about] cybersecurity, and someone being breached, and somebody having a ransomware event. Somebody being down for a week is always a hot topic.
We kind of refer to that as the loudest secret out there, because nobody wants to talk about it, but everybody knows it happens. I think that’s really kind of what makes this a hot topic for dealers right now.
Leibold: That’s great. And, Brad Miller, from your perspective, how would you answer that same question on, “Why are the four of us getting together to talk about this very serious issue?”
Miller: Sure! I think specifically from a regulatory perspective, what’s driving this — in addition to what Brad said, in terms of the overall increase of focus on data security — the FTC specifically has changed the rule that applies to dealers. Okay?
Dealers are regulated — in our industry, dealers are the regulated entity. It’s not the OEM, it’s not the dealer vendors — it’s the dealers, because they are deemed to be financial institutions under federal law. As a result of that, they’re subject to a statutory mandate and a specific data security rule called the FTC Safeguards Rule. As Brad mentioned, they amended that rule very significantly last year.
The date that I want folks to remember is December 9th of this year (2022). That is the deadline for compliance with these — a litany of specific new requirements that the dealers have to meet. And, frankly, many vendors and service providers of dealers also have to meet by December. So the overall theme, and the overall atmosphere, has definitely changed as Brad has mentioned, but specifically we’ve got the statutory mandate that’s really driving activity in 2022. It’s going to continue, because it’s not a one-time set and forget; it is do it, and then make sure you’re amending it, updating it, and keeping up with it. This arms race will go on forever, and it’s a kind of thing that dealers are not going to be able to just, “Okay, I’ve checked that box, now I can move on.” You really have to change the way you do your business and dealers have come to grip with that. It’s a big change.
Leibold: Nikhil, I’m going to throw that question at you as well, because obviously you do a great job of protecting Reynolds and that same world. Why do you think we’re here today?
Kalani: Let’s tie a couple of things together. Brad talked about technical security, right? Defending against attacks. The FTC wants this as well for the consumer protection. They’ve got regulations that are very prescriptive. And so, our goal here is to tie together this combination of related, but separate, topics — there’s true security, technical security, and then complying with regulations. We’ll work through both of those and see how they fit together, and how a dealer can then help themselves from a technical perspective, as well as meet their compliance obligations.
Cyberattacks in Automotive
Leibold: That’s perfect. I’m going to break it down a little bit, and I’m going to throw the question to you, [Nikhil and Brad Holton]. What do cyberattacks in the automotive industry look like?
Kalani: Nowadays, the way modern attacks work — it’s very easy for the attacker. They send an email, the unsuspecting user may click on a link or open an attachment that’s malicious. Now this attack is starting from inside the network.
Ten years ago, the attack came from the outside, trying to get through your firewalls. That’s all gone. The attack’s now inside the network. The attacker has a foothold on that one PC from which to start to explore. “What else do you have on the network? Let’s look around. Let’s see what else we can get.”
As they find resources, they don’t begin to encrypt them right away. The first thing they want to do is steal information. What happens with this is, now even if you can recover from their next step — which is encrypting all of your infrastructure — even if you can recover by a backup, they still have the information, so they can extort you for the data breach (because you have to release information to your consumers, maybe reputational loss), so they can extort you for that breach.
If you are able to recover from their next step— which is encrypting the infrastructure — and if you can’t recover from that, well they got you there, too. The typical playout is, they want to know how much your cyber insurance policy will pay out, and, coincidentally, that’s exactly how much they want from you and they will give you a decryption key if you pay the amount.
Leibold: Unbelievable.
Holton: Yeah. In Vegas at the last NADA, we did a presentation on cybercrime and we came up with about six stories that were real breaches — real attacks that dealers had gone through. We had to turn it in to get to the legal review at NADA in, I think, August, even though the presentation wasn’t until spring. By the time spring came, and I got up on stage, I said, “Okay, these are a great six stories, but I’ve got 18 more stories that happened since these six stores were turned in.”
It’s something that we see constantly. We call it incident response. This is when we get a call from a dealer who has been referred to us and who’s in the middle of a breach, or it’s just started, or maybe they’ve even been down for a week. We had one call where a dealer had been down for almost two weeks. When I say, “down,” I mean down — no email, phone system wasn’t working, it was limping along. They couldn’t get their DMS working. All their files were gone. Computers didn’t operate.
It’s a consistent problem we see, and when it does hit, it is not something that is going to a two-hour or even a two-day inconvenience.
Leibold: I’m sure they love going back to paper and pens, right? [laughs]
Holton: [sarcastically] Everybody loves the four-square, right? Getting it out and trying to work out a deal!
In today’s dealership, you cannot do anything without a computer. You really can’t. Everything’s in the CRM, it’s in the DMS, and all your desking tools. Everything is electronic. There’s just no way to do it [without a computer].
So, as Nikhil was saying, the double-extortion process — we see that all the time, where everything’s ransomed and they take the data as well, then they exfiltrate that back to you over the dark web. It’s consistent; it’s ongoing. I would say probably at least twice a month, we know of dealers that get referred to us in some way going through this experience.
Kalani: So one more point to add is the timing of these attacks. They want to attack you when it’s going to hurt the most. So before a big holiday, before a big sale, nights and weekends, especially before the big sale are prime moments for the attackers.
Leibold: Sure. Most vulnerable.
Kalani: Most vulnerable. Most profitable for them.
Miller: All good points. And, from a legal perspective, let me just add a couple of things. First of all, one of the requirements in the new Safeguards Rule is that dealers — by December — have to have a written incident response plan. Brad [Holton] sort of alluded to that. It’s one of the things that makes this sort of a pain to comply with, but it’s a very good idea. Because, frankly, if you are not prepared — if it’s Friday, as Nikhil said, before the big, Labor Day sale — and all of the sudden you’re getting a ransomware demand, if you don’t even know — if the dealer’s on vacation, or no one knows who’s going to be responsible for taking what steps — you’re in real trouble.
So the written incident response plan in part requires you to think about what you’re going to do in advance should something go wrong. That’s a very valuable step. Now, it’s not going to protect you, necessarily, but at least it will get you back on the road to being up hopefully sooner than Brad mentioned — two weeks. Because you’ve got to know: are you going to notify law enforcement? Are you going to notify your outside counsel? Your IT professionals? Are you going to just say, “forget it,” and restart your old system? Are you going to pay the ransom?
I’ll tell you; legally there’s been some change from the federal government. This is a very interesting area, because there’s a question now as to whether it’s even legal to pay these ransomware payments. It’s something that you’ve got to really think about with your lawyer beforehand. But remember, these are not good guys that are doing this. These are often nation-state actors, and many of them are on what’s called the Specially Designated Nationals List under the OFAC rules, and if you pay a ransomware to someone who’s on the OFAC list, you can have some legal liability, yourself.
So you’re in a catch 22, where you had this issue and if you’re not prepared, you’re in deep trouble. But even if you are prepared, you’ve got to make some hard choices with your lawyers about how you’re going to handle it, just from a practical perspective. So, just a couple thoughts.
Again, not to make this even worse, but it’s better to know these things beforehand — before the disaster strikes than after.
Holton: And I would say a lot of dealers, you really got to think about that incident response. How far do you really need to get down into the weeds there and figured out? You need to go pretty far.
A good example: we had a dealer called in Monday morning. This was a couple years ago, but called in Monday morning, got referred to us. He was in the middle of a ransomware attack and they didn’t have any incident response planned, didn’t have any conversation internally. So he had multiple stores — it was a large group — and all the employees went around telling everybody — all the customers — “We’re in the middle of a ransomware event right now.” And so a woman came to pick up her car, couldn’t get her car, was told, “We’re in the middle of a ransomware event, we’ll get to you when we can. We don’t have any computers at work.”
Within two hours, the local TV station had that little thing going up out of the top of the van — you know, the one you never want to see in the parking lot? The dealer calls me back and he says, “Hey, I know you guys are just getting started engaging with us and getting everything working. Buy I’ve got a reporter sitting right here in my office. What do I say?”
He actually put me on the phone with the reporter and said, “Could you please talk because I don’t know what to say.” It was pretty bad.
Miller: I’ll tell you, it’s not only required, it’s one of the good ideas. Legal counsel, your press strategy, your notification of law enforcement. I’ll tell you, there are some good federal law enforcement resources. Federal agencies that deal with these things, actually, in many cases, know the actors involved, they know whether they’re the kind of folks who will — after you pay the ransomware, will they go onto extort you a second time. They can give you some guidance.
They can actually give you some technical tools to help address the specific encryption, maybe even an encryption key. It’s a question really to go through, not just with your lawyer, but from a business perspective. It can really help mitigate these things that happen.
Holton: Yeah, we worked with the FBI Cyber Task Force several times, and they are really sharp guys. They really do care a lot and then give some really good guidance through the whole process.
Leibold: You know, it’s amazing. We’re having these kind of discussions when dealers want to sell cars, and the wany to service cars, but we’re talking about all the things that are most scary, probably, in today’s world.
One of your earlier points, Brad Holden, you had mentioned how things had changed from one speech to the next, from an NADA perspective. So it kind of blends into this next question that I created before we came on here. As these threats — they come and they go, but they’re going to continue to get more sophisticated, because they’re just going to get smarter as we’ve seen over the course of time. IT people, and people that do ransomware, they just get more sophisticated and smart. So what can dealerships do to protect themselves and to stay ahead of that curve, per say, and not be reactive but more proactive in this space?
Holton: One of the things we see a lot is they’re not just getting more sophisticated, they’re also getting more automated. The difference there is that you can see a bot network that will attack millions of targets — millions of individuals — in a matter of an hour at zero cost to a hacker.
Leibold: Explain “bot network” real quick.
Holton: For instance, you might see a toolkit that’s taken over some servers or taken over a bunch of devices. Malware has gotten on these devices. They then use these devices to launch coordinated attacks. It might be email, where they’re sending out millions of spam messages. Now, the spam messages — they all contain some sort of unique attachment. Someone clicks on it, it then dumps their entire mailbox.
So it takes, let’s say for instance, you click on something that you shouldn’t be clicking on, and you don’t have good endpoint detection. You don’t have good tools in place. So, you click on it, you see this little box, and then it goes away. You don’t think anything else about it. Something went wrong. That’s about as far as you got.
What this actually did, in the background: the first thing it did was dump your entire inbox. It dumps, not just your contacts, but your actual conversations. It’s then going to go all conversations you’ve had in the last 90 days, and it’s going to reply to all those people. With that reply is going to be — okay, it’s from you. And the subject line is something that you’ve typed. The text is something you’ve typed. And it’s going to have a little note that says, “Hey, please see the attachment in reference to this conversation.”
Somebody’s going to then get that — all your contacts are going to get that — and, because it’s social engineered to feel like it comes from you, they’re going to going to click on it much more likely. When they do, the process starts over in — their inbox gets dumped.
While the inbox is getting dumped and all this is going on, they’re also scanning your network, dumping your Chrome passwords, dumping every password you’ve got on there — scanning the network, going and looking laterally to try to attack.
So, it all starts with that one little email click, but the entire process is fully automated. We’re seeing it now, millions of times, versus three or four years ago, it might be one guy who loads up a thousand targets and then tries to attach a thousand people simultaneously. Now: fully automated, millions at a time.
So, what do you do? The first thing you do is you look at email. There are statistics all over the place — some say 85–95% of the initial threat vector is coming through email. Because, to Nikhil’s point earlier, you used to have attacks to the firewall and try to get in the network. Now, it’s much easier to use the weakest link inside the network that already exists. That’s the human factor. You’ve always got the weakest link between the chair and the keyboard.
That’s where it’s going to start. Putting good tools in place to prevent email good spam, geoblock countries. If you’re getting email from countries that you’re not doing business with, stop getting email from countries you’re not doing business with! There’s no need for it. Restrict it down, block it down. Put some policies and procedures in place. Educate your employees. Get security awareness training. Make sure we’re doing common sense things.
Are we changing passwords? Do we have passwords? You’d be amazed at how many dealers I can walk into and I can go sit down at an F&I computer, and there’s no password; just hit a button. There you go, it’s up and I can see the last deal that was up right now.
If you take physical security seriously and you have a policy to protect deal jackets, why wouldn’t you have a policy to protect all your information in your systems as well?
Start working through some of that stuff — cyber insurance is always a requirement. At least it should be. Most of the OEMs now are starting to address that, so make sure you’ve got tools like that in place together. And then put everything like that into a common program — an information security plan — that identifies what you have, where your weaknesses are. Do a risk assessment.
There’s a lot of different things that dealers need to be doing, and I know this sounds overwhelming, because I just went through, like, 26 things in 45 seconds. And it is a lot, and it’s something that dealers have to recognize is not the same old thing they’ve been doing.
Bob’s computer repair and the IT guy that also have to be the porter or the parts manager is not the tool you need right now. It’s not the resource you need. This is a cybersecurity issue that is addressed by some sort of cybersecurity functionality, whether you hire it internally or you outsource it. But it’s different; it’s a totally different game. I think having dealers understand that and start to look at all those pieces is really what kicks this off.
Leibold: I agree. Nikhil, do you want to hit on how we can stay ahead of that curve as we move forward and they get more advanced in how they’re going to attack?
Kalani: As much as the bad guys keep getting more advanced, the basics can really help. This is a complex issue, but it can be broken down into some basic building blocks. And, if done well, these will be a pretty solid defense.
Let’s talk about people, process, and technology. The people have to be well educated. They’re the ones opening these emails, right? So, if the people are well educated and cyber-aware, they’re not likely to be as susceptible to these scams. That’s your first defense. Inside Reynolds, we call it a “human firewall.”
You must have good, basic, sensible policies — what to do, what not to do — that serves as a guide to your people, along with the cybersecurity education.
Your IT layer is a very fundamental layer. Good, basic IT hygiene are keeping systems up to date, running on current software, constant patching, monitoring for failures of patching, addressing them, good backups — all of that together gives you a layer on which you can add security. Without a strong IT layer, security can’t work anyway. You’re trying to secure these IT systems. So now, when we get to security, the core tools — Brad already talked about email. That’s a critical tool to have done — a good email filter. Good firewall.
One of the main tools is called EDR — Endpoint Detection and Response. This action by the bad guys is happening at the endpoints — the PCs, the servers, those are called the endpoints. So the modern antivirus is no longer actually called antivirus anymore — it’s called EDR — sits on this endpoint on the PC, Server, etc. It’s constantly monitoring for behavior, not signatures like the old school stuff. It’s looking for the intention of what’s happening on the machine — is the intention looking malicious?
With that kind of technology, you can thwart attacks, because each of these attacks in different businesses, you’ll have unique attack files. The idea is to complete evade signature. So, signature is no longer a really useful security technique. It’s based on behaviors.
Then the third part of that tool is a response part shutting down the attack in software before it gets very far. A good EDR tool will stop the attack in seconds. And now, adding to that, you stop the attack, you’ve got to clean it up, right? The tool will usually do a pretty good job of cleaning it up. But a human layer on top, watching what the tool is doing, and that it responds appropriately — is there additional follow up action required? — that is needed as well. The tool is to be monitored 24/7 by human beings, checking on the whole situation.
So that’s the two layers, and then wrapping all of this up — your employee education, your IT, your security, your cyber insurance policy — wrapping the whole thing up together to form a program gives you a solid defense.
Leibold: Well, I like building just a basic foundation, because — like Brad said earlier in his comment — it seems overwhelming to the dealer. Twenty-six thousand different things that they have to do, but you broke it down in a simplistic, fundamental way. So, Brad Miller, I’m going to throw this question at you. From your role at NADA, can you give us your spin on what does cybersecurity look like in automotive?
Miller: That’s obviously the big question, and I think the message I’d like to give to dealers listening, is that there is a mindset — and you touched on it earlier, Sean. “I sell cars and trucks, I service cars; I’m good at that! That’s what I do, that’s my core competency, and that’s not going to change.”
The reality that dealers have to face is that cyber security awareness and understanding — at least in a basic level — is part of the job. It is a part of the deal. They are swimming in very deep waters, and whether they like it or not, there are all sorts of reasons why their feet are going to be held to the fire. I mentioned earlier that dealers are regulated entities; of course, dealer principals or dealer boards as part of this new rule, there’s a requirement to report to the board or to the dealer principal every year on IT issues.
Now, why is that? It’s because the regulars want to make sure that the folks at the top of the chain and the top of the management of the entity of the financial institution have a basic understanding of this. They can no longer say, “Oh, look. I hire somebody, and I thought they were doing a good job.” It’s important to have all the tools that Nikhil and Brad were mentioning. Dealers have a history of relying on their technology vendors very heavily. I’m not saying that that has to change, but a level of understanding really is going to be required moving forward.
This is part of just doing business these days. It is a cost of doing business. It is a core competency that needs to be developed at the dealership. I know it’s changing rapidly. I know as generations change, it becomes easier, but that’s the hard medicine the dealers have to swallow as you cannot fail to have a basic understanding of these things. You don’t have to be as smart as Nikhil or Brad, but you have to understand the basics, you have to understand the relevance of it, and the importance of it to your store.
Because it’s going to hit you in all sorts of ways — not only enforcement actions, not only private lawsuits if there’s a breach, but frankly it’s becoming part of standard contract terms with your OEMs, with your finance sources, with all your cyber insurance providers. The world has changed, and if you haven’t changed, you’re behind. That’s just the message, and the reality now — having done this for 15 years — I can see a change, and it’s improving. We still have a ways to go, but the message from the dealer perspective is: Put this in the center of your core competencies, because it’s going to need to be done.
Leibold: I’m going to flip it to you, Brad [Holton]. From a Proton side, you gave one example earlier about the TV truck pulling in, the dealer called you. Can you walk us through what that process would look like in a traditional fashion?
Holton: We’ll back up. We got the call on that one, I think it was a Monday morning at 7:30 or 8am. It was actually a dealer group that we had given a proposal to earlier that June. This was in December, I think. So we had kind of been in touch with them, and they called and said, “That stuff you told us that could happen if we didn’t completely get everything in place and overhaul — this is what you meant?”
And I said, “Yeah, this is what we’re talking about.” All we knew at that point was something was wrong, not a single computer worked, all the servers — I mean everything — email — was down. Everything was down.
We got engaged around 7:30; wake up everybody, get everybody going, and let’s get the team going. We sent guys to the tallest stores and tried to figure out, as fast as we could, what was going on. We were able to, actually as we were cleaning things up, we were able to trace it back to see how it actually happened. It had happened through that same email platform I mentioned earlier, where a finance manager had gotten an email. He thought came from the controller, clicked on it, saw a little thing pop up and didn’t think much about it. Literally just a little rectangle popped up, and then went away. That was on Thursday, about 4:35 when he clicked on that. And by 4:39, we were able to see that things had already been downloaded on his computer, they were already scanning, and they already dumped all of his email, already dumped his passwords, all that sort of stuff.
By Friday, we could see that it was reaching out to other computers, scanning the network. Once again — fully automated, still. Nobody was involved. It had already started to penetrate some of the servers. And then Saturday evening, we were able to see in the logs, notes that showed that people were actually logging in now from overseas. We knew it was Eastern Europe; some of the tools they used had Russian alphabet in it. We had a pretty good idea who our hacker was.
Once we were able to see the file extensions, the way they encrypted things, we were able to actually drill right down. It was actually a group that was affiliated with the FSB in Russia. It was called Grim Spider. That was their online moniker they went by. It was… well. We figured all that out.
The dealer — what he experienced from Monday morning until, we’ll call it, Thursday — he was pretty much not doing anything at all. So, we overnighted, I think, 200 PCs. We started wiping PCs that we could, started locking down servers. Basically every single device they had, had been encrypted. When I say encrypted, they actually encrypted the operating system itself — the user files. So, when you try to turn the computer on and log in, it would just error out. Nothing worked at all. All the servers were gone.
Unfortunately, they did not have good backups. Out of all of their stuff, they might have had 10% backed up. Or 15%, something like that. So we did lose a ton of data. Luckily, they did not exfiltrate data ahead of time. So, we were able to go back and look through all the logs — look at the firewall logs, look at all the traffic going out — and we were able to determine they did not package any data and exfiltrate it out in that case. So we didn’t have that double extortion situation, we just had the initial extortion.
We wound up destroying basically everything and starting over. We lit a match and just rebuilt everything. It took about three weeks for them to be 100% operational. By Thursday, we had maybe two PCs in each service drive, one or two PCs in sales, one or two PCs in finance. We had each business function restored, but it was limping along. Even then, it was very painful. Email had to be completely rebuilt from scratch. It was all gone.
It was just one thing after another that you had to put back together, and you had to prioritize who was going to get what. [Even] the simple things you don’t think about, like Office — reloading Office on all the PCs. And all the saved passwords you had on the PCs because everybody just put their passwords in Chrome. All these pain points that it took to get them back to work. It’s a very long process.
Kalani: I had a little bit more to what Brad said here. Once an attack happens, now is the time where you can’t afford to hesitate in how you’re going to respond. So that fluency of responses — working with a professional who has done this dozens and dozens or hundreds of times, who has got the fluency and the tools, no hesitation. That’s what’s needed during an incident response. It’s very difficult, otherwise, for a business to figure this out if this is the first time you’ve ever seen this happen.
Leibold: We’ve said that, if a dealership has the right infrastructure and the right IT infrastructure in place, the cybersecurity pieces in place — how could these attacks be mitigated? Can or can’t they? They think they’re good, right?
Kalani: They can. I’ll answer in two parts. You need to have everything in place — good IT, good security, overall a good cybersecurity program. Then you need to test that program regularly. That’s the point of the risk assessments. That’s the point of external penetration tests and vulnerability tests. All of those are checking: is your program actually working? Then, those are bundled up as reports and given to the seniors at a dealership, so they understand the programs working.
Now, in case of a working program, the way it should happen is when the email has gotten clicked on, the tool should immediately shut down the attack right there and then. So what might be a massive situation, is over in seconds, maybe minutes. The folks watching on the other end — the 24/7 monitoring, that’s part of a good program. They’ll check was the cleanup complete. Anything more to do here? Are we good?
And end of story. If you’ve got the right processes in place. If you don’t have them in place, then what happens is entirely up to the attacker.
Leibold: I think of the test piece is almost like — and dealers can relate — the old mystery shopping days. You get somebody to pretend their sending you something, or you have somebody Mystery Shop you, and you get real, real results from that sort of test, correct?
Kalani: Oh, yes. In fact, it works with email, right? You can proactively send test emails that look like real scams. They’re quite deceptive, and the idea is: Will the users click or not click?
If they do click, then it’s a chance to educate them. You show them: here’s what we see in this email. You could have spotted this as a scam yourself; here’s how. You build up those good habits, good cyber hygiene.
Holton: We actually had a dealer that asked us to build a very customized automotive-specific phishing attack. And we did. We didn’t tell them when it was coming. We sent it out, I think it was a Monday morning around 9am. We sent it to all of his employees. It said that, “You have seven days to accept the new terms and conditions, or your DMS would stop working. You need to click this link to accept the new terms and conditions.”
We sent it out. When you click the link, the page they go to is a browser version that looks exactly like their DMS, but it’s very obvious if you look. We left some Easter eggs all around the screen.
Leibold: Misspellings and…
Holton: The website’s unsecure, and the email itself had spelling and grammar errors in it. So we deliberately made it somewhat obvious. I called the controller for the group at 11am and said, “How’s your day going?” Just to get feedback and see what the response was, and he said, “Oh, it’s not good.”
He said, “The dealer principal’s on the phone with our DMS and he is furious. Apparently we have seven days to get all of our employees to click on this link in this email, and get them to sign it and accept. Or our DMS is going to stop working. They only gave us a seven day notice.”
And I said, “Okay, tell them to hang up the phone. [laughter] That was our phishing email that you wanted us to send you.” And, by the way, anybody that put their username in, we discarded the password, but we kept the username and added it to a spreadsheet and sent it back to them. We got 70% of the dealership to give us their credentials to their DMS.
Kalani: So that’s pretty sophisticated, right? That’s very sophisticated, but it doesn’t have to be that sophisticated. It can be really simple. “Your Amazon package is delayed; click here to check your package status.”
Leibold: Exactly.
Kalani: Everybody gets Amazon packages, right?
Miller: And I’ll just chime in. You said 70% — that’s a shockingly high number, but I’ve seen lots of instances where you do some training, you do an exercise like that, and then if anybody else falls for the exercise, then “has to” do some follow-up training. Those number tend to plummet pretty significantly pretty quickly.
Holton: It definitely works.
Miller: It works both ways, as well. I’ll add one other, from a practical perspective and thinking from a legal perspective as well. You talked about the operational challenges that are raised, but remember that — because of the nature of your business — there is a segment of the data of all non-public personal information that I’ll term of the customer data, basically that you have especially in the front end. It is particularly sensitive from the legal perspective.
So, why do I say that? You mentioned risk assessments a number of times, and that’s one of the requirements the dealers must complete by December 9 — to do a risk assessment. That means you’re looking at all your systems, [and asking], “Where does this stuff live? Who has access to it? What are the risks that can happen based on that access?”
I mentioned that, but just the thought of — dealers have historically had their operations all centralized for a very good reason. Thinking about segmenting networks, keeping that sensitive information in places that are different, because you’ve got an operation channel and —
I mean, if your service lane computers go down, that’s bad enough. But you’ve then lost the customer information, those are two separate legal ramifications: one operational and one legal. I’ll just encourage dealers as they’re thinking about it — and vendors, when they’re thinking about working with dealers — just think about ways to segment our network to narrow the damage, narrow the scope. If you’ve got castle walls and a moat around your system anyway, to put extra layers of protection around the places where the non-public personal information, the customer information lives. Because that’s the dynamite from the legal perspective in terms of breach liability, in terms of safeguard liability, and frankly also for your business.
Those are your customers. You don’t want them being affected. So, again, that’s hopefully not too technical, but I want to dealers to think about, not just: “Hey, it’s a pain in the neck to open my store on a Monday morning,” but “I also have to make sure that sort of really sensitive stuff is uniquely protected as well.”
And, again, I keep saying this because these are all good ideas, and we’ve spent two years saying that the FTC is making dealers do too much. But these are all things that are basically required by the new rule. The FTC has said — what they’ve done, basically, is they’ve taken all their enforcement actions from the last 10 or 12 years and said, “Whatever we made anybody do, we’re going to make everybody do it.”
You don’t have to go through and see which ones are giving the most bang for your buck. You just have to do all these things. But that said, most of them are still good ideas, certainly individually and collectively. It’s hard conceptually if you’re not an IT professional, the nature of data is just so odd. You can see a piece of paper, you can see a car; the data just exists where it exists, and you have to be much more proactive to make sure that it’s limited, that it’s segregated, and that you know where it is, and that, beyond that, it’s not going anywhere else, if possible.
Safeguards Amendments Breakdown
Leibold: That’s a great segue into the next question. But first, I love the passion that all three of you have around this topic. Obviously, it’s something that you’re all very versed in and passionate about, and protecting the dealers. So, with that, Brad Miller, I’m going to ask you: Can you expand and maybe go into a little bit more detail on what does the Safeguards Amendment look like, and break it down a little bit for our audience as well?
Miller: This is a big new rule. This is probably the highest priority issue for the Federal Trade Commission, which is the primary federal regulator for auto dealers in this country. Because, frankly, it’s the thing they get the most complaints about and it’s something they get the most pressure from Capitol Hill about. And, therefore, they respond.
They have issued a new that applies, again, to all financial institution — including dealers. And it’s going to require you to do a number of things. First of all, you have to appoint a person at your store who’s called the qualified individual who’s going to be in charge of all these things. That’s point one.
- Qualified Individual must report in writing to your Board of Directors annually (or senior officers if you do not have a Board of Directors).
Now, is that going to be your office manager? Is that going to be the person who’s the current program coordinator? That’s a current title under the current rule. There’s no real requirement. It doesn’t have to be a SISO (Senior Information Security Officer) level expert like Nikhil, but it does have to be someone who’s qualified.
So, you appoint this person, and then that person has to ensure you’ve done a whole series of things. There’s a series of technical IT issues, like: encrypting data at rest and in transit, enabling multi-factor authentication, as somebody who’s supposed to mention penetration testing, systems monitoring, those kinds of things for internal dealer systems.
- Encrypt data at rest and in transit
- Enable Multi-Factor Authentication (MFA) when accessing consumer information
- Monitor and document who is accessing what information and when
- Implement and review access controls (who has access to what)
Now, you get all that set up, then you’ve got to have four documents that you need by December 9. We talked about a couple of them. One’s a written incident response plan, one’s a written information security program, one’s a written risk assessment, and then one is a written report to your board or your dealer principal.
- Written Response Plan
- Conduct periodic risk assessments (must be written and include criteria used for evaluation)
- Document change management processes for your network
- Document an inventory of your data
- Document a process to evaluate vendor’s security
Those take a lot of work. We put out some guidance. If you’re an NADA member, you can get our guide to this rule on our website. It’s got templates for all these documents you have to put together, so you’re not reinventing the wheel.
But this is going to take some real work and you’ve got to analyze your systems. All the horror with these conversations have been about, you’ve got to know what you have, and where this stuff resides, and what the risks are in that data. I think, frankly, when you start digging into these things, hopefully your eyes will be opened a little bit to some of the risks, when you think about how dangerous these things are.
But, they’re forcing you to look at it and to put it in writing. Then you’ve got to do training, and you’ve got to do some other policy issues. And then, you also have to manage your service providers. Including our friends at Reynolds, you’ve got to go and make sure that you have your service providers doing some of same things that you’re doing yourself.
- Train your staff on your plan
- Monitor and test the effectiveness of your security plan
- Monitor service providers and their data security plans
- Securely dispose of customer information within two years
- Your plan must provide flexibility to be updated
Hopefully, a lot of the service providers are doing that. We, certainly, at NADA hope that it’s going to become a competitive issue among the service providers — the folks doing the best job are going to be the ones winning in the marketplace.
Again, the reason for that, remember, the federal government has the ability to regulate dealers, not the vendors. They also realize that a lot of these breaches come through the service provider. Famously, the Target breach — we’ve all heard about all these breaches — coming through third-party service providers into the financial institution network.
It’s a big lift and it’s a lot to do. If you haven’t done it, don’t think you can wait until December first. You are probably behind the curve, because this is going to take some time. Look, I can spend a long time telling you about the intricacies of this.
I encourage dealers, if you haven’t, go to our website. We’ve got a bunch of webinars talking about all this stuff. This is an important thing to do. It’s going to be a bit of a pain. It’s going to take some work. You’re going to need some expertise on the outside, most likely. You’re going to have to work really closely with your vendors.
But it’s important, because it gets you a lot of the things we’re talking about today. The government is coming and saying you have to do it; that’s not always ideal. But it is going to require you to do those things.
I can go on all day. Sean, I won’t do that, but suffice to say it’s complicated. It’s involved. And it’s something that you really have to focus on to make sure that you’re ready by December 9.
Leibold: That’s actually perfect, because I know trying to set this Q&A session up, you’ve been traveling across the country. You’re doing this same speech and talk. If you’re at a coffee break at one of these things, and you’ve got a small forum of dealers, what would be your quick key insights? What would you share with them quickly to make them feel better in regards to the safeguards rule and the amendments?
Miller: I don’t know if I can make them feel better, but I do want to make them understand how important it is. [laughs] I usually make them feel worse by the time I’m done, frankly, because it’s daunting. It is.
That said, there’s a lot of help. Look at our guidance. If you were left to do this on your own — to toot our own horn, if you didn’t NADA’s help — it would be very hard. If you didn’t have that help of expertise in the marketplace, it would be very, very difficult. Because, if you don’t know this, then you don’t know what you don’t know.
But you’ve been given the guidance, get some good vendor help, and put some effort into it. It’s a cultural thing, too, it really is. As with all these things, if it comes from the top that this is an important issue, it will get done. Dealer personnel are smart, they’re dedicated, and they’re goal oriented. If you give them the right goals, they’ll get it done.
Leibold: One last piece around the Safeguard Amendment piece, and that new term that we’re using: qualified individual. Can you break that one down just a little bit more for those that might not understand the term? I know we had a different term for it before, but now it takes on a whole new life.
Miller: There’s all this terminology, and it does get confusing. At one point, it was going to have to be a SISO-level person. The current title is called the program coordinator. What they said is you’ve got to have a person. I’ll tell you, I think this largely comes from some of their enforcement actions, where they realize that, after digging into this, that there were three or four people and each of them had a different responsibility, ultimately, and they’re all saying, “Nah, it was his fault,” or, “It was her fault.”
They want one person who is ultimately responsible. Now, you don’t have to be an expert in everything. You can delegate duties. There’s no particular extra liability personally for you, but you do have to be qualified. So you have to take some special training. You have to be capable of understanding the systems and the risks in your systems at your store.
So, that depends on level of your sophistication, your size, the type of data have. Dealers have sensitive data, they really do. And so you are already starting at pretty high level of urgency and importance, so you’ve got to have someone who’s competent.
You can outsource it if you want, you don’t have to. But you do have to have someone inside who’s supervising that outside person. Ultimately, you’re going to need to develop a little bit of in-house expertise. Again, it doesn’t have to be someone who is necessarily an IT expert. But they are going to have to be trained specifically and they are going to have to do their annual report to the board or the dealer principal. So there is some responsibility that goes with it.
It’s not the kind of thing you can just say to your office manager, “In your extra free time, go do this.” You’re going to have to dedicate — I don’t know if it’s one FTE, but at least part of the FTE — to doing this throughout the year. That’s the qualified individual.
Kalani: One key point I’d like to add to that. You can outsource it, as Brad said, however, you cannot outsource your responsibility.
Leibold: Correct.
Kalani: It’s still a dealer’s responsibility. Even the outsourced qualified individual must be held to a high standard by the dealer themselves.
Leibold: That’s a perfect point. Brad, did you want to add to that?
Holton: I would just say, that’s probably one of the biggest questions we run into. Dealers say, “Is this you guys?” Well, we can be the qualified individual, but somebody in your organization has to step up and take ownership and understand what’s going on.
You can’t just say, “Okay, I wrote a check. I’m done.” There has to be some internal diligence and ownership. And nobody wants that. The controller doesn’t want it, the CFO doesn’t want it. Everybody’s already got enough stuff on their plate.
Unless you’ve got a sizeable group that got some sort of risk compliance officer already, who’s stepping into that role or understanding. Dealers are just having a really hard time throwing a dart to see who wants to wind up getting this responsibility.
Miller: From NADA’s perspective, hopefully dealers will take this in the right frame of mind. Where we’re coming from — we’re dealer advocates. We’re doing what can to help you. We certainly commented on the nature of this when the FTC issued it. But make no mistake — that’s why I mentioned earlier in particular that border port — why are they doing that?
It’s because they want to specifically make sure that there is no plausible deniability at the highest levels of the dealership. Remember that the fact — regardless of who you appoint the qualified individual — you as the dealer principal, you as the board member of the dealer group, are going to really have to up your game. You just are. It’s not everybody’s favorite, but it’s the reality.
Think of it how you go to your bank or your credit union; how you expect that to be treated. How data is treated, how seriously they take it, what a high standard they’re held to. They’re basically saying you’re held to basically the same standard as a dealer, because of what you do.
It’s going to require some investment in time, effort, energy and attention.
Holton: When you talk about risk, you’ve got to look at the different types of risk. As we were saying earlier, you’ve got the risk of consumer information. You’ve got the risk of a network breach that affects that information. You’ve got the risk of what your employees are doing.
So you’ve got to break it down and say, “Okay, overall risk assessment is incorporating all of these things.” Let’s say we start with the physical layer, and we say, “Okay, what are we looking at from a risk of our network being breached? What security tools do we have in place? Who’s monitoring them? How are we locking this down? How are we keeping bad guys out? How are we content-filtering?” All these different things to help lock that piece down.
Then from an employee standpoint, “How are we training our employees? What is our risk of an employee doing something — I mean, literally ‘stupid’ is probably the best word I can think of?”
I tell dealers, “You remember the commercials for insurance, where they had Mayhem?” Well, I always tell dealers, “Look, Stupid exists in your dealership. It’s going to happen. The best thing we can do is make sure, when it happens, it’s a 30-minute experience, and not a 30-day experience.”
So, we look at the physical layer, we look at the personal layer of employees, and then we look at operationals. “What are we doing with our vendors? What are we doing? Do we know where all of our data is? Do we even understand what our risk is, because we’ve got to figure out first: Where are the keys to the kingdom? Where’s our crown jewels?”
And if we don’t know that, then we don’t know how to protect them.
Leibold: I think that’s perfect, because Nikhil actually mentioned earlier: rather than responding to it in 30 days or 30 — he said, within seconds, it can at least be contained to where now it’s not touching 200 PCs, where you’re lighting a match like you said earlier.
Kalani: To add a little more, what Brad was describing — understanding the threats, and the problems. You’ve got to assess all of those, you got to have a list of all of that. Then, for each one of those, you look at three additional pieces:
- What’s the likelihood of that problem becoming reality?
- What’s the impact if it does?
- What’s our response plan? Not after — what are we going to do now to control those risks to an acceptable level?
Put those columns together: the problems or threats, the likelihood of impact, and the plan. That together is a risk assessment and needs to guide the entire security program.
Miller: I’m going to jump in real quick again, only just to clarify something. Hopefully dealers listening realize that, since 2003 when this rule was issued, you’ve been required to have a risk assessment. What’s different now is it’s required to be in writing and it’s required to be done periodically.
Again, ask yourself, “Why is that?” They want a record. They want you to require you to really dig it out and look at it. They also want you to write down what you’ve done. You can ask your lawyer why you think he or she thinks that is, that they want you to write it down. But you can probably realize that it’s to hold your feet to the fire.
The other thing I’ll just mention is that we always tell folks, “Be expansive in your risk assessment.” Dealers have tons of creative. We’re very good at what we do. But are not always thinking about the risks involved when they do it. We talked about this earlier; if you’ve got salespeople taking pictures of driver’s licenses on their personal cell phones, or calling consumers on their personal cell phones, or texting them, or whatever, you’ve got to think about that as part of your risk assessment.
You’ve got custody control, as a dealer, of that data. Frankly, you shouldn’t be doing that; you should be centralizing those things. But you’ve got to look operationally how you do things, where this data may live, and think broadly. It’s not just your DMS or your CRM or your websites. Although it’s certainly those things. It’s tier one, tier two, tier three of websites. If there’s credit that’s being taken on different websites. It’s your salespeople’s cell phones. Obviously it’s physical documents, as well.
We talked about this. Most dealers hopefully have locked F&I office and locked cabinets, but we do hear stories that stuff is still left around and not treated with the care it needs to be. So, think broadly when you do that risk assessment. You’re going to need some IT expert help, but a lot of this is really just that you’ve got to have a handle on what’s going on at your stores. Because the stuff is floating around just because of the chaos of life and the way that cars are sold.
I know it can be tough, but you’ve got to get a handle on all these things.
Leibold: I’m going to punt this one to Brad Holton. You had brought up third parties, vendors, things like that; documenting your security plans. This is definitely one that I’m curious about. Do dealerships have to do this on their own? Can the go get some help?
Holton: Yes. I’m going to say, if you’re a large public, or even if you’re a large private, you’ve probably got the resources to dedicate some full-time guys and girls that are going to go out and do this. They’re going to be able to have the resources to be able to do the training, the constant continuous training, to be able to always stay up on the latest and understand that the current cyber threats, and you’re going to be able to monitor things 24/7.
You’ll be able to do the risk assessment and build out your whole team. But, at the same time, I’ve seen large publics that outsource all this because they just don’t have the ability in-house and the knowledge in-house to do it, and they don’t want to take the time to build all that.
So, can it be done? Yes.
Is it likely to be done? No. Not internally.
Kalani: I think the likelihood situation here: To be good at cyber response and understanding what’s happening on a network, you need a couple of different things. You should see a wide volume of attacks. You should see a wide variety, and a single business doing them by themselves is just not likely to get that breadth of exposure.
In addition, the monitoring has to be 24/7. Not just an alert sent to a cellphone to a guy who might be sleeping, and you hope he wakes up. It’s got to be to an online, awake group of individuals, qualified to look at this data and make a decision. “Is this an escalation? Is it not?”
For most businesses, having that knowledge base with the volume and variety, having a 24-hour staff, shifts running — it’s not that practical. For larger enterprise groups, probably it can done. But for the smaller groups, even mid-sized groups, it’s not that practical. Outsourcing is a responsible way to meet the requirements, and it’s cost-effective because the outsourcing partner gets to spread those costs across a customer base.
Leibold: You mentioned monitoring, and I’m going to through this to the group. I know, Brad Miller, you probably have some more insight on this as well. Monitoring has been mentioned in the previous amendments, I believe, and now is it going to a different level of monitoring, or are there certain, stringent policies put in around the monitoring in these amendments?
Miller: Yeah, there are new requirements; they get a little complicated. This is the IP side of things, because you can either do continuous or you can do penetration testing. There is some choices you can make, and that’s part of the risk assessment process.
But, yes is the answer. The answer is — we didn’t say this at the start — but, the way this has changed: for 20 years, the way we’ve been operating on, you had to take steps that were reasonable to protect the data. That was basically the standard. That changed over time; what was “reasonable” changed, but it was also very amorphous and difficult, frankly, for the FTC to bring enforcement actions, because everybody thought what they were doing was reasonable.
So, the FTC responded by saying, “Okay, we’re going to tell you these 20 things at least are reasonable, and if you need to do more, you probably have to do more. But you have to do at least these 20 things.” And that does include some systems monitoring requirements as part of it.
There are a couple of choices you get to make, if that continuous required or if you want to do penetration testing, or both. But, that is definitely one of the added requirements. I’ll just add on the last point — I want to make this point, because from the dealer perspective, we’re sitting here in September, and dealers have been working for many months — many of them eight, nine, ten months on compliance — what we’re finding right now is that, as much as they’re buttoned up internally, they’re starting to now face the issue that I talked about at the start. They also have to reach out and make sure their service providers are doing the things they need to do, and we’re hearing some mixed responses on that. Now, remember, a couple things I’ll just tell you.
There’s no exception for your OEM partners, despite what you may be told or you may think. If you’re sharing that sensitive data with them as a service provider, there’s going to need to be some changes to contracts and changes to policies, and you’ll need some information from them. I know that’s not easy, but it applies to all of your service providers, and all of your OEM partners, if the circumstances fit.
This is tough. This is tough for 17,000 dealers to do with the dozens of vendors they deal with. Again, I’m hoping that we’ll continue to work and that maybe at next year’s show, hopefully they’ll be some vendors touting their compliance with these new requirements to make life easier for dealers. I wanted to just recognize that reality, because the dealers out there are saying, “Well, that’s great guys. You guys are talking about all these things, but I can’t really get what I need from the third parties I’m dealing with.” So, we’re working to try and help folks with that, and we would just encourage dealers and vendors to keep working together on that.
Leibold: You mentioned MFA, correct? Can you explain some of the things that we’re doing, as we get into the world of that acronym, and what does that mean?
Kalani: Sure. Brad talked about the vendors having their requirements, and dealers must ensure that the vendors are supplying those requirements. One of those requirements mandated in the Safeguards rule is MFA: Multi-Factor Authentication. To break that down, we’ve all be using passwords for a long time. But passwords are old school. They’ve been shown as an ineffective tool to secure data, because humans will do what’s easy.
You will pick an easy password, you’ll use the same password across a number of systems, because that’s going to reduce your mental load of logging into dozens of things. We all have so many things we log into in our lives. So, password reuse is a very common thing. Consequently, password theft is a very common thing.
Back to MFA. The password is one factor, something that you know. The idea of multi-factor authentication is adding a second factor. There are different kinds of factors. It can be something that you have — like your cellphone which might have special codes on it. It can be something that you are — your biology, your fingerprint, iris. Those are much more expensive, because they require dedicated hardware to implement those kinds of checks.
The most common way of doing multi-factor authentication is password plus something that you have. It can be a token, it can be a cellphone which has these codes — and you use both of those together to sign into an application. So, an attacker, without that second factor, will not be able to pretend to be you and compromise your account. That’s the idea behind it.
Leibold: You mentioned data encryption. You mentioned MFA. We had a question that came from one of our dealers pre-this-call. We asked them to submit some questions, and one of the dealers asked, “Is Reynolds going to put data encryption in writing — that we’re protecting them with data encryption?”
Kalani: Oh, sure. We’ve had encryption for a while, MFA is being rolled out now. So already, dealers have screens where they can get set up — the people set up — for MFA, and it’ll go live later in the fall.
But all the things that we are doing — encryption included — we’ll write out for you in a packet. You can download the packet and it’ll have how we are providing the tools you need to comply with safeguards.
Leibold: For all of our viewers out there, you can download all the FTC safeguards playbook information on www.reyrey.com/cp/safeguards. Obviously, Brad mentioned earlier that NADA has some great resources and downloads that you can go through as well (www.nada.org search “Safeguards”).
Now that we’re through those two things, I’m going to start with some of our dealers questions that were submitted specifically.
Dealership Questions Answered
Leibold: “Will Reynolds and Reynolds be ready for these amendments and will the DMS be ready with items like MFA?”
Kalani: Yes, of course, we will be ready. There’s already several of the requirements already met. Some are still in progress. But all of those that we need to meet will be met before the deadline and give dealers enough time to implement those changes. MFA is a significant project to get everybody enrolled and get the cellphones enrolled in the program. So it takes a little bit of time.
We’re going to be ready ahead of time to give dealers time to get all of this work done.
Leibold: I’m going to flip this one to you, Brad Miller. One of the questions was, “Do you have an example of what an acceptable SISO report would look like, or what it would be?” We don’t have one to share on the screen today, but if you could walk us through or talk us through for our dealers that are online with us, watching this, what that might look like?
Miller: Sure. I think it used to be called the SISO report, now they just called it the Board Report. Which is good. It was one of the few things the FTC listened to our comments on, which is, “Please don’t make this a SISO requirement.”
Assuming we’re talking about the Board Report, as I mentioned, it’s one of four documents you’re going to need. What it really is, is an update on both where things are and anything that’s happened in the systems over the last year. Because you have to do this annually. It’s probably going to be the qualified individual doing this. It doesn’t have to be, but it probably is.
We’ve got a template in our guide, buy the way, if you want to. You don’t have to start from scratch. You don’t have to reinvent the wheel. Don’t just take our templates and put your name on it, sand say that’s it. But at least we’ll give you a place to start.
What it’s doing, is saying, “Okay, the board. Here’s the status. Here’s what we’ve done today. Here’s the status of our information security program. Here’s any issues we’ve dealt with in the last year.”
In fact, the rule’s a little unclear, but if you have a ransom attack or some big issue in the year, that may require you to do something even more frequently than annually. But the idea is to keep them aware of the status of the risk assessment and the program, and anything that’s happened in the last year — any big changes, any big issues, anything that you’ve discovered that needs to be addressed.
There’s a lot more detail, or at least a sample of it. A lot of these reports they give you broad topics that you need to address. They don’t hold your hand through exactly what it has to say. But that’s essentially what you have to address in this report, at least annually to the board.
And, again, if you don’t have a board, it’s the equivalent governing officer of the dealership.
Leibold: I think that’s a great point. You’ll see that agendas are probably going to change when it comes to these kind of things. It’s not going to start with, “How many cars did we sell? And how many cars did we service?” It’s going to be, “Did we stay out of trouble this month?” I think that’s a great example of exactly where we’re going with the board reports or dealer principal reports, and things like that.
I’ll transition to the next question, which I’m going to throw this one at Brad Holton. The question is, “About how much is this going to increase expenses at a dealership?”
Holton: It really depends if the dealership already has — if you use Nikhil’s “good cyber hygiene” — and you’re already doing the things you should be doing to qualify for cyber insurance. If you’re proactively on top of your cyber security, it’s probably not that big of an adjustment to add the compliance paperwork piece with it, and the vendor assessments.
Versus if you’re not doing anything — if you’re operating your five-store group like it’s a buy-here-pay-here lot — to be able to put everything in place and to get all this stuff done in time, it’s a significant undertaking if you’ve not been focused on cybersecurity.
Kalani: Obviously, it’s not a cheap endeavor. What’s the cost of not doing it, besides the compliance issues associated with that? What’s the cost of a ransomware attack on a dealership? It can be enormous.
The ability or inability to purchase cybersecurity insurance, because you don’t have these basics in place, is all going to be extra costs on the business that can be avoided by having a good security program and working with good partners.
Holton: Yeah. One of the things we’re seeing right now, is that, because cyber insurance — they’ve gone up 100% to 300% year over year, the last two years on their rates. They’re doing that because they can jump in the business, all these different companies did, and completely misjudged their risk. So now, they’re having to go back and say, “Okay, we really lost money for a couple years. Let’s make it up now.”
But, two years ago, or three years ago, a cybersecurity application was one page. “What’s the name of your dealership? What’s the address? Where do we send the invoice? Can you afford to pay us? What’s your revenue?” That’s it. One document.
Now it’s seven to eight pages. It’s asking all the same questions that the FTC is requiring. It’s asking you, “Do you have endpoint detection or managed detection response? If so, which vendor?” and it give you five or seven vendors to choose from. If it’s not one of those vendors, it doesn’t qualify. You’re not getting insurance.
“Do you have multi-factor authentication, especially on remote VPN access?” Because that’s how the colonial pipeline ransomware event happened; it was a remote VPN. So, they’re very focused on that. If you don’t have multi-factor on remote VPN, you are simply not getting cyber insurance in most cases.
Seeing those two things lined up, when you take the cyber insurance document, put it here, and you take the FTC here — it really makes a compelling case for dealers, not only to pay attention to the FTC, because you’re getting mutual benefits. You’re also no qualifying for cyber insurance, whereas, if you didn’t do this, you wouldn’t be able to qualify.
Miller: Cost aside, we actually did a cost study of this in our comments. I’m glad to see that the market is responding in terms of providing services. I always caution dealers, and I’m sure Brad wouldn’t say this, but a vendor who says, “Hire us, and we’ll get you compliant on day one.” Just be cautious.
The nature of this is not — it’s not write a check and you’re compliant. It just isn’t. You’ve got to change some things, as you’ll see when you look at our guide. If you haven’t or watched the video, or watched the webinars — the policies, the cultural issues, the training, all of those other things are things that you as the dealership are going to have to do.
So, great that there are vendors that you can trust! Just be cautious with someone who’s making promises, saying, “Hire us, day one you’ll be compliant.” Because I just don’t think it’s going to work that way.
Leibold: So, Brad, let’s stay on that same topic: dealers not compliant, not being compliant. What’s the implications to that?
Miller: It’s complicated. We’re not Chicken Little on this, in the sense that I don’t want to overplay it here. Here’s the complicated legal answer:
There’s no private route of action under the Gramm-Leach-Bliley Act, which is the statute that this issued pursuant to. Someone cannot sue you directly, saying, “You don’t meet the safeguards rule requirements, so I’m suing you, that’s my cause of action.”
But, there are tremendously stiff penalties from the FTC — $46,000-something per violation. Everyone says, “What’s a violation?” I’m not sure. I think it’s generally per consumer. So you can do the math on that. It gets pretty steep, pretty quickly.
To be clear, and I’m going to get in the legal weeds just for a minute. What the FTC has to do is bring an enforcement action against you, then you enter a consent decree — which is expensive and terrible enough. And if you violate that, then they can issue fines against you. So it’s actually a two-step process to have those fines kick in.
I think the more likely, and higher risk-relevant issue for dealers today, is that, in many states, you can be sued by a class-action planus lawyer under state law, and they say, “Oh, the basis of our state law class action is this violation of federal law.”
So what they do, is they bootstrap a violation of the safeguards rule under state law class action. Okay. What does that all mean? That means you could get sued if you fail to do this. You’re also going to get sued if you have a data breach, anyway, and, frankly, that’s also happening.
If you talked to me two years ago, data breach class actions had a bit of an uphill battle, because most judges were saying, “Well, you haven’t really established any harm. There’s no standing.” But that’s changing. Courts are recognizing these as valid causes of action, and that’s why every time there’s a breach, you see a class action that comes. And the first thing they’re going to ask you is, “Where you’re safeguards compliance?”
It’s a long, complicated answer to say, “I don’t want to overplay the risks, but I do think the risks are real.” What you don’t want to do, is if you have an issue, not at least be able to give them those four documents I talked about and show that you’ve done the basic things that you need to do to comply. Because then you’re in No Man’s Land.
They can always second-guess your decisions that you made in your risk assessment, but if you haven’t done anything, then you’re really going to be in trouble. It’s a complication question, but that’s essentially what the landscape is.
Leibold: For all the dealers watching out there, we greatly appreciate you tuning in. Hopefully this was informative. Hopefully this was helpful. Thanks for all the dealers that submitted questions. The questions were great questions, and very consistent with lots of other questions.
If we didn’t answer your questions today, and you have additional questions you’d like to ask, please submit those. (Email info@reyrey.com)
I’d also love to say thank you to Brad Miller, from NADA who joined us today. Nikhil, thank you so much for joining us. And Brad Holton, thank you so much for joining us.
All the insight was greatly appreciated and hopefully very helpful. So, thank you.