Written by: Thomas Johnson, VP of Compliance and Risk Advisory
Many recent posts have discussed the recent cyberattack on CDK Global, a leading IT and digital marketing solution provider to the automotive retail industry. The general theme of these posts champions the need to beef up dealership cybersecurity practices. While there is undoubtedly merit in ramping up cybersecurity controls in the dealership, this was an attack on a vendor, spotlighting a real challenge for dealerships: maintaining operations in the absence of a critical vendor.
Service Provider Oversight
The recently issued FTC Safeguards Rule articulated a number of requirements for dealerships to comply with – one of them being Service Provider Oversight.
As part of this oversight, the dealership should ensure that all vendors or third parties with access to customer information also maintain safeguards in line with the dealership’s information security policy. The Rule goes as far as requiring the dealership to identify whether a vendor has controls to protect the information the dealership gives it, but it doesn't cover some of the other elements of a proper Vendor Management Program.
Vendor Management and Business Continuity Planning
Complying with the bare minimum of the FTC Safeguards Rule doesn’t help the dealership, particularly regarding Service Provider Oversight. Developing a Vendor Management Program is the key to understanding the importance of key vendors and developing contingency plans for when something does happen to a vendor, as we have seen with the CDK Global attack.
A mature Vendor Management Program should include at least the following elements, with an annual review of each critical vendor:
- Vendor Risk Ranking: How critical is the vendor to the dealership's operations? Is each vendor rated on a scale from High to Low?
- Financial Fitness: Do the financials indicate challenges with longevity or ability to invest in cybersecurity?
- Performance Management: Is the vendor performing in accordance with what is in the contract with the dealership?
- Business Continuity Planning and Resiliency: Does the vendor have a plan in place to respond to common threats, and how does the dealership fit into these plans?
- Incident Management: Does the vendor have formal plans, protocols, and escalation plans that involve the dealership?
Connect with Xamin
The cyberattack on CDK Global highlights the need for cybersecurity measures in the automotive retail industry, and it also emphasizes the vulnerability posed by third-party vendors. Bolstering dealership cybersecurity is crucial. Implementing a comprehensive Vendor Management Program and Business Continuity Plan, with oversight, risk assessment, financial scrutiny, performance monitoring, and contingency strategies, is paramount. This approach strengthens defenses against potential disruptions from vendor incidents and ensures continuity of operations and the safeguarding of customer data. By taking proactive steps in these areas, dealerships can manage risks, protect their interests, and maintain customer trust.