There’s lots of interest in – and questions about – the new FTC Safeguards Rule. In this blog we provide answers to some of the most common questions we are hearing from dealers.
Does the new rule apply to dealerships?
In the new rule, the FTC specifically mentions “automobile dealerships” as an entity that must comply with the new regulations. The rule considers automobile dealerships to be financial institutions. This rule applies to you if your dealership maintains 5000 or more consumer records.
When does the new rule take effect?
To comply with the new rule, dealerships will be expected to have the bulk of the new requirements in place by Q4 2022.
Do dealerships need to perform annual penetration testing?
The new rule specifically states that “continuous monitoring OR periodic penetration testing and vulnerability assessments” are required. It goes on to say that for those who elect to perform periodic penetration testing and vulnerability assessments, penetration testing should take place at least once annually and vulnerability assessments at least twice per year. Therefore, if you have appropriate continuous threat monitoring in place, penetration testing is optional.
What is continuous monitoring?
The rule says that continuous monitoring is “a system that allows for real-time, ongoing monitoring of an information system’s security, including monitoring for security threats, misconfigured systems, and other vulnerabilities.” This is something many dealerships don’t currently have in place – but its implementation would be of significant benefit.
While penetration testing and vulnerability assessments are valuable, they are a snapshot of a point in time. The appropriate implementation of continuous threat monitoring offers 24/7/365 visibility into potential cyberattacks in real time. This provides the ability to stop an attack in its infancy – BEFORE it can cause damage to your dealership. Quick detection and swift remediation are the key to mitigating the impact a cyberattack will have on your dealership.
What are the requirements for a “qualified” individual?
The new rule states that “a qualified individual be responsible for overseeing and implementing your information security program.” It goes on to say that “in order to effectively comply, a financial institution’s coordinator must have some level of information security training and knowledge.” The rule doesn’t get into the specific kind of training needed but does state that “verification that security personnel are taking steps to maintain current knowledge on security issues” is required. This would appear to indicate that the qualified individual who oversees your dealership’s cybersecurity program must have and maintain some type of professional cybersecurity certification – like that of a Certified Information Systems Security Professional (CISSP).
Finding, recruiting, and keeping certified cybersecurity professionals is difficult and expensive. As a result, the rule allows dealerships to outsource this responsibility.