The ever-increasing cybersecurity threat – and the evolving tactics of the cybercriminal – demand that an effective cyber defense be regularly assessed and tweaked to appropriately protect consumer data. This is why the FTC Safeguards Rule requires that dealerships perform an annual risk assessment. This assessment must be performed by a “qualified individual” and must be written and presented to dealership management. This assessment isn’t just a document to file and forget. In fact, this assessment is critical in preparing to maintain FTC Safeguards compliance. Consider the following:
Cybersecurity and FTC Safeguards Compliance – A Continuous Effort:
Many dealerships mistakenly believe that achieving compliance with the FTC Safeguards Rule is a one-time task. However, compliance is not a set-it-and-forget-it endeavor. It demands continuous attention and effort to adapt to evolving cyber threats, technological advancements, and changes within your dealership. For instance, software and hardware on your network will one day become obsolete and – as a result – pose a serious cybersecurity vulnerability for your dealership. What’s ok today may not be ok tomorrow. Not only is the use of obsolete technology a cybersecurity issue – it’s also a violation of the FTC Safeguards Rule. Dealerships need to understand that cybersecurity is dynamic, and it requires continuous monitoring, careful planning, ongoing management, and proactive measures to identify and address potential vulnerabilities promptly.
The Annual Cybersecurity Risk Assessment:
The FTC Safeguards Rule mandates that dealerships conduct an annual cybersecurity risk assessment. This assessment serves as a comprehensive evaluation of your cybersecurity practices and infrastructure. It should cover critical areas such as user access controls, data encryption, authentication, device and software lifecycle management, and other cybersecurity best practices. The assessment should be conducted by a qualified individual. Why is a qualified individual needed? It takes a knowledgeable, experienced cybersecurity professional to accurately identify vulnerabilities, prioritize their potential impact, and devise an appropriate approach to mitigate the associated risks. Relying on someone without the necessary expertise can lead to inadequate risk analysis, leaving your organization exposed to a potential cyberattack and out of compliance with the FTC Safeguards Rule.
The Need for Experienced and Knowledgeable Resources:
Identifying cybersecurity vulnerabilities, assessing associated risks, and devising an effective mitigation plan requires experienced and knowledgeable technical cybersecurity resources. These resources must possess the bandwidth and technical expertise to mitigate prioritized risks promptly. Investing in skilled personnel or partnering with cybersecurity experts can significantly enhance your ability to protect sensitive data and maintain compliance.
Compliance and Ongoing Cyber Defense:
Creating a checklist and ticking off the boxes might give a false sense of security, but it does not guarantee compliance or effective cyber defense. Achieving and maintaining compliance with the FTC Safeguards Rule is an ongoing process that requires continuous effort and the appropriate resources.
Compliance with the FTC Safeguards Rule today does not guarantee that you will be compliant tomorrow. Dealerships must conduct regular cybersecurity risk assessments, document their findings, prioritize the risks, present them to dealership management, and have the expertise and resources to swiftly implement appropriate risk mitigation measures. To ensure success, it’s essential to have experienced professionals and dedicated resources to stay ahead of cyber threats and maintain a robust cyber defense. By embracing cybersecurity as a continuous process, dealerships can protect their data and finances and safeguard their reputations.