Many dealerships have been led to believe that FTC compliance can be satisfied with checklists and self-assessments completed by staff with limited, if any, technical cybersecurity training and expertise. This is not the case, and the consequences of this approach can be severe: for the dealership's actual security, for FTC compliance, and for its ability to obtain and keep cyber liability insurance.
The Illusion of Competence: The Dunning-Kruger Effect
The Dunning-Kruger effect is a cognitive bias in which individuals with limited competence in a domain overestimate their abilities in it. In the context of cybersecurity self-assessments, this bias is particularly dangerous. At many dealerships, the people completing a cybersecurity self-assessment may believe, wrongly, that they have a solid grasp of the dealership's security controls, the appropriate technologies and best practices, the current threats, and the regulatory requirements. The result is a self-assessment that exaggerates the dealership's security posture, supplies inaccurate information to insurance underwriters and regulators, and overlooks critical weaknesses that attackers can exploit.
The Cost of Inadequate Self-Assessments
The consequences of a cybersecurity self-assessment performed by someone with little or no technical cybersecurity expertise can be dire. A recent case involving Travelers Insurance highlights the risk of an inaccurate assessment. Travelers received a claim from a business that had fallen victim to a ransomware attack. In its application, the business had attested that it had implemented Multi-Factor Authentication (MFA). Forensic analysis after the incident showed that MFA was not properly in place. Travelers rejected the claim and initiated legal action against the business. The distinction matters: to an underwriter, "MFA in place" means MFA enforced on every remote access path and privileged account, not merely enabled for some users, and a self-assessor without technical training will often not know the difference. This case is not an isolated incident. As Jess Burns, Senior Analyst at Forrester Research, aptly states, “Lawsuits and the rescinding of coverage, the calling out of the insured and the policyholders on little fibs that they told, or omission of details around how they’re protected in their secure practices appear to be an emerging trend.”
The Path to Proper Cybersecurity Assessment
To avoid the pitfalls of inadequate self-assessments, dealerships must recognize the importance of a comprehensive, professionally conducted cybersecurity assessment. Such an assessment requires individuals or teams with the following qualifications:
- A Solid Understanding of Regulations: Those performing assessments must have a thorough grasp of the applicable regulations, including the FTC Safeguards Rule, to ensure compliance.
- Cybersecurity Expertise: Knowledge and expertise in cybersecurity threats, technologies, and best practices are essential for accurately evaluating a dealership’s security posture.
- Prescriptive Actions and Prioritization: An understanding of appropriate prescriptive actions and the ability to prioritize and implement these actions effectively is crucial for safeguarding the dealership.
- Appreciation of Assessment’s Value: The assessors must appreciate the value of the assessment as a tool to strengthen the dealership’s cyber defenses, rather than a mere compliance checkbox.
- Adaptability: Recognizing the need for periodic reassessment, especially when material changes occur, such as technology advancements, acquisitions, or the emergence of new threats, is vital.
Relying on self-assessments performed by those lacking the necessary expertise can lead to rejected insurance claims and legal battles. To defend effectively against cyber threats, dealerships must invest in qualified professionals who possess the knowledge, skills, and experience required to conduct accurate assessments and protect the dealership's digital assets. The cost of negligence in this area is not only financial; it also threatens the reputation of the dealership and the trust of its customers.