The FTC Safeguards Rule mandates that dealerships must “develop, implement, and maintain a comprehensive information security program.” The Rule illustrates the FTC’s commitment to compelling businesses to establish an effective cyber defense to protect consumer information. However, many dealerships are simply concentrating their compliance efforts on isolated measures that alone fall short of constituting a comprehensive information security program.

Understanding a Comprehensive Information Security Program

A comprehensive information security program is a dynamic combination of integrated technologies, procedures, and best practices effectively deployed, monitored, and managed to protect dealership systems and data.  Key components include continuous efforts in software security patching, network configuration, device lifecycle management, user access control, continuous threat monitoring, and prompt remediation of identified cybersecurity vulnerabilities.

 Automated Scans, Self-Assessments, Templates, & Checklists

The FTC Safeguards Rule aims to drive dealerships toward implementing a comprehensive information security program – an effort requiring the proper resources and expertise.  To lead this effort, the FTC mandates that a “qualified individual” oversee the implementation and management of the information security program – orchestrating the interplay of the elements of an effective cyber defense.

Unfortunately, many dealerships fail to see the complete picture when striving to comply with the FTC’s requirement to implement and maintain a comprehensive information security program.  Instead, many dealerships merely opt to run automated vulnerability scans and penetration tests that generate information that they have difficulty deciphering and therefore can’t act upon.

Similarly, many dealerships invest in compliance solutions that offer cybersecurity self-assessments and checklists. The problem with self-assessments and checklists is that most dealerships lack the technical cybersecurity expertise to accurately complete the self-assessments and checklists.  This will prove problematic if the dealership is audited by the FTC.  It also won’t do anything to ensure the implementation of a comprehensive information security program.

Beware of Incomplete Compliance

Having a set of inaccurately answered self-assessments and checklists, and improperly configured cybersecurity technology does NOT constitute a comprehensive information security program.  Likewise, if you’re generating automated vulnerability scans and penetration tests and not taking prompt action to remediate the vulnerabilities that these scans and tests uncover then you do not have a comprehensive information security program in place.

If you don’t have a comprehensive information security program in place, then you’re not FTC compliant.  And even worst – you’re not adequately protected against a cyberattack.