Let’s face it—no one ever said “You know what sounds fun? A deep dive into FTC cybersecurity compliance requirements.” But here we are, because like it or not, the success and survival of your dealership depend on more than just your sales team and service bay. Your cyber defense—and your ability to comply with the FTC’s Safeguards Rule—lives and dies in the details. And you know what they say: the devil is in the details.
We Get It. Cheap and Easy Sounds Great.
You’re running a dealership. You’re juggling inventory shortages, manufacturer programs, CSI scores, and staff turnover—so of course you’re tempted when someone offers a “fully compliant information security program” in a tidy little software package for $499. Maybe they throw in a free vulnerability scan just to sweeten the deal.
But let’s call it what it is: a scam.
Because here’s the truth—real cybersecurity isn’t cheap and it’s definitely not easy. And anyone who tells you otherwise is either misinformed, misleading you, or selling snake oil.
Compliance Is a Process—Not a Template
Too many dealers are lulled into a false sense of security by the idea that “creating an information security plan” checks the compliance box. But what does that really mean?
- Does the plan include implementation steps?
- Who’s managing the rollout?
- Who’s responsible for ongoing oversight?
Slapping your logo on a security template is about as effective as printing out a diet plan and taping it to the fridge. It only works if someone actually does the work.
MFA Isn’t a Checkbox—It’s a Strategy
“Implement multi-factor authentication,” they say. Sounds simple, right? Until you’re stuck figuring out:
- Should it be desktop MFA or federated MFA?
- Does your DMS support it?
- Do all employees need MFA, or just some?
Spoiler alert: there’s no one-size-fits-all answer. Someone needs to think through these details—someone qualified.
About That “Qualified Individual”…
Another FTC requirement is to appoint a “qualified individual” to oversee your information security program. But what exactly makes someone qualified?
Is your office manager qualified? Probably not—unless they moonlight as a cybersecurity engineer. This role isn’t just ceremonial; it’s about strategy, execution, and accountability. And choosing the wrong person could leave your dealership exposed (and non-compliant).
Scans, Tests, Assessments—Oh My!
You’ve got vulnerability scans. You’ve got penetration tests. And yes, you’ve done your periodic risk assessments. Great!
But now what?
What good is a report if no one interprets it? If no one prioritizes the results? If no one actually fixes what’s broken?
Cybersecurity isn’t about collecting paperwork—it’s about understanding, acting, and adapting. Otherwise, you’re just checking boxes while the real risks remain unchecked.
The Problem? No One Wants to Talk About the Details.
We get it. The details are boring. They’re messy. They require time, money, and people who actually know what they’re doing.
So, for years, dealerships have skimmed the surface—treating cybersecurity like an afterthought or a compliance nuisance. But as threats grow more sophisticated and regulators grow less forgiving, this approach just doesn’t cut it anymore.
Dealers Need to Get Curious
We’re not saying every GM needs to become a cybersecurity expert. But the status quo of “I don’t want to be bothered” isn’t sustainable. Not when one phishing click or misconfiguration could cost you your DMS, your customer trust, and your reputation.
So, let’s shift the mindset:
- Get curious.
- Demand more than surface-level solutions.
Because whether you’re protecting inventory, customer data, or your bottom line, an effective cyber defense lives in the details.
And yes—the devil’s in those details.
But so is your dealership’s future.