For years, dealership cybersecurity has lived in a familiar place: a checklist.

✔️ MFA?
✔️ Antivirus?
✔️ Security policy?

Boxes checked. Everyone feels better. Back to selling cars and trucks.

But the latest Mercedes-Benz USA Cyber Security Guidelines for Dealers make one thing very clear: that era is over.

A Not-So-Subtle Message from the OEMs

In the wake of high-profile attacks like the 2024 CDK Global ransomware incident—which disrupted more than 15,000 dealerships—manufacturers are no longer comfortable taking a dealer’s word for it when it comes to cybersecurity.

Mercedes-Benz USA now requires dealerships to prove that an effective information security program is in place—through ISO/IEC 27001 or TISAX L2 certification by September 30, 2026.

That’s not a paperwork exercise. That’s an audit.

And it signals a growing concern across the industry: Too many dealerships say they’re secure—but can’t demonstrate that they actually are.

The Problem with Self-Assessment Security

Many dealerships rely on compliance platforms that function as little more than self-reported questionnaires.

A classic example:

“Do you use multi-factor authentication?”

✔️ Yes

Technically true. MFA exists.

But:

  • Is it enabled everywhere it should be?
  • Is it enforced for remote access, admin accounts, SaaS apps, and vendors?
  • Is it monitored?
  • Is it tested?
  • Is it maintained as systems and users change?

That’s the difference between having MFA and having MFA that actually reduces risk.

Auditors—and now automakers—care deeply about that difference.

What OEMs Are Really Asking For

Mercedes-Benz’s guidance aligns directly with what the FTC Safeguards Rule, NIST, and CIS Critical Security Controls have been saying all along:

Dealerships must develop, implement, and maintain a comprehensive information security program—not just document one.

That means:

  • A designated dealership cybersecurity owner who is accountable
  • A written information security program that reflects how the dealership actually operates
  • Continuous monitoring and logging
  • Regular risk assessments
  • Ongoing access reviews
  • Incident response planning
  • Training that goes beyond “watch this video once a year”

In other words: security as a process, not a product.

Why ISO Audits Change the Conversation

An ISO or TISAX audit doesn’t ask:

“Do you have a policy?”

It asks:

“Show me how this policy is implemented, monitored, tested, and improved.”

That’s a big shift for dealerships that have historically leaned on:

  • Internal IT teams already stretched thin
  • Compliance software with no operational follow-through
  • Vendor assurances instead of validation

Manufacturers aren’t doing this to be difficult. They’re doing it because customer data, brand trust, and operational resilience are now inseparable.

This Isn’t About Fear—It’s About Maturity

The takeaway here isn’t panic. It’s progress.

OEMs are pushing dealerships toward the same security standards already expected in banking, healthcare, and large enterprise environments. And frankly, given how much sensitive financial and personal data flows through a dealership every day, that makes sense.

The days of “we checked the box” are giving way to:

“We can prove it works.”

And that’s ultimately good for dealers, customers, and manufacturers alike.