
Dealerships and Other Financial Institutions Must Fully Comply with FTC Safeguards Rule by December

Written risk assessment: The FTC requires dealerships to perform a written security risk assessment periodically. Nachbahr said this should be done at least once a year and would involve conversations with dealership staff and an understanding of potential risks in the industry. This review can identify issues such as written passwords kept in a drawer, or user software profiles copied from another employee rather than created specifically for the employee’s role, since one staff member may not need the same degree of access as another.

A dealer should base the security program on the results of the risk assessment. Nachbahr said there’s often a lot of “low-hanging fruit” here, like instituting rotating passwords and removing admin rights from computers that don’t need them.
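The two findings above (admin rights on machines whose users don’t need them, and profiles copied from another employee instead of built from the role) are the kind of thing a risk assessment can check mechanically once an account inventory exists. The script below is an added example, not code from the article or from Nachbahr; the inventory, the role baselines and the list of roles allowed local admin rights are all constructed for illustration.

```python
"""Least-privilege audit over a constructed account inventory.

Flags two risk-assessment findings: accounts holding local admin rights that
their role does not justify, and profiles carrying permissions beyond the
role baseline (the usual symptom of a profile copied from another user).
"""

# Constructed sample inventory (not real dealership data). Each entry gives
# the employee's role, whether the account is a local admin on its
# workstation, and the permission set attached to the account's profile.
INVENTORY = [
    {"user": "jsmith", "role": "sales", "local_admin": False,
     "permissions": {"crm.read", "crm.write"}},
    {"user": "mlee", "role": "sales", "local_admin": True,
     "permissions": {"crm.read", "crm.write"}},
    {"user": "rgarcia", "role": "finance", "local_admin": False,
     "permissions": {"crm.read", "finance.approve"}},
    # Profile copied from a sales user and then extended: carries crm.write
    # that the finance role baseline does not grant.
    {"user": "tnguyen", "role": "finance", "local_admin": False,
     "permissions": {"crm.read", "crm.write", "finance.approve"}},
    {"user": "itadmin", "role": "it", "local_admin": True,
     "permissions": {"crm.read", "admin.all"}},
]

# Assumption for the example: only the IT role needs local admin rights.
ADMIN_ALLOWED_ROLES = {"it"}

# Assumption for the example: the permission set each role should have.
ROLE_BASELINE = {
    "sales": {"crm.read", "crm.write"},
    "finance": {"crm.read", "finance.approve"},
    "it": {"crm.read", "admin.all"},
}


def find_unneeded_admins(inventory, allowed_roles=ADMIN_ALLOWED_ROLES):
    """Users with local admin rights whose role is not on the allowlist."""
    return sorted(a["user"] for a in inventory
                  if a["local_admin"] and a["role"] not in allowed_roles)


def find_excess_permissions(inventory, baseline=ROLE_BASELINE):
    """Map user -> sorted permissions beyond the baseline for that role.

    A role missing from the baseline is treated as having no permissions,
    so every permission on such an account is reported.
    """
    excess = {}
    for a in inventory:
        extra = a["permissions"] - baseline.get(a["role"], set())
        if extra:
            excess[a["user"]] = sorted(extra)
    return excess


def risk_report(inventory):
    """Summary suitable for the annual report to management."""
    admins = find_unneeded_admins(inventory)
    excess = find_excess_permissions(inventory)
    return {
        "accounts_reviewed": len(inventory),
        "unneeded_local_admins": admins,
        "profiles_with_excess_permissions": excess,
        "findings": len(admins) + len(excess),
    }


if __name__ == "__main__":
    report = risk_report(INVENTORY)
    print(f"Accounts reviewed: {report['accounts_reviewed']}")
    print(f"Unneeded local admins: {report['unneeded_local_admins']}")
    for user, perms in report["profiles_with_excess_permissions"].items():
        print(f"Excess permissions for {user}: {perms}")
    print(f"Total findings: {report['findings']}")
```

The point of keeping the baselines as data is that a dealership can maintain them alongside the written risk assessment and rerun the check each year, or after a change in staff, rather than repeating the manual review from scratch.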

Dealerships must also provide an annual appraisal and summary to management, Nachbahr said.

Testing and monitoring: The updated rule requires dealers to remain vigilant and provides two choices. One option is to continuously monitor the system. The alternative is to perform penetration testing annually and conduct vulnerability assessments at least every six months, or whenever something with a “hardware impact” (e.g. a purchase from another dealer, Nachbahr said) occurs, according to the FTC.

Penetration testing involves “white hat” hackers – who are helpful rather than malicious – trying to break into the system and report flaws. Vulnerability assessments may involve system scans and finding issues such as a missing Microsoft hotfix. Nachbahr said continuous monitoring could cost $10 per month per computer, while penetration testing could cost tens of thousands of dollars.

Written response plan: Dealerships need a written plan in the event of a breach and “don’t make it longer than one page,” Nachbahr said.

It comes down to knowing what to do if a cybersecurity problem is discovered, with Nachbahr describing it as inevitable.

The document may contain details such as instructions for calling a breach insurer or cybersecurity expert, a definition of who is on call, details of who has decision-making authority in the event of an incident, and a description of the problem-solving plan.