Illustrative scenario. This is a composite example built from common engagement patterns we expect to encounter — not a real client. The business name, people, dollar amounts, percentages, and timelines are fictional and presented for educational purposes. Actual results vary based on environment, scope, and risk profile.
FTC-Compliant in 60 Days — and a $47,000 Wire Fraud Stopped Cold
A franchised dealership had no WISP, no MFA on their DMS, and customer PII in unencrypted spreadsheets. Sixty days later they were fully FTC-compliant, their GM's compromised account was secured, and a business email compromise attempt was caught before a cent left the account.
Outcomes after 60 days
Wire-fraud attempt blocked before funds left the account
FTC Safeguards Rule compliance — WISP accepted at first review
Staff phishing simulation click rate across two cycles
Cyber insurance premium reduction at renewal
The Wake-up Call
“Our IT guy said we were fine. Then I watched the CDK news.”
When BlackSuit ransomware took down CDK Global in June 2024, it locked roughly 15,000 dealerships out of their DMS for two to three weeks. Inventory, F&I, accounting, payroll — all gone. Some smaller stores never fully recovered.
The owner of this mid-sized franchised dealership watched the news and called their local IT company. “We're fine,” they were told. But when the FTC Safeguards Rule came up — requiring every dealer that arranges financing to have a written, documented security programme — the IT company went quiet. “That's not really our area.”
They reached out to Kapacyber the same week. The free assessment that followed was not comfortable reading.
Before · What Our Initial Assessment Found
A typical dealership IT setup — and a direct path to an FTC enforcement action.
- No written Information Security Program (WISP) — a direct FTC Safeguards Rule violation
- No MFA on the Dealer Management System (DMS) — shared F&I credentials in a sticky note on the monitor
- Customer PII (SSNs, driver's licences, bank account numbers) stored in unencrypted Excel files on a shared drive
- Service department tablets running Windows 10 without auto-update enabled — two had known unpatched CVEs
- Standard antivirus only — no endpoint detection & response on any device
- No email security beyond Microsoft Defender defaults — no anti-impersonation rules for lender domains
- General manager's email account had been compromised in a 2022 credential breach — still in active use with the same password
The FTC exposure: Under the Safeguards Rule, violations can cost $43,792 per violation per day. The absence of a WISP alone was a continuous, documentable breach. The dealership had no idea.
The Engagement · 60-Day Plan
Compliance-first. Security always.
With an FTC deadline pressing, we prioritised the WISP build-out in parallel with immediate technical controls — not one before the other.
Week 1
Immediate Risk Reduction
- MFA enforced on DMS, email, and all admin accounts within 48 hours
- Compromised GM credentials identified via dark-web scan and reset immediately
- EDR deployed on every endpoint across the dealership floor, F&I office, and service drive
- Shared F&I credential practice eliminated — individual named accounts issued
Weeks 2–4
FTC Safeguards Foundation
- Written WISP drafted and approved by ownership — covering all 9 FTC-required elements
- Customer PII audit completed — unencrypted files moved to encrypted, access-controlled storage
- Email anti-impersonation rules configured to flag spoofed lender and manufacturer domains
- Service department tablets patched and enrolled in device management policy
Month 2
Training & Controls
- Security awareness training rolled out to all 34 staff, tailored to automotive scenarios (fake lender emails, F&I BEC, CDK-style outages)
- Incident response plan written and tested in a tabletop exercise with the GM and finance director
- Immutable offsite backups configured for DMS data, customer records, and accounting
- First phishing simulation run across all staff as baseline measurement
Month 3+
Ongoing 24/7 Operations
- 24/7 monitoring with after-hours alert escalation to Kapacyber SOC team
- Monthly plain-English security reports delivered to ownership — no jargon
- Quarterly WISP review to capture new FTC guidance and evolving threats
- Continuous phishing simulations with targeted re-training for at-risk staff
Six Weeks In — The Attack We Were Waiting For
A $47,000 wire transfer request. Flagged in seconds.
Six weeks after onboarding, the finance director received an email appearing to come from their flooring lender — complete with the lender's logo and a plausible payment reference number. The email asked for a $47,000 wire to a “new banking partner.”
The anti-impersonation rules we'd configured flagged the domain mismatch immediately. The email was quarantined before it reached the finance director's inbox. Our SOC alerted the GM within four minutes.
The same attack — with a slightly different lender name — hit three other dealerships in the region the same week. Two of them wired the money.
After · 60 Days In
Compliant. Protected. And one very relieved GM.
- FTC Safeguards WISP completed and accepted at first review — covering all 9 required elements
- $47,000 BEC wire-fraud attempt blocked — quarantined before the finance director even saw it
- GM's compromised account credentials rotated and protected with MFA — 3 unauthorized login attempts blocked in the first month alone
- Staff phishing-simulation click rate dropped from 38% to 5% after two training cycles — F&I team improved most
- Cyber insurance underwriter acknowledged the WISP and security controls — 19% premium reduction at renewal
- All customer PII encrypted at rest — unencrypted spreadsheet practice eliminated across the whole store
The intangible win: The owner can answer “yes” to every FTC Safeguards question — and prove it with documentation. That's a position almost no peer dealership in their market can match.
“I watched the CDK attack shut down dealers for weeks and I genuinely didn't know if we could survive something like that. Now I know exactly what's protecting us and exactly what would happen if something did get through. That's the first time I've been able to say that.”
T.K.
Owner · Riverside Motors (illustrative)
Illustrative scenario. Quote, names, and figures are fictional and presented to show the kind of engagement we're built for.
Is your dealership FTC-ready?
Most dealers aren't. We'll run a free WISP-readiness assessment — mapped to the 9 FTC Safeguards elements — and show you exactly what's missing before an auditor or attacker does.