
How Much Does Cybersecurity Cost for an Auto Dealership?

You hold credit applications, SSNs, and bank details for every customer, and the FTC Safeguards Rule requires you to protect them. The CDK attack proved your DMS isn't a safety net. So what does real protection cost — and what do you get at each tier?

Kapacyber

Security Advisory Team

Cybersecurity pricing for dealerships is hard to pin down because most providers won't publish a number. The honest version: cost scales with the size of the store (and the number of rooftops) and how much of the work you run yourself versus outsource. The controls are largely the same from a single independent lot to a franchised group — what changes is the operating burden and the WISP documentation the FTC Safeguards Rule expects.

Here are the four realistic tiers, what each covers, and where the gaps sit.

The Four Realistic Tiers

DIY Baseline

$0–$200 / month

Bare minimum — Safeguards gaps remain

Controls

  • MFA on email, the DMS, and banking (free)
  • Built-in OS antivirus and automatic updates
  • Native Microsoft 365 / Google Workspace backup
  • A written WISP drafted from a template
  • Drive encryption (BitLocker / FileVault, free)

Gap

No 24/7 monitoring, no Qualified Individual operating the program, no one watching for a compromised F&I mailbox, and the WISP is only as good as your follow-through.

Software + Self-Managed

$200–$799 / month

Better tooling, still no operator

Controls

  • Everything in the baseline, plus:
  • Password manager for the store
  • Microsoft 365 Business Premium (Defender + Intune)
  • Third-party backup for M365 / Workspace
  • A phishing-training platform
  • Endpoint detection (EDR) licences

Gap

The tools exist but nobody operates them. The alert that an attacker is in your network lands in an inbox nobody is watching.

Managed Essential → Plus

$799–$1,699 / month

The realistic fit for most single-rooftop dealers

Controls

  • Everything above, fully operated, plus:
  • Managed EDR with 24/7 SOC monitoring
  • Email security with active response (F&I BEC defence)
  • Phishing simulations + training run for you
  • Account-compromise monitoring and lockout
  • Monthly plain-English security report

Gap

Light coverage on a named incident-response retainer and dedicated Qualified-Individual / vCISO time at the lower end.

Complete / Multi-Rooftop

$1,699–$2,400+ / month

Larger stores and dealer groups (per rooftop)

Controls

  • Everything above, plus:
  • Fractional vCISO / Qualified Individual support
  • Vulnerability scanning with remediation
  • Full WISP ownership and Safeguards documentation
  • Incident-response retainer with named team
  • Cyber-insurance renewal support

Gap

Multi-rooftop groups scale per store; flat-network groups should budget for segmentation so one breach can't hit every store.

The Compliance Floor You Can't Skip

Whatever you spend, there's a floor. Any dealer that arranges financing is a “financial institution” under the FTC Safeguards Rule and must maintain a written information security program with nine specific elements. We map exactly what the WISP must contain in the FTC Safeguards Rule for auto dealers. There's no size exemption — the floor applies to the small independent lot as much as the franchised group.

Why the DMS Isn't Your Safety Net

The most expensive misunderstanding in the business is “our DMS vendor handles security.” The CDK Global ransomware attack took roughly 15,000 dealerships offline for weeks — every one of them on a “trusted” DMS. Your vendor is part of your supply-chain risk, not your WISP. The lessons are in lessons from the CDK Global attack, and the F&I-specific fraud angle in F&I BEC fraud.

What You're Actually Paying For

EDR licences cost a few dollars per device — so why does managed security cost more? Because the licence is the cheap part. The value is someone operating it: enforcing MFA on DMS logins, catching a compromised F&I mailbox before it redirects a lender payment, running training, testing backups, and keeping the WISP documentation current. That's labour. The general version is in what cybersecurity actually costs for SMBs, and the cross-industry view in what compliance cybersecurity costs.

Multi-Rooftop Groups Scale Differently

If you run more than one store, two things change. Pricing typically moves to a per-rooftop rate, and you need to budget for network segmentation — because many groups run flat networks where one breach can reach every store. We cover that exposure in why one breach can hit every store.

The Bottom Line

Most single-rooftop dealers should expect to spend between $799 and $1,699 per month for credible managed security, with groups scaling per store. Below that you're buying tools nobody operates; above it you're paying for scale or deep specialisation. Against FTC penalties measured per violation per day — and the memory of CDK — it's a small, predictable cost.

See our published plans and pricing for exact tiers, or how we deliver them on the cybersecurity for auto dealerships page.

This article is general information, not legal, tax, or compliance advice. Pricing shown is indicative and subject to a written services agreement.
