FTC-Safeguards Cybersecurity Built for Auto Dealerships
A WISP your insurer will accept. MFA on your DMS. Endpoint protection on every device from the showroom to the service drive. F&I BEC defence that catches the wire-fraud emails before your finance director sees them. All of it run by people who actually understand how a dealership operates.
Why Now
The dealership cyber landscape changed in 2024. The compliance bar moved with it.
For years, dealership cybersecurity was an afterthought. Maybe basic antivirus on the front-desk PC. Maybe a backup nobody had ever tested. Mostly: trust the DMS, trust the local IT shop, hope nothing happens.
Two events changed that. In June 2023, the FTC's expanded Safeguards Rule extended "financial institution" to include any dealer that arranges financing — making a written information security programme (WISP) and nine specific control families mandatory. Enforcement began June 2024.
Then on June 19, 2024, BlackSuit ransomware took down CDK Global. Roughly 15,000 dealerships in the US and Canada lost their DMS for two to three weeks — no inventory, no F&I, no payroll, no accounting. Industry losses passed $1 billion. CDK reportedly paid a $25 million ransom.
The lesson every dealer principal took from that summer: even a "trusted" vendor can take you offline overnight. Your in-store security posture is what determines whether you survive the next one. And the FTC isn't going to wait.
The 9 FTC Safeguards Elements
What your WISP must contain — and how we deliver each one.
The FTC requires nine specific elements. We don't check boxes. We operate the controls behind each one, every day.
Qualified Individual
A named person responsible for the security programme. We act as your virtual Qualified Individual or work alongside your appointed staff member.
Written Risk Assessment
Documented assessment of foreseeable internal and external threats — DMS, F&I, customer PII, payroll, vendor chain. Refreshed annually.
Access Controls
Least-privilege access, named accounts (no shared logins), and role-based permissions across DMS, CRM, and email.
Data Inventory & Classification
We map where customer NPI lives — DMS, F&I packets, scanned IDs, credit apps, accounting — and classify by sensitivity.
Encryption
Customer information encrypted in transit and at rest — including F&I scans, credit apps, and back-office spreadsheets.
Application Security
Secure configuration of DMS, CRM, dealer portals, and back-office software. Vendor due diligence on every system handling customer data.
MFA Everywhere
Multi-factor authentication enforced on every account that can reach customer info — DMS, email, RDP, VPN, accounting, payroll.
Secure Disposal
Documented retention policy and secure-disposal procedures for paper deal jackets, scanned IDs, old hard drives, and end-of-life devices.
Monitoring, Training, Response & Reporting
24/7 SOC monitoring, security awareness training tailored to F&I, sales, service, and parts roles, incident response plan, and quarterly reporting to ownership.
Threats Built for Dealerships
Not generic SMB threats. The exact attacks targeting dealer rooftops.
F&I Wire-Fraud BEC
Attackers spoof lender, manufacturer, or dealer-trade domains to redirect payoffs and floor-plan payments. The average BEC loss per incident is over $125,000 (FBI IC3).
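As an added illustration of the kind of screen described above (example code written for this page, not the provider's own tooling), the check below holds a payoff or floor-plan email for human review when the sender domain imitates a known lender domain, the reply-to points elsewhere, or the body asks for changed payment instructions. The trusted domains, patterns and sample messages are constructed placeholders.

```python
"""Defender-side screen for F&I payoff / floor-plan emails (constructed example)."""
import re
from typing import List, Optional

# Constructed allowlist: domains F&I legitimately receives payoff instructions from.
TRUSTED_DOMAINS = {"examplelender.com", "examplecaptive.com", "examplefloorplan.com"}

# Phrases that typically accompany a request to redirect a payment.
REDIRECT_PATTERNS = re.compile(
    r"(new|updated|changed)\s+(wire|bank|account|routing|payoff)"
    r"|urgent(ly)?\s+(wire|payoff|payment)",
    re.IGNORECASE,
)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character spoofs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def _is_lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        # Same name on a different TLD, or a near-miss spelling of the name.
        # Note: tune the distance threshold for short brand names to limit false positives.
        if label == t_label or _edit_distance(label, t_label) <= 2:
            return trusted
    return None


def assess_payoff_email(sender: str, reply_to: str, body: str) -> List[str]:
    """Return the reasons to hold the message for review; an empty list means no flags."""
    reasons = []
    imitated = _is_lookalike(_domain(sender))
    if imitated:
        reasons.append(f"sender domain {_domain(sender)} imitates {imitated}")
    if reply_to and _domain(reply_to) != _domain(sender):
        reasons.append("reply-to domain differs from sender domain")
    if REDIRECT_PATTERNS.search(body):
        reasons.append("body requests changed payment instructions")
    return reasons
```

Any flagged message should go to a hold queue and be confirmed with the lender over a known phone number, never by replying to the email.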
Ransomware on the DMS
Lock the DMS and you can't sell, service, finance, or pay anyone. CDK Global's June 2024 outage took ~15,000 dealers offline for 2–3 weeks. Some never recovered.
Customer PII Exposure
Every credit app contains an SSN, driver's licence, and bank info. Most dealers store this data unencrypted on shared drives. One breach = state AG action + class action.
Stolen DMS Credentials
Employees reuse passwords across personal sites. When those leak, attackers log straight into your DMS — no malware required, nothing to detect.
Service-Drive Endpoints
Shop tablets and PCs run unpatched Windows, share accounts, and connect to public Wi-Fi. They're the easiest pivot point onto the dealership network.
Multi-Rooftop Lateral Movement
If your group runs flat networks across stores, a compromise at the smallest rooftop reaches the biggest. We segment, monitor, and contain.
We Speak Dealer
No translation needed. We know your stack.
We won't make your service writer explain what a deal jacket is. We've already mapped controls onto the systems your store actually runs — so the WISP and the day-to-day controls fit your workflow, not someone's textbook.
Whether you run a single rooftop or a 12-store group, the controls scale to match. Network segmentation between rooftops, group-level identity governance, multi-rooftop SOC monitoring — built in.
Systems We Work With
Not a complete list. If your DMS, CRM, or F&I tool isn't shown, we've almost certainly worked alongside it.
What Onboarding Looks Like
90 days to a dealership that can answer the FTC honestly.
Week 1
Free WISP-Readiness Assessment
We map your environment against all 9 FTC Safeguards elements and rank gaps by enforcement risk. No obligation, no IT-jargon report — a one-page roadmap you can show your insurance broker.
Weeks 2–4
Stabilise the Critical Gaps
MFA on the DMS and email, EDR on every endpoint across the showroom floor, F&I, service drive, and back office, removal of shared logins, and encryption of customer PII files.
Month 2
Build the WISP
Drafted to the 9 FTC elements, signed by a Qualified Individual, with documented procedures your insurer and an FTC examiner could review. Tabletop incident-response exercise with the GM and finance director.
Month 3+
Run It
24/7 monitoring, monthly plain-English reports to ownership, quarterly WISP review, monthly phishing simulations targeted to F&I and sales scenarios. We're your dealership's outsourced security team.
What It Costs
Indicative pricing for a typical franchise rooftop.
Single Rooftop
$1,400+/mo
~25–60 staff, 1 location
- WISP build & ongoing oversight
- MFA enforcement on DMS & email
- EDR on every endpoint
- 24/7 monitoring & response
- Dealership-specific awareness training
Multi-Rooftop Group
$3,500+/mo
2–6 rooftops, group-level oversight
- Everything in Single Rooftop
- Group-level identity governance
- Inter-rooftop network segmentation
- Group security committee reporting
- Per-rooftop WISP variants
Independent Dealer
$799+/mo
Used-car & small-volume stores
- Right-sized WISP
- MFA & EDR essentials
- Email security & backups
- Quarterly check-ins & reporting
Indicative pricing. Final figures depend on rooftop count, headcount, DMS / CRM stack, and existing controls, and are set out in the written services agreement.
What We Hear From Dealers
The five objections — answered honestly.
Doesn't our DMS vendor handle security?
They handle their platform's uptime and patching. Everything else — your endpoints, email, identities, customer files outside the DMS, backups, training, the WISP itself — is the dealer's responsibility. The CDK outage proved that even a major DMS can fail catastrophically; if it does, your in-store cyber posture is what determines whether you survive it.
We have a local IT guy. Isn't that enough?
Most local IT shops are excellent at networking and DMS support but aren't security-led. Ask them: do you have a written WISP that covers all 9 FTC Safeguards elements? Do you run 24/7 monitoring? Do you do dealership-specific phishing simulations? If those answers are no, you have IT, not security.
We're too small for the FTC to care about us.
There's no size exemption. The Safeguards Rule applies to every dealer that arranges financing — full stop. Penalties run up to $43,792 per violation per day under the FTC Act. State attorneys general also enforce. Smaller dealers are also less likely to survive the legal and PR fallout from a breach.
Our cyber insurance has us covered.
Insurance only pays if you have the controls you attested to on the application. Most dealer applications now ask about MFA, EDR, backups, awareness training, and a documented WISP. Misrepresent any of those and the carrier can deny the claim. We make your attestation truthful.
We had an assessment last year. We're fine.
An assessment is a snapshot. The Safeguards Rule requires ongoing monitoring, periodic risk re-assessment, change management, and continuous training. If nothing has changed since last year's report, that itself is the problem.
Dig Deeper
Dealership-specific reading.
The FTC Safeguards Rule for Auto Dealers — what your WISP must include
A plain-English walkthrough of all 9 required elements with dealership examples.
Lessons from the CDK Global ransomware attack
What dealers actually lost and the 7 controls that would have changed the outcome.
Riverside Motors: FTC-compliant in 60 days, $47k wire-fraud blocked
A composite scenario showing the 60-day path from no WISP to defensible.
See where your dealership stands.
Free WISP-readiness assessment. We map your environment to the 9 FTC Safeguards elements and hand you a one-page roadmap. No sales pressure. No IT-jargon report. Whether you engage us or not, you walk away with clarity.