Auto dealerships are financial institutions under the FTC Safeguards Rule holding Social Security numbers, credit reports, and bank statements for every customer who has ever financed a vehicle. One ransomware attack, one vendor breach, one phishing email to your F&I manager can shut it all down. CDK Global proved it.
The FTC Safeguards Rule treats auto dealerships as financial institutions. You are required to have a written information security program, a designated qualified individual, annual risk assessments, and breach reporting within 30 days. Most dealerships are not fully compliant and the FTC is actively enforcing.
The CDK Global attack proved that a single vendor breach can lock every dealership that depends on it: sales, service, financing, and accounting completely offline for weeks. Your DMS is your most critical vulnerability.
Every deal you close involves Social Security numbers, bank statements, and credit reports. The FTC Safeguards Rule classifies dealerships as financial institutions and holds you to the same data security standards.
36% of dealership breaches start with phishing. Finance and F&I personnel are the highest-value targets because they have access to the most sensitive customer data and the wire transfer capabilities attackers want.
Lenders, software vendors, auction platforms, and service providers all connect to your systems. Under the FTC Safeguards Rule, you are responsible for ensuring every one of them maintains adequate security controls.
Six modules built around the real-world vulnerabilities of auto dealerships. Every finding manually validated and mapped directly to FTC Safeguards Rule requirements so your assessment doubles as compliance documentation.
Take 5 minutes to cross-reference your current operations against a 9 question baseline hygiene checklist covering common dealership entry points.
We map your internet-facing systems from an attacker's perspective DMS portals, online credit applications, inventory platforms, and any remote access tools used by staff or vendors.
Credentialed scanning of workstations, servers, DMS infrastructure, and vendor integrations. Findings mapped directly to FTC Safeguards Rule technical requirements.
Dark web intelligence to identify leaked staff credentials and customer financial data actively circulating before they are used to access your DMS or initiate fraudulent transactions.
We assess customer-facing credit applications, online finance tools, and internal portals for authentication flaws, injection vulnerabilities, and exposure of nonpublic customer information.
Server room access, F&I office controls, service drive workstations, and key management evaluated in person including after-hours physical access points and visitor procedures.
Executive summary for dealer principals plus a full technical report with remediation timelines and documentation supporting your Written Information Security Program (WISP) requirements.
*This baseline check is informational only and does not substitute for a professional compliance audit.
We define scope and agree on timing that avoids high-volume sales periods, month-end closes, and major inventory events.
We map your digital footprint from the outside DMS portals, credit apps, and any system exposed to the internet.
Credentialed scans of your internal network and DMS infrastructure plus an on-site physical walkthrough of the entire facility.
Every finding reviewed. False positives removed. Real risks confirmed, scored, and mapped to FTC Safeguards Rule requirements.
Executive summary and full technical report with a debrief documentation ready to support your WISP and annual Safeguards Rule certification.
Every credit application, every trade-in evaluation, every deal jacket contains customer financial data protected under the FTC Safeguards Rule. Compliance is mandatory not optional.
Multi-location dealers face compounded exposure. A breach at one store can cascade across your entire group through shared DMS systems, network connections, and centralized finance operations.
BHPH dealers store the most sensitive customer financial data of any dealership type often for customers who cannot obtain traditional financing. This data is highly valuable and frequently targeted.
The FTC Safeguards Rule applies to any dealership that facilitates financing. RV and powersports dealers are increasingly targeted as attackers recognize the gap between data stored and security in place.
Auction platforms handle financial transactions for thousands of vehicles and collect dealer and buyer financial information at scale. A breach here exposes every dealer in your network simultaneously.
Shops that store customer payment information, insurance records, or vehicle history data have compliance obligations even without a direct financing operation. Physical security gaps are especially common.
Not sure if you need an assessment? That's exactly why this conversation exists. Tell us about your organization and we'll take it from there