There is a looming deadline that MSPs need to be aware of when it comes to their clients in the car dealer space. This includes car dealerships along with their counterparts selling boats, RVs, and motorcycles. The FTC (Federal Trade Commission) has found that car dealers handle a large amount of personal customer data, which makes dealers a highly desirable target for cybercriminals.
So, on June 9th, 2023, all car dealers in the US will need to comply with new FTC Safeguard Rules.
What Are the New FTC Rules?
The National Automobile Dealers Association has a great document on the revised safeguard rules for its member organizations. These are the key security measures the dealership will be required to implement in order to prove compliance:
1. Designate a qualified individual to implement and supervise your information security program.
The dealer needs to appoint a qualified individual to oversee this process. This designation can be outsourced to an MSP but the dealer will still be required to designate an in-house senior employee to supervise the program.
2. Conduct a risk assessment.
The risk assessment needs to take into account all potential risks around customer information. It should review and assess whether customer information can be accessed by bad actors and how that customer information could be misused, altered, or destroyed. Compliance measures must be reviewed and assessed regularly.
3. Design and implement safeguards to control the risks identified.
This process includes, but is not limited to, the following actions:
- Implement and periodically review access controls.
- Know what you have and where you have it.
- Encrypt customer information on your system and when it’s in transit.
- Assess your apps.
- Implement multi-factor authentication for anyone accessing customer information on your system.
- Dispose of customer information securely.
- Anticipate and evaluate changes to your information system or network.
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
- Regularly monitor and test the effectiveness of your safeguards.
4. Train dealership staff.
As with any cybersecurity program, it’s vitally important that the staff are trained to be aware of any potential risks and understand what to do if they feel that something isn’t right. The MSP should either do this training (if qualified) or recommend a provider/service to do staff training.
6. Monitor dealership service providers.
The MSP should carefully select and recommend service providers and ensure that they have rigorous cybersecurity practices in place.
7. Keep the information security program current.
Keep your dealership clients’ security program documentation up to date. It should continue to evolve as time goes on, as staff changes within the dealership, and as the information technology landscape grows and develops.
8. Create a written incident response plan.
This is a written disaster avoidance and recovery plan that defines what a security event is and what must happen in case of a security event. The MSP should have a repository of all such forms and plans to be customized for each client.
9. Require the Qualified Individual to report to the dealership’s Board of Directors.
The dealership’s designated qualified person is responsible for ensuring security initiatives are followed. This person is required to report to the Board of Directors at least annually.
How Do The New Rules Affect My MSP?
The FTC states, in no uncertain terms, that dealerships must monitor their service providers. That includes you. They may ask you about your upstream activities, whether you are fully utilizing MFA, your data encryption policies, and anything else applicable. Hopefully your security plan is already written and has been discussed with the dealership, but be ready for the questions to come in as the dealership ramps up its compliance with these new security measures.
Further, and perhaps more importantly, this is a huge opportunity for MSPs to speak to car dealers. You are well placed to help them prepare their written incident plans, conduct staff training, and ensure that they are aware of the requirements.
How JumpCloud Can Help
If you are a JumpCloud partner you can help your car dealers right away by enforcing Multi-Factor Authentication (MFA), deploying cross-platform patch management, ensuring all devices are fully encrypted and much more.