
Cybersecurity for Car Dealerships: Protecting Against Modern Threats

Car dealerships sit on a goldmine of sensitive customer data and face increasingly sophisticated cyber threats. Here is what we tell dealership operators about building a practical cybersecurity program that addresses real-world risks.

Agency Team

One of the most common questions we get at Agency from dealership operators is: "Why would anyone target a car dealership?" The answer is straightforward — dealerships process and store an extraordinary volume of sensitive personal and financial data, and most do so with cybersecurity programs that are years behind the threat landscape. After working with automotive retail groups on their security posture, we have seen firsthand how vulnerable dealerships are and how much damage a single incident can cause. This guide covers what every dealership operator needs to know.

Car dealerships are not the first industry that comes to mind when people think about cybersecurity targets. But they should be. A single dealership transaction can involve a customer's Social Security number, driver's license, bank account information, credit history, employment details, insurance information, and income verification. The Finance and Insurance office alone processes enough personally identifiable information to make identity thieves salivate. Multiply that by hundreds or thousands of transactions per year, and a dealership — especially a multi-location dealer group — becomes one of the most data-rich targets in retail.

The industry learned this the hard way in June 2024 when the CDK Global attack shut down operations at approximately 15,000 dealerships across North America. That incident did not just expose a cybersecurity problem — it exposed a systemic dependency on a single technology vendor that most dealership operators had never seriously evaluated from a security perspective.

Why Dealerships Are Targeted

What we tell clients is that understanding your threat profile is the first step toward building an effective defense. Dealerships face a unique combination of factors that make them attractive targets.

The Data Problem

Every vehicle sale generates a dense packet of sensitive data. In our experience, dealerships routinely collect and store the following categories of personally identifiable information:

| Data Category | Examples | Risk Level |
|---|---|---|
| Financial identity | Social Security numbers, credit reports, income verification | Critical — enables identity theft and financial fraud |
| Banking information | Bank account numbers, routing numbers, payment details | Critical — enables direct financial theft |
| Personal identity | Driver's license numbers, addresses, dates of birth, phone numbers | High — enables identity theft and social engineering |
| Insurance information | Policy numbers, coverage details, insurer information | High — enables insurance fraud |
| Employment data | Employer names, salary details, employment verification | Medium — supports social engineering and fraud |
| Vehicle information | VINs, registration details, lien information | Medium — enables vehicle fraud schemes |

The F&I department is the single richest data target in the dealership. A compromised F&I system gives an attacker everything they need to commit comprehensive identity theft against every customer who has financed a vehicle.

The Technology Problem

What we see across dealership environments is an over-reliance on a small number of Dealer Management System providers combined with a patchwork of loosely integrated third-party tools. The typical dealership technology stack includes a DMS (CDK, Reynolds and Reynolds, or Dealertrack), a CRM system, desking and F&I software, inventory management tools, manufacturer portals, lender portals, and various marketing platforms. Each of these systems may have different security configurations, different access controls, and different data handling practices. In our experience, very few dealerships have a unified view of their technology risk.

The People Problem

Dealerships have high employee turnover, particularly in sales roles. What this means from a cybersecurity perspective is that access credentials are frequently shared, former employees often retain access to systems longer than they should, and security awareness training — if it exists at all — is inconsistent. Sales staff routinely handle sensitive customer documents, often on personal devices or shared workstations with minimal access controls.

The CDK Global Attack: Lessons for Every Dealership

The CDK Global ransomware attack in June 2024 was a watershed moment for automotive retail cybersecurity. CDK, which provides DMS software to roughly half the dealerships in the United States, was forced to shut down its systems for approximately two weeks. The impact was devastating: dealerships could not process sales, service departments could not access repair orders, and F&I operations ground to a halt. Some estimates put the total industry losses in the hundreds of millions of dollars.

What we tell clients about the CDK incident is that it exposed three critical vulnerabilities that every dealership needs to address.

Single-vendor dependency. Most dealerships had no contingency plan for a DMS outage. When CDK went down, they had no way to process transactions. What we recommend is that every dealership develop a business continuity plan that specifically addresses DMS unavailability, including manual processes for sales, service, and F&I operations.

Third-party risk management failure. Very few dealerships had ever conducted a security assessment of CDK or their other technology vendors. The assumption was that a company that large must have adequate security. In our experience, vendor size does not correlate with vendor security maturity as closely as people assume. We recommend that dealerships include cybersecurity requirements in their vendor contracts and conduct at minimum an annual review of critical vendor security posture.

Incident response unpreparedness. When the CDK systems went down, most dealerships had no incident response plan. Staff did not know what to do, who to contact, or how to communicate with customers. What we recommend is that every dealership have a documented incident response plan that includes specific scenarios for DMS outages, ransomware events, and data breaches.

FTC Safeguards Rule: What Dealerships Must Do

The Federal Trade Commission's revised Safeguards Rule, which went into full effect in June 2023, applies to all financial institutions — and that includes car dealerships because they extend credit through financing arrangements. This is not optional. It is a legal requirement with real enforcement teeth.

What we tell dealership clients is that the Safeguards Rule is actually a reasonable cybersecurity framework if you take it seriously. Here is what it requires:

Core Requirements

| Requirement | What It Means for Dealerships | Implementation Priority |
|---|---|---|
| Designate a Qualified Individual | Appoint someone responsible for your information security program — can be an employee or outsourced | Immediate — this is your program owner |
| Conduct a risk assessment | Identify and evaluate risks to customer information across all systems and processes | High — this drives everything else |
| Implement safeguards | Deploy access controls, encryption, MFA, and monitoring based on your risk assessment | High — technical controls are the foundation |
| Monitor and test controls | Continuously monitor your safeguards and conduct annual penetration testing or vulnerability assessments | Ongoing — annual at minimum |
| Employee training | Provide security awareness training to all employees who handle customer information | High — dealership-specific training is essential |
| Vendor management | Assess and monitor the security of service providers who access customer information | High — DMS vendors, CRM providers, lender portals |
| Incident response plan | Maintain a written plan for responding to security events | High — must include notification procedures |
| Report to the board | The Qualified Individual must report at least annually to the board or equivalent governing body | Annual — document these reports |

Common Compliance Gaps

In our experience working with dealership groups, the most common Safeguards Rule compliance gaps are:

No designated Qualified Individual. Many dealerships assume their IT person or IT vendor fills this role, but the Safeguards Rule requires a specific designation with clear responsibilities. What we recommend is formally designating this role in writing, whether it is an internal employee, an outsourced CISO, or a managed security provider.

No documented risk assessment. The risk assessment cannot be a checkbox exercise. It must identify specific risks to customer information, evaluate the sufficiency of existing safeguards, and document how identified risks will be addressed. In our experience, dealerships that conduct a thorough risk assessment almost always discover vulnerabilities they did not know existed.

Weak access controls. The Safeguards Rule requires multi-factor authentication for anyone accessing customer information. What we see is that many dealerships still use shared logins for DMS systems, have no MFA on critical applications, and have not implemented role-based access controls that limit employees to only the data they need.

No encryption. Customer data must be encrypted both in transit and at rest. Many dealerships store unencrypted customer files on network drives, transmit credit applications over unencrypted connections, and have no encryption on endpoint devices.

DMS System Security

Your Dealer Management System is the backbone of your operation and the most critical system to secure. Whether you use CDK, Reynolds and Reynolds, Dealertrack, or another platform, the security fundamentals are the same.

What we recommend for DMS security:

Implement individual user accounts. Shared DMS logins are one of the most common security failures we see in dealerships. Every employee who accesses the DMS should have a unique account with a strong password and MFA enabled. This is not just a security best practice — it is required by the Safeguards Rule and it gives you an audit trail for who accessed what data and when.

Configure role-based access. Not every employee needs access to every function. Sales staff do not need access to accounting functions. Service advisors do not need access to F&I customer credit data. What we recommend is mapping each role in the dealership to the minimum DMS access required for that role and configuring the system accordingly.

Monitor DMS activity. Enable logging for sensitive operations — credit pulls, deal jacket access, financial record exports, and administrative changes. Review these logs regularly for anomalous activity. In our experience, dealerships that implement DMS activity monitoring catch unauthorized access attempts within days rather than months.
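To make the review step concrete, here is an added example (not code from the original article or from any DMS vendor) that applies the preceding three recommendations to a constructed DMS audit log: it flags actions outside a role's permitted set, sensitive operations outside business hours, bulk financial exports, and one account appearing on two workstations within minutes (a common sign of a shared login). The CSV column layout, the role-to-action policy, the business-hours window and the thresholds are all assumptions; real DMS exports are vendor-specific and these values should be set from your own risk assessment.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample audit log; column layout is an assumption, not a real DMS format.
SAMPLE_LOG = """timestamp,user,role,workstation,action,records
2024-06-03 09:12:00,jsmith,sales,WS-SALES-01,deal_jacket_access,1
2024-06-03 09:15:00,mjones,fi,WS-FI-01,credit_pull,1
2024-06-03 09:20:00,rlee,service,WS-SVC-02,credit_pull,1
2024-06-03 22:40:00,mjones,fi,WS-FI-01,financial_export,2500
2024-06-03 10:05:00,jsmith,sales,WS-SALES-03,deal_jacket_access,1
2024-06-03 10:06:00,jsmith,sales,WS-SALES-01,deal_jacket_access,1
2024-06-03 11:00:00,admin,admin,WS-IT-01,admin_change,1
"""

# Assumed least-privilege policy, following the article's examples: sales staff get
# deal jackets only, service advisors never touch credit data, exports stay in F&I/accounting.
ROLE_PERMISSIONS = {
    "sales": {"deal_jacket_access"},
    "fi": {"deal_jacket_access", "credit_pull", "financial_export"},
    "service": {"repair_order_access"},
    "accounting": {"financial_export"},
    "admin": {"admin_change"},
}
SENSITIVE_ACTIONS = {"credit_pull", "financial_export"}
BUSINESS_HOURS = (7, 21)      # assumed: 07:00 to 21:00 local time
EXPORT_THRESHOLD = 500        # assumed: records per export that warrants review
SHARED_LOGIN_WINDOW_SEC = 600 # assumed: two workstations within 10 minutes


def parse_log(text):
    """Parse the CSV audit log into dicts, typed and sorted by timestamp."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
        r["records"] = int(r["records"])
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def find_anomalies(rows):
    """Return (finding_type, user, detail) tuples for review."""
    findings = []
    seen = defaultdict(list)  # user -> [(timestamp, workstation), ...]
    for r in rows:
        allowed = ROLE_PERMISSIONS.get(r["role"], set())
        if r["action"] not in allowed:
            findings.append(("role_violation", r["user"], r["action"]))
        hour = r["timestamp"].hour
        if r["action"] in SENSITIVE_ACTIONS and not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", r["user"], r["action"]))
        if r["action"] == "financial_export" and r["records"] >= EXPORT_THRESHOLD:
            findings.append(("bulk_export", r["user"], r["records"]))
        # Same account active on a different workstation within the window: likely shared.
        for ts, ws in seen[r["user"]]:
            if ws != r["workstation"] and (r["timestamp"] - ts).total_seconds() <= SHARED_LOGIN_WINDOW_SEC:
                findings.append(("possible_shared_login", r["user"], f"{ws}->{r['workstation']}"))
                break
        seen[r["user"]].append((r["timestamp"], r["workstation"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{kind:22} {user:8} {detail}")
```

On the sample log this reports the service advisor's credit pull, the late-night 2,500-record export (twice: after hours and bulk), and jsmith's account on two sales workstations one minute apart.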

Secure DMS integrations. Your DMS connects to manufacturer systems, lender portals, credit bureaus, and various third-party tools. Each integration is a potential attack vector. What we recommend is auditing every DMS integration, confirming that each uses encrypted connections, and disabling any integrations that are no longer in use.

Vendor Management for Dealership Software

The average dealership uses fifteen to twenty-five different software applications. Each vendor represents a potential security risk. The CDK attack demonstrated what happens when a critical vendor is compromised, but the risk extends to every vendor in your ecosystem.

What we recommend for dealership vendor management:

Inventory all vendors. Create a complete list of every software vendor, SaaS application, and third-party service that has access to your dealership data or systems. In our experience, most dealerships underestimate their vendor count by thirty to fifty percent.

Classify vendors by risk. Not all vendors require the same level of scrutiny. We recommend classifying vendors into tiers:

| Tier | Criteria | Assessment Frequency | Examples |
|---|---|---|---|
| Critical | Processes or stores customer PII or financial data; operational dependency | Annual detailed assessment | DMS provider, CRM, F&I software, lender portals |
| High | Accesses dealership network or systems; handles some customer data | Annual questionnaire | Marketing platforms, inventory tools, service scheduling |
| Standard | Limited data access; no direct system integration | At onboarding and every two years | Office software, utilities, non-data vendors |

Include security requirements in contracts. Every vendor contract should include data protection requirements, breach notification obligations, and the right to audit or request security documentation. What we tell clients is that if a vendor will not agree to basic security terms, that tells you something important about their security posture.

Employee Training for Dealership Environments

Generic cybersecurity training does not work well in dealership environments. What we have seen is that training programs designed for office workers miss the specific risks that dealership employees face.

What we recommend is dealership-specific training that covers:

Phishing awareness tailored to automotive. Dealership employees receive phishing emails disguised as manufacturer communications, lender notifications, customer inquiries, and inventory alerts. Training should use examples that reflect what dealership staff actually encounter, not generic corporate phishing scenarios.

Customer data handling. Sales and F&I staff handle physical and digital copies of extremely sensitive documents every day. Training must cover secure document handling — no leaving credit applications on desks, no emailing Social Security numbers, no storing customer documents on personal devices, and proper disposal of physical documents.

Social engineering recognition. Dealership employees are conditioned to be helpful and accommodating — it is part of the sales culture. This makes them particularly vulnerable to social engineering attacks. Training should address phone-based pretexting (someone calling and pretending to be from IT support or a lender), in-person social engineering, and business email compromise targeting the accounting or F&I departments.

Reporting procedures. In our experience, employees who suspect something is wrong often do not report it because they do not know who to tell or they are afraid of getting in trouble. Training must clearly communicate the reporting process and emphasize that reporting suspicious activity is encouraged and will not result in negative consequences.

Cyber Insurance for Dealerships

What we tell dealership clients is that cyber insurance is not optional — it is a critical component of your risk management strategy. The costs associated with a dealership data breach — forensic investigation, customer notification, credit monitoring, legal defense, regulatory fines, and business interruption — can easily reach six or seven figures.

What to Look for in a Dealership Cyber Policy

| Coverage Area | Why It Matters for Dealerships | Minimum Coverage We Recommend |
|---|---|---|
| Data breach response | Covers forensic investigation, notification costs, credit monitoring for affected customers | $1 million minimum; $3-5 million for larger groups |
| Business interruption | Covers lost revenue during a system outage (as the CDK attack demonstrated) | 30-60 days of coverage; calculate based on average daily gross profit |
| Ransomware / extortion | Covers ransom payments and associated costs | Confirm this is included and not sublimited |
| Regulatory defense | Covers legal defense and fines from FTC enforcement or state AG actions | $500,000 minimum; higher for multi-state operations |
| Third-party liability | Covers claims from customers whose data was compromised | $1 million minimum |

Getting Better Rates

In our experience, dealerships that can demonstrate the following to their cyber insurer consistently receive better rates and broader coverage:

  • A documented information security program aligned with the FTC Safeguards Rule
  • MFA implemented on all critical systems
  • A completed risk assessment within the past twelve months
  • Employee security awareness training with documented completion
  • An incident response plan that has been tested
  • Endpoint detection and response software deployed across all workstations
  • Regular data backups stored offline or in an immutable format

What we recommend is treating cyber insurance underwriting as a security audit. The questions insurers ask are a reasonable checklist of security fundamentals that every dealership should have in place regardless of insurance requirements.

Practical Security Improvements: Where to Start

For dealerships that are starting from scratch or have significant gaps, here is the prioritized action plan we recommend:

Phase 1: Immediate Actions (First 30 Days)

  1. Designate your Qualified Individual under the Safeguards Rule
  2. Enable MFA on all DMS, CRM, email, and lender portal accounts
  3. Eliminate shared login credentials — every employee gets a unique account
  4. Conduct an initial inventory of all software vendors and data flows
  5. Secure physical access to F&I offices and any areas where customer documents are processed

Phase 2: Foundation Building (Days 30-90)

  1. Conduct a formal risk assessment covering all systems that handle customer data
  2. Implement role-based access controls on your DMS and other critical systems
  3. Deploy endpoint detection and response software on all workstations and servers
  4. Enable encryption on all endpoint devices and verify encryption on data at rest
  5. Develop your incident response plan with dealership-specific scenarios
  6. Begin dealership-specific security awareness training for all employees

Phase 3: Program Maturity (Days 90-180)

  1. Implement DMS activity logging and monitoring
  2. Conduct your first vendor security assessment for critical and high-risk vendors
  3. Develop your business continuity plan including DMS outage procedures
  4. Schedule a penetration test or vulnerability assessment
  5. Conduct a tabletop incident response exercise
  6. Establish your annual compliance calendar for ongoing Safeguards Rule activities

Phase 4: Continuous Operations (Ongoing)

  1. Quarterly access reviews across all critical systems
  2. Annual risk assessment updates
  3. Annual penetration testing or vulnerability assessments
  4. Ongoing employee training with quarterly phishing simulations
  5. Annual vendor re-assessments for critical and high-risk vendors
  6. Annual report to ownership or board from the Qualified Individual

Key Takeaways

  • What we tell every dealership client is that the combination of dense customer PII, financial data, and F&I information makes car dealerships one of the most data-rich targets in retail — the question is not whether your dealership will be targeted but whether you will be prepared when it happens
  • In our experience, the CDK Global attack was a turning point for the industry, and the dealerships that recovered fastest were the ones with business continuity plans, diversified vendor dependencies, and incident response procedures already in place — we recommend every dealership build these capabilities now rather than after the next major incident
  • What we recommend to every dealership operator is to treat FTC Safeguards Rule compliance as the baseline for your cybersecurity program, not the ceiling — the rule provides a reasonable framework that addresses the most critical risks, and non-compliance carries real enforcement risk including fines and consent orders
  • In our experience working with dealership groups, the highest-impact security improvements are eliminating shared DMS credentials, enabling MFA on all critical systems, and conducting a thorough risk assessment — these three actions alone close the majority of the most exploitable vulnerabilities we see in dealership environments
  • What we tell clients about cyber insurance is that it is not a substitute for security controls but rather a financial backstop for the residual risk that remains after you have implemented reasonable safeguards — insurers are increasingly requiring documented security programs before they will issue policies, and dealerships without basic controls in place face higher premiums, reduced coverage, or outright denial
  • We advise dealership operators to approach vendor management as a critical security function, not an administrative task — the lesson of the CDK attack is that your security is only as strong as your most critical vendor, and every dealership should know exactly what data each vendor accesses and what security controls they have in place

Frequently Asked Questions

Does the FTC Safeguards Rule apply to all dealerships?

What we tell clients is yes — the Safeguards Rule applies to any business that is significantly engaged in financial activities, which includes car dealerships because they arrange financing for customers. This applies whether you are a single-point franchise dealership or a multi-location dealer group. The rule does not distinguish by dealership size. Independent used car dealers that arrange financing are also covered. The only dealerships that might be exempt are those that conduct strictly cash transactions with no financing, leasing, or insurance activities — which in practice means virtually no modern dealership is exempt.

How much should a dealership budget for cybersecurity?

In our experience, a single-point dealership should expect to invest $30,000 to $80,000 in the first year to build a compliant cybersecurity program, including technology (endpoint protection, MFA, backup solutions), a risk assessment, employee training, and policy development. Ongoing annual costs typically range from $20,000 to $50,000. For multi-location dealer groups, first-year investment scales with the number of locations but benefits from economies of scale — a ten-location group might invest $150,000 to $300,000 in the first year. What we recommend is framing this investment against the cost of a breach, which for a dealership handling thousands of customer records can easily exceed $1 million when you factor in forensics, notification, legal costs, regulatory fines, and business interruption.

Can we outsource our cybersecurity program?

What we tell dealership clients is that outsourcing is not only acceptable but often advisable for most dealerships. The Safeguards Rule specifically permits the Qualified Individual to be an outsourced role. Managed security service providers, virtual CISO services, and compliance advisory firms can provide the expertise that most dealerships cannot cost-effectively build in-house. The key requirement is that the dealership retains oversight and accountability — you can outsource the work but not the responsibility. We recommend that dealership operators maintain enough internal knowledge to effectively oversee their outsourced security program and make informed decisions about security investments.
