Dealerships outsource and collaborate with many third-party vendors to create lasting customer experiences and keep internal operations running smoothly. In the wake of critical vendor security incidents, panic may ensue as dealers question whether customer data and dealership data are safe.
Cybersecurity incidents and ransomware attacks can cost an organization millions of dollars, cause reputational damage with clients and other business partners, and delay getting operations up and running again. If your dealership has been impacted by a critical vendor security incident, keep reading to learn three steps you can take to help secure your data.
Contain the Security Incident at the Dealership's Perimeter
Disconnect the edge routers and site-to-site VPNs belonging to the vendor that are connected to your IT infrastructure to prevent connectivity between an attacker and your IT systems.
This can help reduce the impact of a security incident by limiting the systems and data an attacker can compromise. Connections should not be restored until the incident is resolved.
Follow Your Incident Response (IR) Policy
The FTC Safeguards Rule requires dealerships to execute an IR plan when a cybersecurity incident involving a vendor arises. A meeting of all key stakeholders should be held to:
- Assess the threat to the dealership-owned infrastructure:
  - Eradicate threats from the network. As a precaution, dealerships should perform security assessments of all networks, even those they believe were not impacted.
- Contact your cyber liability insurance provider:
  - Report the incident to your cyber carrier for awareness. Depending on your carrier’s requirements and the length of the outage, you may qualify for contingent business interruption and extra expense coverage.
- Establish communications with the affected critical vendor to determine:
  - What exactly happened, and how?
  - Has the compromise impacted the confidentiality of your customers’ personally identifiable information (PII)?
    - The impact on the confidentiality of your customer information is crucial to understanding whether a data breach has occurred and whether customers will need to be notified. Dealerships need to understand their state data privacy laws. For example, Massachusetts and California have strict data privacy timelines for notifying customers of data breaches following a security incident, regardless of where the incident originated (the dealership’s network or the critical vendor’s network).
  - How far along is the vendor in its incident response, and which firms are supporting its IR efforts?
  - Will a summary of the IR or digital forensic reports be provided to your leadership?
If your dealership does not have an IR plan, learn the fundamental steps to create one.
Consult With General Counsel or Outside Counsel for Litigation Purposes
- Review the service-level agreements (SLAs) in vendor contracts along with their penalties, including any legal fees associated with potential breach notifications to customers.
- Understand what the critical vendor is required to provide the dealership by way of uptime, penalties, crisis communications, and lines of communication during a security incident.
- Public relations personnel should prepare for updated announcements to your customers who may have been impacted, along with go-forward strategies if a data breach has occurred. Consistent, accurate, and clear messaging is crucial for effective communications following a security incident.
Dealers should not consider if a cybersecurity event will happen but when. Maintaining robust safeguards and an effective IR plan is critical to protecting customer data and helping mitigate the impact of an attack. Forvis Mazars can help your dealership through its cybersecurity journey, including IT risk assessments, cybersecurity compliance assessments and audits, data protection officer services, and more. Reach out to your Forvis Mazars advisor or our cybersecurity team to learn more.