OFFICIAL PUBLICATION OF THE NEW JERSEY COALITION OF AUTOMOTIVE RETAILERS

Pub. 22 2023 Issue 5

Understanding and Transferring Cyber Risk for Auto Dealerships

As every business in today’s digital age increasingly relies on technology to manage all facets of their operations, cyber threats have become a significant concern. This ever-increasing reliance on technology and the vast amount of sensitive customer data stored has placed auto dealerships in the crosshairs of cybercriminals. To mitigate the potential financial and reputational damages resulting from cyber incidents, it is crucial for dealerships to understand the risks they face and the importance of effectively transferring that risk through a combination of improved cybersecurity practices along with the purchase of comprehensive cyber insurance coverage.

Unique Threats to Auto Dealerships

Auto dealerships present a unique treasure trove of personal and financial information for cybercriminals, often set against a backdrop of porous security practices when it comes to protection against such attacks. Cyber events can range from ransomware attacks, data breaches, Distributed Denial of Service (DDoS) attacks and phishing scams to social engineering attacks. Moreover, the open-air sales floor environment often allows easy access to private information and critical systems, setting auto dealerships apart from other, traditionally well-protected physical environments in the financial services sector.

This, combined with a generally high rate of staff turnover, makes instilling a consistent culture of data security even more challenging. It is essential for auto dealerships to recognize that cyber threats are constantly evolving. Staying ahead of these threats requires proactive measures, including robust cybersecurity protocols, continual employee training, and comprehensive cyber insurance coverage.

It’s About Much More Than Money

A cyber incident can have severe financial and reputational consequences for a car dealership. The costs associated with a data breach or cyberattack can be substantial, including legal fees, forensic investigations, customer notification costs, credit monitoring services, and potential regulatory fines. On the regulatory front, auto dealerships are seen by the Federal Trade Commission through the lens of a bank more than a retail store when it comes to required security practices, policies, and procedures. Moreover, the damage to a dealership’s reputation can lead to a loss of customer trust and loyalty, ruining any potential future revenue opportunities.

Cyber insurance can provide financial protection by covering costs to help maintain the dealership’s reputation. These days, what matters is not that you had a cybersecurity event but rather how you responded to the event, and whether your organization maintained the confidence of your impacted customers along the way. A properly designed cyber insurance program can align the resources of expertise and money to enable a dealership to respond to these events in a timely and professional manner while ensuring compliance under various state and federal privacy laws.

Customize Coverage That is Unique to Your Dealership

When considering cyber insurance, it is crucial for dealerships to seek policies that are specifically tailored to their unique risks and needs. Generic cyber insurance policies may not adequately address the specific vulnerabilities and exposures auto dealerships face. Look for policies that cover first-party and third-party liabilities, including data breach response costs, business interruption losses (whether the event emanated from the dealer’s network or from the network of an outside entity on which the dealer relies for business operations), and cyber extortion (i.e., ransomware). Additionally, as dealerships’ social media footprints continue to expand, media liability coverage will become increasingly important. Coverage for regulatory fines and penalties, as well as reputational harm, should be considered as well.

While these coverage elements are standard in many modern cyber insurance policies, it is the nuances, such as how a policy defines “private information,” “computer networks,” and triggers for regulatory coverage to engage if needed, that set these options apart from one another. For instance, if the recently expanded amendments to the FTC Safeguards Rule were to lead to audits of a dealership’s information security practices, would any of the fines levied against non-compliant dealers be covered by a cyber insurance policy, or would an actual data breach have to occur before coverage would be applicable? It is nuances like this that underscore the importance of working with seasoned insurance professionals with a broad knowledge of today’s modern privacy and security insurance landscape.

Mapping the Road Ahead

Before obtaining cyber insurance, dealerships should conduct a comprehensive risk assessment to identify any potential vulnerabilities for the purpose of developing and communicating a robust cybersecurity strategy. At a minimum, that strategy should include:

  • An incident response plan that outlines the roles and responsibilities of ALL stakeholders in the event of unauthorized access to your networks
  • Strong perimeter security that requires multifactor authentication (MFA) for all remote access to networks, email systems, and on-premises access to systems with elevated network administration credentials
  • Strong data backups that are encrypted, protected by MFA-controlled access, redundant across multiple locations, and tested regularly to ensure efficacy
  • Encryption of sensitive data, both in transit and at rest
  • Proper network segmentation that prevents lateral movement across multiple areas of your business (e.g., finance, sales, parts) in the event of a network intrusion
  • Regularly scheduled and documented cybersecurity training, as well as an awareness program for employees that includes periodic phishing simulations
  • Regular vulnerability assessments and scheduled patch management protocols to ensure software programs are equipped with the latest means to prevent unauthorized access

Insurers may require evidence of these preventive measures as a condition of providing coverage. It is important to have a standard to measure oneself against, such as those provided by the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

By investing in proactive cybersecurity measures, auto dealerships can reduce the likelihood of a cyber incident and potentially lower their insurance premiums. For others, it may mean the difference between getting cyber insurance coverage and going without until improvements can be made.

Engage Experienced Professionals When Buying Insurance

Choosing the right insurance provider is crucial for car dealerships seeking cyber insurance coverage. Look for insurers with experience in the cyber insurance market and a deep understanding of the unique risks auto dealerships face. They should offer comprehensive coverage, prompt claims handling, and access to a network of cybersecurity experts who can assist in incident response and recovery. It is important to ask what proactive risk management solutions they can provide to help prevent costly cybersecurity events before they happen.

Collaborating with cybersecurity experts can help auto dealerships stay updated on emerging threats and implement effective risk management strategies. Insurers should offer their insight into vulnerabilities that might be associated with a dealership’s outward-facing network infrastructure (i.e., the same view bad actors have) to help bring attention and urgency to needed adjustments. This would reduce risk to the dealership while simultaneously making them a more attractive client to insurers.

As cyber threats and the associated regulatory environments continue to evolve, auto dealerships must prioritize cybersecurity and consider cyber insurance as an essential component of their comprehensive risk management strategy. By understanding the growing threat landscape and its potential financial, reputational and regulatory implications; the need for customized coverage; and the importance of risk assessment and prevention; and by partnering with experienced insurers and cybersecurity experts, dealerships can better protect themselves from cyber risks. Investing in comprehensive cyber insurance coverage will provide peace of mind, financial protection and operational resiliency, and help ensure the long-term success of the dealership in a constantly evolving digital world.

Steve Robinson is National Cyber Insurance Practice Leader at Risk Placement Services, a Division of Gallagher. He can be reached at (410) 901-0704 or, via email, at steven_robinson@rpsins.com.