
Don’t let hours become months


The truth about the time you will need to set up your Safeguards and when to get started.


Cover image for Mosaic's article about the time it takes to set up dealership Safeguards compliance.

Enforcement of the FTC Safeguards Rule begins June 9th. Compliance is mandatory, and failure to comply is viewed by the FTC as a deceptive trade practice. The question is: how long can your dealership afford to wait before implementing its Safeguards? This whitepaper will reveal when to get started and how long it takes to set up each Safeguards requirement.


When to set up Safeguards at your dealership:


When the FTC extended the Safeguards deadline for some items back in November ‘22, they did so “in response to reports of personnel shortages and supply chain issues.” This suggests that even the most competent dealerships were struggling to get everything in place, despite knowing about it since January 10, 2022. That is 11 months of lead time! Let us look at why that is.


How long does each dealership Safeguards requirement take:


While every dealership has been given the same set of requirements, there are a number of ways to address them. As a result, how a dealer satisfies them ultimately determines both the effort and effectiveness of a dealership’s Safeguards. To best answer the question “How long does it take to comply with Safeguards?”, let’s take a closer look at some of the requirements. Here are three examples illustrating the effort involved:


Service Provider Oversight


First, there is the most time-consuming process of all – overseeing your service providers. Dealers must review their vendors, confirm whether they have access to dealership customer information, and ensure they are adequately protecting it. Most dealerships have 16 or more service providers that qualify. Someone at your store, likely the Qualified Individual (QI), would reach out to each service provider, collect the necessary documentation, read through it, and approve that provider based on its security measures. This can be very time-consuming, and vendor responses are often limited, adding even more follow-up to your QI’s workload. Completing this task could easily take eight hours or more. Finally, if a service provider is unable or unwilling to protect your dealership’s data to your standards, you will then need to find and implement a new provider for that function.


Continuous Monitoring


Continuous monitoring is perhaps the most impactful security requirement. Dealers may satisfy it in one of two ways: Endpoint Detection and Response (EDR), or a penetration test paired with vulnerability scanning at least every six months. We recommend EDR because it protects your dealership, while the latter option does not and may cost more. EDR is commonly set up by installing a software “agent” on all your computers. Once installed, the technology monitors your devices 24/7 to detect cyber threats and alert you to them. Hint: a good EDR will come with a team of cyber security professionals, a Security Operations Center (SOC), that will also remediate the threats for you. Installing an agent typically takes 2-3 minutes per computer. Keep in mind that mass deployment or RMM tools can significantly reduce the installation burden but will require initial setup. It may take a single-point dealership with 70 computers 3-4 hours to set up EDR completely. The AI will also need a few weeks of calibration after installation to ensure optimal protection.


Multifactor Authentication & Encryption


The Rule requires dealers to implement multifactor authentication (MFA) for any individual accessing any information system, and to encrypt customer information both in transit and at rest. Solving for these often necessitates dealer-specific solutions, resulting in the greatest variety of outcomes and cost. For example, a dealer’s DMS and CRM may already have MFA and encryption, but the salespeople still use their personal email. This may require the dealer to implement Microsoft Office 365 or Google Workspace, which natively include MFA and encrypted email. When transitioning email platforms, give yourself at least two full months; the cost of MSP support depends on the dealer’s size and license selection. Bottom line? This may be the most involved and expensive requirement, or... it may be the least. It all depends on what tools you currently have in place.


Seek Expert Help to Streamline the Process


It’s easy to quickly become frozen by the size and scope of requirements. Take courage, there is help! You can save significant time and money by partnering with a company that specializes in dealership Safeguards compliance. In addition, you may receive peace of mind knowing it’s done right. Keep in mind that your dealership will still need a designated qualified individual to oversee and implement the security program, and ultimately, it’s still the dealership that’s responsible in the eyes of the FTC.


A Comparative Time Estimate for Safeguards Requirements


To help illustrate the time necessary for each Safeguard, we’ve created a comparison chart. It highlights the time you can expect it to take a single-point dealership to set up everything on its own, or with a partner. In this example, we’ve used Mosaic Compliance Services as the partner.


A chart comparing time estimates for various Safeguards if a dealer was to implement them alone versus if Mosaic is assisting with the dealer's set-up.

Don't Wait, Start Now


Your worst enemy is doing nothing. Whether you need to implement one requirement or all of them, don’t wait to get started. The Safeguards Rule is quickly becoming the most expensive liability risk a dealership can face. Procrastination can lead to costly data breaches and legal battles. Start addressing the Safeguards requirements today and consider partnering with an expert to ensure a smooth and efficient compliance journey.


Streamline Your Safeguards Compliance with Mosaic

Discover the Benefits and Take Our Questionnaire



Updated: Nov 13, 2024

Selecting Safeguards that protect your dealership and how much it costs.


Cover image for Mosaic's article entitled Compliance Does Not Equal Security.

The Safeguards Rule is seen by many dealers as a compliance problem. They often approach it the same way they approach other challenges at the dealership, asking, “What is the fastest and cheapest way I can check this box?” This is the wrong approach. And if taken, it may cost a dealership its most precious resource – its clients. According to CDK, 84% of consumers will not go back to a dealer where their data has been compromised. This whitepaper will give you the inside scoop on how to select Safeguard solutions that protect your dealership and potentially help your bottom line.


A graphic describing some statistics related to dealership Safeguards compliance.

Let’s start with the basics


Simply satisfying the minimum requirements of the Safeguards Rule does not guarantee a data breach will not happen. However, if you implement the right infrastructure in the process, it will reduce the chance that your organization becomes a victim. Plus, it can greatly reduce the cost should a breach occur. Research from IBM’s 2022 Cost of a Data Breach Report showed the average cost of a data breach was $4.35 million. In contrast, organizations implementing protections reduced this cost by 70%.


What is a dealer to do? Select Safeguards solutions that protect your customer information continuously. A prime opportunity for this is with the continuous monitoring requirement. The FTC gives organizations two options to comply: continuous monitoring or annual penetration testing and vulnerability assessments at least every six months.


While both approaches fulfill the requirement, only true continuous monitoring, also known as Endpoint Detection and Response (EDR or XDR), provides 24/7 real-time protection against cyber-attacks. A good EDR will include a human component known as a Security Operations Center (SOC). A SOC is a team of cyber security experts that analyze your threats and help shut down a breach attempt as it is happening. There is no substitute for ongoing protection and human remediation. And while a penetration test is an excellent tool, alone, it does not protect you. For the best results, pair your EDR and SOC with frequent vulnerability scans or regular pen tests. You can bet that dealers who have already had a breach certainly are.

Graphic describing the difference between Penetration Testing and Continuous Monitoring.


In 2022, 15% of dealerships experienced a cybersecurity incident.


There are about 17,000 franchised new car dealerships in the United States. In 2022, 15% experienced a cybersecurity incident according to CDK Global’s Annual Cybersecurity Study. The most common threat was sophisticated phishing attacks. These attacks involve tricking employees into revealing sensitive information or downloading malware through false emails or websites. It is interesting to note that the Safeguards Rule requires security awareness training for all employees, but does not require simulated phishing training. Phishing training is an affordable and powerful tool that when done continuously, can effectively reduce your risk of a breach.


More Affordable Than You Might Think


There is always concern about the cost of compliance. Here are a few things to know right away. Not all pen tests or EDR services are equal. A good pen test typically takes place over several days and can cost between $10,000 and $30,000 per test. Beware of “free” or “fully automated” pen tests. While tempting, they lack the expert insight and recommendations that only a live pen test professional can provide to ensure your vulnerabilities are truly addressed.


EDR is typically charged as a monthly service based on the number of endpoints (workstations) or users you have. The type of EDR you need often depends on your level of in-house IT resources. If you do not have dedicated IT staff with cybersecurity expertise, it may be ideal to select an EDR with a SOC that fully remediates threats for you 24/7. For a dealership with 75 employees, this may cost anywhere from $6,000 to $10,000 or more a year.


Graphic describing how Phishing Simulation Training works.

Simulated phishing can be priced out in a number of ways such as per person, per emails sent, per test, or even bundled with security awareness training. Be sure to check the fine print to identify the true cost. Look for programs that offer unlimited phishing tests, allow a cadence of your choosing, and have training built-in at the moment an employee falls for the simulated phishing. Pricing may start at a few dollars per employee per month, with the opportunity for volume discounts.




Finally, implementing the right type of protections may help reduce other expenses at the dealership. For example, having EDR can help lower the cost of a cyber insurance policy, stop threats like ransomware, and overall decrease the cost of downtime if a breach occurs.


Compliance with the Safeguards Rule is not simply about avoiding government penalties. It is much more about protecting your customers and avoiding costly data breaches. By implementing Safeguards that continuously protect and train your dealership, you can feel confident that compliance with the Safeguards Rule is indeed helping your business. Compliance is possible, a higher level of cybersecurity is possible, and it is much more affordable than you think without taking shortcuts. Start now.


About Mosaic


Mosaic has over 16 years of experience developing compliance solutions exclusively for the retail automotive industry. In 2022, Mosaic created Mosaic Cyber Security, a new company dedicated to providing a compliance solution for the revised FTC Safeguards Rule. Mosaic provides a compliance solution that fulfills all the requirements of the revised Safeguards Rule. To learn more, visit mosaiccs.com/safeguards.


Updated: Nov 13, 2024

This checklist is intended to help you quickly gauge which Safeguards you have, and which you might need. The list below represents the technical and administrative requirements of the revised Safeguards Rule. Our physical Safeguards checklist is published separately.


Dealership Safeguards Requirement Checklist:

Mosaic's Dealership Safeguards Requirements Checklist




