With dealerships changing hands at a record pace, a cybersecurity risk assessment and cybersecurity insurance have become important boxes to check in potential buy-sell agreements, experts say.
“Dealers need to understand there’s a major risk here,” says Elliot Schor, vice president-sales for JM&A Group. “If I were buying a dealership, I would certainly be looking into what policies and procedures the store has.”
JM&A, Deerfield Beach, FL, is a leading F&I products provider. It also offers in-store and online training and dealership consulting. Cybersecurity is a growing business area for the company. Fidelity Insurance Agency is a division of JM&A Group, specializing in cyber risk assessment and insurance policies against cybersecurity issues.
Some OEMs now routinely require dealerships to carry cybersecurity insurance, similar to requirements for other forms of specialty insurance dealerships commonly carry, like garage liability, Schor says in a phone interview.
Hackers can take many paths to gain access to confidential information stored in dealership files. Access can be gained through vendors or dealership employees, either through carelessness or sometimes on purpose, he says.
“As dealership tech has become more ingrained in the DMS systems for dealer management, there are more software vendors than ever before. That has created an opportunity for cyber thieves to really prey on dealers,” Schor says. “There’s no shortage of new ransomware, all sorts of phishing schemes, hacking schemes.”
Phishing refers to attempts to get employees to click on links or open attachments that may contain malicious software. So-called spearphishing is more closely targeted, such as an email that appears to come from a genuine dealership account, asking an employee to send money to what looks like a bona fide boss within the organization.
Boris Lopez, general manager and vice president at South Dade Toyota and South Dade Kia, south of Miami, says he has seen quite a few bogus emails and spearphishing attempts.
“They copy my name or my partner. The e-mail looks like it’s coming from you,” Lopez says in a phone interview. “But the way they put the account on the e-mail just doesn’t look right. That’s happened at least eight or 10 times. We’ve been lucky.”
It’s not just luck. The dealership also trains employees to recognize suspicious situations. “We have training we do, at least twice a year,” Lopez says. “We pass through the training all employees who have access to computers. We train them about the consequences of opening a file when they don’t know where it comes from.”
A documented training program with certain security practices, such as two-factor authentication, can save dealerships money on cybersecurity insurance, Lopez says. “They recommend two-step verification on text messages or email. If we implement that, they reduce the price of the policy by almost 20%.”
Lopez says an early quote he got for cybersecurity insurance was $200,000 per year, but by shopping around and by taking advantage of discounts for training and security practices, he’s gotten it down to $60,000 per year. “I’ve got friends paying $160,000 or $170,000,” he says.
Brokers who negotiate buy-sell agreements say in interviews that cybersecurity generally is on the radar for dealers considering buy-sell agreements, but awareness always can be improved.
For example, there are misconceptions that a buyer could be held liable for data breaches or other cybersecurity problems that occurred under the previous ownership. That’s unlikely since the buyer’s liability typically doesn’t start until they take ownership, says Alan Haig, president of Haig Partners, Fort Lauderdale, FL.
“I can’t recall any of our clients getting hit post-claim for a cyberattack,” he says in a phone interview. “I haven’t seen cyber insurance be a factor in normal buy-sells, other than the seller has that insurance, like any other kind of insurance,” Haig says.
George Karolis, president of the Presidio Group, Duluth, GA, says sizable dealer groups making acquisitions already have their own fully developed cybersecurity training, practices and insurance in place, which they install at new acquisitions.
However, Karolis says it’s standard practice before an acquisition to take a close look at the existing corporate culture and business practices in all business areas, not just cybersecurity.
“In buy-sells, you want to understand that, and make sure controls are in place, to try to understand as a buyer what the existing situation is,” he says. “I haven’t really seen it as something that gets in the way of deals.”