A people problem is the No. 1 challenge that made a recent 6-month postponement necessary for dealerships, auto lenders and service providers to fully prepare for new cybersecurity requirements under an update to the Federal Trade Commission’s Safeguards Rule, automotive insiders tell Wards.
The updated requirements, which now take effect in June 2023, are designed to protect consumers’ private information online. When the original Safeguards Rule first took effect, back in 2003, the emphasis at the dealership level was on the physical security of paper documents.
The most recent FTC rules, first published in October 2021, add a list of requirements that reflect how cybercrime has evolved in the intervening years, such as increased threats from ransomware attacks, experts say.
The new regulations require countermeasures, like constant monitoring of consumer data – even in real-time during online interactions – and the use of multifactor authentication, to make sure consumers don’t falsify identities.
But one of the most difficult new requirements is for dealerships to appoint or hire a “qualified individual” responsible for implementing the new rules. Experts say that search should go to the top of the to-do list for dealerships that don’t already have a qualified individual – either on-staff or, more likely, for-hire.
The FTC is OK with dealerships hiring third-party providers to fill the roles, says Mark Dante, national cybersecurity subject matter expert for CDK Global of Hoffman Estates, IL. CDK provides dealerships with many services including steps toward Safeguards Rule compliance. But hiring an outsider might not be easy, Dante says.
Even vendors like CDK Global are finding it difficult to hire enough experts with the right skills and experience to do the job. “The cybersecurity industry is short of people,” Dante tells Wards.
The new regulations are vague about the professional qualifications required to be a “qualified individual,” Dante says. However, he says the level of expertise the position calls for effectively requires what the cybersecurity trade calls a CISO – Chief Information Security Officer – and people with those qualifications and experience are in short supply.
“You can’t snap your fingers. It takes time to train them,” he says. Candidates “also need experience – on-the-job training.”
In addition to a CISO who may serve multiple dealerships, Dante recommends each dealership also appoint a knowledgeable staffer to serve as the point person for executing the dealership’s information security program.
In a recent dealer survey, CDK finds only about half of respondents saying they would be ready to meet the original deadline of Dec. 9, Dante says. The other half say they’re working on it, including a small percentage who say they’re just getting started, he says.
In the Nov. 15 announcement postponing the new rules, the FTC acknowledges the scarcity of trained cybersecurity experts: “The Commission is extending the deadline based on reports… that there is a shortage of qualified personnel to implement information security programs.”
The FTC also cites “supply chain issues,” which may make it hard to obtain “necessary equipment for upgrading security systems.” The COVID-19 pandemic has made shortages of both personnel and of equipment worse, the commission says.
“The bigger issue is the people,” says Celia Winslow, senior vice president of the Washington-based American Financial Services Assn., a lender trade group. “The new rules require you to have certain people who are certified. You can use a contractor, but even contractors are fully booked.”
The AFSA and other trade groups, including the National Automobile Dealers Assn. of Tysons Corner, VA, are among those who lobbied the FTC for a Safeguards Rule extension.
Brad Miller, chief regulatory counsel for digital affairs and privacy for NADA, says it's best if dealers already are far along in complying with the new requirements.
“This is the message we always tell dealers: 'You’ve got six more months. That does not mean you don’t start thinking about this until April,'” he says. “If you started today, it’s going to be tight, to do this in six months.”
The Dec. 9 deadline caught a lot of dealerships only partly ready, the AFSA's Winslow says. “The issue was, everybody could do at least part of it,” she says. “The situation was, could you do all of it?”
Robert Ebin, senior manager of legal affairs for dealership vendor KPA, also points out the need for dealerships to involve their legal counsel in Safeguards Rule compliance.
KPA, based in Westminster, CO, provides dealerships with consulting services and software for compliance with rules governing finance & insurance, human resources, and environmental, health and safety.