Automotive Cyber Insurers Are Upside Down On Ransomware Attacks & Data Breaches and Looking for Dealers to Pay-Up!
James Lawrence
COO & Co-Founder at SDPCompliance.com, ADCO Certified Dealership Compliance Officer and CEO/Founder of DealerEFX.com
By James Lawrence, COO/Founder Sensitive Data Protect, LLC dba www.SDPCompliance.com
With the increasing reliance on technology in the COVID era to deliver a positive CX in automotive retailing, and with cyber-attacks and ransomware becoming more intense, the average dealer generally does not have the right strategy, tools, and resources in place to survive a data breach and its potential multimillion-dollar costs. The cyber insurance providers have come to this conclusion and are radically adjusting their premiums to reflect the emerging threat/risk environment. That’s a fact. They are looking for, and expecting, dealers to respond with a more comprehensive approach to cyber security. They want a “Good-faith” Compliance Effort from dealers before they consider providing the necessary insurance.
A “Good Faith” Compliance Program: Turning “Compliance” Into Concrete Security
The average dealership compliance policies and procedures handbook is dozens of pages long and includes numerous controls, forms, and process descriptions...and is likely out of date given the new threats emerging in the retail automotive space. And the Dealer’s Compliance Director (who grudgingly accepted the task assigned by executive management) is expected to meet all those programs’ requirements to regulatory satisfaction. This drives a piecemeal “checklist security” culture with little weight given to improving the dealership’s overall security and risk profile. This is especially true of the critical consumer data shared across the dealer’s DMS network and the (on average) 10 to 15 trusted 3rd party applications integrated with that DMS, like ornaments on a Christmas tree.
Consumer data is the lifeblood of the auto business, but with access to a greater volume and diversity of data, IT, security, and privacy Compliance Directors face increasing challenges around properly protecting this data-driven ecosystem throughout its lifecycle and across expanding IT footprints. Working with core DMS systems and integrated third-party systems (e.g. CRM, lead management, warranty, etc.), while it undoubtedly enhances business opportunities and the customer experience, can simultaneously expose dealers to a wider (and often unmanageable) web of potential risks, for which dealers are increasingly becoming liable even across their partners’ IT systems, as seen in California’s recent CCPA/CPRA legislation.
Today’s dealerships feature complex IT landscapes that spread sensitive data and PII beyond primary environments: structured and unstructured data, emails, PDFs, and even questionable unlicensed databases used by data scientists at your 3rd party sales and marketing application vendors, siphoning consumer data from your DMS unbeknownst to dealer management. A “Good Faith” Compliance Program built around a comprehensive understanding of your risk ecosystem, including the type and use of consumer data required by each third-party vendor, can address risk throughout the 3rd party systems attached to your core DMS.
A “Good Faith” Compliance Program: Turning Research Into Action and Results
Today’s dealerships find themselves managing a growing store of sensitive consumer data. The scale and speed of dealer sales operations create a deluge of sensitive consumer data which subsequently gets pulled or shoved into multiple databases, clouds, and 3rd Party Service Provider endpoints – all of which are a simple human mistake or lapse away from a costly, reputation-killing data breach. To combat unmanageable data growth and implement “good faith” privacy protection efforts, dealerships must employ regulation-driven data remediation. New regulations mean it’s not just a simple case of ‘delete, and pray nothing happens’, as sensitive consumer data today can reside in a variety of 3rd Party Dealer Service Provider endpoints, strewn across multiple geographies and regulatory authorities.
The Research - A dealership wins or loses with its reputation. CDK Global research suggests that when consumers were asked whether they would still do business with a retailer that had experienced a cybersecurity breach, the vast majority said “NO.” Further, 85% of automotive dealerships were hit with a security breach in the last 24 months, and at this year’s RSA security conference, FBI Special Agent Joel DeCapua stated that 70-80% of all network breaches are caused by attackers hacking into remote desktop servers exposed on the Internet, making up-to-date OS patches an especially important part of IT security. Lastly, over 60% of dealerships have no formal process to respond to a potential network threat, yet 70% of dealers said they felt safe with their cybersecurity efforts leading up to the cyberattack. Hope is not a strategy against these threats.
Your first step is to gain a holistic understanding of your dealership’s risk points, i.e. IT infrastructure (DMS), 3rd party DSP applications and their software’s use of consumer data from your DMS; as well as personnel, especially sales and marketing staff immersed in consumer communications, given that BEC, “Business Email Compromise,” poses the greatest risk to corporate email users, accounting for 96% of threats found in enterprise inboxes, according to PhishLabs 2021 research. Further, CDK Global researchers indicate that 90%+ (we’ve seen research as high as 98%) of data breaches begin as an email phishing attack. And the big one: THE FBI CONSIDERS RANSOMWARE ATTACKS THE #1 THREAT TO BUSINESSES IN 2022, with attacks occurring every 2 seconds!
In short, the risks are real, particularly for small and medium-sized dealerships, which usually do not have the robust cybersecurity protections of larger dealerships with substantial IT budgets. In 2019, the average cost of a breach was $8.9 million, and the cost per breached record was $242 for Personally Identifiable Information (PII). Perhaps more importantly, a Deloitte University Press study reveals that 80 percent of consumers indicate they are less likely to do business with companies that have experienced a privacy event than with a company that has not suffered one.
For years, regulators (State and Federal) have been investigating privacy breaches and prosecuting companies doing business in their states. Fines in these actions have often exceeded $1 million. At the same time, consumer class actions can allege damages that are difficult to quantify, making settlements more likely in arbitration. In California alone, since the adoption of the California Consumer Privacy Act (CCPA) on January 1, 2020, more than 25 regulatory investigations and a rapidly growing number of CCPA class actions have been opened, with consumers seeking damages between $100 and $750 per affected class member, per incident. In short, millions of your hard-earned dollars are at stake.
With SDP Compliance’s free consumer data and IT system assessments, you can better determine the risks and gaps in your dealership’s capability, so we can work together to quickly design and implement a clearly defined process that provides enterprise-wide visibility (to assist responsible Dealer Compliance Directors) into the cyber security and consumer data management risks deemed the priorities. We help establish an ongoing Good-faith Compliance Effort your insurers will appreciate and reward (and now demand!).
What A “Good Faith” Compliance Program Means to Your Insurance Provider
Over the last few years, high-profile ransomware attacks in the media and the nascent, unannounced ransomware infestation across dealerships and dealer groups have been adversely impacting the profitability and risk profiles of the automotive service providers in the cybersecurity insurance industry. By extension, dealerships suffer higher risk and a growing inability to obtain cost-mitigating insurance.
For example, the increasing cost of ransomware over the last few years has driven average cybersecurity insurance policy coverage down sharply, while premiums are rising (doubling in many cases and 10X in a few post-incident cases). Further, deductibles are increasing, and exclusionary policy “out clauses” are multiplying, i.e. if you fail a stated condition (no MFA on logins, no 24/7 IT infrastructure monitoring, undisclosed prior incidents, etc.) you lose your insurance coverage immediately.
For automotive retail, it is a moment of reckoning, and for the cybersecurity insurance industry it is a moment of realization that they haven’t charged enough premium. Insurance brokers and providers are responding by requiring better computer security and anti-ransomware personnel training from a dealer before the dealer even qualifies for cyber insurance quotes. And they are looking at the gaps from dealer to dealer with respect to the comprehensiveness of their respective cyber security efforts. They are looking for a good-faith compliance effort that not only protects the dealer but also prevents insurers from making payouts, generally their worst possible outcome.
Usually that means that the dealer passes a costly vulnerability scan to prove they have deployed at least minimum cyber security protocols before getting a chance at a policy quote. (NOTE: In a recent post-incident situation, 27 of 30 brokers would not bother quoting a dealership unless specific conditions were met before the quote was provided. Further, the quotes gathered were 5X to 10X higher unless the dealer could prove a good-faith cybersecurity compliance effort.)
In short, insurance providers are now expecting dealerships to provide INDEPENDENT proof (i.e. not from your DMS provider) that a “Good-faith Compliance Effort” has been implemented and a comprehensive cyber security and consumer data compliance program can be maintained over time.
What A “Good Faith” Compliance Program Means to Your Dealership
A lot of effort is spent on and by service providers like SDPCompliance.com helping to deploy advanced computer security and consumer data management systems, including 24/7 IT system monitoring, MFA, etc., but when phishing causes 96%+ of data and system breaches, battling social engineering with anti-ransomware training, and patching unpatched software on PCs, tackles two of the biggest risks to any environment.
Threat actors are sharpening their deceptive practices to create the perfect email to fool a would-be dealership victim. Cybercriminals’ phishing only works when the misleading email content is relevant to the recipient. That is why social engineering plays a crucial role in email-based attacks on dealerships. According to Barracuda’s latest report, Spear Phishing: Top Threats and Trends, organizations are experiencing far more convincing and impactful campaigns focused on a wider range of roles in the organization than ever before. Roles targeted within an organization extend well beyond the CEO or IT, making every employee a potential target.
Enabling a good-faith cybersecurity compliance effort at your dealership not only serves your need for data and system security, it also satisfies the need of insurance providers to serve dealer clients that have worked to establish themselves as a low-visibility target in a wave of ransomware and consumer database attacks expected to expand for the foreseeable future. A future where a good-faith cybersecurity compliance effort at your dealership is the minimum expectation.
About the Author
Jim Lawrence is Co-Founder and COO of SDPCompliance.com (aka Sensitive Data Protect, LLC) and is experienced in Dealership Software Product Management, Marketing, Business Development, Strategic Partnerships, with core competencies in SaaS-based Dealership Governance, Risk and Compliance (GRC), CRM, Email Response and Lead Management software. A dealer systems subject matter expert, he is working with a team in a ground-breaking new business model providing IT Security and Consumer Data Managed Services, a One-Stop-Shop concept for enterprise-class ransomware remediation and consumer data content management across any dealer system, to avoid the cost of data and IT system breaches and minimize the burden of training an ever-churning sales and marketing organization. To arrange a no cost consultation call 503-318-3621 or email: [email protected] and enter “My Free Cybersecurity Assessment” in the subject line to receive your primary website’s cybersecurity assessment; or visit www.SDPCompliance.com for further information.
Strategic SaaS leader with success growing marketing, sales, customer success & operations teams | Expect content to help you start your day awesomely & education for SaaS professionals to grow in your career
2 years
Educating the dealers and their personnel is vital. The majority of attacks start because someone was "too quick to click" an email, link, etc. instead of pausing to evaluate the questionable material. By then, it is too late because the malware is in the system. Thank you for sharing this piece, James.
COO & Co-Founder at SDPCompliance.com, ADCO Certified Dealership Compliance Officer and CEO/Founder of DealerEFX.com
2 years
Thanks Peter Leger for your comment! You are right. Dealers must get more proactive about their cybersecurity because it likely won't be an FTC official that knocks on their door. It is going to be a ransomware black hat hacker that is going to shut down their business until they get paid their 30 pieces of bitcoin.
Auto retail solutions & software executive developing & launching disruptive technologies for the digital dealership
2 years
I think this is what auto dealers need today as part of their risk management program...can't put off until tomorrow...good stuff..Peter