Companies provide expertise to meet Safeguards Rule

CDK Global, Helion Technologies, Reynolds and Reynolds and other vendors provide products and services with an eye on helping dealers achieve revamped FTC compliance requirements.

Some key auto industry technology companies are actively helping dealers meet a June 9 deadline for the revised federal Safeguards Rule governing consumer information security.

After gaining a six-month reprieve in November, auto dealerships and other financial institutions are working hard to meet the new Federal Trade Commission cybersecurity mandates. Companies including CDK Global, Helion Technologies, Reynolds and Reynolds Co. and ComplyAuto told Automotive News they have long provided everyday IT and cybersecurity offerings such as firewall and virus protection that will help dealerships comply. Some also have injected more involved services such as virtual chief information security officers, cybersecurity risk planning and threat testing.

"We are the one-stop for all things privacy and cybersecurity, and that was our pitch even before the [revised] Safeguards Rule," said Chris Cleveland, co-founder and CEO of dealership compliance startup ComplyAuto in Utah.

Initially passed in 2021, the updated Safeguards Rule mandates a dealership's cybersecurity program have certain elements in time for the compliance deadline. They include hiring or outsourcing a "qualified individual" to oversee cybersecurity and report to company leadership; assessing risks and acting to minimize them; and putting an incident response plan in place for potential breaches.

Related Article
Affordability creates F&I sales concerns
Safeguards tools

Beyond traditional cybersecurity, auto industry technology companies offer several options geared toward helping dealers meet the June 9 FTC Safeguards Rule deadline for consumer information security. Here are some examples.

  • CDK Global and Helion: They provide dealers a virtual chief information security officer.
  • Comply Auto: Automated compliance processes help with many CISO functions. Other services include penetration testing and helping dealers perform their own risk assessments.
  • Reynolds and Reynolds: Helps dealers secure data, and perform encryption and multifactor authentication. Proton division aids dealers with compliance document templates, risk assessment, cyberattack penetration tests and other services. 
Virtual CISO

CDK and Helion help dealers establish a virtual chief information security officer, or CISO, to oversee cybersecurity. That's a targeted compliance area worth noting because FTC commissioners voted for the extension, in part, because of reports of a lack of qualified people who could fill the role.

CDK, based in Illinois, launched its Virtual CISO service with Fortinet Inc. at the 2023 NADA Show with a specific goal in mind, senior product marketer Brenda Lynch told Automotive News.

"It was brought on board to fill a gap that we were seeing that dealers didn't have available," Lynch said. "We wanted to … make sure that they were not only compliant, but secure."

The CDK program is meant to provide expertise that a dealership office may not have. It also helps them develop a cybersecurity plan, put it in place and identify/address cyber vulnerabilities. This can include developing an incident response framework or helping bring on other software platforms to ensure compliance, Lynch said.

A fee for the service varies depending on how far along a dealership is with compliance plans.

Lynch: Filling a security gap

Erik Nachbahr, president and founder of Helion Technologies, an outsourced IT provider based in Maryland that targets automotive and heavy-truck dealers, said his company has a virtual CISO offering.

If you look at the FTC's rules, they state the CISO "needs to have continuous training and be certified. Their knowledge needs to be verified," he said. "That person or entity needs to assess the dealer's situation, the entire technology situation, its compliance with the rule and then come up with and implement a plan to comply with the rule and then continuously evaluate it."

Cleveland at ComplyAuto said the company provides software that helps automate compliance processes so a formal, virtual CISO "would be an unnecessary expense."

ComplyAuto also provides automated policy drafting, penetration testing, multifactor authentication, hard drive encryption services and tools that help dealerships perform their own risk assessments.

Related Article
Here's our 2022 list of the top U.S. dealership groups
Compliance tech tools

Reynolds and Reynolds already has software products that address compliance areas including encryption, data in transit and in rest and multifactor authentication, said Nikhil Kalani, CISO for Reynolds and its cybersecurity monitoring division Proton.

The company also has fine-tuned multifactor authentication for dealers — a "best practice" in terms of security regardless of the Safeguards Rule.

Proton, which Reynolds acquired in 2022, is poised to help dealers design compliance document templates, perform risk assessments, create incident response plans, conduct viability scans and enact cyberattack penetration tests. These services are available through the web and with consulting services, Kalani said.

RECOMMENDED FOR YOU
Citizens Financial to end indirect dealership car loan business
Letter
to the
Editor

Send us a letter

Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

Recommended for You
A Ciitizens Bank location in Pittsburgh, Pa. (iStock.com/JHVEPhoto) MUST CREDIT. EDITORIAL USE ONLY.
Citizens Financial to end indirect dealership car loan business
ftc-MAIN_i.jpg
CAR: FTC auto dealer regs will cost buyers time, industry billions
auto_loan_tightening-MAIN_i.jpg
Auto lenders don't plan to loosen up before end of 2023, survey shows
Sign up for free newsletters
Digital Edition
Automotive News 6-5-23
THIS WEEK'S EDITION
See our archive
Fixed Ops Journal
Fixed Ops Journal 12-19-22
Read the issue
See our archive