Companies provide expertise to meet Safeguards Rule

Some key auto industry technology companies are actively helping dealers meet a June 9 deadline for the revised federal Safeguards Rule governing consumer information security.

After gaining a six-month reprieve in November, auto dealerships and other financial institutions are working hard to meet the new Federal Trade Commission cybersecurity mandates. Companies including CDK Global, Helion Technologies, Reynolds and Reynolds Co. and ComplyAuto told Automotive News they have long provided everyday IT and cybersecurity offerings such as firewall and virus protection that will help dealerships comply. Some also have injected more involved services such as virtual chief information security officers, cybersecurity risk planning and threat testing.

"We are the one-stop for all things privacy and cybersecurity, and that was our pitch even before the [revised] Safeguards Rule," said Chris Cleveland, co-founder and CEO of dealership compliance startup ComplyAuto in Utah.

Initially passed in 2021, the updated Safeguards Rule mandates a dealership's cybersecurity program have certain elements in time for the compliance deadline. They include hiring or outsourcing a "qualified individual" to oversee cybersecurity and report to company leadership; assessing risks and acting to minimize them; and putting an incident response plan in place for potential breaches.

CDK and Helion help dealers establish a virtual chief information security officer, or CISO, to oversee cybersecurity. That's a targeted compliance area worth noting because FTC commissioners voted for the extension, in part, because of reports of a lack of qualified people who could fill the role.

CDK, based in Illinois, launched its Virtual CISO service with Fortinet Inc. at the 2023 NADA Show with a specific goal in mind, senior product marketer Brenda Lynch told Automotive News.

"It was brought on board to fill a gap that we were seeing that dealers didn't have available," Lynch said. "We wanted to … make sure that they were not only compliant, but secure."

The CDK program is meant to provide expertise that a dealership office may not have. It also helps them develop a cybersecurity plan, put it in place and identify/address cyber vulnerabilities. This can include developing an incident response framework or helping bring on other software platforms to ensure compliance, Lynch said.

A fee for the service varies depending on how far along a dealership is with compliance plans.

Erik Nachbahr, president and founder of Helion Technologies, an outsourced IT provider based in Maryland that targets automotive and heavy-truck dealers, said his company has a virtual CISO offering.

If you look at the FTC's rules, they state the CISO "needs to have continuous training and be certified. Their knowledge needs to be verified," he said. "That person or entity needs to assess the dealer's situation, the entire technology situation, its compliance with the rule and then come up with and implement a plan to comply with the rule and then continuously evaluate it."

Cleveland at ComplyAuto said the company provides software that helps automate compliance processes so a formal, virtual CISO "would be an unnecessary expense."

ComplyAuto also provides automated policy drafting, penetration testing, multifactor authentication, hard drive encryption services and tools that help dealerships perform their own risk assessments.

Reynolds and Reynolds already has software products that address compliance areas including encryption, data in transit and in rest and multifactor authentication, said Nikhil Kalani, CISO for Reynolds and its cybersecurity monitoring division Proton.

The company also has fine-tuned multifactor authentication for dealers — a "best practice" in terms of security regardless of the Safeguards Rule.

Proton, which Reynolds acquired in 2022, is poised to help dealers design compliance document templates, perform risk assessments, create incident response plans, conduct viability scans and enact cyberattack penetration tests. These services are available through the web and with consulting services, Kalani said.