Michael Alf, general manager at St. Charles Toyota in Illinois, said that, in addition to making sure his store’s third-party vendors comply with the new rule, the biggest burden likely will be appointing a qualified individual to oversee the information security program.
“That’s going to be one of the largest expenses besides the hardware and software,” Alf said.
Dealers don’t need to hire highly paid chief information security officers under the new requirements, but instead must select an individual with “some level of information security training and knowledge,” said Randy Henrick, president of dealership compliance firm Randy Henrick & Associates.
“The exact qualifications will depend on the nature of the dealer’s information system, and the volume and sensitivity of the customer information that the dealer possesses or processes,” he said.
For groups with multiple rooftops and similar risk assessments, “there could be one person who assumes that role for each entity and does it for more than one entity in a group,” Henrick said.
While dealers might not see a tangible return on investment, Brad Holton, CEO of dealership IT consulting firm Proton Technologies, said “if you don’t do it, you will certainly see a significant, potential loss.”
“If the dealer is actively engaged in hardening their network and focusing on cyber hygiene and cybersecurity,” he said, “then this is not that big of a reach outside of what I would normally expect them to be doing anyway.”
Despite any upfront and ongoing costs, Erik Nachbahr, president of dealership IT company Helion Technologies, said taking steps to prevent data breaches is worth the investment.
“You have one of these big attacks: What does that do to your reputation?” Nachbahr said. “Protecting that, I think, is another key piece to all of this.”