The recent cyberattack on CDK Global, which affected thousands of car dealerships nationwide, underscored significant vulnerabilities within industries in which a single vendor hack can disrupt entire swaths of the market, such as healthcare and fine arts. The incident disrupted daily operations and revealed critical weaknesses in the systems many dealerships rely on.
As cyber threats continue to evolve, reassessing cybersecurity strategies becomes crucial for car dealerships, with a particular focus on vendor management as well as comprehensive cyber insurance.
Naturally, car dealerships are primarily focused on selling and servicing vehicles, with owners and managers dedicated to engaging with customers and running successful businesses. Business leaders in this space may not be all that tech-savvy, and dealerships, in general, are not at the forefront of cyber best practices. While larger dealerships might have CIOs, many operate without any full-time IT staff and still use outdated, pre-Windows, DOS-based systems. Security limitations in these systems abound, including:
The CDK breach, originating from a vulnerability in a specific vendor's technology, affected the Dealer Management System (DMS) used by thousands of dealerships across the country. This system is crucial for managing sales, ordering (vehicles and parts), and maintenance (scheduling, quoting, invoicing). The breach allowed malicious actors to launch a ransomware attack on CDK. Ransomware attackers infiltrate IT systems, silently moving through devices and stealing corporate data. After taking all data and gaining control, they encrypt every device and leave ransom notes. They demand payment to decrypt devices and promise not to leak stolen data, using it as leverage.
The impact of the breach was multifaceted:
Most dealerships are heavily dependent on their DMS vendors and lack the IT resources to easily switch to alternative solutions. The "switching cost"—the financial, time, and resource investment required to transition to a new vendor—is prohibitively high. This includes not only the direct expenses of purchasing new software but also the indirect costs of training staff, migrating data, and adjusting business processes. In addition, given manufacturer vendor mandates, they have a limited universe from which to choose. Consequently, dealerships remain tied to their current vendors despite the risks exposed by the breach, underlining the critical need for robust cybersecurity measures and comprehensive contingency plans.
A comprehensive cyber insurance policy should cover both direct and contingent business interruption. In cybersecurity insurance, "direct disruption" refers to immediate, tangible losses caused by a cyber incident, such as system damage, supply chain disruption, and negative publicity. "Business disruption," on the other hand, involves the broader impact on business operations, including:
Cyber insurance policies also address costs related to business continuity measures, such as overtime payments for staff and finding alternative vendors.
A well-structured cyber insurance policy can also provide:
Developing backup systems and alternative vendor arrangements are also key components of a resilient cybersecurity strategy. This type of planning can come into play before a breach occurs as part of a comprehensive proactive risk management plan, which may also include steps like business continuity planning and customer response planning.
Companies can stay vigilant to thwart potential attacks by implementing risk management best practices into their systems and culture. Here are a few examples.
Dealerships would benefit from detailed business continuity planning, preparing for worst-case scenarios, and rehearsing the steps to bring their business back online. Planning for the absence of technology—such as reverting to manual processes—helps maintain operations during a cyber incident.
As mentioned, cyber insurance coverage allows businesses that may not be as focused on tech to build in a safety net should unforeseen events occur.
Addressing single points of failure is a vital part of business continuity efforts. Evaluating whether a supplier, specific equipment, a key staff member, or other resource could bottleneck the business if they become unavailable can guide backup plan development. In the case of the CDK Global breach, for example, many dealerships did not have a digital backup plan and thus resorted to pen-and-paper methods for selling and managing inventory.
When a breach happens, multiple response plans are put into action. Beyond the technical response, leaders need to think about how the breach is communicated to employees and customers. Developing best practices and policies for communicating breaches will allow you to act quickly and communicate transparently when they happen. These initial communication touchpoints will be important for restoring trust with key stakeholders.
Careful vendor vetting and oversight prevent vulnerabilities from being exploited. Review contracts to understand who is responsible for patch management and other cybersecurity activities. Regularly update and verify vendor compliance to strengthen security.
Thoroughly reviewing insurance policies ensures proper protection. Verify the coverage is relevant to how the dealership operates. This will help you better understand the fine print, especially during policy renewals, which can prevent gaps in coverage.
The CDK Global hack serves as a stark reminder of the cybersecurity challenges faced by car dealerships. To protect against future cyber threats, proactively manage vendor relationships, invest in comprehensive cyber insurance, and develop robust contingency plans. Businesses can also partner with a cybersecurity insurance broker to ensure they are adequately protected against potential hacks. By addressing these challenges head-on, you can ensure business continuity and build resilience in the face of evolving cyber threats.
Find Luke Shipp on LinkedIn.
Find Allen Blount on LinkedIn.
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.