2025 Pub. 15 Issue 3

How Well Are You Managing Your Service Providers?

The most common response dealers give in conversations about their network’s cybersecurity posture is that they don’t house any information on their network — it’s all “in the cloud” or sent directly to a service provider’s database. This leads many dealers to (falsely) assume that their customers’ nonpublic information is automatically safe and secure within the service provider’s environment.

If recent history has taught us anything, it’s that even the most widely used DMS and CRM service providers in the industry with the largest cybersecurity budgets are not safe from cyber criminals, not to mention small or regional website design, advertising and marketing companies. For this exact reason, the FTC included a Vendor Evaluations clause in the most recent update of the Safeguards Rule — to ensure that dealers carefully consider with whom they are doing business and sharing their customers’ sensitive, nonpublic information.

A recent report by SecurityScorecard, mentioned in an article by Security Magazine, details that 29% of all breaches are attributed to third-party attacks. This means that almost a third of breaches occur through the exploitation of trusted service providers and vendors.

To mitigate this risk, dealers need to have a documented, replicable vendor selection, vetting and documentation process. Appropriate personnel must be trained on what that process is, how to follow that process and how to manage and communicate with the service providers and vendors that are carefully selected as business partners. Even though vendor management doesn’t intuitively seem to be related to cybersecurity, it’s important to understand the holistic landscape of what cybersecurity entails and how it should be approached, especially when most of your company’s data is housed by a third party.

Unfortunately, because it involves the most nuance and subjectivity, vendor management is traditionally the least understood and least emphasized piece of the Safeguards Rule. Even though it’s arguably the most critical piece of a dealership’s network environment, many dealers act as if vendor compliance can be “automated” or solved with a pre-signed agreement and risk assessment. This could not be further from the truth.

While the risks vendors pose can never be 100% removed, performing the due diligence of vetting and verifying that vendors with whom dealers are sharing customer information are reputable, responsible and take the necessary steps to safeguard information is more important now than ever before. Dealers need to make sure they can trust their compliance partner to be involved and knowledgeable about not only the regulations and compliance landscape, but also how their specific business functions within them.

For more information on how Ethos Group can help your dealership develop more leaders in your F&I office, sales management tower and your sales floor in 2025, please contact: Chris Nesseth at cnesseth@ethosgroup.com or (319) 270-4779, or Austin Shane at ashane@ethosgroup.com or (319) 296-8760.

By Kaitlyn Paresi, Ethos Group

Illinois Automobile Dealer News
