2025 Pub. 5 Issue 1

• Create and maintain encrypted, offline or immutable backups of essential company and customer data. • Implement strong protections around identity and access management, such as multifactor authentication on all devices that can access company networks. • Formulate, test and continuously evolve the response plan. It should identify stakeholders and their roles, communication tactics and off-network channels, reporting procedures required by regulatory bodies or local law enforcement, and criteria for restoration of safe states. 2. Backup and Test • Regularly confirm the integrity of backups. • Do not look at backups as the “last line of defense.” No backup method is 100% cybersecure, and stealthy bad actors can corrupt backups even before they launch ransomware. During an Incident 3. Detection and assessment • Use security tools to monitor network traffic for evidence of an adversary’s presence or movement and issue alerts. • Assess which systems are easily compromised by ransomware and isolate them. Coordinate a shutdown of all devices that cannot disconnect from the affected systems. • Reset all credentials and passwords connected to affected systems. 4. Communication and reporting • Inform all internal teams and stakeholders on a preselected communication channel to ensure individuals essential to the response are engaged. • As needed, report the incident to affected third parties or vendors that assist your dealership with security and incident response. • Notify cybersecurity agencies and/or local law enforcement to maintain regulatory compliance and to receive additional assistance or guidance. • Communicate with third parties and clients to ensure they have not experienced financial impacts after the incident. 5. Containment and remediation • Disable any system involved in the initial breach, as well as connected systems that malicious actors could use to access other parts of the company network or data systems. • Analyze network traffic and endpoints for evidence of the malicious actors’ persistence. Remediate vulnerabilities. • Rebuild the systems that are most critical to business operations. • Reset passwords and permissions. After an Incident 6. Recovery and response plan update • Complete a thorough forensic analysis of the incident and document all steps taken to eliminate the ransomware or remove footholds the threat actor established. • Confirm that backups remain uncorrupted and don’t contain malicious payloads. Restore affected systems. • Inform all relevant third parties and oversight agencies of the steps taken and the removal of the threat. • Make improvements to company systems based on forensics. • Continue to maintain vigilance. Update security systems regularly and adapt employee training to reflect lessons learned. To learn more, visit business.bofa.com. “Bank of America” and “BofA Securities” are the marketing names used by the Global Banking and Global Markets divisions of Bank of America Corporation. Lending, derivatives, other commercial banking activities and trading in certain financial instruments are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Trading in securities and financial instruments, and strategic advisory, and other investment banking activities, are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, BofA Securities Inc., which is a registered broker-dealer and Member of SIPC, and, in other jurisdictions, by locally registered entities. BofA Securities, Inc. is a registered futures commission merchant with the CFTC and a member of the NFA. 1Anderson Economic Group, “Dealer Losses Due to CDK Cyberattack Reach $1.02 Billion.” ²CDK Global, “The State of Dealership Cybersecurity 2024.” 47 MONTANA AUTO DEALER

RkJQdWJsaXNoZXIy MTg3NDExNQ==