Pub. 22 2023 Issue 5

any business, with dealerships requiring as much as 16 days (on average) to recover from ransomware attacks. With all these potential digital threats, protecting a dealership’s network may seem like a daunting task. However, with the appropriate steps, even the smallest vulnerability can be protected. Training for users, multi-factor authentication, and data encryption protocols are a few options to prevent potential cyber attacks. In the event of a successful attack, an incident response plan and a comprehensive cyber-insurance policy can also help get the dealership back on their feet.

In addition to what dealerships SHOULD do to protect themselves, there are also a few items they are REQUIRED to do to ensure compliance with regulations. The FTC Safeguards Rule, revised in 2022, has various requirements, including performing periodic risk assessments; regularly testing or monitoring effectiveness of safeguards; overseeing service providers; and evaluating and adjusting the dealership’s information security program in response to the results of testing and monitoring. These regulations provide an understandable starting point for dealerships to safeguard both their customers’ private information and their own secure data. By conducting regular system penetration testing and vulnerability scans, dealerships are given the opportunity to shore up their cyber defenses before an incident occurs.

Even with a comprehensive security plan in place and properly executed, dealers must realize that not all protective measures are foolproof. Because of how fast technology is evolving, safety precautions to protect against potential threats will always be lagging behind. No matter how much you train your team, someone can always have a bad day. Incidents can happen at any time, and because of this, it’s imperative that dealerships obtain a cybersecurity insurance plan with the appropriate limits.
You can read more about insurance coverages in the article authored by Steven Robinson found on page 26.

On top of a sturdy cybersecurity insurance policy, dealerships should also put into place a cybersecurity strategic plan. A robust cybersecurity strategic plan allows the dealership to implement an easy-to-follow game plan for their staff and develop a culture that prioritizes cybersecurity. A well-developed plan should include security policies such as access control, data encryption, backup, and retention:

• Access control can be handled in many ways, such as following the Principle of Least Privilege, multifactor authentication, network segmentation, and even physical security measures such as a locked door to your IT closet. Essentially, access controls should only allow an end user the minimum amount of access they need to perform their job.
• Data encryption must be done while data is at rest, such as stored on a hard drive, and while in transit, like when emailing.
• Data backups should be kept in three separate versions: the data that is being used, a physical backup, and an offsite backup.
• Data retention should dictate how long data is held. Typically, data is held for seven years before being destroyed; however, it’s important to research the appropriate retention requirements for specific documentation.

Training programs and phishing simulations should be conducted regularly as a part of a cybersecurity strategic plan. This hardens what is widely considered the weakest link. Additionally, periodic vulnerability assessments should be a routine part of every plan. A white-hat hacker can provide dealerships with a way to expunge any inadequacies in their systems.

Most importantly, dealerships should develop a detailed incident response plan. This document should include the roles and responsibilities of all stakeholders in the event of a breach. This provides a pathway for anyone to get the business back on its feet after an incident.
Charles Pearson is NJ CAR’s Technical Coordinator. He can be reached at (609) 883-5056 x134 or via email at cpearson@njcar.org.
