Pub. 1 2024 Issue 3

Pub 1 • Issue 3 Official Publication of the Louisiana Automobile Dealers Association Navigating the CDK Cyber Incident Immediate Actions and Long‑Term Security Strategies Cost, Loss and the Way Forward

10543 South Glenstone Place, Baton Rouge, LA 70810 • 225-769-9923 • theldsgroup.com LADA'S ENDORSED F&I PROVIDER OF PRODUCTS, TRAINING AND INCOME DEVELOPMENT A FEW OF OUR 60+ TEAM MEMBERS: Keith Decell President Jason Rasti Executive Vice President Cole Miller Director of Training Shelley Cavin Client Relations Manager Sunny Mayhall General Counsel Lee Martinez Regional Manager Dan Stowers Territory Manager Ryan Ipson Territory Manager Curtis Loftin Territory Manager Edward Burnett Territory Manager Alfonso ‘Fons’ Augustine Territory Manager Mustafa ‘Moose’ Mohammad Territory Manager

CONTENTS

A MESSAGE FROM THE PRESIDENT
Fighting for the Future of Our Industry
By Coulter McMahen, President/CEO, LADA

Louisiana House Bills 430 and 683
Impact on the Automotive Market
By Brooke Barnett, Founder, Express OMV by Dealer Services Network

Navigating the CDK Cyber Incident
Immediate Actions and Long-Term Security Strategies
By KPA

86th Annual Convention

The CDK Breach
Lessons Learned from an Attack on the Auto Industry
By Robbie Harriman, Director of Advisory Services, OCD Tech

Cost, Loss and the Way Forward
By Andre White, Director of Sales, Crescent Tek

Welcome New Associate Members!

Thank You, LADA-PAC Contributors!

Louisiana Automobile Dealers Association 2024 Charity Golf Tournament

©2024 Louisiana Automobile Dealers Association (LADA) | The newsLINK Group LLC. All rights reserved. Up to Speed is published four times each year by The newsLINK Group LLC for the LADA and is the official publication for this association. The information contained in this publication is intended to provide general information for review, consideration and education. The contents do not constitute legal advice and should not be relied on as such. If you need legal advice or assistance, it is strongly recommended that you contact an attorney as to your specific circumstances. The statements and opinions expressed in this publication are those of the individual authors and do not necessarily represent the views of the LADA, its board of directors or the publisher. Likewise, the appearance of advertisements within this publication does not constitute an endorsement or recommendation of any product or service advertised. Up to Speed is a collective work, and as such, some articles are submitted by authors who are independent of the LADA. While Louisiana Automobile Dealers Association encourages a first-print policy, in cases where this is not possible, every effort has been made to comply with any known reprint guidelines or restrictions. Content may not be reproduced or reprinted without prior written permission. For further information, please contact the publisher at (855) 747-4003.

2023-2025 EXECUTIVE COMMITTEE
Kristie M. Hebert, Arceneaux Ford, Chairwoman
Patton Fritze, Red River Chevrolet, Vice-Chairman, District 7
Rand Alford, Alford Motors Inc., Treasurer, District 15
Marshall Harper, Harper Chevrolet GMC, Immediate Past-Chairman
Robert A. Grace, Southpoint Volkswagen, District 11-12
John R. Young, John R. Young Chevrolet GMC, District 13
Mark A. Hebert Sr., Hebert’s Town & Country Ford Lincoln, NADA State Director

OUR TEAM
Coulter McMahen, President/CEO
Katherine Carver, Director of Events and Communications

While supplies last, Keep Louisiana Beautiful will provide the following to participating dealerships free of charge: A roadside litter reduction campaign that is positive and inviting to your customers. A vertical banner and counter sign to display in your dealership showroom. Litter prevention kits for distribution to your customers at the time of vehicle purchase. Kits will include a car litter bag, litter prevention tips, and a coaster with the litter hotline number. A digital toolkit, including a press release template to announce your partnership, digital ads, social media graphics, and sample posts. Questions? Contact info@keeplouisianabeautiful.org. Visit keeplouisianabeautiful.org to learn more about litter prevention. With your help, we can clean up our roadways. Why put the brakes on litter? Over 143 million pieces of litter are on Louisiana’s roadways. Over 79% of roadside litter is from motorists. The litter problem costs Louisiana over $91 million each year. 92% of Louisianans believe litter is a problem where they live. Scan to Sign Up! Supplies Are Limited. First-Come, First-Served. The Put the Brakes on Litter campaign from Keep Louisiana Beautiful offers your automobile dealership an opportunity to help reduce litter along our roadways.

A MESSAGE FROM THE PRESIDENT
Fighting for the Future of Our Industry
BY COULTER McMAHEN, PRESIDENT/CEO, LADA

In today’s rapidly evolving automotive industry, where regulatory shifts and policy changes can swiftly reshape the business landscape, standing still is simply not an option. Every day, LADA fights for the future of our industry, and this year, we took decisive steps to ensure that Louisiana dealers’ concerns were not just heard, but made a priority on the national stage. Nowhere was this more evident than at the NADA Legislative Fly-In in Washington, D.C., where LADA’s influence made a significant impact. LADA’s delegation, which included Chair Kristie Hebert (Arceneaux Ford), Vice Chair Patton Fritze (Red River Chevrolet), NADA State Director Mark Hebert (Hebert’s Town & Country Chrysler Dodge Jeep Ram), NextGen Representative Blake Hollingsworth (Hollingsworth Richards Ford), Jodie Teuton (Kenworth of Louisiana) and Keith Rutherford (Eagle Truck Center), engaged in high-level, strategic meetings with key members of the Louisiana congressional delegation. These meetings, including conversations with Speaker of the House Mike Johnson, Senator Bill Cassidy, Congressman Garrett Graves and Congresswoman Julia Letlow, ensured that the voices of Louisiana dealerships were heard on the critical issues that will shape the future of our industry. These discussions underscored Louisiana’s significant influence in Washington, and we made it clear that relentless advocacy on behalf of our dealers is essential. One of the primary concerns we addressed was the Federal Trade Commission’s (FTC) Vehicle Shopping Rule, derisively named the Combating Auto Retail Scams Trade Regulation Rule (CARS Rule). Despite clear process flaws and a lack of credible, data-driven analysis, the FTC finalized this rule, imposing unnecessary regulatory burdens on dealerships. 
A study conducted by the Center for Automotive Research (CAR) found that the CARS Rule would cost the industry over $24 billion in the next decade, add an additional 60 to 80 minutes to the car-buying process, and cost consumers at least $1.3 billion per year in lost time. During our meetings, we urged the Louisiana congressional delegation to support legislation (H.R. 7101/S. 3014) that would halt this rule and require the FTC to follow a more informed process should they choose to reconsider it. It’s important to note that our colleagues in Texas, along with NADA, have challenged the CARS Rule in the U.S. Fifth Circuit Court of Appeals. Oral arguments were set for Oct. 9, and we eagerly await the court’s decision, hoping for an outcome that invalidates this flawed regulation. We also expressed strong opposition to the Environmental Protection Agency’s (EPA) overly aggressive electric vehicle (EV) mandates and emissions standards, which could impose significant economic and operational challenges on dealerships. The Biden administration’s policy actions related to vehicle emissions and fuel economy — including the EPA’s final greenhouse gas (GHG) emissions rule for model years 2027-32 — fail to account for consumer demand. These mandates outpace consumer interest in EVs and risk disrupting the market. Our stance is clear: While we do not oppose electric vehicles, we oppose government mandates that force manufacturers to produce EVs, ultimately requiring dealers to sell them in a market with limited demand. Dealers are making significant investments — billions of dollars, in fact — to support the electrification of the fleet and ensure an unparalleled consumer experience when it comes to EV education, sales and service. However, it is the market — not government mandates — that should dictate production levels and sales strategies. 
Additionally, we championed support for catalytic converter anti-theft legislation, a growing concern for dealers nationwide, and stood against right-to-repair legislation, which poses risks to proprietary technology and consumer safety. We are at a pivotal moment for the automotive industry. It’s reasonable to expect that a Harris/Walz administration would continue the policies of the Biden administration, particularly concerning the CARS Rule and the EPA’s emissions mandates. In contrast, a Trump/Vance administration has clearly indicated its intention to repeal burdensome regulations on day one. Both Trump and Vance have publicly stated their commitment to eliminating the EPA’s emissions mandates immediately. Regardless of the political landscape, LADA remains steadfast in advocating for dealers now and in the future, ensuring that their interests are protected. As new challenges emerge, LADA will continue to lead the charge, making certain that Louisiana dealerships are front and center in the national policy decisions that directly impact our businesses. Together, we will navigate these critical times and secure a prosperous future for our industry.

Louisiana House Bills 430 and 683
Impact on the Automotive Market
BY BROOKE BARNETT, FOUNDER, EXPRESS OMV BY DEALER SERVICES NETWORK

In recent legislative sessions, Louisiana passed two significant bills — House Bill 430 and House Bill 683 — that promise to reshape the automotive landscape for car dealerships and their customers. These forward-thinking bills aim to streamline processes, boost sales and ultimately enhance overall satisfaction. Here's a closer look at the benefits these bills bring, paving the way for a more supportive and efficient automotive market in Louisiana.

HB 430: ACCEPTANCE OF OUT-OF-STATE INSURANCE

Overview
HB 430 mandates accepting out-of-state insurance, simplifying the vehicle registration process for new residents moving to Louisiana by eliminating the need to switch to a Louisiana insurance provider immediately.

Benefits for Car Dealerships
Dealerships can expand their customer base by attracting new residents or out-of-state customers who might otherwise delay purchasing a new vehicle due to insurance hurdles. This can lead to increased sales and customer acquisition. Simplifying the insurance acceptance process reduces the administrative burden on dealership staff. It makes the purchase process smoother, allowing for a more efficient registration process by expediting vehicle sale finalizations and deliveries. A quick, hassle-free experience leads to a higher Customer Satisfaction Index and repeat business.

Impact on Customers
New residents can maintain their existing insurance coverage while settling in, making the transition smoother and reducing the stress of moving. This flexibility allows them to focus on other aspects of their relocation. Avoiding the immediate need to switch insurance providers can also save customers time and money. They can conveniently shop for Louisiana insurance at their own pace without penalties or delays. This leads to a better overall experience, fostering positive relationships with dealerships and a new community.

HB 683: PROCESSING REINSTATEMENTS AND SETTLING DELINQUENT DEBTS

Overview
HB 683 requires an in-person reinstatement process and offers flexible payment plans for settling delinquent debts, making it easier for individuals to regain driving privileges and manage financial obligations.

Benefits for Car Dealerships
As more customers can resolve outstanding issues and regain driving privileges, dealerships can see an increase in foot traffic. This bill indirectly supports dealerships by potentially increasing sales and service opportunities. Dealerships offering in-person reinstatement services can attract more customers looking to purchase new vehicles. By assisting customers with reinstatements and debt settlements, dealerships also add value as a helpful resource to build stronger relations. Flexible payment plans for delinquent debts can lead to increased revenue through service fees.

Impact on Customers
While requiring in-person visits for reinstatements might seem inconvenient, it ensures customers receive personalized assistance and clear guidance to regain driving privileges — a convenience that significantly impacts life and the ability to work and fulfill daily responsibilities. Flexible payment plans provide a manageable way to settle delinquent debts. Customers can address their financial obligations without undue stress, improving their financial stability. Successfully reinstating driving privileges enhances customers' mobility and independence. This can lead to better employment opportunities and overall quality of life.

The Office of Motor Vehicle (OMV) and Public Tag Agent offices play a pivotal role in educating the public about these new laws. Through clear communication and community outreach with various media channels, they are instrumental in helping the public understand the benefits and navigate the changes effectively. Well-trained staff provide in-office support, answer questions and even offer expedited services for various transactions, ensuring a smooth transition for everyone.

A WIN-WIN SCENARIO
Louisiana HB 430 and HB 683 mark significant steps forward in improving the automotive market. Dealerships benefit from increased customer acquisition, streamlined operations and enhanced relationships, while customers enjoy easier transitions, cost savings and improved mobility. The new laws encourage potential customers to take immediate action, reassured by the support available to them in navigating the process.

Brooke Barnett is the founder of Express OMV by Dealer Services Network (DSN), a public tag agent serving as a one-stop shop for motor vehicle needs with 18 locations throughout Louisiana. For more information on OMV Express or DSN products and services, please contact Henry Casey at (985) 507-1189 or henry@expressomv.com or Clifton Speed at (985) 517-8747 or cspeed@dsn.net.

Navigating the CDK Cyber Incident
Immediate Actions and Long-Term Security Strategies
BY KPA

In the wake of the CDK Global cyber breach, the automotive industry is facing significant challenges and uncertainties. On June 19, CDK confirmed a “cyber incident” that led to a series of rapid and consequential actions, including shutting down various systems that are critical to dealership operations. This incident has escalated over weeks, revealing that Eastern European hackers allegedly demanded a multimillion-dollar ransom and culminating in reports that CDK may have paid approximately $25 million to end the outage. It is crucial for dealerships to stay informed and take immediate steps to protect their data. This article provides a detailed timeline of the events, an overview of the FTC Safeguards Rule and KPA’s recommendations for navigating this crisis and enhancing your dealership’s data security.

CDK CYBER INCIDENT TIMELINE
• June 19: CDK confirms “cyber incident,” shuts down customer access to various systems, turns customer access back on and turns customer access off again.
• June 20: It is reported that bandwagon hackers are phishing, vishing and smishing dealers while posing as CDK.
• June 21: CDK announces that systems will be down for several days, and it is reported by Bloomberg that Eastern European hackers are allegedly demanding a ransom.
• June 22: CDK announces it has started the restoration process. CDK identifies this as a “cyber ransom event,” and the first purported class action complaint is filed against CDK.
• June 25: CDK notifies dealers that not every dealer will have access restored by June 30, and dealers should look for other options to close month-end.
• July 2: CDK announces that the DMS access is substantially restored to customers, and that CDK will make notifications to the FTC (if necessary, unless a dealer opts out).
• July 11: CNN reports that CDK likely paid 387 Bitcoins (roughly $25 million) to hackers to end the outage.

REPORTING OBLIGATIONS UNDER THE FTC SAFEGUARDS RULE
The Federal Trade Commission (FTC) Safeguards Rule provides a framework for dealerships and other financial institutions to protect customer information by requiring them to have certain measures in place to ensure the security and confidentiality of customer records and information. On Oct. 27, 2023, the FTC announced a revision to the Safeguards Rule, requiring non-bank financial institutions to report data breaches to the FTC within 30 days of discovering that unencrypted information of more than 500 consumers was obtained by third parties without authorization. This notification requirement went into effect on May 13, 2024, and is in addition to any state notification requirements.

ARE YOU REQUIRED TO REPORT THIS INCIDENT TO THE FTC OR OTHERS?
Dealerships do not know yet since CDK has not revealed exactly what has happened. While it is very likely that the hackers accessed and acquired unencrypted customer information, we do not know the extent to which customer information was accessed. In other words, dealerships have no way of knowing whether their customers’ information was compromised during the CDK cyber incident.

While CDK has worked out an agreement with the FTC that would allow CDK to report on behalf of any dealership if that dealership’s customer information was compromised, you should still gather more information before deciding to participate or opting out. What will CDK’s message to the FTC state? Will the dealership have any obligations to follow up on requests from the FTC? Will CDK indemnify the dealers for any mistakes or errors? Additionally, states have their own notification laws, and the agreement between CDK and FTC does not address those state-level requirements.

Regardless, if you have not already done so, you should notify your insurance company and put them on notice of this incident, even if not making a claim, to avoid arguments by the carrier that a notification delay caused prejudice to the carrier. The carrier will also be helpful in the notification process if necessary. Nevertheless, stay informed because data breach notification time frames are very narrow.

TIPS FOR DATA SECURITY AT YOUR DEALERSHIP
Ensuring the security of your dealership’s data is more crucial than ever. Evaluate how your organization protects user data and consider steps to enhance its security. Here are some essential tips to keep your dealership’s data secure:
• Create Secure Passwords: Strong passwords are the first line of defense against unauthorized access. Use long passwords with a mix of uppercase and lowercase letters, numbers and special characters.
• Set Up Multifactor Authentication: Multifactor authentication (MFA) adds an extra layer of protection by requiring multiple forms of verification, making it significantly harder for unauthorized users to gain access. With MFA, even if one credential is compromised, additional authentication factors can prevent attackers from accessing all sensitive information.
• Encrypt Your Data: Data encryption transforms readable data into an unreadable format, ensuring that even if unauthorized parties gain access to the data, they cannot interpret or misuse it without the decryption key. Customer data must be encrypted at rest and in transit on the networks and systems that you use.
• Identify and Address Phishing Messages: Phishing attacks are a common method for cybercriminals to gain access to sensitive information. These attacks often involve deceptive messages that lure individuals into clicking malicious links. Ensure your employees are educated on how to recognize and avoid phishing attempts. Test their skills with tools like Google’s phishing quiz at phishingquiz.withgoogle.com.
• Minimize Public Wi-Fi Use: Public Wi-Fi networks are often unsecured, making them prime targets for cyberattacks. Encourage your employees to avoid using public Wi-Fi, especially when accessing company data. Provide secure private Wi-Fi in the workplace to reduce the risk of data breaches.
• Back Up Your Data: In the event of a data breach, having backups of your data is essential. Regularly back up your data to ensure that you can recover important information if it is compromised. This practice can mitigate the impact of a breach and help maintain business continuity.
• Partner with a SOC Compliance Vendor: SOC compliance refers to the set of standards and regulations that companies must adhere to in order to ensure the security, availability and confidentiality of their customers’ data. Working with a vendor who is certified SOC-compliant can bring several benefits to your business. SOC compliance ensures that the vendor has established and implemented adequate controls to protect sensitive data and assets.

By implementing these tips, you can strengthen your dealership’s data security and build trust with your clients.

ENSURE YOU ARE SAFEGUARD COMPLIANT
Need a partner in complete compliance? KPA is here for you! KPA Privacy & Safeguards software offers a comprehensive solution specifically designed for automotive dealerships to ensure complete compliance, protect customer data and streamline operations with a guided 10-step approach. Our robust 10-step compliance framework includes customized legal policies, technical safeguards and regular assessments to mitigate risks and ensure compliance. We’re your partners in true, complete compliance. Please reach out to us at info@kpa.io, by visiting kpa.io/automotive, or by giving us a call at (866) 856-1735.

Step 1: Establish Safeguards Team
Step 2: Written Risk Assessment
Step 3: Written Information Security Program
Step 4: Information Security Training
Step 5: Simulated Phishing Attacks
Step 6: Vendor Assessment and Agreements
Step 7: Access Controls
Step 8: Technical Requirements
Step 9: Written Incident Response Plan
Step 10: Written Annual Report Board

JUNE 11-15, 2025 86TH ANNUAL CONVENTION

Our attorneys can help you steer through the labor laws affecting the car business. Since 1943, we have been the labor lawyers of choice for automobile dealers. Fisher Phillips is dedicated to helping the members of the Louisiana Automobile Dealers Association with their labor and employment legal matters. We’re driven to help you succeed. Timothy H. Scott, Partner, New Orleans | Boston, tscott@fisherphillips.com. 201 St. Charles Avenue, Suite 3710 | New Orleans, Louisiana 70170 Phone (504) 529-3834 • Fax (504) 529-3850. fisherphillips.com | 36 Locations. With almost 600 attorneys in 41 offices across the United States and Mexico, Fisher Phillips is an international labor and employment firm providing practical business solutions for employers’ workplace legal problems. FISHER PHILLIPS LLP

The CDK Breach
Lessons Learned from an Attack on the Auto Industry
BY ROBBIE HARRIMAN, DIRECTOR OF ADVISORY SERVICES, OCD TECH

In October of 2023, I presented to the Massachusetts State Auto Dealers Association on the state of cybersecurity in the industry, warning that the industry was under attack. On the dark corners of the internet, attackers were sharing information that auto dealers were prime targets for a ransomware payday. They point to a workforce lacking cybersecurity awareness combined with outdated and unpatched technology as the reason. Since then, we saw a major breach at Toyota, a ransomware attack on a Midwest auto dealer, Jeff Wyler Automotive Family, and another on Findlay Automotive, a Nevada-based group whose operations and ability to sell vehicles were still reportedly impacted a month later.

On June 19, 2024, CDK Global, a major dealer management system provider, was the victim of a cyberattack. This attack impacted about 15,000 dealerships to varying degrees, depending on how many and which CDK products they were using. As is common with these types of incidents, CDK has not disclosed a lot of the details. However, there are some things we do know, and some things we can speculate on given what we know about the attackers and these types of attacks in general. Most importantly, there are always lessons to be learned from unfortunate scenarios like this.

And sadly, this is not the first time a dealer management software company has been breached. Let’s not forget that the catalyst for the enhanced FTC Safeguards Rule was a breach of LightYear Dealer Technologies, doing business as “DealerBuilt,” back in 2019. DealerBuilt settled with the FTC, which alleged that the company poorly protected the information of consumers, leading to a breach that exposed millions of consumers’ personal information. Let’s dive into the anatomy of the CDK attack, and shed light on what action can be taken to identify and address the cyber risks we face today.

WHAT: RANSOMWARE
Ransomware is a specific category of cyberattack where the attackers either encrypt data, rendering systems inoperable and data inaccessible until the victim purchases a “decryptor” (a tool designed by the attackers to unlock the data), or steal data under the threat of public release or sale on the dark web. The attack group responsible for the CDK attack (called BlackSuit) is known for a “double extortion” approach — where they both encrypt files and threaten to leak sensitive data. This is a lethal blow as it combines the urgency of downtime with regulatory factors such as potential fines and penalties imposed by the Federal Trade Commission and other local and federal authorities, not to mention damage to reputation and loss of consumer and investor/stakeholder confidence (although CDK Global went private in 2022, acquired by Brookfield Business Partners). The ransom CDK reportedly paid was $25 million, and AEG estimated that this incident cost a total of $1.02 billion to dealers.

WHO: BLACKSUIT
BlackSuit is a Russian and Eastern European organized cybercrime group reportedly responsible for the attack. These organized ransomware groups are the modern-day virtual version of the mafia. They operate as a business, with reporting structures, bonus incentives and highly motivated and organized leadership. They are located in regions where it is difficult for U.S. authorities to pursue and extradite them, and they even leave trademark signatures and publicly claim their attacks. For BlackSuit, the callsign is renaming ransom-encrypted files with a “BlackSuit” extension.

Similar to the crime groups of yesteryear — these groups disband when “bosses” are incarcerated or go into hiding, with new syndicates forming from previous underboss members. BlackSuit is an iteration of an affiliated group known as Royal, which formed after the fall of one of the most notorious Russian groups, Conti. Conti was said to have annual revenue exceeding $180 million from ransomware attacks.

WHEN: HOLIDAYS
Organized cybercrime groups are very strategic about when and how they strike. They gather information about their targets, working to calculate the exact timing and amount to demand that will inflict the most damage, increasing the likelihood of the victim paying. Attackers know that U.S. holidays are times when IT is often thinly staffed and “on call” — potentially creating a scenario where their guards are down. This is two-fold for automotive sales, as holidays are often the biggest days for sales. So, the strike on the U.S. federal holiday of Juneteenth was the perfect storm for these adversaries, knowing that the 4th of July soon follows as one of the biggest days for auto sales.

HOW: THE HUMAN ELEMENT (MOST LIKELY)
Again, details of the attack have not been released, but the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that 91% of attacks originate from a phishing email. Anonymous sources claiming to be insiders involved in the investigation of this attack have also indicated this was the case. Combine that with the fact that BlackSuit’s most common entry point is phishing, and we have a likely suspect for how the attack originated. That being said, most attacks employ a combination of tools and methods. As I mentioned previously, the second factor attackers have identified in the industry is outdated and unpatched “legacy” technology. Outdated software can contain known vulnerabilities and misconfigurations that allow attackers a foothold and pivot points within an environment. Honorable mention goes to easily guessable passwords and/or password reuse and lack of multi-factor authentication.

LESSONS LEARNED
Lessons from this attack are not just limited to CDK, or even those dealers impacted by the cyberattack and resulting outage. As I’ve warned, attackers tend to take the path of least resistance.

1. An Ounce of Preparation: The FTC Safeguards Rule requires you to have an Incident Response Plan in place. This should detail what actions are taken in the event of a cyberattack. These plans should be documented with roles and responsibilities and tested with “tabletop exercises” where attack scenarios are talked through to identify any potential enhancements to existing processes. Another recent amendment to the Safeguards Rule now includes reporting requirements for any incident impacting 500 or more individuals.

2. Vendor Management: This is another explicit FTC Safeguards requirement. OCD Tech has been pressing DMS providers on their security vulnerabilities and compliance since the Safeguards Rule was proposed, with some more responsive than others. Many of these systems are archaic, built on inherently vulnerable platforms and infrastructure. More modern and proactive DMS players are building solutions that are more in line with today’s technology and security needs. Proper vendor management means evaluating who your vendors are, who has access to your data, how critical they are to your operations and, subsequently, how adequate their security practices are.

3. Employee Awareness Training: Employ not only distribution of cybersecurity awareness training materials, but simulated phishing attacks to train your workforce on how to spot red flags and indicators of suspicious activity. OCD Tech has noted employee click and open rates as high as 30% during baseline simulated phishing campaigns. That means 30% or more of your employees could fall for an email sent by an attacker. We’ve seen those very same dealerships improve that rate to less than 2% over a period of six months of simulated campaigns. Employees should also be reminded to be on high alert going into high-volume sales and service periods such as holidays, and after events such as the CDK breach where “piggyback” attacks can follow — attackers posing as CDK representatives to convince individuals to open malicious software or grant them remote access.

4. Basic Cyber Hygiene: We can’t stress enough the importance of enabling multi-factor authentication where available, and especially where sensitive customer information resides. This is typically a low-cost and low-impact change that is very effective. Easily guessable and reused passwords could also mean that an attacker already has login information for your environment. Leverage information sources such as dark web monitoring for leaked credentials — and make sure you force password changes when such credentials for your dealership appear.

5. Assess Risk, Address Risk, Repeat: You don’t know what you don’t know. Contracting a third party to evaluate your security and compliance can be an incredibly valuable tool. Measuring your cyber risk and cybersecurity maturity can provide a roadmap towards improvement that allows you to focus your budget and effort in the right areas. With all the flashy tools and corresponding sales pitches out there today, it’s important to understand what threats you’re facing and what you’re paying for to mitigate the associated risk. Have a contracted simulated attacker evaluate your vulnerabilities and see if they can get into your systems, before a real attacker does.

As always, it’s important to stay vigilant. There are a lot of tools out there today that can help align you with security best practices and become compliant with data privacy and protection requirements. But, it’s important as a business leader to ask the difficult questions and demand answers in a language you understand. Know your weaknesses, because your adversaries sure do. And it’s not all doom and gloom. It’s about fostering a culture of cybersecurity awareness. Remind employees about the importance of cybersecurity awareness during department meetings. Ask your IT staff or third-party provider for metrics on your cybersecurity performance. Cybersecurity is a necessity these days, but as we’ve seen with this attack — it can also become your competitive edge.
Some of our clients using CDK have inquired about alternative DMS solutions, and competitors in the market are so inundated with requests, one is actually declining to schedule demos. In a market with plenty of competition, a cyberattack can be make-or-break for your business.

Robbie is the director of advisory services at OCD Tech. Robbie joined the firm in May of 2016. Prior to working at OCD Tech, Robbie worked in IT for other companies, including the heavily regulated casino industry. He oversees security assessments as well as government compliance services, including DFARS, NIST and CMMC for organizations in the Defense Industrial Base. Robbie has a diverse range of experience in the IT field, with a deep background in IT systems administration and control areas. Robbie presents regularly at events and contributes to security-related publications.


Cost, Loss and the Way Forward

BY ANDRE WHITE, DIRECTOR OF SALES, CRESCENT TEK

In today’s interconnected digital world, with our ever-growing reliance on the software and technology that drive our everyday tasks, the specter of cyber threats looms larger than ever before. From stealthy, sophisticated and sometimes state-sponsored hackers seeking to exploit vulnerabilities in our systems to the average untrained employee clicking a link, the landscape of cybersecurity is fraught with complexity and constant evolution. As businesses and governments alike navigate this treacherous terrain, the need for vigilance, preparedness, innovation and a willingness to learn continues to be urgent. Without them, the consequences can often be unfortunately costly.

In 2023, an estimated $1.1 billion was paid in ransomware payments through cryptocurrency. This represents a rise of nearly 100% from 2022, according to Chainalysis, which tracks the cryptocurrency used in these transactions. Of note, this is the highest number documented since tracking of these transactions began.

While the ransom portion of these attacks can be costly, it does not represent the total financial losses that can be felt in the aftermath of a cyberattack. With each breach, we must account for the days, weeks and even months that a business or organization may be unable to function. The average cost of a data breach globally in 2023 was $4.45 million. Leading the tally are businesses within the United States, having paid an estimated $9.48 million per breach. According to the annual report of the FBI’s IC3 (Internet Crime Complaint Center), some 880,418 complaints were filed with the FBI, costing Americans over $12.5 billion in 2023.

As our daily routines become more reliant on technology, we face the growing possibility of more attacks on our services over our direct networks and systems. Most recently, nearly 15,000 car dealerships were prevented from executing their most basic function of selling cars after a direct denial of service attack on the dealer management software CDK. The responsible Eastern European crime group demanded $25 million, a sum that CDK is expected to have paid, according to multiple sources close to the matter who spoke with CNN’s Sean Lyngaas. This is a fraction of the losses North American auto dealers are expected to see, which Anderson Economic Group estimates will exceed $1 billion.

Auto dealers are not the only industry to have suffered from these attacks. UnitedHealth Group was documented as having paid $22 million to a cybercriminal group during an attack in February of 2023. MGM suffered $100 million in losses during mitigations after deciding not to pay the ransom, while the city of Dallas, Texas, approved an $8.5 million emergency budget for recovery and mitigation efforts. Whether the target is a large corporation or a small business, these attacks are varied and non-discriminatory.

These numbers have surely caused everyone’s financial stomachs to turn, but let me assure you that there are teams of professionals, companies and government agencies who stand ready to defend against these very threats. At any given moment, cyber squads supporting the FBI’s 56 field offices are working tirelessly with other government agencies to investigate and remediate cybercrimes while aiding in the development of modern mitigation methods and the prosecution of known bad actors.

As mentioned when we started, these modern threats require vigilance, preparedness, innovation and a willingness to learn. The investment of time and financial resources into protecting our organizational processes, systems and networks is vital. IBM reports that the average savings for organizations using security is $1.76 million. As most people only feel so confident in cybersecurity, it is recommended to have knowledgeable and confident personnel supporting your team daily. An internal IT team with cybersecurity experts can be an asset but often takes a significant amount of time to build and hire. Alternatively, managed service providers and cybersecurity-specific companies exist to support your internal teams or act as your team daily.

Protecting businesses and organizations can too often be an afterthought for those in control. With the attack frequency and cost of each attack growing annually, it is not a matter of if but when a cyber threat will affect your business. Often these attacks are preventable with the proper training, equipment and supporting individuals. Are you ready?


Welcome New Associate Members!

Ascension Tag Title & Legal Service LLC www.ascensiontagtitlelegal.com/services
CHAMP Titles Inc. www.champtitles.com
CP Handheld Technologies cphandheld.com
Cross-Sell www.cross-sell.com
Dealer Alchemist dealeralchemist.com
IDS Distributing idsdistributing.com
Merchant Advocate merchantadvocate.com
Merchant Consulting Corporation
MetroTech Automotive www.metrotechauto.com
OCD Tech LLC ocd-tech.com
Priority Payments Local pplocal.com
WarrCloud warrcloud.com

Thank You, LADA-PAC Contributors! The Louisiana Automobile Dealers Association appreciates the support of all the dealers who have donated to LADA-PAC, the association’s political action committee. LADA-PAC works hard to advocate for Louisiana dealers and ensures dealers’ voices are heard on a wide variety of important legislative issues. Contact LADA at lada@lada.org or (225) 769-5500 to make a contribution. Thank you to the following who have contributed to LADA-PAC: A & D Financial Services Acadiana Chrysler Dodge Jeep Acadiana Mazda Acura of Baton Rouge Advancial Federal Credit Union Advantous Consulting LLC Alford Motors Inc. All Truck Parts & Equipment Co. Inc. American Fidelity Assurance Company Arceneaux Ford Inc. Arthur J. Gallagher Ascension Tag Title & Legal Service LLC Audi Lafayette Audi New Orleans Audi Shreveport Auto Elite Collision of CENLA LLC Auto Elite Collision of NELA LLC Auto Plex 2000 Automotive Risk Management Partners Bank of America Banner Chevrolet Banner Ford Barker Buick GMC Barker Honda Barker Mitsubishi Kia Bayou Dodge Chrysler Jeep Bayou Ford Bayou Nissan LLC Benoit Chevrolet GMC Bergeron Chrysler Dodge Jeep Bergeron Volvo Best Chevrolet Bill Hood Ford Lincoln Bill Hood Hyundai Bill Hood Nissan Billy Navarre Chevrolet Cadillac of Lake Charles Billy Navarre Chevrolet of Sulphur Billy Navarre GMC Billy Navarre Nissan Billy Wood Ford BMW of Lafayette Bohn Toyota Bolton Ford LLC Brandt Management Ltd. Breazeale, Sachse & Wilson LLP Brian Harris BMW Brian Harris Porsche Brown Chrysler Dodge Jeep LLC Bruckner Truck Sales — Shreveport Bryan Subaru Bubba Oustalet Chevrolet Cadillac Inc. Bubba Oustalet Ford Lincoln Toyota Scion Inc. Cadillac of New Orleans Calvin Braxton Ford Camper’s RV Center Capitol Mack Car Giant Chevrolet Buick GMC of Homer Carriere-Stumm LLC Cazenave Motor Company Inc. CBG GMC Inc. Cecil Graves Chevrolet GMC Inc. 
Chevyland Community Honda of Lafayette Community Motors Chrysler Dodge Jeep Ram ComplyAuto Privacy LLC Courtesy Buick GMC — Lafayette Courtesy Chevrolet Buick GMC of Ruston LLC Courtesy Chevrolet Cadillac — Lafayette Courtesy Chrysler Dodge Jeep Ram — Breaux Bridge Courtesy Chrysler Dodge Jeep Ram — Ruston Courtesy Ford — Breaux Bridge Courtesy Lincoln — Lafayette Covington Powersports Cox Media Crown Buick GMC Inc., Crown Buick GMC Truck Dantin Chevrolet Dealer Collision Repair LLC Dominion Dealer Solutions Don Shetler Buick Chevrolet Inc. Eagle Truck Center LLC Eddie Tourelle’s Northpark Hyundai LLC Eddie Tourelle’s Northpark Nissan Inc. Enterprise Holdings Express OMV LLC Ford of Slidell LLC

Forvis Mazars Gateway Ford Inc. Geaux Chevrolet Geaux Napoleonville LLC Genesis of Lafayette Geri Lynn Nissan Gerry Lane Buick GMC LLC Gerry Lane Cadillac Giles Nissan Giles Nissan of Opelousas Giles Volvo Subaru GMC at All Star Golden Motors LLC GPW and Associates Inc. Greg LeBlanc Hyundai Greg LeBlanc Toyota Guaranty Corporation Hampton Mitsubishi Hampton Toyota Harper Chevrolet GMC Harvey Subaru Hebert’s Jeep Hebert’s Town & Country Dodge Chrysler Jeep Hebert’s Town & Country Ford Lincoln Hino of Baton Rouge Hixson Automotive Group Hixson Autoplex of Alexandria Inc. Hixson Autoplex of Leesville Hixson Chevrolet Chrysler Dodge Jeep Inc. Hollingsworth Richards Ford Holmes Honda Honda of Covington Honda of Harvey Honda of Slidell Hub City Ford Inc. HUB International Gulf South Ltd. Hyundai of Metairie Infiniti of Baton Rouge Infiniti of Lafayette Interstate Dodge Inc. Interstate Hyundai Inc. ITA Truck Sales & Service — Slidell ITA Truck Sales & Service LLC — Lake Charles ITA Truck Sales & Service LLC — NOLA ITA Truck Sales & Services LLC — Lafayette Jay Mallard Ford Lincoln Jim Taylor Buick GMC Jim Taylor Chevrolet LLC Jimmy Granger’s Natchitoches Ford Lincoln John Harvey Toyota John R. Young Chevrolet GMC Foy Chevrolet Buick GMC Kenworth of Louisiana — Bossier City Kenworth of Louisiana — Carencro Kenworth of Louisiana — Gray Kenworth of Louisiana — Harahan Kenworth of Louisiana — Lake Charles Kenworth of Louisiana — Monroe Kenworth of Louisiana — Port Allen Kia of Lake Charles Lake Charles Auto Plaza Lake Charles Toyota Lakeshore Chrysler Dodge Jeep Ram of Kenner Lakeshore Chrysler Dodge Jeep Ram Inc. Lakeshore Kia Lakeside Toyota Lamarque Ford Inc. Land Rover of New Orleans Landers Dodge Chrysler Jeep Larry Nobles Wrecker Sales LLC Lee Edwards Mazda Legacy Buick GMC Leglue Nissan Leson Chevrolet Co. Inc. 
Leson Isuzu Trucks Lexus of New Orleans Lexus of Shreveport Lonestar Truck Group Shreveport Louisiana Public Tag Association Maggio Buick GMC Mark Dodge Chrysler Jeep LLC Marketplace Chevrolet Buick Martin Truck Center, Martin Automotive Group Inc. Matt Bowers Ford Mendoza Ford Mercedes-Benz of Baton Rouge Mercedes-Benz of Covington Mercedes-Benz of New Orleans Mike Willis Ford Moffitt Mazda Moffitt Volkswagen Morgan Buick GMC Shreveport Inc. Mossy Buick GMC Musson-Patout Buick GMC Musson-Patout Chrysler Dodge Jeep Musson-Patout Toyota National Auto Care New Orleans and South East Information Technology Group New Roads Motor Company LLC Nexstar Broadcasting Inc. Northshore Toyota OCD Tech LLC Old River of New Orleans LLC Orr Kia of Bossier City Orr Kia of Shreveport Orr Nissan

Orr Nissan South P.K. Smith Motors Inc. Paretti Jaguar Land Rover Paretti Jaguar of New Orleans, Paretti Imports LLC Paretti Mazda LLC Peake BMW Perry Pitre Ford Company Inc. Peterbilt of Lafayette LLC Peterbilt of Louisiana LLC Peterbilt of New Orleans LLC Pliler International Porsche of New Orleans Premier Kia of Kenner Premier Nissan of Harvey Price LeBlanc Lexus Price LeBlanc Nissan Price LeBlanc Toyota Priority Payments Local Rainbow Chrysler Dodge Jeep Ram Rainbow Luxury Imports LLC Rainbow Northshore Buick GMC LLC Ralph Sellers Chevrolet Ralph Sellers Chrysler Dodge Jeep LLC Ralph Sellers Hyundai LLC Red River Motor Company Reynolds & Reynolds Richards Honda Risk Management Services LLC Robichaux Ford Robin Ford Robinson Brothers Ford Lincoln Ross Bus & Equipment Sales Inc. Ross Downing Buick GMC Cadillac LLC Ross Downing Buick GMC of Gonzales Ross Downing Chevrolet Inc. Roy Motors Inc. Royal Buick GMC Royal Honda Royal Nissan Ryan Chevrolet Ryan Honda Safe-Guard Products, International LLC Sango Buick GMC Scott Truck Company LLC Secure Shredding and Recycling Shetler Corley Ford Ltd. Southern Chevrolet Cadillac Inc. Southland Dodge Chrysler Jeep LLC Southpoint Volkswagen Southwest Volkswagen Inc. Sparks Nissan Kia Sterling Buick GMC Sterling Buick GMC West Sterling Chrysler Dodge Jeep Sterling Chrysler Dodge Jeep Ram Sterling Hyundai Sterling Kia StrategicSource Subaru of Baton Rouge Superior Ford Inc. Supreme Chevrolet Cadillac of Plaquemine Supreme Chevrolet LLC Supreme Nissan of Slidell Supreme Toyota of Hammond T & J Ford Inc. Tameron Kia Westbank Team Honda Team Mazda Team Toyota Terrebonne Ford Terrebonne Lincoln Mazda Louisiana Dealer Services Inc. 
Timmons Truck Center — Alexandria Toyota of Kenner Toyota of New Orleans Toyota of Slidell Trapp Cadillac Chevrolet TRUECar Van-Trow Toyota LLC Vaughn Automotive of Alexandria Vaughn Chevrolet Vaughn Chevrolet Buick GMC Vaughn Chevrolet Buick Natchitoches Vaughn Chrysler Dodge Jeep Ram Vaughn Ford Lincoln Vaughn Toyota of Bastrop Volkswagen of Mandeville Walker Acura Walker Automotive dba Walker Mitsubishi Buick GMC Walker Chrysler Dodge Jeep Ram Walker Honda Walker Kia Walker Mercedes BMW Walker Toyota Walker Volkswagen Inc. Waller Singer Chevrolet Inc. Walt Massey Chevrolet Franklinton WarrCloud White Ford LLC Winnsboro Chrysler Dodge Jeep Ram Wray Ford Inc. Yokem Motors LLC
