
Cyber Insurance for Auto Dealerships: What Carriers Require

Cyber coverage for dealers now hinges on the controls you can prove. Here's what insurers ask on the application, why claims get denied, and how your FTC Safeguards WISP improves both your insurability and your premium.

Two things changed dealership cyber insurance in the last few years. First, the FTC Safeguards Rule made dealers that arrange financing into regulated "financial institutions." Second, the June 2024 CDK Global ransomware attack took roughly 15,000 rooftops offline for weeks — turning "cyber" from an IT line item into a business-continuity and balance-sheet problem every dealer principal now understands.

Carriers responded the way carriers do: they tightened underwriting. A cyber policy is no longer something you simply buy — it's something you qualify for by demonstrating specific security controls.

What a dealership cyber policy typically covers

Coverage varies by carrier and policy, but most dealership cyber policies address some mix of:

  • First-party costs: forensics, breach response, customer notification, credit monitoring
  • Ransomware / cyber-extortion (where lawful) and the downtime it causes
  • Business interruption — lost gross when the DMS or network is down (the CDK scenario)
  • Social-engineering / funds-transfer fraud — the F&I and payoff-wire exposure (often a sub-limit)
  • Third-party liability: claims from customers whose data was exposed
  • Regulatory defense: response to FTC or state-AG inquiries after a breach

The business-interruption lesson from CDK

Many dealers who lost weeks of operations in 2024 learned the hard way how their business-interruption coverage, waiting periods, and dependent/contingent business-interruption terms (covering an outage at a vendor like the DMS) actually worked. Read those clauses before you need them — not after.

What carriers require to quote you

These are the controls that now commonly appear as application questions — and increasingly as conditions of coverage:

1. Multi-factor authentication (MFA)

   On email, remote access (VPN/RDP), the DMS, lender and manufacturer portals, and admin accounts. This is the single control most often gating coverage — many carriers will not quote without it.

2. Endpoint detection & response (EDR)

   Modern EDR on workstations and servers, not just legacy antivirus. Insurers increasingly distinguish between the two on the application.

3. Tested, segregated backups

   Backups that are encrypted, kept offline or immutable, and actually test-restored. Ransomware recoverability is a core underwriting question.

4. Security awareness training

   Recurring training plus phishing simulation for F&I, sales, and service staff — the roles attackers target.

5. A written incident response plan

   A documented IR plan that has been tabletop-tested, with carrier-notification steps built in.

6. A written information security program (WISP)

   Your FTC Safeguards WISP is increasingly requested as evidence of a managed program — and it answers most of the questionnaire in one document.

How your WISP affects the premium

Here's the part most dealers miss: the work you do to comply with the FTC Safeguards Rule is largely the same work that makes you a better insurance risk. A documented, operating WISP helps in three concrete ways:

  • It answers the questionnaire. The application's control questions map almost one-to-one onto the nine Safeguards elements. Hand the underwriter a real WISP and you're answering from evidence, not guesswork.
  • It improves your terms. Underwriters price risk. Stronger, documented controls can mean better pricing, higher limits, fewer sub-limit restrictions, and a smoother renewal — while gaps can mean surcharges, exclusions, or a declination.
  • It protects the claim. A program you can evidence is far harder for a carrier to challenge after a loss than informal "our IT guy handles it" assurances.

Before you renew: the 7-question readiness check


If you can't answer "yes" — with documentation — to each of these, fix the gap before you sign the application.

  1. Is MFA enforced on email, remote access, DMS, and lender/manufacturer portals?
  2. Do we run EDR (not just antivirus) on every endpoint and server?
  3. Are backups encrypted, offline/immutable, and test-restored on a schedule?
  4. Do all staff complete recurring awareness training and phishing simulations?
  5. Do we have a written, tabletop-tested incident response plan?
  6. Do we have a current FTC Safeguards WISP we could hand the carrier today?
  7. Can every "yes" on the application be backed with documentation?

The bottom line

Cyber insurance and FTC Safeguards compliance are two sides of the same coin. The controls that keep you compliant are the controls that get you insured on good terms — and the documentation that proves your program is what protects the claim when you need it most. Build the program once; satisfy the regulator and the underwriter together.

See how we get dealers control-ready on our cybersecurity for auto dealerships page, or read the cyber-insurance claim process guide.

Related reading: the 9 required WISP elements for dealers and lessons from the CDK Global ransomware attack.


Free FTC Safeguards WISP template — the document your underwriter wants to see.

All 9 control families with template language and evidence checklists, so your insurance application answers from documentation.


Make your dealership insurable — and compliant

We close the control gaps insurers underwrite on and document the program your carrier (and the FTC) will ask to see. Start with a free readiness assessment.
