Dealership DMS vendor risk is the cyber exposure that comes from running your business on a third party's platform. Your dealer management system holds the most sensitive data you have — credit applications, SSNs, driver's licences, bank details — and when something happens to that vendor, it happens to you.
Dealers learned this twice over. In June 2024, the CDK Global ransomware attack knocked roughly 15,000 dealerships offline for weeks. Then a separate ransomware attack on a DMS provider exposed the personal data of hundreds of thousands of dealership customers. Different incidents, same lesson: your vendor is part of your attack surface.
"CDK/Reynolds handles our security" is the dangerous myth
What the Safeguards Rule actually requires of you
The FTC Safeguards Rule names vendor oversight directly: you must select and retain service providers capable of safeguarding customer information, require them by contract to maintain safeguards, and periodically assess them. In other words, due diligence on your DMS — and every other vendor that touches customer data — is a written, ongoing obligation, not a handshake.
The DMS vendor due-diligence checklist
Get the security attestations in writing
Ask every vendor that touches customer data (DMS, CRM, F&I, payment, marketing) for a SOC 2 report or equivalent, and keep it on file. "We're secure" in a sales call is not due diligence.
Put breach-notification duties in the contract
Your contract should require the vendor to notify you of a security incident within a defined window — you can't meet your own 30-day FTC breach-notification duty if your vendor sits on the news.
Confirm what they protect — and what they don't
DMS providers secure their platform. Your endpoints, email, network, F&I file shares, and staff are yours. Map the boundary so nothing falls in the gap.
Enforce least-privilege on vendor access
Service accounts and vendor remote-access tools are a common entry point. Scope them tightly, monitor them, and review them quarterly.
Segment the DMS from everything else
A flat network means a breach anywhere reaches the DMS. Segmentation limits blast radius — especially across multiple rooftops.
Keep a vendor inventory and review it
List every system that touches customer data, the data it holds, its security posture, and its contract terms. Refresh it annually and whenever you add a tool.
6 questions to ask your DMS vendor
- 1Do you carry a current SOC 2 Type II (or equivalent) — can we see it?
- 2Within how many hours will you notify us of a security incident?
- 3Is MFA enforced on all access to our data, including your staff?
- 4How is our customer data encrypted, at rest and in transit?
- 5Who are your subcontractors, and how are they vetted?
- 6What is your tested recovery time if your platform goes down?
The bottom line
You can't outsource your way out of cyber risk by picking a big-name DMS. The vendor is one input to your security program — a powerful one, and a liability if you treat it as the whole thing. Vet it, contract for breach notice, segment it, and keep a living vendor inventory. That's what turns "we trust our DMS" into a defensible position.
See how we help dealers on our cybersecurity for auto dealerships page.
Related reading: lessons from the CDK Global ransomware attack, the 9 required WISP elements, and why one breach can hit every store.
Free FTC Safeguards WISP template — includes the vendor due-diligence section.
All 9 control families, with the service-provider oversight language and evidence checklists the FTC expects you to keep on file.
Get the free templateKnow your real DMS exposure
A free 30-minute assessment maps your vendor risk, network segmentation, and Safeguards gaps — and hands you a one-page roadmap. No obligation.
Get Free Assessment