Of the nine elements in the FTC Safeguards Rule, the first sets the tone for everything else: you must designate a Qualified Individual to be responsible for overseeing, implementing, and enforcing your information security program. One named person. Documented. Accountable to ownership.
It sounds simple, and most dealers treat it as a formality — they write the GM's or controller's name on a line and move on. That's where the trouble starts. The QI is the person the FTC, your cyber-insurer, and a plaintiff's attorney will all point to after an incident. Getting this designation right is worth more than a signature.
What the rule actually says
The Safeguards Rule requires the Qualified Individual to oversee and enforce the program. Per the FTC's own guidance for auto dealers, that person can be one of your employees, or someone who works for an affiliate or a service provider. They don't have to install software or configure firewalls. They do have to understand your business, have real authority, and be able to demonstrate the program is running.
Crucially, the rule says the QI must provide a written report at least annually to your board of directors or equivalent governing body — for most dealerships, that means the dealer principal or ownership group — covering the overall status of the program and any material incidents.
You can outsource the role — not the responsibility
What the Qualified Individual is on the hook for
Own the written information security program
The QI is accountable for the WISP existing, being maintained, and actually operating — not just sitting in a binder. They don't have to write every line or configure every control, but the program is theirs.
Oversee the risk assessment
Make sure a written risk assessment is completed and refreshed — covering DMS access, F&I packet handling, credit-app storage, vendor access, and remote connectivity.
Oversee service providers
Confirm vendors that touch customer data (DMS, CRM, F&I tools, payment processors) are selected with due diligence and held to contractual security obligations.
Report to ownership at least annually
The rule explicitly requires a written report to the board or equivalent governing body — the dealer principal / ownership group — covering program status and any material incidents.
Keep the program current
Trigger a re-assessment after major changes: a DMS migration, an acquisition or new rooftop, a new F&I or marketing tool, or a security incident.
The three ways dealers fill the role
1. A capable internal employee. If you have an IT manager or a controller who genuinely understands security, has authority over vendors, and can keep documentation an auditor would accept, an in-house QI is legitimate and cost-effective. The risk: most dealership staff are stretched, and "security" competes with their day job.
2. Name a manager, hope for the best. The most common — and most dangerous — choice. A GM with no security background is named QI, the program is never really built, and the designation becomes a liability the day something goes wrong. A title on an org chart is not a program.
3. An outsourced ("virtual") Qualified Individual. A security partner supplies the QI function — the expertise, the documented risk assessment, the vendor oversight, the annual written report to ownership — while a designated person inside the dealership stays the internal point of contact. You get depth and continuity without hiring a full-time security leader.
When outsourcing the QI makes sense
Outsourcing isn't automatically right. Use this quick decision guide:
| Ask yourself | Keep in-house | Outsource the QI |
|---|---|---|
| Do you have a named person with real authority over IT and vendors? | An employee QI can work | Outsource if no one truly owns it |
| Can that person produce evidence the FTC would accept? | Keep in-house if yes | Outsource if it's informal / undocumented |
| Do they understand the 9 Safeguards elements and current threats? | In-house if genuinely current | Outsource the expertise, keep the title internal |
| Will they still own it in 18 months (turnover risk)? | In-house if stable | Outsource for continuity |
For most single-rooftop and small-group dealers, the honest answer is a hybrid: keep an internal owner who knows the store, and back them with an outsourced QI who supplies the expertise, documentation, and the annual report ownership needs to sign. This is exactly the gap a virtual CISO (vCISO) role is built to fill.
The designation auditors and insurers test
The bottom line
The Qualified Individual is the human anchor of your entire Safeguards program. Name the wrong person and the rest of the WISP is built on sand. Name the right one — internal, outsourced, or hybrid — and you have someone who can actually answer for the program when it counts.
See how we serve as the outsourced security leader for dealers on our vCISO service and our cybersecurity for auto dealerships page.
Related reading: the 9 required WISP elements for dealers and whether a small business needs a vCISO.
Free FTC Safeguards WISP template — with the Qualified Individual section built in.
All 9 control families, including the QI designation and the annual-report structure ownership needs to sign.
Need a Qualified Individual you can actually rely on?
We act as your outsourced QI — risk assessment, vendor oversight, and the annual report to ownership, all handled. Start with a free WISP-readiness assessment.