
The FTC Safeguards Rule for Auto Dealers — What Your WISP Must Include

Every dealer that arranges financing falls under the rule. Here are the nine required elements of a written information security programme — in plain English, with dealership-specific examples.

If your dealership arranges financing for customers, even occasionally, you are a "financial institution" under the Gramm-Leach-Bliley Act as the FTC defines it, and the FTC Safeguards Rule applies to you. The amended rule has been fully enforceable since its compliance deadline of June 9, 2023, and since May 13, 2024 dealers must also notify the FTC within 30 days of discovering a breach involving unencrypted customer information of 500 or more consumers.

Civil penalties under the FTC Act are adjusted for inflation every year; the widely quoted $43,792 per violation per day comes from the 2021 adjustment and the current figure is higher, so check the FTC's latest notice. State attorneys general can also enforce. And, practically more painful, if a breach happens and you can't produce a compliant WISP, expect your cyber-insurer to contest or deny the claim.

Below are the nine elements your written information security programme must contain, in plain English with dealership-specific notes for each.

The 9 Required Elements

Each element is a requirement of the rule, not a recommendation. Each must be documented in your WISP, and each must be operating, not just written down.

1. Designate a Qualified Individual

One named person responsible for the security programme.

For dealers: For most franchise dealers this is the GM, controller, IT manager, or an outsourced "virtual" Qualified Individual from a security partner. The person doesn't need to be a cybersecurity expert, but they must own the programme and report to ownership. If you outsource the role, the rule still requires you to name a senior employee to direct and oversee that provider; responsibility for compliance stays with the dealership.

2. Conduct a written risk assessment

Document foreseeable internal and external threats to customer information.

For dealers: Cover DMS access, F&I packet handling, scanned IDs, credit-app storage, vendor access, payroll, service department devices, multi-rooftop network connectivity, and remote access. Refresh annually and after major changes (DMS migration, acquisition, new tool rollout).

3. Implement access controls

Least-privilege access, no shared logins, role-based permissions.

For dealers: End the "everyone uses the same F&I login" practice immediately. Each user gets a named account; service writers don't need access to F&I files; sales doesn't need access to accounting. Document the access matrix and review it quarterly.
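The quarterly access review above is easy to promise and rarely done because nobody wants to eyeball a 200-row user list. As an added example (not code from the article or from any DMS vendor), the script below runs that review over a DMS user export: it flags shared or generic logins, permissions outside a department's baseline, dormant accounts, and one employee holding several accounts. The CSV columns, the ROLE_MATRIX baseline and the sample export are all assumptions; adapt them to your DMS's actual permission labels.

```python
"""Quarterly access-matrix review over a DMS user export.

Added example, not code from the original article or from any DMS vendor.
Assumes a CSV export with the columns username, employee_id, department,
permissions (semicolon-separated) and last_login (YYYY-MM-DD); the sample
below is constructed. ROLE_MATRIX is an assumed least-privilege baseline of
which permission areas each department needs; adapt both to your DMS.
"""
import csv
import io
from datetime import date, datetime

# Assumed least-privilege baseline: permission areas each department may hold.
ROLE_MATRIX = {
    "sales":      {"crm", "inventory"},
    "service":    {"service", "parts", "inventory"},
    "fi":         {"fi", "crm", "lender_portal"},
    "accounting": {"accounting", "payroll", "fi_readonly"},
    "it":         {"admin"},
}

# Usernames that signal a shared login rather than a named person.
GENERIC_LOGINS = {"fi", "finance", "sales", "service", "parts", "admin",
                  "desk", "manager", "frontdesk", "shared"}

DORMANT_DAYS = 90  # no login in this many days: disable and ask why

# Constructed sample export: one clean user, one shared F&I login, one
# service writer with F&I rights, one dormant controller login, one duplicate.
SAMPLE_EXPORT = """username,employee_id,department,permissions,last_login
jsmith,1001,sales,crm;inventory,2024-09-28
fi,,fi,fi;crm;lender_portal,2024-09-30
mlopez,1002,service,service;parts;fi,2024-09-29
tnguyen,1003,accounting,accounting;payroll,2024-05-01
tnguyen2,1003,accounting,accounting,2024-09-30
"""


def review_access(csv_text, today):
    """Return (username, finding) pairs for every access-matrix exception."""
    findings = []
    accounts_by_employee = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"].strip().lower()
        emp = row["employee_id"].strip()
        dept = row["department"].strip().lower()
        perms = {p.strip().lower() for p in row["permissions"].split(";") if p.strip()}

        # Shared or generic logins: the rule wants one named account per person.
        if user in GENERIC_LOGINS or not emp:
            findings.append((user, "shared or generic login; issue named accounts"))

        # Over-privilege: any permission outside the department's baseline.
        extra = perms - ROLE_MATRIX.get(dept, set())
        if extra:
            findings.append((user, f"permissions outside {dept} role: {sorted(extra)}"))

        # Dormant accounts: ex-employees and old vendor logins show up here.
        last = row["last_login"].strip()
        if not last:
            findings.append((user, "never logged in; remove or justify"))
        else:
            age = (today - datetime.strptime(last, "%Y-%m-%d").date()).days
            if age > DORMANT_DAYS:
                findings.append((user, f"dormant for {age} days; disable"))

        # One person with several accounts is usually a forgotten old login.
        if emp:
            if emp in accounts_by_employee:
                findings.append((user, f"duplicate account for employee {emp} "
                                       f"(also {accounts_by_employee[emp]})"))
            else:
                accounts_by_employee[emp] = user
    return findings


def review_sample():
    """Run the review over the constructed export as of 2024-10-01."""
    return review_access(SAMPLE_EXPORT, date(2024, 10, 1))


if __name__ == "__main__":
    for user, finding in review_sample():
        print(f"{user:10} {finding}")
```

Keep the output of each quarterly run with the WISP: the list of findings and what was done about them is the evidence that the access review is "operating, not just written down".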

4. Identify and inventory customer information

Know where customer data lives — every system, every file share, every paper file.

For dealers: Map your DMS records, F&I deal jackets (paper and digital), credit-app uploads, scanned licences, accounting exports, and any back-office spreadsheets. You can't protect what you haven't inventoried.

5. Encrypt customer information in transit and at rest

Encryption everywhere customer data moves or sits.

For dealers: DMS-to-lender connections, email containing PII, file-share storage of F&I documents, laptops, tablets, and any USB devices used for backups. The rule lets the Qualified Individual approve an alternative compensating control in writing where encryption is genuinely infeasible, but "we never got around to it" is not infeasibility. The most common failure is the back-office spreadsheet: a credit-app or deal export sitting unencrypted on a shared drive or a controller's laptop.
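Elements 4 and 5 meet on the file share: the inventory has to find the unencrypted spreadsheet before anyone can encrypt or delete it. As an added example (not code from the article), the scanner below walks a share of text and CSV files and counts Social Security numbers and ABA bank routing numbers, the two identifiers present on nearly every credit application, applying the SSA's never-issued ranges and the ABA mod-10 checksum so that RO numbers and lot tags don't produce false hits. The share layout and file contents are constructed; PDF, xlsx and DMS exports would need their own parsers, which are assumed out of scope here.

```python
"""Customer-NPI discovery scan over a dealership file share.

Added example, not code from the original article. Walks a directory of
plain-text and CSV files looking for Social Security numbers and ABA bank
routing numbers and returns per-file counts to feed the data inventory.
The share layout and file contents below are constructed; PDF, xlsx and
DMS exports need their own parsers (assumed out of scope here).
"""
import os
import re
import tempfile

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def valid_routing_number(digits):
    """ABA routing numbers carry a mod-10 check with weights 3, 7, 1 repeated."""
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def scan_text(text):
    """Count plausible SSNs and checksum-valid routing numbers in one file's text."""
    ssns = sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))
    routing = sum(1 for m in NINE_DIGITS_RE.finditer(text)
                  if valid_routing_number(m.group()))
    return {"ssn": ssns, "routing": routing}


def scan_share(root, extensions=(".csv", ".txt")):
    """Walk a share and map each file holding NPI to its identifier counts."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                counts = scan_text(fh.read())
            if counts["ssn"] or counts["routing"]:
                inventory[os.path.relpath(path, root).replace(os.sep, "/")] = counts
    return inventory


# Constructed sample share: an F&I deal log and a payroll export hold NPI;
# the service RO log only has look-alike numbers that fail the checks.
SAMPLE_FILES = {
    "fi/deals_q3.csv": (
        "deal,customer,ssn,bank_routing,bank_acct\n"
        "2024-0911,A. Customer,078-05-1120,021000021,4417\n"
        "2024-0912,B. Customer,219-09-9999,021000021,9130\n"
    ),
    "service/ro_log.txt": (
        "RO 123456789 oil change, callback 555-123-4567\n"
        "lot tag 000-12-3456 (test pattern, not an SSN)\n"
    ),
    "accounting/payroll_export.txt": (
        "employee,ssn\nstaff1,987-65-4320\nstaff2,123-45-6789\n"
    ),
}


def scan_sample():
    """Materialise the constructed share in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="npi_scan_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_share(root)


if __name__ == "__main__":
    for rel, counts in sorted(scan_sample().items()):
        print(f"{rel}: {counts['ssn']} SSN(s), {counts['routing']} routing number(s)")
```

Run it against a copy of each share from a machine the Qualified Individual controls, and record every hit in the inventory with its owner, retention reason and encryption status; files with no owner or no reason are the disposal list for element 8.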

6. Adopt secure development and change-management practices

Security baked into how you change systems and onboard tools.

For dealers: Few dealers write software of their own, so in practice this element is vendor due diligence on every system that touches customer data (DMS, CRM, F&I tools, marketing platforms, payment processors), contracts that require those vendors to safeguard the data, periodic reassessment of them, and a documented change-management process for adopting new tools or updating existing ones.

7. Implement multi-factor authentication (MFA)

MFA on every account that can access customer information.

For dealers: DMS, email, RDP, VPN, accounting, payroll, F&I tools, lender portals, manufacturer portals. The single highest-impact control on this list. Most dealer ransomware events start with a phished or reused password that MFA would have blocked. The rule allows an exception only where the Qualified Individual approves a reasonably equivalent control in writing; "the DMS vendor doesn't support it" is a finding to raise with the vendor, not an exemption.

8. Implement secure data disposal

Documented retention and disposal procedures for customer data.

For dealers: Paper deal jackets shredded, end-of-life devices wiped or destroyed, scanned IDs purged after the retention period, old F&I exports deleted on schedule. The rule's default is disposal no later than two years after the information was last used, unless a legitimate business or legal reason requires keeping it longer. Most dealers have no documented retention schedule; fix that first.

9. Implement monitoring, training, incident response, and reporting

Run the programme, don't just write it.

For dealers: Continuous monitoring of the systems that hold customer data (the rule's alternative is annual penetration testing plus vulnerability assessments at least every six months), security awareness training tailored to F&I, sales, and service roles, a written incident response plan that has been tabletop-tested, at least annual written reporting from the Qualified Individual to ownership, and, since May 2024, notification to the FTC within 30 days of discovering a breach involving unencrypted customer information of 500 or more consumers.

What Doesn't Count

A few things many dealers assume satisfy the Safeguards Rule but don't:

  • Your DMS vendor's security controls. They protect their platform. They don't protect your endpoints, your email, your file shares, your paper files, or your vendor chain.
  • A "cyber check-up" from a year ago. The rule requires periodic risk re-assessment, ongoing monitoring, and continuous training. A snapshot isn't a programme.
  • Your local IT shop "handling it." They may handle your IT. The Safeguards Rule requires a documented programme with a designated Qualified Individual and demonstrable controls — not informal IT support.
  • Antivirus software. Antivirus is a control, not a programme. The rule requires nine specific elements; AV touches maybe one of them.

Penalties — and the Things That Hurt More

The headline penalty is the FTC Act's inflation-adjusted civil penalty, quoted as $43,792 per violation per day at the 2021 adjustment and higher today. State attorneys general bring their own actions. But the financial impact most dealers feel comes from:

  • Cyber-insurance claim denial. Most policies now require a documented WISP and attestations to specific controls (MFA, EDR, awareness training, backups). Misrepresent any of those on the application and the insurer has grounds to deny the claim.
  • State data-breach notification costs. All 50 states have breach-notification laws. Per-record costs for legal work, mailing, and credit monitoring are commonly estimated at $150–$300.
  • Civil litigation. Class actions follow large breaches. Dealerships hold SSNs and bank info on every credit applicant.
  • Manufacturer scrutiny. Manufacturers increasingly review dealer cyber posture during franchise reviews. A breach can trigger franchise-agreement consequences.

The 9-Question Self-Audit

Walk through these in order. If you can't answer "yes" — with documentation — to each one, you have a Safeguards gap.

  1. Have we designated a Qualified Individual in writing?
  2. Have we completed a written risk assessment in the past 12 months?
  3. Do we have named user accounts on the DMS, with no shared logins?
  4. Do we know every system, file share, and paper location holding customer NPI?
  5. Is customer NPI encrypted in our F&I storage and back-office files?
  6. Have we run vendor due diligence on every system handling customer data?
  7. Is MFA enforced on DMS, email, lender portals, and admin accounts?
  8. Do we have a documented retention and secure-disposal schedule?
  9. Do we run continuous monitoring and awareness training, and do we have a tested incident response plan?

The Bottom Line

The Safeguards Rule isn't about ticking boxes — it's about running a real, documented, ongoing security programme. The nine elements aren't ambiguous. The penalty exposure isn't theoretical. And after the CDK Global ransomware attack of June 2024, every dealer should already have a board-level conversation about cyber underway.

If you can't answer the 9-question self-audit with a clear yes — backed by documentation — you have work to do. The good news: a typical franchise rooftop can stand up a defensible WISP in 60–90 days with the right partner.

Related reading: See our companion piece on what dealers can learn from the CDK Global ransomware attack.

Free WISP-Readiness Assessment

We map your dealership against all 9 elements and hand you a one-page roadmap. No obligation. No IT-jargon report.
