July 02, 2024
The recent cyberattack on CDK Global, which affected thousands of car dealerships nationwide, underscored significant vulnerabilities within industries in which a single vendor hack can disrupt entire swaths of the market, such as healthcare and fine arts. The incident disrupted daily operations and revealed critical weaknesses in the systems many dealerships rely on.
As cyber threats continue to evolve, reassessing cybersecurity strategies becomes crucial for car dealerships, with a particular focus on vendor management as well as comprehensive cyber insurance.
Lessons from CDK cyberattack: addressing outdated systems
Naturally, car dealerships are primarily focused on selling and servicing vehicles, with owners and managers dedicated to engaging with customers and running successful businesses. Business leaders in this space, may not be all that tech-savvy, and dealerships, in general, are not on the forefront of cyber best practices. While larger dealerships might have CIOs, many operate without any full-time IT staff and still use outdated, pre-Windows, DOS-based systems. Security limitations in these systems abound including:
- Lack of advanced security features like encryption.
- No multi-user support, making it vulnerable to unauthorized access and malware.
- Higher vulnerability to cyberattacks as cybercriminals view them as easy targets.
Managing vendor cybersecurity risks
The CDK breach, originating from a vulnerability in a specific vendor's technology, affected the Dealer Management System (DMS) used by thousands of dealerships across the country. This system is crucial for managing sales, ordering (vehicles and parts), and maintenance (scheduling, quoting, invoicing). The breach allowed malicious actors to launch a ransomware attack on CDK. Ransomware attackers infiltrate IT systems, silently moving through devices and stealing corporate data. After taking all data and gaining control, they encrypt every device and leave ransom notes. They demand payment to decrypt devices and promise not to leak stolen data, using it as leverage.
The impact of the breach was multifaceted:
- Sales Operations: Dealerships faced significant delays in processing vehicle and parts orders, resulting in customer dissatisfaction and lost sales opportunities.
- Maintenance Scheduling: The disruption of maintenance scheduling systems led to confusion and delays in service appointments, affecting customer trust and revenue.
- Quoting and Invoicing: The inability to generate accurate quotes and invoices in a timely manner hindered financial operations and strained dealer-customer relationships.
Most dealerships are heavily dependent on their DMS vendors and lack the IT resources to easily switch to alternative solutions. The "switching cost"—the financial, time, and resource investment required to transition to a new vendor—is prohibitively high. This includes not only the direct expenses of purchasing new software but also the indirect costs of training staff, migrating data, and adjusting business processes. In addition, given manufacturer vendor mandates, they have a limited universe from which to choose. Consequently, dealerships remain tied to their current vendors despite the risks exposed by the breach, underlining the critical need for robust cybersecurity measures and comprehensive contingency plans.
Leveraging comprehensive cyber insurance policies
A comprehensive cyber insurance policy should cover both direct and contingent business interruption. In cybersecurity insurance, "direct disruption" refers to immediate, tangible losses caused by a cyber incident, such as system damage, supply chain disruption, and negative publicity. "Business disruption," on the other hand, involves the broader impact on business operations, including:
- Lost revenue
- Downtime
- The cost of restoring normal operations
Cyber insurance policies also address costs related to business continuity measures, such as overtime payments for staff and finding alternative vendors.
A well-structured cyber insurance policy can also provide:
- Financial support
- Coverage for costs associated with switching to alternative vendors
- Mitigation of operational disruptions
Developing backup systems and alternative vendor arrangements are also key components of a resilient cybersecurity strategy. This type of planning can come into play before a breach occurs as part of a comprehensive proactive risk management plan, which may also include steps like business continuity planning and customer response planning.
Proactive risk management
Companies can stay vigilant to thwart potential attacks by implementing risk management best practices into their systems and culture. Here are a few examples.
Conduct business continuity planning
Dealerships would benefit from detailed business continuity planning, preparing for worst-case scenarios, and rehearsing the steps to bring their business back online. Planning for the absence of technology—such as reverting to manual processes—helps maintain operations during a cyber incident.
As mentioned, cyber insurance coverage allows businesses that may not be as focused on tech to build in a safety net should unforeseen events occur.
Identify and correct single points of failure
Addressing single points of failure is a vital part of business continuity efforts. Evaluating whether a supplier, specific equipment, a key staff member, or other resource could bottleneck the business if they become unavailable can guide backup plan development. In the case of the CDK Global breach, for example, many dealerships did not have a digital backup plan and thus resorted to pen-and-paper methods for selling and managing inventory.
Develop a breach response plan
When a breach happens, multiple response plans are put into action. Beyond the technical response, leaders need to think about the communications of the breach to employees and customers. Developing best practices and policies for transparently communicating breaches when they happen will allow you to act quickly and communicate transparently. These initial communications touchpoints will be important for restoring trust with key stakeholders.
Carefully vet and oversee vendors
Careful vendor vetting and oversight prevent vulnerabilities from being exploited. Review contracts to understand who is responsible for patch management and other cybersecurity activities. Regularly update and verify vendor compliance to strengthen security.
Review insurance policies regularly
Thoroughly reviewing insurance policies ensures proper protection. Verify the coverage is relevant to how the dealership operates. This will help you better understand the fine print, especially during policy renewals, which can prevent gaps in coverage.
Exercise vigilance
- Assume cyber criminals are targeting your business
- Bring in specialists to evaluate cyber vulnerabilities
- Conduct regular cyber training for all employees since over 80% of cyber breaches trace back to human error
Looking ahead
The CDK Global hack serves as a stark reminder of the cybersecurity challenges faced by car dealerships. To protect against future cyber threats, proactively manage vendor relationships, invest in comprehensive cyber insurance, and develop robust contingency plans. Businesses can also partner with a cybersecurity insurance broker to ensure they are adequately protected against potential hacks. By addressing these challenges head-on, you can ensure business continuity and build resilience in the face of evolving cyber threats.
Want to learn more
Find Luke Shipp on LinkedIn.
Find Allen Blount on LinkedIn.
Connect with Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.