
Dealership Cybersecurity Checklist: 25 Essential Controls

Complete dealership cybersecurity checklist covering 25 essential controls for automotive dealership compliance with FTC Safeguards Rule. Protect customer data and avoid costly breaches.


Michael Donovan

VP Marketing · November 11, 2025

Dealership Cybersecurity Checklist: 25 Essential Controls for Automotive Compliance

In 2024, automotive dealerships became the third most-targeted industry for cyberattacks, with 67% of dealers reporting at least one security incident [Source: Automotive ISAC, 2024]. The average cost of a data breach in the automotive sector now exceeds $4.8 million, not including regulatory fines from FTC Safeguards Rule violations [Source: IBM Security, 2024]. For dealerships managing thousands of customer records daily - from credit applications to service histories - implementing robust dealership cybersecurity measures isn't optional; it's a business imperative and legal requirement.

This comprehensive guide is part of our Automotive Dealership Compliance Guide: FTC, FCC & Data Security series, providing a practical 25-point checklist that addresses both automotive dealership compliance requirements and real-world security threats. Whether you're a single-point dealer or a multi-location group, these controls form the foundation of a defensible security program that protects your customers, your business, and your reputation.

The stakes have never been higher. The FTC's updated Safeguards Rule now requires specific technical controls, regular risk assessments, and documented security programs. Simultaneously, cybercriminals have developed sophisticated attacks specifically targeting dealership management systems (DMS), customer relationship management (CRM) platforms, and business development centers (BDC). This checklist translates complex regulatory requirements into actionable steps your team can implement immediately.

Quick Summary

What: A comprehensive 25-point cybersecurity checklist specifically designed for automotive dealerships, covering technical controls, administrative policies, and compliance requirements mandated by FTC Safeguards Rule and industry best practices.

Why:

  • Regulatory Compliance: Meet FTC Safeguards Rule requirements and avoid penalties up to $46,517 per violation
  • Financial Protection: Prevent data breaches averaging $4.8 million in total costs, plus lost customer trust
  • Operational Continuity: Maintain business operations during cyber incidents - ransomware attacks shut down dealerships for an average of 21 days [Source: Automotive News, 2024]

How: Implement controls across five critical domains: Access Management, Data Protection, Network Security, Incident Response, and Vendor Management. Each control includes specific implementation steps, compliance mapping, and priority levels based on risk and regulatory requirements.


Understanding Dealership Cybersecurity Requirements

Automotive dealerships operate in a unique threat landscape. Unlike typical retail businesses, dealers handle extraordinarily sensitive financial data - full credit reports, Social Security numbers, driver's licenses, bank account information - while simultaneously managing complex technology ecosystems. Your DMS, CRM, F&I systems, parts inventory, service scheduling, and BDC platforms all contain customer data requiring protection.

The FTC Safeguards Rule, originally enacted under the Gramm-Leach-Bliley Act (GLBA), treats automotive dealerships as financial institutions because you regularly extend credit to customers. The 2023 amendments significantly strengthened requirements, mandating specific technical controls rather than general security principles. Dealerships with 5,000+ customer records must now implement encryption, multi-factor authentication, penetration testing, and formal incident response plans.

Beyond federal regulations, state data breach notification laws create additional obligations. California's CCPA, Virginia's CDPA, and similar laws in 12+ states require specific disclosure timelines and consumer rights protections. A single breach can trigger notification requirements across multiple jurisdictions, each with different deadlines and penalties.

The threat actors targeting dealerships have evolved dramatically. Organized cybercrime groups now develop ransomware specifically designed to encrypt DMS databases, knowing dealers cannot operate without access to inventory and customer records. Phishing campaigns impersonate manufacturer representatives, finance companies, and even customers to trick employees into revealing credentials. Business email compromise (BEC) attacks have cost individual dealerships hundreds of thousands in fraudulent wire transfers.

The 25 Essential Cybersecurity Controls

Access Management & Authentication (Controls 1-6)

Control 1: Implement Multi-Factor Authentication (MFA)

Require MFA for all systems containing customer information, especially DMS, CRM, email, and remote access. Use authenticator apps or hardware tokens rather than SMS-based codes, which can be intercepted. FTC Safeguards Rule explicitly requires MFA for any system accessing customer data.

Control 2: Enforce Strong Password Policies

Require 12+ character passwords combining uppercase, lowercase, numbers, and symbols. Implement 90-day rotation for administrative accounts, 180 days for standard users. Use password managers to reduce written passwords. Ban common passwords like "Dealer123" or vehicle model names.
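As an added example (not from the original article), a small Python policy check implementing the Control 2 requirements: length, character classes, the banned-term list (the control's own "Dealer123" plus vehicle model names, which here are assumed sample values), and the 90/180-day rotation schedule. The leetspeak normalization is there because a banned model name padded with digits and symbols is still a banned model name.

```python
import re
from datetime import date

# Constructed banned-term list: the base of the control's own example ("Dealer123")
# plus sample vehicle model names. A real deployment would load the store's inventory
# model names; these values are assumptions for this example.
BANNED_TERMS = ("dealer", "password", "silverado", "camry", "civic", "tacoma", "mustang")

# Undo common character substitutions so "C4mry!" still matches "camry".
_LEET = str.maketrans("@$0341!", "asoeaii")

# Rotation schedule from the control: 90 days for admins, 180 for standard users.
ROTATION_DAYS = {"admin": 90, "standard": 180}

REQUIRED_CLASSES = (
    ("uppercase", r"[A-Z]"),
    ("lowercase", r"[a-z]"),
    ("digit", r"[0-9]"),
    ("symbol", r"[^A-Za-z0-9]"),
)


def password_violations(password: str) -> list:
    """Return the list of Control 2 violations for a proposed password.

    An empty list means the password is acceptable. Banned terms are matched
    after lowercasing and undoing leetspeak, so padding a model name with
    digits and symbols ("S1lverad0-2024") does not get it past the filter.
    """
    violations = []
    if len(password) < 12:
        violations.append("fewer than 12 characters")
    for label, pattern in REQUIRED_CLASSES:
        if not re.search(pattern, password):
            violations.append(f"no {label} character")
    normalized = password.lower().translate(_LEET)
    for term in BANNED_TERMS:
        if term in normalized:
            violations.append(f"contains banned term '{term}'")
    return violations


def rotation_due(last_changed: str, today: str, account_type: str) -> bool:
    """True when a password (ISO dates) is past its rotation deadline for the account type."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return elapsed.days >= ROTATION_DAYS[account_type]


if __name__ == "__main__":
    for candidate in ("Dealer123!abc", "S1lverad0-2024", "alllowercase12", "Correct-Horse-Battery-7"):
        print(f"{candidate!r}: {password_violations(candidate) or 'OK'}")
    print("admin rotation due:", rotation_due("2025-01-01", "2025-04-01", "admin"))
```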

Control 3: Principle of Least Privilege

Grant employees minimum access necessary for their roles. Sales staff shouldn't access service records; service advisors don't need F&I system access. Create role-based access groups in your DMS and review quarterly. This control alone prevents 58% of insider threat incidents [Source: Verizon DBIR, 2024].

Control 4: Immediate Access Revocation

Disable accounts within one hour of employee termination or role change. Dealerships average 22% annual turnover; departed employees with active credentials represent critical vulnerabilities. Implement automated deprovisioning integrated with HR systems.

Control 5: Privileged Access Management

Restrict and monitor administrative accounts. Never use admin credentials for daily tasks. Require approval and logging for all privileged access. Change default passwords on all systems - DMS, routers, security cameras, door access systems.

Control 6: Regular Access Reviews

Conduct quarterly audits of who has access to which systems. Remove unnecessary permissions, validate business justification for sensitive access, and document reviews for compliance audits. Use DMS audit logs to identify unused accounts.
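To make Controls 4 and 6 concrete, here is an added Python example (not the article's own tooling) that cross-checks a constructed HR roster against a constructed DMS account export: it flags enabled accounts belonging to terminated employees, logins that happened after the termination date, accounts with no login in 90 days (the dormancy window is an assumption), and accounts that map to no employee at all.

```python
from datetime import datetime, timedelta

# Constructed sample standing in for an HR roster export. Values are assumptions.
HR_ROSTER = [
    {"employee_id": "E100", "status": "active", "terminated": None},
    {"employee_id": "E101", "status": "terminated", "terminated": datetime(2025, 9, 30)},
    {"employee_id": "E102", "status": "active", "terminated": None},
]

# Constructed sample standing in for a DMS user export joined with each account's last
# successful login from the DMS audit log. Values are assumptions.
DMS_ACCOUNTS = [
    {"username": "asales",     "employee_id": "E100", "role": "sales",   "enabled": True,  "last_login": datetime(2025, 11, 10, 9, 15)},
    {"username": "bservice",   "employee_id": "E101", "role": "service", "enabled": True,  "last_login": datetime(2025, 10, 2, 8, 0)},
    {"username": "cfinance",   "employee_id": "E102", "role": "fi",      "enabled": True,  "last_login": datetime(2025, 6, 1, 10, 0)},
    {"username": "vendor_svc", "employee_id": None,   "role": "admin",   "enabled": True,  "last_login": None},
    {"username": "oldtemp",    "employee_id": "E101", "role": "service", "enabled": False, "last_login": None},
]

DORMANT_DAYS = 90  # assumed dormancy window; the control itself only says "unused accounts"


def access_review(roster, accounts, review_date, dormant_days=DORMANT_DAYS):
    """Cross-check DMS accounts against HR and return findings by category.

    review_date is an ISO date string. Categories:
      terminated_still_enabled: account enabled although HR marks the person terminated
      used_after_termination:   such an account also logged in after the termination date
      dormant:                  enabled account with no login within dormant_days
      orphaned:                 enabled account that maps to no employee (shared, vendor, ghost)
    """
    review = datetime.fromisoformat(review_date)
    by_employee = {e["employee_id"]: e for e in roster}
    findings = {"terminated_still_enabled": [], "used_after_termination": [],
                "dormant": [], "orphaned": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked; nothing to review
        name, last = acct["username"], acct["last_login"]
        emp = by_employee.get(acct["employee_id"])
        if emp is None:
            findings["orphaned"].append(name)
        elif emp["status"] == "terminated":
            findings["terminated_still_enabled"].append(name)
            if last is not None and last > emp["terminated"]:
                findings["used_after_termination"].append(name)
        if last is None or review - last > timedelta(days=dormant_days):
            findings["dormant"].append(name)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, users in access_review(HR_ROSTER, DMS_ACCOUNTS, "2025-11-11").items():
        print(f"{category}: {users}")
```

An account that appears under used_after_termination is a potential incident, not just a hygiene finding, and belongs in the incident response process rather than the quarterly review.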

Data Protection & Encryption (Controls 7-11)

Control 7: Encrypt Data at Rest

All customer information stored on servers, workstations, and mobile devices must use AES-256 encryption. This includes DMS databases, CRM systems, and file servers containing credit applications or service records. Modern DMS platforms offer built-in encryption - ensure it's enabled.

Control 8: Encrypt Data in Transit

Use TLS 1.2+ for all network communications. Verify your dealership website uses HTTPS, especially lead forms and credit applications. Configure email systems to require encrypted connections. Disable outdated protocols like SSL and TLS 1.0.

Control 9: Secure Data Disposal

Physically destroy hard drives, USB drives, and printed documents containing customer data. Use certified shredding services for paper records. Wipe or destroy devices before recycling. Document disposal in compliance logs.

Control 10: Data Retention Policies

Keep customer data only as long as legally required - typically 7 years for finance documents, 3-5 years for service records. Automatically purge old records to minimize breach exposure. Balance retention requirements against privacy principles.

Control 11: Laptop and Mobile Device Encryption

Require full-disk encryption on all laptops, tablets, and smartphones accessing dealership systems. Enable remote wipe capabilities for lost devices. Require encryption before allowing personal devices (BYOD) to access email or CRM.

Network Security & Infrastructure (Controls 12-16)

Control 12: Firewall Configuration and Management

Deploy next-generation firewalls at the network perimeter. Configure rules to block unnecessary inbound traffic and restrict outbound connections to known-good destinations. Update firmware monthly. Log all blocked connection attempts for threat intelligence.

Control 13: Network Segmentation

Separate customer data systems from general business networks. Isolate DMS/CRM on protected VLANs. Guest WiFi must never connect to internal networks. Create separate segments for security cameras, VOIP phones, and IoT devices.

Control 14: Wireless Security

Use WPA3 encryption on all WiFi networks. Change default SSIDs and disable SSID broadcast for internal networks. Rotate WiFi passwords quarterly. Never use the same password for guest and employee networks.

Control 15: Vulnerability Management

Run monthly vulnerability scans of all internet-facing systems. Patch critical vulnerabilities within 15 days, high-severity within 30 days. Prioritize DMS, CRM, and website patches. Subscribe to vendor security bulletins.

Control 16: Endpoint Detection and Response (EDR)

Deploy EDR software on all workstations and servers. Traditional antivirus is insufficient - modern threats require behavioral analysis and threat hunting. EDR solutions detect ransomware, credential theft, and lateral movement.

Incident Response & Monitoring (Controls 17-20)

Control 17: Security Information and Event Management (SIEM)

Centralize logging and real-time monitoring of security events. Alert on failed login attempts, after-hours access, privilege escalation, and data exfiltration. Review logs weekly; retain for 90+ days per FTC requirements.

Control 18: Incident Response Plan

Document procedures for detecting, containing, and recovering from security incidents. Define roles (who calls the shots during a breach?), communication protocols (when do you notify customers?), and recovery priorities (DMS restoration first). Test annually through tabletop exercises.

Control 19: Data Backup and Recovery

Take daily incremental and weekly full backups of all critical systems. Store backups offline or in immutable cloud storage to prevent ransomware encryption. Test restoration quarterly - 72% of dealerships discover backup failures only after an incident [Source: Automotive ISAC, 2024].

Control 20: Security Awareness Training

Provide quarterly training for all employees covering phishing recognition, password security, physical security, and social engineering. Include role-specific training - F&I managers need a different focus than lot attendants. Track completion and test retention.

Vendor Management & Third-Party Risk (Controls 21-25)

Control 21: Vendor Security Assessments

Evaluate cybersecurity practices of all vendors accessing customer data - DMS providers, CRM platforms, lead generation companies, marketing agencies. Require SOC 2 reports or security questionnaires. Document assessments annually.

Control 22: Vendor Contract Requirements

Include specific security obligations in contracts: encryption requirements, breach notification timelines (24-48 hours), liability provisions, right to audit. Never sign vendor contracts without legal review of data protection clauses.

Control 23: Vendor Access Controls

Limit vendor access to specific systems and timeframes. Use separate vendor accounts rather than sharing employee credentials. Monitor vendor activity through audit logs. Disable access immediately when services end.

Control 24: Service Provider Oversight

For critical vendors (DMS, CRM), appoint an internal relationship manager responsible for security oversight, including quarterly security reviews, annual penetration test results, and incident notification protocols. This is a specific FTC Safeguards Rule requirement.

Control 25: Supply Chain Risk Management

Assess security risks in your technology supply chain. Verify vendors don't use high-risk subcontractors or offshore development in countries with weak data protection laws. Understand where customer data flows and who can access it.

Implementing Your Cybersecurity Program

Translating this 25-point checklist into operational reality requires structured implementation. Start with a risk assessment documenting current security posture, identifying gaps, and prioritizing controls based on risk and compliance requirements. The FTC Safeguards Rule requires annual risk assessments conducted by qualified personnel.

Create a phased implementation roadmap. Quick wins (30 days): Enable MFA, update passwords, conduct employee training, review vendor contracts. Medium-term (90 days): Deploy EDR, implement network segmentation, establish backup procedures, develop incident response plan. Long-term (180+ days): SIEM deployment, penetration testing, comprehensive vendor assessments.

Assign a qualified individual to oversee your information security program - this is another explicit FTC requirement. For single-point dealers, this might be your IT manager or controller with security training. Multi-location groups should consider a dedicated Chief Information Security Officer (CISO) or fractional CISO service.

Document everything. Compliance audits require evidence of implementation - configuration screenshots, policy documents, training completion records, vendor assessment reports, risk assessment findings. Create a centralized compliance folder (encrypted, of course) containing all security documentation.

For comprehensive guidance on the regulatory requirements driving these controls, see our complete Automotive Dealership Compliance Guide: FTC, FCC & Data Security. Understanding the "why" behind each control helps prioritize implementation and justify budget requests to ownership.

Common Implementation Challenges and Solutions

Challenge: Budget Constraints

Dealership principals often view cybersecurity as pure cost rather than investment. Reality: The average breach costs $4.8 million versus $50,000-150,000 annual investment in proper security. Present cybersecurity as insurance - you're not spending money, you're avoiding catastrophic loss. Many controls (password policies, access reviews, training) cost nothing but time.

Challenge: Employee Resistance

Sales staff complain MFA slows them down. Service advisors hate password complexity. Reality: One compromised account can shut down your entire operation. Frame security controls as protecting their jobs - if the dealership suffers a breach, everyone's employment is at risk. Gamify training with rewards for spotting phishing tests.

Challenge: Legacy Systems

Older DMS versions don't support modern encryption or MFA. Reality: This represents unacceptable risk. Upgrade or migrate to compliant platforms. If immediate replacement is impossible, implement compensating controls - network isolation, enhanced monitoring, restricted access. Document the risk and mitigation plan.

Challenge: Vendor Cooperation

Third-party providers resist security assessments or contract modifications. Reality: If a vendor won't demonstrate basic security competence, they're not suitable for handling customer data. The FTC Safeguards Rule makes you responsible for vendor security - you can't outsource compliance. Find alternative providers willing to meet your requirements.

Challenge: Keeping Current

Cybersecurity threats evolve constantly; yesterday's controls become obsolete. Solution: Subscribe to automotive-specific threat intelligence (Automotive ISAC), attend industry conferences, engage with peer dealerships. Quarterly security reviews ensure controls remain effective.

Measuring Cybersecurity Effectiveness

Implementing controls is only half the battle - you must verify they're working. Establish key performance indicators (KPIs) tracking security program health:

  • Mean Time to Detect (MTTD): How quickly do you identify security incidents? Target: <24 hours
  • Mean Time to Respond (MTTR): How quickly do you contain and remediate? Target: <48 hours
  • Phishing Test Results: What percentage of employees click malicious links? Target: <5%
  • Patch Compliance: Percentage of systems with current security updates? Target: >95%
  • Access Review Completion: Quarterly reviews completed on time? Target: 100%
  • Backup Test Success: Can you actually restore from backups? Target: 100%

Conduct annual penetration testing where ethical hackers attempt to breach your defenses. This identifies vulnerabilities before criminals do. FTC Safeguards Rule requires penetration testing for larger dealerships; all dealers benefit from this validation.

Schedule quarterly security committee meetings with the general manager, controller, IT manager, and compliance officer. Review incidents, discuss emerging threats, approve security investments, and update policies. Executive engagement ensures security remains a business priority.

Integration with Dealership Operations

Effective dealership cybersecurity doesn't exist in isolation - it must integrate seamlessly with daily operations. Security controls that disrupt sales processes will be circumvented; the key is finding balance between protection and productivity.

For your Business Development Center (BDC), security is particularly critical. BDC agents access customer data constantly - lead information, previous purchase history, service records, contact preferences. Implement role-based access ensuring agents see only necessary information. Monitor for unusual data access patterns indicating compromised credentials or insider threats. For more on protecting BDC operations, review our BDC Data Security: Protecting Customer Information guide.

F&I departments require heightened controls given the sensitivity of credit applications and financial documents. Encrypt all stored credit reports, implement dual-control for credit bureau access (requiring manager approval), and maintain detailed audit logs. Many F&I breaches result from improper disposal of printed credit applications - secure shredding is non-negotiable.

Service departments often overlook security, yet service records contain valuable personal information and vehicle details. Ensure service advisors can't access unrelated customer records. Restrict parts department access to inventory systems only. Monitor for unusual after-hours access to service systems.

Regulatory Compliance Mapping

This 25-point checklist directly addresses multiple regulatory requirements:

FTC Safeguards Rule Compliance:

  • Risk Assessment: Controls 1-25 collectively address identified risks
  • Qualified Individual: Implementation requires designated security oversight
  • Access Controls: Controls 1-6 meet authentication and authorization requirements
  • Encryption: Controls 7-8 satisfy data protection mandates
  • Monitoring: Controls 17-20 provide required security event visibility
  • Vendor Management: Controls 21-25 address service provider oversight
  • Testing: Controls 15, 18, 19 cover vulnerability management and incident response testing

For detailed analysis of FTC requirements, see our 2025 FTC Safeguards Rules For Auto Dealers: Complete Guide.

State Data Breach Notification Laws: Controls 17-20 (Incident Response) ensure you can detect breaches within required notification timeframes. Most states require notification within 30-60 days of discovery; your incident response plan must support these deadlines.

Payment Card Industry (PCI DSS): While dealerships typically don't store credit card data (processors handle this), Controls 12-16 (Network Security) align with PCI requirements for merchants. If you do process cards, additional PCI-specific controls are required.

FCC Lead Generation Rules: Controls 9-10 (Data Retention) support compliance with new FCC requirements around lead data handling and consumer consent. See our New FCC Lead Generation Ruling: What Dealers Must Know (2025) for complete details.

Building a Security-Conscious Culture

Technology controls are necessary but insufficient. The strongest firewall is useless if an employee clicks a phishing link and enters their credentials. Building a security-conscious culture transforms your entire team into a human firewall.

Start with leadership commitment. When the general manager and dealer principal visibly prioritize security - attending training, following policies, discussing security in meetings - employees understand its importance. Security cannot be "IT's problem"; it's everyone's responsibility.

Celebrate security wins. When an employee reports a suspicious email instead of clicking it, publicly recognize their vigilance. Create a "Security Champion" program where department representatives promote best practices. Make security awareness fun through contests, prizes, and gamification.

Normalize security conversations. Include security topics in weekly sales meetings, service huddles, and BDC team meetings. Discuss recent automotive industry breaches, share lessons learned, review policy updates. Regular exposure builds awareness and reduces resistance.

Provide context for why controls exist. Don't just mandate MFA - explain how credential theft shuts down dealerships for weeks. Don't just require complex passwords - show examples of breaches caused by weak passwords. When employees understand the "why," compliance improves dramatically.

Cost-Benefit Analysis

Implementing comprehensive automotive dealership compliance and cybersecurity controls requires investment. Here's realistic budgeting for a mid-sized dealership (200-300 vehicles/month):

Technology Costs (Annual):

  • EDR/Antivirus: $50-75 per endpoint = $5,000-7,500 (100 endpoints)
  • Firewall: $5,000-10,000 (hardware + licensing)
  • MFA Platform: $3-6 per user/month = $3,600-7,200 (100 users)
  • SIEM/Log Management: $10,000-25,000
  • Backup Solution: $5,000-15,000
  • Vulnerability Scanning: $3,000-8,000
  • Total Technology: $31,600-72,700

Professional Services (Annual):

  • Risk Assessment: $8,000-15,000
  • Penetration Testing: $10,000-20,000
  • Security Awareness Training: $2,000-5,000
  • Fractional CISO (if needed): $36,000-60,000
  • Incident Response Retainer: $5,000-10,000
  • Total Services (excluding the optional fractional CISO): $25,000-50,000

Total Annual Investment: $56,600-122,700

Compare this to breach costs:

  • Average breach: $4.8 million total cost
  • FTC penalties: $46,517 per violation (potentially thousands of violations)
  • Operational downtime: $50,000-100,000 per day
  • Reputation damage: Immeasurable but significant
  • Legal fees: $200,000-500,000+

The ROI is clear: Investing $100,000 annually to prevent a $5+ million breach is prudent risk management. Moreover, many insurance carriers offer 10-20% premium reductions for dealerships with documented security programs, partially offsetting costs.

Conclusion

Implementing these 25 essential cybersecurity controls transforms your dealership from vulnerable target to hardened defender. While the task may seem daunting, remember that cybersecurity is a journey, not a destination. Start with high-priority controls - MFA, encryption, employee training, incident response planning - and build from there.

The regulatory landscape will continue evolving. FTC enforcement is increasing, state privacy laws are expanding, and industry standards are rising. Dealerships that proactively implement comprehensive security programs will navigate these changes smoothly, while reactive dealers face costly catch-up efforts and potential penalties.

Your customers trust you with their most sensitive information. Honoring that trust through robust dealership cybersecurity and automotive dealership compliance practices isn't just good business - it's ethical obligation. In an era where data breaches make headlines weekly, dealerships that protect customer information earn competitive advantage through reputation and trust.

Ready to implement these controls at your dealership? Download our comprehensive Cybersecurity Implementation Workbook with detailed checklists, policy templates, and vendor assessment questionnaires. Contact Strolid Marketing for personalized compliance consulting and security program development.

For more comprehensive guidance on regulatory requirements and industry best practices, see our complete Automotive Dealership Compliance Guide: FTC, FCC & Data Security.

Frequently Asked Questions

What is the FTC Safeguards Rule and how does it apply to automotive dealerships?

The FTC Safeguards Rule, enacted under the Gramm-Leach-Bliley Act (GLBA), treats automotive dealerships as financial institutions because dealers regularly extend credit to customers through financing and leasing. The 2023 amendments require specific technical controls including encryption, multi-factor authentication, penetration testing, incident response plans, and vendor oversight. Dealerships with 5,000+ customer records face enhanced requirements. Non-compliance can result in penalties up to $46,517 per violation, plus enforcement actions requiring costly remediation. The rule applies to all dealerships that finance, lease, or arrange financing for customers - essentially all franchised and most independent dealers.

How much does it cost to implement proper dealership cybersecurity?

For a mid-sized dealership (200-300 vehicles monthly), expect annual costs of $56,000-122,000 covering technology (EDR, firewalls, MFA, SIEM, backups) and professional services (risk assessments, penetration testing, training). Single-point dealers may implement basic programs for $30,000-50,000 annually, while large dealer groups require $200,000+ for enterprise solutions. However, these costs are minuscule compared to breach expenses: the average automotive data breach costs $4.8 million, plus FTC penalties, legal fees, and reputation damage. Many controls (password policies, access reviews, network segmentation) require minimal financial investment - primarily staff time. View cybersecurity as insurance protecting against catastrophic loss rather than discretionary spending.

What are the most common cybersecurity threats facing dealerships?

Dealerships face three primary threats: (1) Ransomware attacks encrypting DMS databases and demanding payment for decryption - these shut down operations for an average of 21 days; (2) Phishing campaigns tricking employees into revealing credentials or wiring funds, with business email compromise (BEC) attacks costing individual dealerships hundreds of thousands; (3) Insider threats from current or former employees accessing customer data inappropriately, either maliciously or through negligence. Additional threats include credential stuffing attacks exploiting reused passwords, supply chain compromises through vulnerable vendors, and physical theft of devices containing unencrypted data. Organized cybercrime groups now develop attacks specifically targeting automotive dealership systems, recognizing dealers' dependence on technology and valuable customer data.

How often should we conduct security training for dealership employees?

Conduct formal security awareness training quarterly for all employees, with role-specific training addressing department-unique risks. New hire orientation must include security basics before system access is granted. Supplement formal training with monthly security tips via email, posters in break rooms, and brief topics in department meetings. Conduct simulated phishing tests monthly to measure awareness and identify employees needing additional coaching. Annual refresher training should cover policy updates, recent industry breaches, and emerging threats. F&I managers and BDC agents handling sensitive data require enhanced training covering data handling, privacy regulations, and social engineering. Document all training completion for compliance audits - the FTC Safeguards Rule requires evidence of ongoing security awareness programs.

What should we do if we discover a data breach?

Activate your incident response plan immediately: (1) Contain the breach by isolating affected systems to prevent further data access; (2) Assess the scope - what data was accessed, how many customers affected, how did the breach occur; (3) Notify appropriate parties - your attorney, cyber insurance carrier, and potentially law enforcement within 24 hours; (4) Investigate using forensic specialists to determine root cause and ensure complete remediation; (5) Remediate vulnerabilities that allowed the breach; (6) Notify affected customers and regulatory authorities per state breach notification laws (typically 30-60 days); (7) Document the entire incident for compliance and insurance purposes. Never attempt to handle breaches internally without expert assistance - improper response can worsen legal exposure and regulatory penalties. Consider retaining an incident response firm before any breach occurs to ensure immediate expert support when needed.

Do we need to hire a cybersecurity expert or can our IT person handle this?

The FTC Safeguards Rule requires a "qualified individual" to oversee your information security program - someone with appropriate knowledge and experience. For single-point dealers, your existing IT manager can fulfill this role if they receive proper security training and certification (CISSP, CISM, or automotive-specific security training). However, many dealership IT staff focus on keeping systems running rather than security expertise. Consider these options: (1) Provide extensive security training for current IT staff; (2) Hire a fractional CISO (Chief Information Security Officer) who works part-time across multiple dealerships; (3) Engage a managed security service provider (MSSP) specializing in automotive; (4) For dealer groups, hire a dedicated full-time CISO. The key is ensuring someone with genuine security expertise oversees your program - the "qualified individual" requirement isn't satisfied by simply assigning the role to whoever handles computers.

How do we balance cybersecurity with sales productivity?

Security controls that significantly disrupt sales will be circumvented, creating a false sense of security while the vulnerability remains. The solution is finding balance through smart implementation: (1) Use single sign-on (SSO) so sales staff log in once and access all systems without repeated authentication; (2) Implement MFA using mobile authenticator apps that approve with one tap rather than typing codes; (3) Deploy password managers so complex passwords don't require memorization; (4) Create role-based access giving sales staff exactly what they need without unnecessary restrictions; (5) Automate security controls (automatic encryption, background vulnerability scanning) requiring no employee action. Involve sales managers in security planning to identify friction points before deployment. Frame security as protecting their ability to earn - a breach shutting down the dealership for three weeks costs everyone commissions. Well-designed security enhances rather than hinders productivity.

What vendor security assessments do we need to conduct?

Assess all vendors accessing customer data, prioritizing based on data sensitivity and access level: Critical Vendors (DMS, CRM, F&I platforms) require comprehensive annual assessments including SOC 2 Type II reports, penetration test results, security questionnaires covering 50+ controls, and contract reviews ensuring proper data protection obligations. High-Risk Vendors (lead generation, marketing automation, BDC platforms) need annual security questionnaires and contract reviews. Moderate-Risk Vendors (website hosting, email marketing) require basic security questionnaires every 2 years. Document all assessments, identified risks, and remediation requirements. The FTC Safeguards Rule specifically requires service provider oversight - you remain responsible for vendor security failures affecting your customer data. If vendors refuse assessments or demonstrate inadequate security, find alternatives. Include security requirements in all vendor contracts: encryption standards, breach notification timelines (24-48 hours), audit rights, and liability provisions.

About the Author: This guide was developed by the team at Strolid Marketing, a specialized BDC consulting firm with 11+ years of experience servicing automotive dealerships across the US market. Our expertise in dealership operations, compliance requirements, and cybersecurity best practices helps dealers protect customer data while maintaining operational efficiency. We provide comprehensive compliance consulting, security program development, and ongoing support to dealerships nationwide.
