
Your dealership’s cybersecurity program only works if leadership understands it, supports it, and reviews it. The Federal Trade Commission (FTC) made that expectation clear in the Safeguards Rule by requiring an annual report to ownership or the board of directors.
This report is not a formality. It is your dealership’s chance to step back and ask, “Are our safeguards still working?”
What It Means
At least once a year, your Qualified Individual must prepare a written report that summarizes the state of your dealership’s information security program.
This report should include:
- A summary of the dealership’s most recent risk assessments
- The results of testing and monitoring activities
- Any security incidents that occurred during the year and how they were handled
- Updates or improvements made to safeguards
- Recommendations for changes or new protections needed in the coming year
Once complete, this report should be reviewed and signed by ownership or the board of directors. That signature is more than approval—it is proof that leadership understands and supports the dealership’s compliance responsibilities.
The report should be stored with your compliance records and kept ready to share during audits, insurance reviews, or lender due diligence.
Why It Matters
The FTC expects dealership leadership to stay informed about how customer data is being protected. Compliance is a management responsibility, not just an IT or administrative task.
When ownership reviews and signs off on the report each year, it shows accountability and oversight. Regulators see that your dealership is taking security seriously and that decisions are being made with accurate information.
It also helps your business make better choices. The annual report provides a clear picture of where you are strong and where you may need improvement. Leadership can use this insight to prioritize budget decisions, approve new safeguards, or plan employee training.
Without regular reporting, cybersecurity can drift into the background. The annual review brings it back to the front of leadership conversations, where it belongs.
It also prepares you for lender and manufacturer requests. Many financial partners are now asking dealerships to verify their FTC Safeguards compliance status. Having a signed annual report makes that verification fast and professional.
Example from a Dealership
At the end of each year, a dealership’s Qualified Individual prepares a summary report for the ownership team. The report includes:
- Results from vulnerability scans and penetration testing
- A record of completed employee cybersecurity training
- Updates to vendor oversight agreements
- Details of one minor phishing incident and how it was contained
- Recommendations for adding multi-factor authentication to the service department network
The general manager and owner review the report together, discuss the recommendations, and approve funding for the new safeguard. They both sign the report and store it in the dealership’s compliance binder.
When their insurance company later requested documentation of FTC Safeguards compliance, the dealership provided the signed report as proof of ongoing oversight and risk management.
How to Make Annual Reporting Simple
You do not need a long or technical document to meet this requirement. A concise, organized report is often better.
Here is a straightforward approach your dealership can follow:
- Set a Reminder: Schedule the report near the end of your fiscal year or after your annual risk assessment.
- Summarize Key Areas: Cover risk assessments, testing results, incidents, updates, and recommendations.
- Include Documentation: Attach supporting evidence such as training logs, test summaries, and vendor certifications.
- Meet with Leadership: Present the report to ownership or the board. Allow time for questions or approvals.
- Get Signatures and Store Securely: Keep the signed copy with your compliance records, both digitally and in a physical binder.
Many dealerships also keep a printed version of this annual report in their offline compliance binder, along with their incident response plan and vendor contracts. This ensures the documentation is available even if systems go offline or are compromised.
How Safer Dealer Can Help
Safer Dealer works with trusted Managed Security Service Providers (MSSPs) and compliance consultants who understand how to prepare, format, and maintain FTC Safeguards documentation for dealerships.
Our partners help dealerships:
- Conduct annual risk assessments
- Track and document ongoing compliance activities
- Compile easy-to-understand board reports
- Organize digital and offline compliance binders
This support gives ownership the confidence that their dealership can prove compliance at any time.
The Bottom Line
The annual report to ownership or the board is where accountability meets leadership. It keeps cybersecurity from being a technical issue buried in the back office and makes it a core part of your dealership’s management process.
By reviewing and approving this report each year, ownership ensures the dealership stays informed, compliant, and ready for whatever comes next.
A strong annual report is more than paperwork—it is your dealership’s proof that compliance is a culture, not a checkbox.
If your team needs help preparing this report or reviewing what to include, Safer Dealer can connect you with compliance partners who understand both the technical and business sides of dealership operations.
Leadership sets the tone for security. A signed, thoughtful annual report shows that your dealership takes that role seriously.
