Cyber Incident Communications: What to Say (and Who to Call) When Your Dealership Gets Hit

Most dealerships plan for hail, floorplan audits, and month-end chaos.

Very few plan for the moment systems go down, phones light up, and everyone asks the same question at once: “What do we tell people?”

That’s how technical incidents become business crises.

We saw a version of this during the well-publicized DMS disruption in 2024. Even stores that handled the technical side reasonably well struggled with communications: inconsistent messaging across rooftops, staff saying too much (or nothing), customers confused about appointments and data, OEM reps asking for status, and lenders wanting to know what’s impacted.

A good communications plan does two things:

  • Protects revenue and customer trust while you stabilize operations
  • Prevents unforced errors like incorrect statements, rumor-fueled panic, and mixed messages that create liability

Note: This is general guidance, not legal advice. Always coordinate breach-related communications with legal counsel and your cyber insurance carrier.

The dealership reality: your audiences have different fears

In a cyber incident, everyone is stressed, but for different reasons.

  • Internal team worries about: “Can I do my job? Am I going to get blamed? Are we getting paid?”
  • Customers worry about: “Is my data safe? Is my car done? Can I pick up today?”
  • OEMs worry about: “Are you meeting process requirements? Are you reporting accurately? What’s the customer impact?”
  • Lenders and finance partners worry about: “Are deals funding? Are instructions legitimate? Are you a fraud risk right now?”

Your communications must match those concerns, or people will fill the gaps with assumptions.

The 5 rules of incident communications

1) One voice, one source of truth

Pick a single incident communications owner (often the GM or Controller) paired with IT/security and your broker/counsel as needed. Everyone else follows the script.

2) Speed matters, but accuracy matters more

Send a quick holding statement early, then update on a cadence. Do not speculate. Do not guess at cause. Do not promise timelines you can’t guarantee.

3) Separate operational updates from data exposure statements

“Systems are down” is different from “data was accessed.” Treat them differently and coordinate anything data-related with counsel/carrier.

4) Give staff what to do, not just what happened

Your team needs marching orders: how to handle customers, where to route calls, how to schedule service, how to desk deals, how to verify payment changes.

5) Assume everything is discoverable

Write every message like it could be forwarded, screenshotted, or read out loud later. Keep it factual and consistent.

Who owns what: a simple dealership comms org chart

Incident Communications Lead (GM or Controller): approves messages, sets cadence
Technical Lead (IT/Security/MSP): provides status, what’s impacted, estimated restoration windows (if known)
Customer-Facing Lead (Service Director or BDC Manager): executes customer messaging and call scripts
OEM Liaison (GM or fixed ops leader): communicates status to OEM rep
Finance Liaison (Controller/F&I Director): handles lender communications and fraud controls
Legal/Cyber Carrier: approves any breach notification language, regulatory posture, and customer data statements

What to communicate by audience

1) Internal communications: staff, managers, and rooftops

Internal messaging is about keeping the store functioning and preventing rumor.

What staff need in the first message:

  • What’s impacted (email, DMS, phones, scheduling, payments)
  • What’s not impacted (if known)
  • The temporary process (paper ROs, manual deal log, no ACH changes without voice verification)
  • Where questions go (one channel, one owner)
  • A reminder not to freelance communications

Internal message template (first hour)
Subject: Operational Update: System Disruption and Next Steps

Team,
We’re experiencing a disruption affecting [systems]. We’re working with our IT/security partners to stabilize operations.

Effective immediately:

  • Use [workaround process] for [service write-ups/scheduling/desking].
  • Do not process any bank detail changes, wire instructions, or vendor payment updates from email alone. Use call-back verification.
  • Direct all customer questions to [point person/team].
  • Please do not share unverified details externally. We will provide updates every [X hours] or as major changes occur.

Thank you for staying focused. Our priority is customer service and safe operations.

2) Customer communications: service appointments, sales, and data concerns

Customers don’t care what tool is down. They care if their car is ready and whether their information is safe.

Customer messaging goals:

  • Keep appointments moving where possible
  • Reduce inbound call volume with clear instructions
  • Avoid definitive statements about data exposure unless confirmed and approved

Customer holding statement (website/social/phone)
We’re currently experiencing a system disruption that may impact [appointments/communications/processing times]. Our team is still operating and will assist you as quickly as possible.
For service, please [call this number / arrive as scheduled / bring your appointment details].
We’ll share updates as we restore normal operations. Thank you for your patience.

What not to say:

  • “Nothing was accessed” (unless confirmed and approved)
  • “It’ll be back by end of day” (unless you’re certain)
  • “It’s the vendor’s fault” (blame creates unnecessary risk)

3) OEM communications: accurate status, customer impact, and operational continuity

OEMs want calm, accurate reporting and proof you’re managing impact.

What OEM reps typically need:

  • High-level incident category (outage, cybersecurity incident, suspected compromise)
  • Operational impact (sales, service, warranty submissions, customer communications)
  • Workarounds and continuity steps
  • Next update cadence

OEM update template
We’re managing a system disruption impacting [functions]. Customer operations are continuing via [workarounds]. At this time, we’re coordinating with our IT/security partners and will provide our next update by [time/date]. We will notify you promptly of any confirmed customer-impacting developments.

4) Lenders and finance partners: funding continuity and fraud prevention posture

Lenders care about fraud risk. During incidents, impersonation attempts often increase.

What to communicate to lenders:

  • You are operational (if true) but using alternate processes
  • You are enforcing verification for any payment instruction changes
  • Any limitations on document delivery (secure portal, in-person, alternate channel)
  • A single dealership point of contact for funding questions

Lender message template
We’re currently experiencing a system disruption affecting [email/portals/doc delivery]. We are continuing deal processing using alternate workflows.
For security, we are verifying any payment instruction changes by phone using known numbers on file. Please do not accept banking changes via email.
Funding contact: [name/phone]. Updates will be provided as needed.

Timeline: what “good” communications look like

First 60 minutes:

  • Stand up an internal war room channel
  • Send internal holding message plus immediate do/don’t list
  • Post customer holding statement (website/social/phone)
  • Notify OEM and key lenders with a short status and next update time

First 4 hours:

  • Confirm what’s impacted and what isn’t
  • Implement manual processes (service write-up, parts, sales logs, payment controls)
  • Publish an FAQ for staff and customer-facing teams
  • Start a repeating update cadence (every 2–4 hours)

Day 1 to Day 3:

  • Refine customer comms: appointment instructions, pickup process, expected delays
  • Expand lender guidance and strengthen fraud verification
  • Decide on data exposure language only if confirmed and approved by counsel/carrier

Day 4 to resolution:

  • “Return to normal” message with what changed and what’s next
  • Internal debrief schedule (what worked, what failed, what to fix)
  • Evidence capture: timeline, key decisions, comms samples (helps insurance and future readiness)

What we’re really looking for in a dealership communications plan

If we’re building this with a dealer, we look for:

  • A single communications owner and approval path
  • Pre-written templates (internal, customers, OEM, lenders)
  • A call routing plan (often BDC-led) to reduce chaos
  • A paper ops playbook for service and sales
  • Fraud controls during incidents (call-back verification, pause on high-risk actions)
  • A do-not-say list
  • Update cadence and a way to track what was sent, when, and to whom

CTA: Build a Cyber Incident Communications Playbook before you need it

If your store had an outage tomorrow, would your team send five different messages in five different directions? Most do.

A Cyber Incident Communications Gap Assessment helps you get ahead of that. We’ll map your audiences, build the templates, assign owners, and run a tabletop exercise so you’re not writing statements under pressure.

Book a Cyber Incident Communications Gap Assessment and you’ll walk away with:

  • A dealership-ready communications plan (internal, customers, OEMs, lenders)
  • Pre-written templates and call scripts
  • A practical update cadence and approval workflow
  • A tabletop drill agenda to rehearse it with leadership
Share

Disclaimer

Dealerships should consult their own legal counsel, compliance specialists, or cybersecurity professionals before taking any action based on this website.
Explore
Get FTC Safeguards help today!
Subscribe