Cyber Insurance Readiness for Dealers: The 8 Controls Carriers Ask For First

Audience: Dealer Principal, CFO/Controller, and QI/Compliance lead at single or multi-rooftop groups.
Note: Practical guidance, not legal advice. Requirements vary by carrier and state.

Why carriers care (and why dealers should too)

Carriers don’t want essays. They want proof you can prevent claims and limit blast radius if something goes wrong. For dealerships, that means protecting the systems that move money and fund deals: email, DMS/CRM, AP banking, and file servers that touch RO history and deal docs. Readiness shortens questionnaires, improves renewal terms, and avoids last-minute underwriting surprises.

The eight controls most carriers ask about first

1) Multifactor Authentication (MFA) on email, remote access, and admin accounts

What “good” looks like
MFA is enforced on Microsoft 365 and any VPN/RDP. Admin accounts are separate from daily-use accounts.

How to prove it
Screenshots of M365 conditional access policies; list of users with MFA status; VPN configuration showing MFA.

Premium impact levers
Block legacy/basic auth. Require MFA for privileged DMS/CRM roles, not just email.

2) Endpoint Detection & Response (EDR) with 24/7 monitoring

What “good” looks like
EDR (with MDR eyes-on-glass) on all Windows desktops, F&I machines, service lane PCs, and servers.

How to prove it
EDR console export showing agent count and health; sample alert with triage notes; coverage map by rooftop.

Premium impact levers
Document mean time to isolate (MTTI) from recent drills. Carriers love fast isolation.

3) Backups that are immutable, off-domain, and tested

What “good” looks like
Daily backups with at least one copy immutable and off the primary domain. Quarterly restore tests.

How to prove it
Backup policy screenshot, immutability setting, last three successful restore test logs, RPO/RTO targets.

Premium impact levers
Write down the 4-hour “Tier 1” recovery play for DMS integration servers and AP shares.

4) Email security and anti-impersonation

What “good” looks like
Advanced phishing/impersonation filters, external tagging, and blocked auto-forward rules.

How to prove it
Security policy screenshots, recent phishing campaign results, list of auto-forward blocks, DMARC record status.

Premium impact levers
Quarterly phishing failure rate under 4 percent with store-level coaching.
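The "DMARC record status" line in the evidence list above is worth more than a screenshot if you can say what the record actually enforces. The following is an added example written for this article (not a carrier or vendor tool): it parses a DMARC TXT record into its tags and grades it the way a questionnaire reader would, flagging p=none, partial pct=, and missing aggregate reporting. The record strings are constructed samples; in practice you would paste the TXT record published at _dmarc.<yourdomain>.

```python
"""Added example: parse a DMARC TXT record and grade it for an evidence pack.

Illustrative code written for this article. The sample records passed to
assess_dmarc() are constructed; fetch the real one at _dmarc.<yourdomain>
with your DNS tooling and pass the string in.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    policy: str                 # p= tag: none, quarantine, or reject (or "missing")
    pct: int                    # pct= tag; defaults to 100 when absent
    has_reporting: bool         # rua= present, so failures are actually visible
    findings: list[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        # Only quarantine/reject applied to the whole mail stream blocks spoofed mail.
        return self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> DmarcAssessment:
    """Grade a record the way an underwriter's questionnaire would read it."""
    if not record:
        return DmarcAssessment("missing", 0, False, ["No DMARC record published."])
    tags = parse_dmarc(record)
    findings: list[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("Record does not start with v=DMARC1; receivers will ignore it.")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered.")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; treated as 100.")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream.")
    has_reporting = "rua" in tags
    if not has_reporting:
        findings.append("No rua= address; you will not see who is spoofing the domain.")
    return DmarcAssessment(policy, pct, has_reporting, findings)


if __name__ == "__main__":
    # Constructed sample: a monitoring-only record that would not satisfy a carrier.
    result = assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com")
    print("enforcing:", result.enforcing)
    for line in result.findings:
        print("-", line)
```

Attach the grade alongside the raw record: "p=reject, pct=100, aggregate reporting on" answers the question; "we have DMARC" does not.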

5) Privileged access management and offboarding discipline

What “good” looks like
No shared admin accounts; least privilege in DMS/CRM; accounts disabled within 24 hours of termination.

How to prove it
Admin account inventory; offboarding audit comparing HR term list to AD/M365/DMS; quarterly access review attestation.

Premium impact levers
Service-level agreement: 24-hour disablement backed by weekly spot checks.
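The offboarding audit described above (HR termination list compared against AD, M365 and DMS exports, with a 24-hour disablement target) is the kind of check that is easy to script and hard to fake. Here is an added example written for this article, not a carrier or vendor tool: it reads a constructed HR term list and constructed per-system user exports as CSV text, flags every account that was still enabled, missing from an export, or disabled later than 24 hours after termination, and computes an SLA-met rate you can drop onto the scorecard. Column names (employee, term_date, user, enabled, disabled_at) are assumptions; map them to whatever your HR system and directory exports actually produce.

```python
"""Added example: offboarding audit comparing an HR termination list to
directory exports (AD / M365 / DMS) and flagging accounts left enabled past
the 24-hour disablement target. Written for this article; not a carrier or
vendor tool. All CSV text below is constructed sample data and the column
names are assumptions; in practice, export each system's user list to CSV
and pass those strings (or file contents) to audit_offboarding().
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta

DISABLE_SLA = timedelta(hours=24)   # the 24-hour target from the control above

# Constructed HR termination list: who left and when.
HR_TERMS_CSV = """employee,term_date
jsmith,2024-03-01T17:00:00
mlopez,2024-03-04T12:00:00
rkhan,2024-03-05T09:00:00
"""

# Constructed per-system exports: current state plus when the account was disabled.
SYSTEM_EXPORTS = {
    "AD": """user,enabled,disabled_at
jsmith,false,2024-03-01T18:30:00
mlopez,true,
rkhan,false,2024-03-07T10:00:00
""",
    "M365": """user,enabled,disabled_at
jsmith,false,2024-03-01T18:35:00
mlopez,false,2024-03-04T15:00:00
rkhan,false,2024-03-05T10:00:00
""",
    "DMS": """user,enabled,disabled_at
jsmith,true,
mlopez,true,
""",
}


def load_rows(csv_text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_offboarding(hr_csv: str, exports: dict[str, str],
                      sla: timedelta = DISABLE_SLA) -> list[dict[str, str]]:
    """Return one finding per (user, system) that missed the disablement SLA.

    A finding is raised when the account is still enabled, has no disable
    timestamp, was disabled later than term_date + sla, or is absent from the
    export entirely (unknown state is treated as a gap to investigate).
    """
    findings: list[dict[str, str]] = []
    terms = {r["employee"]: datetime.fromisoformat(r["term_date"])
             for r in load_rows(hr_csv)}
    for system, text in exports.items():
        accounts = {r["user"]: r for r in load_rows(text)}
        for user, term_date in terms.items():
            row = accounts.get(user)
            if row is None:
                findings.append({"user": user, "system": system,
                                 "issue": "not in export; confirm no account exists"})
                continue
            if row["enabled"].strip().lower() == "true" or not row["disabled_at"]:
                findings.append({"user": user, "system": system,
                                 "issue": "still enabled"})
                continue
            lag = datetime.fromisoformat(row["disabled_at"]) - term_date
            if lag > sla:
                hours = lag.total_seconds() / 3600
                findings.append({"user": user, "system": system,
                                 "issue": f"disabled {hours:.1f}h after term"})
    return findings


def sla_met_rate(hr_csv: str, exports: dict[str, str]) -> float:
    """Share of (user, system) pairs that met the SLA; a KPI for the scorecard."""
    pairs = len(load_rows(hr_csv)) * len(exports)
    misses = len(audit_offboarding(hr_csv, exports))
    return (pairs - misses) / pairs if pairs else 1.0


if __name__ == "__main__":
    for f in audit_offboarding(HR_TERMS_CSV, SYSTEM_EXPORTS):
        print(f"{f['system']:<5} {f['user']:<8} {f['issue']}")
    print(f"SLA met: {sla_met_rate(HR_TERMS_CSV, SYSTEM_EXPORTS):.0%}")
```

Run it against the last six months of terminations, keep the finding list and the SLA-met percentage in the quarterly evidence folder, and the weekly spot checks in the SLA above become a one-command task. The "not in export" case is deliberately a finding rather than a pass: a missing row usually means the DMS was never in the offboarding workflow, which is exactly the gap an underwriter will ask about.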

6) Patching and vulnerability management

What “good” looks like
Critical patches within 14 days; routine patch windows for service-lane PCs and finance servers.

How to prove it
RMM patch compliance report; sample change ticket; vulnerability scan results with closed findings.

Premium impact levers
Document an exceptions process with temporary compensating controls.

7) Incident response plan with tested tabletop

What “good” looks like
A current IR plan, call tree, and two tabletop exercises per year covering DMS outage, BEC, and ransomware.

How to prove it
IR plan PDF, tabletop agendas, decision logs, after-action items with owners and due dates.

Premium impact levers
Have an incident-response retainer with your MDR or forensics provider. Underwriters view this as risk-reducing.

8) Vendor risk and payment security (wire/ACH controls)

What “good” looks like
Top-risk vendors have security attestations; AP uses dual control and verifies bank changes by an out-of-band callback to the phone number already on file in the vendor master, never to a number supplied in the change request.

How to prove it
Vendor due-diligence folder index; sample SOC/attest letters; AP wire checklist with callback logs.

Premium impact levers
Positive pay enabled, daily bank reconciliation, and strict change-control on the vendor master.

The evidence pack that wins renewals

Create a shared “Cyber Insurance — Evidence” folder with quarterly subfolders. Include:

  • MFA policy exports and user MFA status
  • EDR coverage and recent alert triage
  • Backup test logs and immutability settings
  • Phishing results and training completion
  • Offboarding audits and admin account inventory
  • Patch compliance reports and closed vulnerabilities
  • IR plan, tabletop minutes, and retainer letter
  • Vendor attestations and AP wire callback logs

Pro tip: Keep this to 15–25 pages total. Screenshots beat paragraphs.

Sample answers for common questionnaire items

Do you use MFA?
“Yes. MFA is enforced for Microsoft 365, VPN, and all administrative accounts. Legacy protocols are blocked. Evidence attached.”

Do you have immutable, offline, or air-gapped backups?
“Yes. Daily backups include an immutable copy stored off-domain. Quarterly test restores are documented. Evidence attached.”

Is EDR deployed on all endpoints and servers?
“Yes. EDR with 24/7 MDR coverage is deployed on all endpoints and Windows servers across all rooftops. Coverage report attached.”

How do you prevent and detect phishing and BEC?
“Advanced email security filters and external tagging are enabled. Auto-forward to external domains is blocked. Monthly phishing tests with <4 percent failure rate and targeted coaching. Evidence attached.”

What is your incident response process?
“Documented IR plan with call tree. Two tabletop exercises per year covering DMS outage, BEC, and ransomware. IR retainer in place. Evidence attached.”

30-day readiness sprint for your next renewal

Week 1

  • Pull last two quarters of evidence.
  • Run a 6-month offboarding audit.
  • Verify MFA for admins and remote access.

Week 2

  • Close EDR gaps on straggler PCs in service and F&I.
  • Run and document a backup restore test.
  • Enable auto-forward blocks and review impersonation settings.

Week 3

  • Tabletop a 45-minute BEC + wire fraud scenario.
  • Lock down shared admin accounts; where one is found, replace it with individual named admin accounts.
  • Collect top-10 vendor attestations.

Week 4

  • Generate a one-page KPI scorecard for the Dealer Principal: phishing rate, EDR coverage, offboarding speed, backup test pass, admin account count, vendor attestations.
  • Package your evidence folder and send to your broker proactively.

What can actually lower premiums or improve terms

  • Demonstrated MFA coverage everywhere that matters (email, remote, admin).
  • Real EDR+MDR with logged isolations from drills.
  • Immutable backups with recent, successful restore tests.
  • Phishing failure rate trending down and below 4 percent.
  • IR retainer letter and twice-yearly tabletop minutes.
  • Positive pay and dual control proven in AP.
  • Clear exception handling for patching with compensating controls.
  • Documented vendor due diligence for systems touching NPI.

Avoid these dealership-specific pitfalls

  • “MFA is on” but legacy auth is still allowed in M365.
  • Shared “F&I Admin” or “Parts Admin” accounts no one can attribute.
  • Service PCs missed by EDR because they’re off the domain.
  • Backups stored on the same domain the ransomware can encrypt.
  • Vendor bank changes accepted from an email thread without callback.
  • No paper-based delivery SOP for when the DMS or lender portals are down.

Controller’s quick checklist for renewal meetings

  • Evidence folder updated this quarter
  • Bank and insurer contacts verified
  • Dual control and callback logs sampled
  • Positive pay and daily reconcile confirmed
  • Incident response retainer current
  • Cyber training completion over 90 percent

Need Help for Your Dealership?

Want a fill-in-the-blank “Carrier Evidence Pack” with screenshot guides and a one-page KPI scorecard? Insert your group name and we’ll send a clean, branded version aligned to dealership workflows.
