
You can’t protect what you don’t know you have.
The FTC’s Safeguards Rule takes that idea and turns it into a very specific expectation:
Your dealership must have a written risk assessment that clearly documents what customer information you handle, where it lives and travels, and how it could be exposed.
This isn’t an IT inventory spreadsheet. It’s the backbone of your entire information security program. If your risk assessment is weak, everything built on top of it is shaky: policies, tools, training, vendor contracts, even your cyber insurance story.
Let’s break down what a solid, dealership-ready risk assessment actually looks like.
Step 1: Define the scope of your dealership environment
Start by drawing the box around what you’re assessing.
For most auto groups, scope includes:
- All rooftops and satellite lots
- All departments that touch customer info
  - Sales, F&I, BDC, service, parts, accounting, recon, HR
- All systems where customer or employee data lives or flows, including:
  - DMS (Dealertrack, Reynolds, CDK, etc.)
  - CRM (VinSolutions, Elead, DealerSocket, etc.)
  - Desking & F&I menu tools
  - Digital retailing and online credit apps
  - OEM portals and lender portals
  - Service scheduling and MPI tools
  - Phone/BDC and call recording systems
  - Email (Microsoft 365, Google Workspace)
  - File shares, local drives, cloud storage
  - HR/payroll platforms
  - Backup and disaster recovery systems
Write this down. The FTC expects the risk assessment to be written and to show you’ve thought through where customer information actually lives, not where you wish it lived.
Step 2: Inventory the data you collect
Next, identify what you’re actually collecting and storing.
At a minimum, dealerships typically handle:
- Personal identifiers: names, addresses, phone numbers, email
- Government IDs: driver’s license numbers, SSNs (often in credit apps)
- Financial data: income, bank account details, payoff info, credit card numbers in service & parts
- Credit information: credit scores, bureau reports, credit application data
- Vehicle data: VINs, service histories, warranty status, GPS / telematics in some cases
- Employment data: employee SSNs, direct deposit info, benefits details, I-9 and background checks
For each data type, document:
- Where it is captured (online forms, in-store F&I, service write-up, HR onboarding)
- Where it is stored (DMS, CRM, scanned docs, shared drive, third-party platform)
- Where it is sent (lenders, OEMs, warranty companies, third-party vendors)
This is the “know what you have” piece the Safeguards Rule is very explicit about. A regulator doesn’t want to hear “our IT guy handles that.” They want to see that you, as a business, understand your own data footprint.
Step 3: Map your data flows
Now connect the dots. This is where the risk picture starts to emerge.
For example, think through a typical F&I deal:
- Lead enters the CRM from a website form or OEM lead feed.
- Sales works the deal, then sends the customer to F&I.
- F&I pulls bureaus, gathers income proof, scans IDs, and loads everything into:
  - DMS / F&I menu / lender portals
- Deal gets funded, and documents are stored in:
  - DMS, scanning system, cloud drive, sometimes local machines
- Copies may be emailed to the customer, lender, or other parties.
Do the same for:
- Service: online scheduling → RO creation → MPI tools → warranty submissions → long-term storage of service history.
- BDC: call recording systems that capture full credit card numbers when a customer reads them over the phone.
- HR: job applications, background checks, employee onboarding packets.
For each flow, note:
- Systems involved
- People involved (roles, not names)
- Vendors involved
- Places where data is at rest or in transit
This becomes the foundation for asking: “Where are the weak spots in this chain?”
Step 4: Identify internal and external threats
Now you can layer on risk.
Common internal risks at dealerships:
- Shared logins in DMS or CRM
- Former employees retaining remote access
- Staff emailing unencrypted spreadsheets with customer data
- Scanned driver’s licenses saved to desktops or personal cloud storage
- Poor physical security around F&I offices or deal jackets
- Lack of clear process for offboarding employees and removing access
Common external risks:
- Phishing emails stealing credentials to email or DMS/CRM
- Ransomware shutting down your systems and backups
- Vendor compromise (like a major DMS, CRM, or integration provider being attacked)
- Attacks on remote access tools, VPNs, and exposed ports
- Weak or reused passwords breached in other systems and tried against your accounts
Your written assessment should specifically call out risks to the security, confidentiality, and integrity of customer information, and how that data could be:
- Accessed without authorization
- Misused (e.g., identity theft, fraud)
- Altered (e.g., data tampering)
- Destroyed (e.g., lost in a ransomware event or failed backup)
Step 5: Evaluate likelihood and impact with clear criteria
The Safeguards Rule doesn’t just want a brain dump of worries; it expects you to evaluate them using defined criteria.
That means you decide, in writing, how you will rate risks, such as:
- Likelihood: How probable is it that this threat will occur in your environment?
  - High / Medium / Low
- Impact: If it happens, how bad is it for the dealership?
  - Customer harm, regulatory exposure, downtime, revenue loss, reputational damage
- Inherent vs. residual risk:
  - Inherent: risk before controls
  - Residual: risk after you consider existing safeguards
Then you apply those criteria:
- Missing MFA on email:
  - Likelihood: High (phishing is constant)
  - Impact: High (email is often the keys to everything)
- Shared sales logins in CRM:
  - Likelihood: High (very common behavior)
  - Impact: Medium to High (data misuse, weak accountability, potential unauthorized exports)
- Offsite deal jackets in an insecure storage room:
  - Likelihood: Medium
  - Impact: High if physical theft occurs
The point is not to become a risk-management think tank. The point is to show that you are systematically evaluating what matters most and not just guessing.
Step 6: Tie risks to specific Safeguards
A good risk assessment doesn’t live in isolation. It sets up your actual Safeguards.
For each meaningful risk, you should be able to say:
- Risk: “Shared logins in CRM and DMS make it impossible to track who did what and increase the chance of unauthorized access.”
  - Safeguards:
    - Unique logins for all users
    - Enforcement of least-privilege access
    - Quarterly user access reviews
- Risk: “Phishing could lead to compromise of email and cloud systems.”
  - Safeguards:
    - MFA on email and critical apps
    - Security awareness training with phishing simulations
    - Alerting on suspicious login locations and impossible travel
- Risk: “Third-party vendor compromise could expose our customer data.”
  - Safeguards:
    - Vendor due diligence and contract language
    - Data minimization and segmentation
    - Incident response playbook that includes vendor events
When the FTC or a plaintiff’s attorney looks at your program, they expect to see this line of sight:
Risk identified → Safeguard chosen → Evidence it was implemented and monitored.
The written risk assessment is where that story starts.
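The rating criteria from Step 5 and the risk-to-safeguard line of sight from Step 6 are easier to keep honest when the register is something you can actually compute over. The following is an added example, not code from the original article or from any dealership or vendor: a small risk register that applies a written High/Medium/Low scale, derives inherent and residual scores, and reports where the chain "risk identified → safeguard chosen → evidence it was implemented and monitored" is broken. The three risks and their safeguards are constructed from the article's own illustrations; the numeric scale and the rule that each implemented safeguard lowers one factor by one level are assumptions a dealership would write into its own criteria.

```python
"""Risk register applying written likelihood/impact criteria (added example).

Assumptions (not from the article): Low/Medium/High map to 1/2/3, a risk
score is likelihood x impact, and each IMPLEMENTED safeguard lowers the
factor it targets by one level. Planned-but-unimplemented safeguards do
not reduce residual risk, because residual risk reflects what exists today.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The written rating scale: the assessment must state this, not just use it.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Safeguard:
    name: str
    implemented: bool            # is it actually in place today?
    evidence: str = ""           # where a reviewer can verify it (report, log, sign-off)
    reduces: str = "likelihood"  # which factor the control lowers: "likelihood" or "impact"


@dataclass
class Risk:
    title: str
    likelihood: str  # inherent rating, before controls
    impact: str      # inherent rating, before controls
    safeguards: list[Safeguard] = field(default_factory=list)

    def inherent_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_score(self) -> int:
        """Score after implemented safeguards; each drops its factor one level, never below Low."""
        like = LEVELS[self.likelihood]
        imp = LEVELS[self.impact]
        for s in self.safeguards:
            if not s.implemented:
                continue
            if s.reduces == "likelihood":
                like = max(1, like - 1)
            else:
                imp = max(1, imp - 1)
        return like * imp

    def line_of_sight_gaps(self) -> list[str]:
        """Risk -> Safeguard -> Evidence: list whatever is missing in that chain."""
        gaps: list[str] = []
        if not self.safeguards:
            gaps.append("no safeguard mapped")
        for s in self.safeguards:
            if not s.implemented:
                gaps.append(f"'{s.name}' not implemented")
            elif not s.evidence:
                gaps.append(f"'{s.name}' has no evidence of monitoring")
        return gaps


def build_register() -> list[Risk]:
    """Constructed sample register based on the article's three example risks."""
    return [
        Risk("Missing MFA on email", "High", "High", [
            Safeguard("MFA on email and critical apps", implemented=True,
                      evidence="tenant MFA enforcement report, reviewed monthly"),
            Safeguard("Security awareness training with phishing simulations", implemented=True,
                      evidence="quarterly simulation results"),
        ]),
        Risk("Shared sales logins in CRM", "High", "High", [
            Safeguard("Unique logins for all users", implemented=False),
            Safeguard("Quarterly user access reviews", implemented=True,
                      evidence=""),  # performed, but nobody kept the sign-off
        ]),
        Risk("Offsite deal jackets in insecure storage", "Medium", "High", []),
    ]


def prioritize(register: list[Risk]) -> list[tuple[str, int, int, list[str]]]:
    """Rank risks by residual score, highest first, with their line-of-sight gaps."""
    rows = [(r.title, r.inherent_score(), r.residual_score(), r.line_of_sight_gaps())
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for title, inherent, residual, gaps in prioritize(build_register()):
        print(f"{title:45} inherent={inherent} residual={residual} gaps={gaps or 'none'}")
```

Two things in the output are the point: the shared-logins risk still scores as high as the unmitigated deal-jacket risk because its key safeguard is planned rather than implemented, and the access review that was performed counts for nothing in a regulator's eyes until the sign-off evidence exists. That is the difference between a list of worries and a defensible assessment.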
Step 7: Make it living, not “set it and forget it”
The Safeguards Rule is explicit: risk is not static, and neither is your assessment.
You should revisit and update the assessment when:
- You acquire or open a new rooftop
- You change DMS, CRM, or other core systems
- You add new high-risk vendors (digital retailing, online credit, call recording, etc.)
- You significantly change how you collect or use customer data
- There is a major threat change (for example, a new type of attack targeting dealers, or a large third-party breach affecting your vendors)
- You experience a security event and learn something new about your environment
Practically, most groups run:
- A formal annual review that ties into Board/ownership reporting
- Interim updates when a material change happens (like a DMS change or big new integration)
If your risk assessment looks identical three years in a row while your tech stack, staff, and vendors have changed, it’s a red flag.
What leadership should be asking about the risk assessment
If you’re a CEO, CFO, or GM, you don’t need to write the assessment yourself, but you should absolutely ask for clarity on it.
Questions to ask your Qualified Individual or IT/security partner:
- Do we have a current, written risk assessment that covers every rooftop and all systems that touch customer data?
- Can you walk me through our top 5 risks in business terms, not technical jargon?
- For each of those, what specific safeguards have we put in place, and how do we know they are working?
- When was this assessment last updated, and what triggered that update?
- How does this assessment feed into:
  - Our Safeguards program
  - Our cyber insurance requirements
  - Our incident response planning
  - Our vendor management
If your team can’t answer those questions cleanly, you don’t really have a usable risk assessment yet, regardless of how many pages your document is.
Bottom line
A written risk assessment is not a regulatory chore; it’s the playbook for where you focus your security effort.
For a dealership, a strong assessment:
- Makes your data landscape visible across all rooftops and departments
- Highlights real-world weaknesses before attackers or auditors do
- Guides where you invest in tools, training, and vendor controls
- Gives leadership a clear, defensible narrative when something goes wrong
Get this piece right, and every other Safeguards requirement becomes more targeted and easier to justify. Get it wrong, and you end up spending money on controls that don’t match your true risks, while the real exposure stays hidden in the background.
