As a GM, you already juggle enough: hitting the number, keeping fixed ops flowing, protecting CSI, managing turnover, and keeping the OEM off your back.
What a lot of stores still underestimate is this: if your dealership arranges financing or leases vehicles, you’re treated as a “financial institution” under GLBA, and the FTC Safeguards Rule is part of your world whether you asked for it or not.
This is not an “IT initiative.” It’s an operational risk issue that can shut down funding, cripple the service drive, and turn a normal Tuesday into a crisis.
Why this gets real fast in a dealership
Most dealership cyber incidents don’t start with a Hollywood-style hack. They start with a human moment:
- An F&I manager clicking a “lender portal update”
- An accounting clerk responding to a fake payroll request
- A service advisor opening an attachment that looks like a repair authorization
- A controller getting a “Microsoft password reset” prompt that’s not Microsoft
The Verizon DBIR consistently shows the human element is involved in a large share of breaches, and phishing clicks happen in seconds. That’s dealership pace. That’s the middle of desking, the service lane rush, month-end, or a packed Saturday.
So when we talk about the Safeguards Rule, the practical GM question is: where do we usually fail, and what do we lock down first?
The Safeguards Rule in GM language
At a high level, the FTC expects you to have a real, written information security program that’s actually implemented. Not “we have an IT vendor.” Not “we bought a tool.” A program.
That includes things like:
- Someone accountable (a qualified individual) who owns it
- A written risk assessment that reflects your store, not a template
- Controls like MFA, access management, encryption, monitoring/testing
- Ongoing training
- Vendor oversight
- An incident response plan
Now let’s talk about where this breaks in real dealerships.
Where things go wrong (the failure points we see most)
1) “IT owns it” but nobody has authority
One of the biggest misses is treating Safeguards like an outsourced task. You can have a vendor, but you still need a designated owner with the authority to enforce changes across the business.
If nobody can force MFA, kill shared logins, limit vendor access, or require training completion, you don’t have a program. You have a vendor relationship.
GM move: Assign a true owner and give them the power to say “no” to exceptions.
2) The risk assessment exists, but it doesn’t match your workflows
Dealers love templates. Regulators hate templates.
If your “risk assessment” doesn’t specifically account for your real environment, it’s a paper shield. Dealership reality includes:
- Scan-to-email and deal docs living in inboxes
- Shared workstations in service and sales towers
- Printer/copier hard drives holding contracts and RO history
- DMS exports saved to desktops
- Vendor tools with persistent access
GM move: Map where customer info lives and moves in your store, then build controls around that.
3) MFA is partially deployed (which is how attackers get in)
“Mostly on” is not on.
Email, remote access, and admin accounts are the usual entry points. If MFA isn’t enforced everywhere it should be, one compromised password can become a dealership-wide incident quickly.
GM move: Make MFA non-negotiable for email, remote access, admin accounts, and key vendor portals.
4) Microsoft 365 is running, but no one’s watching
A lot of dealerships assume Microsoft 365 or Google Workspace equals security. It doesn’t. It’s a platform.
Without proper monitoring, alerting, and configuration, you can have:
- Mailbox rules that silently forward lender emails
- Account takeovers that look like normal user activity
- Business email compromise (BEC) that triggers fake wire/pay requests
GM move: Ensure you have real detection and response, not just licenses.
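As an added example (not from this article, and not a vendor's tool), here's a PowerShell check against Exchange Online that lists the silent forwarding described above: both mailbox-level forwarding and inbox rules that forward or redirect mail outside your domains. It assumes the ExchangeOnlineManagement module is installed and you're signed in with an Exchange admin account; the domain list is a placeholder you replace with your store's own domains.

```powershell
# Added example: find mail forwarding that leaves the dealership.
# Assumes ExchangeOnlineManagement is installed and an Exchange admin signs in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Placeholder: replace with the domains your store actually owns.
$internalDomains = @('example-dealership.com')

function Test-External([string]$address) {
    # Addresses come back as "smtp:user@domain" or "Name [SMTP:user@domain]";
    # pull out the domain and compare it to the approved list.
    if ($address -match '@([\w.-]+)') {
        return ($internalDomains -notcontains $Matches[1].ToLower())
    }
    return $false
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin, or by whoever took over an admin)
    if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Type = 'MailboxForwarding'
            Target  = $mbx.ForwardingSmtpAddress; Deletes = $false
        }
    }
    # User-level inbox rules: the quiet "forward the lender's email" problem
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            if (Test-External "$t") {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress; Type = "InboxRule:$($rule.Name)"
                    Target  = "$t"; Deletes = $rule.DeleteMessage
                }
            }
        }
    }
}

# A rule that forwards externally AND deletes the original is the classic BEC setup.
$findings | Sort-Object Deletes -Descending | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule and have the owner from point 1 review anything it lists; a legitimate forward to a personal Gmail is still a Safeguards problem.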
5) Training is annual, generic, and forgotten by Tuesday
One “click-through” training once a year is not a shield. People forget, and attackers adapt.
Also, different departments face different threats:
- F&I and accounting are top targets for payment fraud
- Service advisors get hammered by attachments and invoice scams
- Reception and BDC see a ton of social engineering attempts
GM move: Short, role-based training with quick reinforcement (monthly micro-training beats annual marathons).
6) Vendors have too much access, for too long, with no review
Dealerships run on vendors: DMS, CRM, digital retail, payroll, marketing, call tracking, integrators. Vendor access is often the quiet back door.
If you can’t answer, “Who has access to what, and why?” you have a gap.
GM move: Create a vendor access list, require MFA, limit privileges, and review access quarterly.
7) Incident response is “we’ll figure it out”
In a real incident, you don’t rise to the occasion. You fall to your preparation.
If ransomware hits, you need immediate clarity:
- Who calls the cyber insurer and when
- Who calls legal counsel
- Who talks to OEMs, lenders, and customers
- Who decides to shut systems down
- What your recovery path is for DMS, email, and phones
GM move: Have a written incident response plan and run a tabletop exercise at least annually.
8) Reporting obligations surprise you after the fact
The FTC Safeguards Rule has reporting requirements for certain “notification events,” with thresholds tied to the number of consumers affected.
Dealers often don’t know this until they’re already in crisis mode.
GM move: Know what triggers reporting, and align your plan with counsel and your cyber carrier. (This is general info, not legal advice.)
A simple GM-first action plan (that doesn’t require becoming IT)
If you want the most practical way to start, focus on the highest-failure areas first:
- Name the owner and make it official
- Map your data (where NPI lives, moves, and gets stored)
- Enforce MFA across email, remote access, admin, and key vendors
- Eliminate shared logins and tighten access by role
- Verify monitoring and backups (prove you can restore)
- Lock down vendors with least privilege + quarterly review
- Run an incident tabletop so your team isn’t improvising under pressure
The bottom line
The FTC Safeguards Rule isn’t about buying security tools. It’s about running your dealership so one rushed click doesn’t turn into downtime, funding delays, and an executive-level fire drill.
