What a “Qualified Individual” Actually Does at a 5–10 Rooftop Group (And How to Measure Their Impact)

Audience: Dealer Principal and Controller/Compliance Officer at a 5–10 rooftop group. Secondary: IT/InfoSec lead, GM, GSM.

Quick refresher: why this role exists

The FTC Safeguards Rule requires every “financial institution” (dealers count) to designate a Qualified Individual (QI) to implement and oversee the information security program. In plain dealership terms: the QI is the owner of cyber risk and proof of due diligence.


Note: This post is practical guidance, not legal advice. Confirm requirements with counsel and your carriers.

The job, in dealership language

Core outcomes the QI owns

  • Keep the DMS, CRM, and lender workflows available and trustworthy.
  • Reduce the likelihood and blast radius of ransomware, BEC/wire fraud, and data leakage.
  • Produce evidence for auditors, OEM field teams, your cyber insurer, and the FTC.

Day-to-day responsibilities (that actually fit the store rhythm)

  • Security operations oversight: review MDR/EDR alerts, phishing results, and privileged access changes. Escalate to IT or vendor as needed.
  • User lifecycle hygiene: weekly offboarding check against HR term list; monthly least-privilege review in DMS/CRM and M365.
  • Vendor and data map owner: maintain who touches PII across DMS, CRM, menu/F&I, digital retailing, recon apps, marketing, service texting.
  • Controls verification: quarterly evidence that MFA, backups, patching, email security, and encryption are in place and monitored.
  • Training and testing: run role-based micro-training, phish your own stores, and coach GMs on results.
  • Incident readiness: tabletop exercises and runbooks for DMS outage, wire fraud attempt, and ransomware.
  • Board-level reporting: roll up KPIs for the Dealer Principal and Controller with a simple green/yellow/red scorecard.
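The weekly offboarding check above (and the "HR list vs. AD/DMS export" evidence line on the scorecard further down) is the one responsibility that is easiest to automate from the exports the QI already collects. The script below is an added example written for this post, not tooling from any dealership or vendor: it reconciles a constructed HR termination list against a constructed directory export, flags accounts still enabled past the 24-hour window, flags any login after the termination date, and computes the scorecard percentage. The column names (employee_id, term_date, enabled, last_logon) are assumptions; map them to whatever your HR and directory exports actually produce.

```python
"""Weekly offboarding reconciliation: HR termination list vs. directory export.

Added example for this post, not the group's own tooling. It assumes two CSV
exports the QI already collects as evidence: the HR term list and an AD or
DMS account export. Column names (employee_id, term_date, enabled, last_logon)
are assumptions; map them to whatever your HR and directory exports produce.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample exports for illustration (not real people or accounts).
HR_TERMS_CSV = """employee_id,name,term_date
1001,Alice Example,2024-05-01
1002,Bob Sample,2024-05-06
1003,Cara Demo,2024-05-07
1005,Evan Placeholder,2024-05-02
"""

AD_EXPORT_CSV = """employee_id,username,enabled,last_logon
1001,aexample,TRUE,2024-05-03
1002,bsample,FALSE,2024-05-06
1003,cdemo,TRUE,2024-05-07
1004,dstaff,TRUE,2024-05-07
"""

AS_OF = date(2024, 5, 8)  # the day the weekly check is run (constructed)


def parse_date(value):
    return datetime.strptime(value.strip(), "%Y-%m-%d").date()


def is_enabled(flag):
    return flag.strip().upper() in ("TRUE", "1", "YES", "ENABLED")


def reconcile(hr_csv, ad_csv, as_of, grace_days=1):
    """Compare every terminated employee against the directory export.

    Statuses:
      DISABLED          - account is off; this is the desired end state
      PENDING_IN_GRACE  - still enabled but the 24-hour window has not elapsed
      OVERDUE_ENABLED   - still enabled past the window; escalate to IT today
      NOT_IN_EXPORT     - no matching account row; confirm the person truly had
                          no login rather than assuming they were never set up
    A last logon after the term date is flagged separately because it is the
    signal that most needs a human look (shared creds, missed term, or misuse).
    """
    accounts = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(ad_csv))}
    findings = []
    for term in csv.DictReader(io.StringIO(hr_csv)):
        emp_id = term["employee_id"]
        term_date = parse_date(term["term_date"])
        deadline = term_date + timedelta(days=grace_days)
        acct = accounts.get(emp_id)
        if acct is None:
            status = "NOT_IN_EXPORT"
        elif not is_enabled(acct["enabled"]):
            status = "DISABLED"
        elif as_of > deadline:
            status = "OVERDUE_ENABLED"
        else:
            status = "PENDING_IN_GRACE"
        logon_after_term = bool(acct and acct.get("last_logon", "").strip()
                                and parse_date(acct["last_logon"]) > term_date)
        findings.append({
            "employee_id": emp_id,
            "name": term["name"],
            "username": acct["username"] if acct else None,
            "term_date": term_date,
            "deadline": deadline,
            "status": status,
            "logon_after_term": logon_after_term,
        })
    return findings


def on_time_rate(findings, as_of):
    """Scorecard KPI: % of terminations past their deadline that are disabled.
    A missing export row counts as a miss, not a pass, because it is unproven."""
    due = [f for f in findings if as_of > f["deadline"]]
    if not due:
        return 100.0
    disabled = sum(1 for f in due if f["status"] == "DISABLED")
    return round(100.0 * disabled / len(due), 1)


if __name__ == "__main__":
    results = reconcile(HR_TERMS_CSV, AD_EXPORT_CSV, AS_OF)
    for f in results:
        flag = " LOGON-AFTER-TERM" if f["logon_after_term"] else ""
        print(f"{f['employee_id']} {f['name']:<18} {f['status']:<17}{flag}")
    print(f"Disabled within 1 day(s): {on_time_rate(results, AS_OF)}%")
```

Run it against the two exports each week and file the printed list with the HR list and AD/DMS export as that week's evidence. The NOT_IN_EXPORT and LOGON-AFTER-TERM lines are the ones worth raising at the weekly QI + IT meeting; the percentage feeds the "Offboarding hygiene" row directly.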

What good looks like: a 90-day plan

Days 1–30: Stabilize and see the risk

  • Publish a one-page WISP summary for GMs: what we do, why, who’s on point.
  • Inventory systems and vendors touching NPI: DMS, CRM, menu/F&I, forms, digital retailing, phone/texting, recon, accounting AP, HR/Payroll.
  • Baseline controls: confirm MFA on email and remote access, EDR on endpoints, daily backup health checks, email auto-forward blocks, admin account separation.
  • Run a phishing baseline and an offboarding audit (last 6 months).
  • Create a QI scorecard (template below) and set initial targets.

Days 31–60: Close biggest gaps

  • Fix user access: disable stragglers, remove shared admin accounts, enable conditional access for M365.
  • Patch and protect: get every fixed-ops PC and F&I machine under EDR and a patch cadence.
  • Vendor due diligence: request security attestation from top 10 vendors; file them in a shared “Safeguards” folder.
  • Build three runbooks: DMS outage, BEC/wire fraud, ransomware. Tabletop each with one store.

Days 61–90: Prove it and operationalize

  • Launch monthly 15-minute trainings per role (Sales, F&I, Service Advisors, Accounting).
  • Implement quarterly access reviews (DMS/CRM/admin).
  • Deliver first executive report to the Dealer Principal: KPIs, costs, and next-quarter priorities.
  • Schedule the annual risk assessment and pen test with your partner.

The QI scorecard (one-page view)

Pillar | KPI | Target | Owner | Evidence
Phishing resilience | Failure rate | < 4% per quarter | QI + GM | Campaign report
Offboarding hygiene | Terminated users disabled within 24 hours | 100% | HR + IT | HR list vs. AD/DMS export
MFA coverage | Email, VPN/RDP, privileged DMS/CRM | 100% | IT | Screenshots/policy export
Endpoint protection | EDR deployed & healthy | > 98% | IT/MDR | Console export
Backups | Verified, immutable, tested | Weekly test pass | IT | Test log
Patching | Critical updates applied | < 14 days | IT | RMM report
Vendor due diligence | Top vendors with attestations | 100% of top 10 | QI | Vendor folder
Training coverage | Completed quarterly | > 90% | QI + GM | LMS export
Incident readiness | Tabletop exercises | 2 per quarter | QI | Agenda + notes
Wire fraud controls | Dual control & callback adherence | 100% wires | Controller | AP checklist

Pro tip: Keep the scorecard to one page. Green/yellow/red. No jargon.
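To turn the scorecard into the green/yellow/red view without a spreadsheet full of nested IFs, here is an added example (written for this post, not a template from any dealership or vendor) that encodes the targets above as direction-plus-threshold pairs and rates one period's measured values. Two assumptions are baked in and labelled in the code: a "< 4%" or "> 98%" target is treated as an inclusive bound, and "yellow" means within 25% of the threshold. A pillar with no measurement is rated GREY rather than green, because missing evidence is the finding an auditor or carrier will notice first.

```python
"""Green/yellow/red evaluation for the QI scorecard.

Added example, not the post's template. It encodes the targets from the
scorecard table as (direction, threshold) pairs and rates this period's
measured values. Two assumptions: a "<"/">" target is treated as an
inclusive bound, and yellow means within 25% of the threshold; tune both
per KPI if your group prefers tighter bands.
"""

# direction "max": lower is better, measured must be <= threshold.
# direction "min": higher is better, measured must be >= threshold.
TARGETS = {
    "Phishing resilience":  ("max", 4.0),    # phish failure rate, % per quarter
    "Offboarding hygiene":  ("min", 100.0),  # % of terms disabled within 24h
    "MFA coverage":         ("min", 100.0),  # % of in-scope accounts with MFA
    "Endpoint protection":  ("min", 98.0),   # % endpoints with healthy EDR
    "Backups":              ("min", 100.0),  # % of weekly restore tests passed
    "Patching":             ("max", 14.0),   # days to apply critical updates
    "Vendor due diligence": ("min", 100.0),  # % of top 10 with attestations
    "Training coverage":    ("min", 90.0),   # % staff completed this quarter
    "Incident readiness":   ("min", 2.0),    # tabletops run this quarter
    "Wire fraud controls":  ("min", 100.0),  # % wires with dual control + callback
}

YELLOW_BAND = 0.25  # assumption: within 25% of the threshold rates yellow


def rag(direction, threshold, measured, band=YELLOW_BAND):
    """Rate one KPI. A missing measurement is GREY: no evidence is not green."""
    if measured is None:
        return "GREY"
    if direction == "max":
        if measured <= threshold:
            return "GREEN"
        return "YELLOW" if measured <= threshold * (1 + band) else "RED"
    if direction == "min":
        if measured >= threshold:
            return "GREEN"
        return "YELLOW" if measured >= threshold * (1 - band) else "RED"
    raise ValueError(f"unknown direction {direction!r}")


def evaluate(measured, targets=TARGETS):
    """Return {pillar: status} for every pillar on the scorecard, GREY if unmeasured."""
    return {name: rag(d, t, measured.get(name)) for name, (d, t) in targets.items()}


def summary(statuses):
    """Counts per colour plus the pillars that need a decision this month."""
    counts = {c: 0 for c in ("GREEN", "YELLOW", "RED", "GREY")}
    for s in statuses.values():
        counts[s] += 1
    attention = sorted(n for n, s in statuses.items() if s in ("RED", "GREY"))
    return counts, attention


# Constructed measurements for one reporting period (illustrative only).
PERIOD = {
    "Phishing resilience": 3.1,
    "Offboarding hygiene": 33.3,
    "MFA coverage": 100.0,
    "Endpoint protection": 97.0,
    "Patching": 16.0,
    "Vendor due diligence": 100.0,
    "Training coverage": 85.0,
    "Incident readiness": 1.0,
    "Wire fraud controls": 100.0,
    # "Backups" deliberately absent: no test log was filed this period
}

if __name__ == "__main__":
    statuses = evaluate(PERIOD)
    for name, status in statuses.items():
        print(f"{status:<6} {name}")
    counts, attention = summary(statuses)
    print(counts)
    print("Needs a decision:", ", ".join(attention))
```

The "Needs a decision" list is what goes in front of the Dealer Principal at the quarterly review; everything else stays on the one-page colour grid.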

RACI that prevents finger-pointing

  • QI: Owns policy, risk assessment, reporting, vendor due diligence, training, and audits.
  • IT/MDR partner: Owns tooling, monitoring, patching, EDR, backup integrity, incident response execution.
  • Controller/AP: Owns wire controls, positive pay, callback verification, vendor master changes.
  • GMs/GSMs: Enforce training completion, approve access changes, back up the QI on social engineering policies.
  • HR: Owns joiner/mover/leaver feed and timing.

Meeting cadence that won’t bog down the stores

  • Weekly (20 minutes): QI + IT. Review alerts, offboarding, patch exceptions.
  • Monthly (30–45 minutes): QI + GMs + Controller. Scorecard, incidents, training results, top 3 risks.
  • Quarterly (60 minutes): Executive review with Dealer Principal. Budget, insurance requirements, pen test plan, audit prep.

Tool stack that plays nice with dealerships

  • Identity & email: Microsoft 365 with conditional access, phishing protection, and auto-forward blocks.
  • Endpoint & server: EDR with 24/7 MDR.
  • Backup: Immutable, off-domain copies; quarterly restore tests.
  • Email security: Inbound scanning, impersonation protection, and external tag.
  • Awareness: Role-based micro-training plus monthly phish.
  • GRC light: Ticketing or spreadsheet for evidence and tasks; shared “Safeguards” drive.

Budgeting reality check

For a 5–10 rooftop group, most QI programs land in two shapes:

  • Internal QI + Co-Managed IT: QI at 0.3–0.5 FTE plus outside MDR and project help.
  • Outsourced QI with internal IT: Vendor provides QI function, you keep a strong internal IT coordinator.

Either way, tie spend to risk reduction and insurance requirements, not tools-for-tools’ sake.

Frequently asked dealer questions

Does the QI have to be an employee?
No. You can designate a qualified service provider if they have the expertise and you retain oversight.

Can the Controller also be the QI?
Yes at smaller groups, but guard their time. Pair them with an MDR partner for 24/7 coverage and evidence collection.

What counts as proof for auditors or carriers?
Policies, change logs, screenshots, exports, vendor attestations, training reports, tabletop agendas/notes, and your scorecard.

Downloadable snippets you can lift into your SOPs

QI one-page charter

  • Mission: Reduce cyber and compliance risk across Sales, F&I, Fixed Ops, and Accounting.
  • Authority: Can require access changes, pause risky vendor integrations, and mandate training.
  • Success: Downtime avoided, fraud attempts stopped, clean audits, stable insurance premiums.

Wire callback script for Controllers

  1. “This is [Name] from [Dealership Group]. I’m confirming wire details for invoice #[###].”
  2. Use a known good number from the vendor master, not the email thread.
  3. Record date/time, contact name, and confirmation in AP checklist.

How to measure impact beyond IT metrics

  • Operations: fewer deal delays from DMS/CRM issues, faster desking, no rekeys after outages.
  • Accounting: zero unauthorized vendor changes, clean month-end, no unexplained ACH/wire losses.
  • Fixed Ops: no service drive slowdowns from dead PCs or phishing lockouts; advisors follow texting policy with no PII leaks.
  • Insurance: better renewal terms and fewer painful questionnaires because you have evidence on hand.