By Greg Reddock
Cybercrime is increasing in many industries, and the automotive sales industry is no exception. Auto dealers are under constant attack by cybercriminals because of the large quantities of customer data stored on dealership management systems and the hefty sums involved in car buying.
In fact, 85% of dealership IT employees reported that their dealerships were victims of at least one cybersecurity incident within the past two years, according to CDK Global, a firm that provides technology solutions to auto, truck, motorcycle, marine, recreational and heavy equipment dealers worldwide. On average, 153 viruses and 84 malicious spam emails are intercepted daily by auto dealer IT networks, according to another report published by industry trade magazine Automotive News.
These cyberattacks can be costly for dealers. PointPredictive, an auto finance artificial intelligence firm that tracks these incidents, estimates that Internet fraud cost dealers more than $26 billion between June 2016 and July 2019.
The vast majority–91%–of cyberattacks on auto dealers involve social engineering–the use of deception to manipulate individuals to do something they should not.
For example, say your comptroller receives an email that looks like it came from the dealership’s owner requesting a funds transfer to buy a fleet of cars. The comptroller sends the money to the bank account listed without verifying the request, and poof! The money is gone, sent to some offshore account whose real owners can’t be traced.
“Digital kidnapping” scams involving the use of ransomware are also growing in popularity. One such scam hit a dealership in South Florida last December. An unsuspecting employee opened a phishing email and launched a ransomware attack that crippled most of the computer systems at five interconnected dealerships, halting operations for several days. No employee or customer data was stolen, but it cost the dealer nearly $500,000 to restore the IT system.
Since most dealerships have up to 20 vendors accessing their systems, they are also vulnerable to back-door attacks. That was how the 2013 Target Stores breach occurred. A hacker accessed 41 million customer accounts on Target’s credit card processing system via an HVAC vendor’s IT system. Vendors are most susceptible to ransomware because criminals realize that interrupting the dependent and interconnected relationships between vendors and customers will cause the most pressure, making it more likely that the vendors will pay quickly to protect customers. Once a dealership falls victim to a ransomware attack, the extended loss of business and the cost of repairing systems could be quite costly, especially if multiple dealerships are connected on one network.
Insurance package policies designed for automotive dealerships don’t always pay for such crimes. And if a package policy does have any coverage, it will be subject to sub-limits, or there may be exclusions. For example, most auto dealer package policies exclude coverage for incidents involving employee and third-party theft, as in the case of an employee absconding with a customer’s vehicle. Package policies also exclude coverage for “voluntary” release of funds, as in the case of social engineering scams.
Crime policies and cyber insurance can fill many of these gaps, but make sure your broker checks the box for “social engineering” coverage on the insurance application. Otherwise you’ll still have some holes in your coverage.
Implementing a cyber security plan is helpful in limiting your dealership’s exposure to such risks, but no plan is 100% foolproof. That’s why your cyber security plan should include cyber insurance. Cyber policies include risk management and legal services, third-party liability, cover for regulatory defense, fines and penalties, and business interruption coverage.
Cyber insurance also has benefits that come in handy if your dealership has an incident that makes headlines. In a recent survey taken by Total Dealer Compliance, 84% of consumers said they would not buy a car from a dealership after a data breach. Besides breach notification and credit monitoring, cyber insurance provides access to crisis public relations services to help salvage a dealer’s reputation.