FTC Safeguards Compliance for Florence, KY Auto Dealerships: What Your DMS Vendor Won’t Configure

The CDK Global ransomware attack in June 2024 took roughly 15,000 dealerships offline for the better part of two weeks. For Florence, KY auto dealerships, many of them anchored along the US-42 and Dixie Highway corridor, it was a stark illustration of what happens when a single DMS dependency becomes both a point of failure and an attack vector. The FTC’s amended Safeguards Rule, whose compliance deadline passed in June 2023, means that kind of exposure is no longer purely operational risk. It is regulatory and legal risk as well, and Florence dealerships operating finance and insurance desks are squarely in scope.

Why Auto Dealers Are Covered Under the FTC Safeguards Rule

Auto dealers qualify as “financial institutions” under the Gramm-Leach-Bliley Act because they originate and arrange consumer financing: credit applications, indirect lending through captive finance arms and third-party lenders, and lease structures. That classification brings 16 CFR Part 314 into full force. The amended rule requires a formal Written Information Security Program (WISP), and the bar is substantially higher than a firewall policy document drafted five years ago.

The specific obligations include: a designated Qualified Individual responsible for the program; written risk assessments, revisited periodically, covering every system that touches customer nonpublic personal information (NPI); multi-factor authentication for anyone accessing an information system that holds NPI, unless the Qualified Individual approves an equivalent control in writing; encryption of customer data in transit over external networks and at rest; either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months; a written incident response plan; regular testing of the safeguards themselves; security awareness training for staff; an annual written report from the Qualified Individual to ownership or the board; and a service provider oversight program covering DMS providers, lenders, and CRM platforms.

That last requirement is where most Florence dealerships have a gap they have not fully recognized. Your DMS vendor, whether CDK Global, Reynolds & Reynolds, or Dealertrack, provides the platform. It does not configure your network segmentation, harden your endpoints, or manage your staff’s Microsoft 365 tenant. That responsibility belongs to you, and the rule holds you, not the vendor, accountable for it.

The Attack Surface in a Typical Florence Dealership

A mid-sized Florence new-car franchise typically runs multiple overlapping environments on the same network: DMS terminals in the F&I office and accounting, service advisor workstations running parts lookup and repair order software, showroom-floor tablet kiosks, a guest Wi-Fi network that often shares a broadcast domain with back-office systems, surveillance cameras on aging firmware, and a VoIP phone system. In assessments of comparable dealerships in the Greater Cincinnati area, the most common findings are flat networks with no VLAN segmentation, Windows systems more than 12 months behind on patches, shared local administrator credentials across F&I workstations, and backup sets stored on the same network segment as production data.

That last item is directly relevant to the CDK incident. When ransomware encrypts your DMS and your backup is reachable with the same credentials from the same compromised machine, the backup is encrypted too, and recovery time is measured in weeks, not hours. Immutable backups (Veeam hardened repositories or object storage with object lock) with an offsite or air-gapped copy, plus restores actually performed on a documented schedule rather than just backup jobs reported as successful, are what the Safeguards Rule’s testing requirement points toward. Titan Tech’s backup and disaster recovery services use exactly this architecture for dealership clients.

Endpoint detection is the other critical gap. Consumer-grade antivirus relies on signatures and misses the behavior that modern ransomware and info-stealers actually exhibit: credential dumping, shadow copy deletion, mass file renames. Dealerships at this scale benefit from managed cybersecurity built on SentinelOne EDR with Huntress MDR providing 24/7 human threat hunting, meaning a trained analyst reviews flagged behavior rather than an automated rule set alone.

Microsoft 365 Is Not Secured by Default

Most Florence dealerships run Microsoft 365 for email and internal collaboration. A default M365 tenant is not Safeguards-compliant. Newer tenants ship with Microsoft’s “security defaults” turned on, but those are frequently disabled by an earlier vendor to make a copier, scanner, or legacy DMS integration work, and older tenants never had them. Once that happens, legacy authentication protocols (basic auth for IMAP, POP, and SMTP AUTH, among others) are permitted; those protocols cannot complete an MFA challenge, so they bypass MFA entirely and are the favored target of password-spray and credential-stuffing campaigns. Conditional Access policies, which enforce MFA based on user, location, device, and risk signals, are not configured out of the box.

Business email compromise through hijacked M365 accounts is among the most common fraud vectors in dealership finance offices. Attackers gain access to a staff mailbox, add an inbox rule to hide their activity, monitor for pending wire transfers related to floor plan financing or vehicle purchases, and redirect payments. One successful BEC event in this category routinely exceeds $80,000. Hardening the M365 tenant (blocking legacy auth, enabling Conditional Access with MFA for every user, deploying Defender for Business) is not optional under the Safeguards Rule’s access control requirements, and a competent managed IT team can execute it in days, not months. Two practical caveats: roll each policy out in report-only mode first so you can see which service accounts or devices will break, and exclude a dedicated break-glass admin account so a misconfigured policy cannot lock the whole tenant out.
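The following script shows what that hardening step looks like in practice using the Microsoft Graph PowerShell SDK. It is an added example, not code from the original article or from Titan Tech: it first lists recent sign-ins that used a legacy (non-browser, non-modern-client) protocol so you know what will break, then creates two Conditional Access policies in report-only mode, one blocking legacy authentication and one requiring MFA for all users. It assumes the Microsoft.Graph module is installed, that the tenant has an Entra ID P1 license (included in Microsoft 365 Business Premium, required for Conditional Access), and that the break-glass account UPN and the display names are placeholders you replace.

```powershell
# Added example: audit legacy auth, then stage CA policies in report-only mode.
# Requires: Install-Module Microsoft.Graph ; Entra ID P1 (Business Premium).
# Assumed placeholder: replace with your real break-glass account.
$BreakGlassUpn = 'breakglass@example.com'

Connect-MgGraph -Scopes 'Policy.Read.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'AuditLog.Read.All',
                        'User.Read.All'

# Resolve the break-glass account to its object ID (CA policies exclude by ID).
$breakGlass = Get-MgUser -UserId $BreakGlassUpn
if (-not $breakGlass) { throw "Break-glass account $BreakGlassUpn not found" }

# 1. Audit: who is still signing in with legacy protocols?
#    Anything other than 'Browser' or 'Mobile Apps and Desktop clients'
#    (IMAP, POP, Authenticated SMTP, Exchange ActiveSync, Other clients)
#    will be blocked by the policy below. Fix those first.
$filter = "clientAppUsed ne 'Browser' and clientAppUsed ne 'Mobile Apps and Desktop clients'"
$legacy = Get-MgAuditLogSignIn -Filter $filter -Top 500
$legacy |
    Group-Object userPrincipalName, clientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Block legacy authentication (report-only; flip to 'enabled' once clean).
$blockLegacy = @{
    displayName   = 'Safeguards - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 3. Require MFA for every user on every app (report-only first).
$requireMfa = @{
    displayName   = 'Safeguards - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Confirm both policies exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object displayName -like 'Safeguards - *' |
    Select-Object displayName, state
```

Leave the policies in report-only mode for a week, review the Conditional Access insights in the sign-in logs for anything that would have been blocked, migrate any scanner or DMS integration that still needs SMTP AUTH to a modern-auth connector or an app password scoped to that single account, then change `state` to `enabled`. The break-glass account should be a cloud-only Global Administrator with a long random password stored offline and its own sign-in alerting.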

Wireless and Physical Security Complete the Compliance Picture

Dealership wireless networks need an architecture that satisfies the Safeguards Rule’s access control requirements. Guest and customer-facing SSIDs must be isolated from any network segment that touches NPI, with no route between them. Service bay Wi-Fi, used by technicians for parts lookup and DMS access, should be on its own VLAN with firewall rules permitting only the specific DMS and parts-catalog destinations it needs. A properly segmented wireless network is straightforward to implement with the right structured cabling foundation; for most dealership footprints it is a one- to two-day project.

The physical layer matters as well. Vehicle key control, service lane access, and after-hours lot access all carry liability that electronic access control systems address with auditable trails. IP surveillance on Avigilon or Axis cameras gives the incident documentation that a tested response plan requires.

What a Safeguards-Ready Program Looks Like in Practice

For a Florence dealership with 50 to 150 employees, a compliant information security program involves six concrete components: a formal annual risk assessment with written output; MFA on all DMS, M365, and VPN access points; network segmentation isolating F&I and accounting from other environments; endpoint protection with behavioral detection and 24/7 monitoring; tested immutable backups with documented recovery time objectives; and a written vendor management process covering your DMS provider, lenders, and any third party accessing customer data.

The Qualified Individual designation also requires attention. The rule does not require a full-time internal hire; an employee of a managed IT provider can fill the role. But someone must be formally named, the program must report to them, and they must report in writing to ownership or the board at least annually. If the role is outsourced, the rule still requires the dealership to designate a senior employee to oversee the provider, and the dealership remains responsible for the program’s compliance.

The FTC has issued enforcement actions and guidance letters in the retail auto sector since the amended rule took effect. Dealerships in Kentucky and Ohio are not exempt from federal enforcement. The rule also carries its own notification obligation: since May 2024, a dealership must notify the FTC within 30 days of discovering a security event involving the unencrypted information of 500 or more consumers. The CDK incident demonstrated what operational disruption looks like; a regulatory enforcement action adds civil penalties and reputational damage on top of that.

If your Florence dealership has not completed a Safeguards risk assessment since June 2023—or if a network refresh, DMS migration, or expansion has not been reviewed against current requirements—contact Titan Tech to schedule an assessment. We work with auto dealerships across Greater Cincinnati and Northern Kentucky and can close the gap between where your program stands today and what the rule requires.