Dealers: Plan Now for a Cybersecurity Attack
Experts discuss recent incidents and how dealers can protect their businesses.
As the CDK outage continues to roil the dealership world, dealers should look ahead and plan for the next cybersecurity attack. And that planning should be actually written down, as in a book with paper pages.
“This is a huge wake-up call for everyone in our industry,” dealership consultant Todd Caputo says during a recent live stream panel hosted by ASOTU (Automotive State of the Union community). “You have to have a playbook or manual to open up when something like this occurs.”
That means more than having a file with the plan. Experts recommend an actual book.
“You have to have it printed out,” Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, tells WardsAuto. The nonprofit Alliance advocates for the safe use of technology and educates on protection from cybercrime.
Back to Basics
The immediate response to an outage was, and will usually be, a return to pen and paper. That can be beneficial, Caputo says. Many younger dealership employees have never had to learn the details of how parts get ordered, how technicians get paid or how the information on a sale is submitted, he says. Doing it by hand, “you learn how a deal actually works,” he says.
But the pen and paper method has limitations.
Leaders at Nissan of Bowie in Maryland started using pen and paper when the Dealer Management System (DMS) went down, says dealership owner and ASOTU panelist Damon Lester. “We have gone old school,” he says.
But trying to capture all the necessary data by hand, especially in the parts and service department, is difficult, Lester says. Figuring out the hours for the technicians and service advisors will be a challenge, he says.
And, he adds, all the data will need to be keyed into the computer when the system is back up.
Dealer Organizations and Vendors to the Rescue
The National Assn. of Minority Automobile Dealers (NAMAD) has suggestions for dealing with this outage and preparing for the next, says Lester, a past president and current board member of the organization.
It sent members an email with steps to take, including updating the dealership’s website to ask customers to call or chat instead of submitting online leads, and to submit forms by sending them to the internet manager’s email address.
NAMAD also suggests getting legal advice about responsibilities if personal information is compromised and consulting with insurance companies about coverage. Consider if the insurance covers a third-party vendor event, coverage for customer claims against a dealership due to the event, and whether your general business interruption policy covers it, NAMAD recommends.
“Dealerships also need to figure out ramifications from lost business,” Lester adds.
When a dealership’s DMS is functional again, accounting firm Withum recommends dealers employ an overall reconnaissance before returning to business as usual. All departments should help the accounting office gather information collected during downtime and ensure it is accurately entered, Withum says.
Dealerships also need to ensure all templates are correct, that sales tax calculations are correct, and closing balances on May 31 and June 1 are free of discrepancies.
“Do not assume that this breach only impacted data collected when CDK was down,” Withum says.
‘Change Healthcare’ Moment
Steinhauer calls the CDK attack the ‘Change Healthcare’ moment for the auto industry.
In February 2024, Change Healthcare’s nationwide health care billing and information systems were frozen, and cybercriminals demanded a ransom to unlock them. Change Healthcare processes about half of all U.S. health care claims.
The DMS world is similarly concentrated. CDK, Reynolds & Reynolds and Dealertrack together provide services to around 80% of all dealerships. CDK is used by some 15,000 dealers.
So, like the health care system, when a dealer management system has a problem, “a lot of people have a problem,” Steinhauer says.
Dealerships and the health care profession collect a wealth of personal information, so data privacy concerns are magnified by the consolidation of services under just a few providers, he says.
Steinhauer recommends a dealership prepare for future outages by first doing an inventory of all the software it uses and who can access what data at what time. Focus on “the right users accessing the right data at the right time,” he says.
Strong passwords, multifactor authentication and training staff on cybersecurity, especially phishing, are key, as is keeping good backups of data.
All dealerships should have a business continuity plan detailing how to continue to operate when cybersecurity or other threats occur. That can start with writing information down, he says.
“The businesses (with) older staff are probably faring better because they remember the pen and paper days,” Steinhauer says.
Other aspects of the plan can include having an emergency laptop and free accounting software, using Google spreadsheets or submitting forms through an alternative website.
“You have to brainstorm,” Steinhauer says. “(Think), how would this work if we didn’t have this system?”