top of page

Compliance Does Not Equal Security

Selecting Safeguards that protect your dealership and how much it costs.


Cover image for Mosaic's article entitled Compliance Does Not Equal Security.

The Safeguards Rule is seen by many dealers as a compliance problem. They often approach it the same way they approach other challenges at the dealership, asking, “What is the fastest and cheapest way I can check this box?” This is the wrong approach. And if taken, it may cost a dealership its most precious resource – its clients. According to CDK, 84% of consumers will not go back to a dealer where their data has been compromised. This whitepaper will give you the inside scoop on how to select Safeguard solutions that protect your dealership and potentially help your bottom line.


A graphic describing some statistics related to dealership Safeguards compliance.

Let’s start with the basics


Simply satisfying the minimum requirements of the Safeguards rule does not guarantee a data breach will not happen. However, if you implement the right infrastructures in the process, it will reduce the chance your organization will become a victim. Plus, it can greatly reduce the cost should a breach occur. Research from IBM’s 2022 Cost of a Data Breach Report showed the average cost of a data breach was $4.35 million. In contrast, organizations implementing protections reduced this cost by 70%.


What is a dealer to do? Select Safeguards solutions that protect your customer information continuously. A prime opportunity for this is with the continuous monitoring requirement. The FTC gives organizations two options to comply: continuous monitoring or annual penetration testing and vulnerability assessments at least every six months.


While both approaches fulfill the requirement, only true continuous monitoring, also known

as Endpoint Detection and Response (EDR or XDR), provides 24/7 real-time protection against cyber-attacks. A good EDR will include a human component known as Security Operations Center (SOC). A SOC is a team of cyber security experts that analyze your threats

Graphic describing the difference between Penetration Testing and Continuous Monitoring.

and help shut down a breach attempt as it is happening. There is no substitute for ongoing protection and human remediation. And while a penetration test is an excellent tool, alone, it does not protect you. For the best results, pair your EDR and SOC with frequent vulnerability scans or regular pen tests. You can bet that dealers who have already had a breach certainly are.


In 2022, 15% of dealerships experienced a cybersecurity incident.


There are about 17,000 franchised new car dealerships in the United States. In 2022, 15% experienced a cybersecurity incident according to CDK Global’s Annual Cybersecurity Study. The most common threat was sophisticated phishing attacks. These attacks involve tricking employees into revealing sensitive information or downloading malware through false emails or websites. It is interesting to note that the Safeguards Rule requires security awareness training for all employees, but does not require simulated phishing training. Phishing training is an affordable and powerful tool that when done continuously, can effectively reduce your risk of a breach.


More Affordable Than You Might Think


There is always concern about the cost of compliance. Here are a few things to know right away. Not all pen tests nor EDR services are equal. A good pen test typically takes place over several days and can cost between $10,000 - $30,000 per test. Beware of “free” or “fully automated” pen tests. While tempting, they lack the expert insight and recommendations that only a live pen test professional can provide to ensure your vulnerabilities are truly addressed.


EDR is typically charged as a monthly service based on the number of endpoints (workstations) or users you have. The type of EDR you need often depends on your level of in-house IT resources. If you do not have dedicated IT staff with cybersecurity expertise, it may be ideal to select an EDR with a SOC that fully remediates threats for you 24/7. For a dealership with 75 employees, this may cost anywhere from $6,000 - $10,000 or more a year.


Graphic describing how Phishing Simulation Training works.

Simulated phishing can be priced out in a number of ways such as per person, per emails sent, per test, or even bundled with security awareness training. Be sure to check the fine print to identify the true cost. Look for programs that offer unlimited phishing tests, allow a cadence of your choosing, and have training built-in at the moment an employee falls for the simulated phishing. Pricing may start at a few dollars per employee per month, with the opportunity for volume discounts.


EDR can help lower the cost of a cyber insurance policy, stop threats like ransomware, and overall lower the cost of downtime if a breach occurs.


Finally, implementing the right type of protections may help reduce other expenses at the dealership. For example, having EDR can help lower the cost of a cyber insurance policy, stop threats like ransomware, and overall decrease the cost of downtime if a breach occurs.


Compliance with the Safeguards Rule is not simply about avoiding government penalties. It is much more about protecting your customers and avoiding costly data breaches. By implementing Safeguards that continuously protect and train your dealership, you can feel confident that compliance with the Safeguards Rule is indeed helping your business. Compliance is possible, a higher level of cybersecurity is possible, and it is much more affordable than you think without taking shortcuts. Start now.


About Mosaic


Mosaic has over 16 years of experience developing compliance solutions exclusively for the retail automotive industry. In 2022 Mosaic created Mosaic Cyber Security a new company dedicated to providing a compliance solution for the revised FTC Safeguards Rule. Mosaic

provides a compliance solution that fulfills all the requirements of the revised Safeguards Rule. To learn more visit mosaiccs.com/safeguards.


bottom of page