Buying an auto dealership? Assess cyber risk

With data security increasingly important to auto dealers — from the threat of cyberattacks that could halt their operations to their ability to obtain insurance coverage — the topic is often on the table during buy-sell transactions.

It’s especially important as dealerships prepare for stiffer regulations related to securing consumers’ private information, dealership consultants say.

Experts say dealers interested in acquiring new stores should, as part of due diligence when evaluating a transaction, ask sellers about the security practices they deploy, especially ahead of new requirements under the federal Safeguards Rule. The rule outlines how financial institutions — including auto dealerships — must protect consumer information.

Consultants who advise auto retailers on cybersecurity and on mergers and acquisitions told Automotive News that dealership buyers should understand risks associated with the store or stores being acquired and have a plan to tighten any security protocols as needed, including replacing computers and training employees.

“Safeguards really has to be present in the entire transaction,” from negotiations and closing to integration, said Randy Henrick, a compliance lawyer with Ignite Consulting Partners in Middletown, Del., who works with dealerships.

But even before changes take effect in December, risk and vulnerability assessments should be conducted on sellers’ information technology systems before closing and again after the dealership becomes part of the buyer’s systems, Henrick said, to identify any additional measures that should be taken.

In October, the Federal Trade Commission released amendments to the Safeguards Rule, part of the federal Gramm-Leach-Bliley Act. Auto dealerships are regulated as financial institutions under the rule because they offer vehicle financing agreements.

Dealerships will be required to adopt data encryption and multifactor authentication, designate a single “qualified individual” to manage the organization’s information security program, conduct a written assessment of the potential security risks and scan their systems for technical vulnerabilities, such as missing security patches.

The updated rule says financial institutions must adjust their cybersecurity plans, including conducting vulnerability scans, “whenever there are material changes to your operations or business arrangements.”

“What they’re really saying is, if you have a material change like this, if you were to acquire a dealership, you need to go and reevaluate what do they have,” said Erik Nachbahr, president of Helion Technologies, a dealership information technology consultant.

The Safeguards Rule also allows for continuous, real-time network monitoring, which Nachbahr said likely could be done in place of regular vulnerability scans and penetration testing, or simulated attacks to find weak points.

It’s now common to see safeguarding and data transfer provisions in acquisition contracts, said George Karolis, president of investment banking and dealership advisory firm Presidio Group.

For instance, dealership purchase agreements often include representations that the seller has complied with Gramm-Leach-Bliley and has taken reasonable steps to protect their computer systems and customers’ information, said Stephen Dietrich, a lawyer and partner with Holland & Knight in Denver, who works on dealership transactions.

In the future, Safeguards Rule compliance likely will be added to the list of questions buyers ask about data security in their due diligence process, Dietrich said.

Dealership buyers can start a risk assessment before a transaction closes by asking sellers to provide questionnaires they give cyber insurance providers, which generally mirror the FTC’s requirements, Nachbahr said.

Asbury Automotive Group Inc. frequently looks for vulnerabilities in its own systems, as well as in systems for stores it plans to acquire, company leaders said last week.

The publicly traded group rose one spot to No. 5 on Automotive News’ most recent list of the top 150 dealership groups based in the U.S., buoyed by its $3.2 billion purchase last year of Larry H. Miller Dealerships’ 61 new- and used-vehicle stores.

“When you buy a single store, it needs a lot of work and structure on the IT side, especially on the security side,” Asbury CEO David Hult said. “Most of the smaller groups have minimal security on their systems. They have it, but it’s minimal. Being a large company, we have layers of protection. So in every acquisition we’ve done, even the big ones like [Larry H.] Miller and Park Place [Dealerships], we’ve had to add layers on top of their security, just to get ourselves comfortable. Certainly, Park Place had a more sophisticated one and so did the Millers. But being public, we enhanced it further.”

It’s often the norm for larger groups, particularly the public retailers, to replace existing equipment when they buy a store, Karolis said.

“Many of the buyers will do what’s called ‘rip and replace,’ which is, they’ll bring in basically all new systems and start fresh,” Karolis said.

Alan Haig, president of dealership buy-sell firm Haig Partners in Fort Lauderdale, Fla., also said it’s common for dealership buyers to replace hardware and software to ensure security and standardization across all stores. Some sellers also may not update equipment if they know they will exit, so buyers may find it outdated, Haig said.

Findlay Automotive Group this month acquired two Larry H. Miller dealerships in Washington state from Asbury.

Findlay, of Henderson, Nev., kept the stores’ existing computers but wiped Asbury’s data and reset the machines with its own security software, said John Steffy, Findlay’s information technology director.

With the Asbury acquisitions, Steffy said, Findlay asked about the stores’ security firewalls and whether Asbury had hired a company that provides monitoring services.

“When we’re taking over a store, we always look at what they’re currently using as far as services and the technology,” he said. “We always take a look at all of that as a big picture to see how it lines up with what we’re currently doing.”

Del Grande Dealer Group in San Jose, Calif., replaced most of the existing computer equipment with its recent purchase of three dealerships in California, CEO Jeremy Beaver said. The group prefers to swap out nearly all existing hardware and other network equipment with new machines.

Beaver said the group gets as much information as it can in the due diligence stage and includes the acquired stores in its next scheduled vulnerability scan, which it does twice a year.

“It’s going to become more day-to-day life for a lot of these dealerships,” Beaver said of cybersecurity. “If you were buying a dealership 10 years ago, I don’t know if it was on anyone’s mind. It was like, can I use the computers?”

Melissa Burden contributed to this report.

