Auto Dealer Compliance

Your Dealership Has Compliance Gaps

The FTC Safeguards Rule requires 9 specific security elements. Most dealerships are missing 6 or more.

After CDK Global took 15,000 dealerships offline, the FTC is watching. Penalties run up to $100,000 per violation — and officers face personal liability.

  • 56+ dealerships scanned
  • 8.3 average issues found per dealership
  • $100K penalty per violation
  • 4 weeks to full compliance

The CDK Attack Changed Everything

In June 2024, the CDK Global ransomware attack took 15,000 dealerships offline for weeks. Sales stopped. Financing froze. Service departments went dark. The attack exposed what the industry already knew: most dealerships have massive cybersecurity gaps.

The FTC isn’t waiting. The amended Safeguards Rule (effective May 2023) requires every dealership that arranges financing to implement a comprehensive security program with 9 specific, measurable elements. A new breach notification requirement took effect May 2024 — dealers must report breaches affecting 500+ consumers to the FTC within 30 days.

Cyber insurers are now requiring compliance documentation for renewals. Lenders are asking about security posture. The CDK attack gave the FTC exactly the ammunition they need for aggressive enforcement against non-compliant dealers.

What We Find in Every Scan

These are real findings from recent dealership compliance scans.

Missing Security Headers (HIGH)
No Content-Security-Policy, X-Frame-Options, or HSTS headers. Leaves customers vulnerable to clickjacking and man-in-the-middle attacks.

SSL/TLS Failures (CRITICAL)
Expired certificates, mixed content, or no HTTPS at all. Customer data transmitted in plain text over public networks.

Missing Email Authentication (HIGH)
No SPF, DKIM, or DMARC records. Attackers can send phishing emails impersonating your dealership domain.

No Privacy Policy or Outdated Policy (MEDIUM)
Missing GLBA-required disclosures, or privacy policies that haven't been updated since the 2022 Safeguards amendments.

Third-Party Script Exposure (MEDIUM)
Chat widgets, analytics, and lead forms loading scripts from 15+ external domains with no Content Security Policy.

Credit Application Vulnerabilities (CRITICAL)
Online credit applications processing SSNs and financial data without adequate transport security or form protection.
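The three technical findings above (missing security headers, missing SPF/DMARC, and third-party scripts with no Content Security Policy) can each be checked mechanically. The script below is an added illustration written for this page, not the scanner the page's service runs; it works entirely on constructed inputs (an HTTP header set, DNS TXT record strings and an HTML fragment, all invented here, with example hostnames that are placeholders) so it runs offline, and it also shows the hardened form of the third finding by deriving a script-src allowlist from the scripts the page actually loads.

```python
"""Offline checks for three common dealership website findings:
missing security headers, weak or missing SPF/DMARC, and third-party
scripts loaded without a Content Security Policy. All inputs are
constructed samples; nothing is fetched from the network."""
import re
from urllib.parse import urlparse

# Headers the page says every customer-facing property should send.
REQUIRED_HEADERS = {
    "content-security-policy": "HIGH",
    "x-frame-options": "HIGH",
    "strict-transport-security": "HIGH",
}


def check_security_headers(headers):
    """Return [(header, severity)] for required headers that are absent.
    HTTP header names are case-insensitive, so compare lower-cased."""
    present = {name.lower() for name in headers}
    return [(h, sev) for h, sev in REQUIRED_HEADERS.items() if h not in present]


def parse_tag_value(record):
    """Split a DMARC-style 'k=v; k=v' record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Grade the SPF record among a domain's TXT records.
    A terminal '-all' (fail) or '~all' (softfail) is expected; '+all' or
    '?all' authorises any sender, and RFC 7208 allows exactly one record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ("MISSING", "no SPF record")
    if len(spf) > 1:
        return ("INVALID", "multiple SPF records")
    final = spf[0].split()[-1].lower()
    if final in ("-all", "~all"):
        return ("OK", final)
    return ("WEAK", f"record ends with {final!r}")


def check_dmarc(txt_records):
    """Grade the _dmarc TXT record by its p= policy (none/quarantine/reject)."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ("MISSING", "no DMARC record; receivers cannot reject spoofed mail")
    policy = parse_tag_value(dmarc[0]).get("p", "").lower()
    if policy in ("reject", "quarantine"):
        return ("OK", f"p={policy}")
    if policy == "none":
        return ("WEAK", "p=none only reports, it does not block spoofing")
    return ("INVALID", f"unrecognised policy {policy!r}")


def third_party_script_hosts(html, site_host):
    """Collect external hosts that <script src=...> tags load from.
    Relative paths (no hostname) and the site's own host are skipped."""
    hosts = set()
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', html, re.I):
        host = urlparse(src).hostname
        if host and host != site_host:
            hosts.add(host)
    return sorted(hosts)


def suggest_csp(script_hosts):
    """Hardened form: a script-src allowlist naming only inventoried hosts,
    plus frame-ancestors to cover the clickjacking finding."""
    sources = ["'self'"] + [f"https://{h}" for h in script_hosts]
    return ("script-src " + " ".join(sources)
            + "; frame-ancestors 'self'; object-src 'none'")


def scan_sample():
    """Run every check over constructed sample data and return the report."""
    # Constructed sample: a response with only one of the three headers.
    headers = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
    # Constructed sample TXT records for a placeholder dealership domain.
    root_txt = ["v=spf1 include:_spf.example-mailer.test ~all"]
    dmarc_txt = ["v=DMARC1; p=none; rua=mailto:dmarc@example-dealer.test"]
    # Constructed sample HTML: one first-party and one widget script.
    html = ('<script src="/js/app.js"></script>'
            '<script src="https://chat.example-widget.test/w.js"></script>'
            '<script src="https://www.example-dealer.test/a.js"></script>')
    hosts = third_party_script_hosts(html, "www.example-dealer.test")
    return {
        "missing_headers": check_security_headers(headers),
        "spf": check_spf(root_txt),
        "dmarc": check_dmarc(dmarc_txt),
        "third_party_hosts": hosts,
        "suggested_csp": suggest_csp(hosts),
    }


if __name__ == "__main__":
    for finding, result in scan_sample().items():
        print(f"{finding}: {result}")
```

In a real assessment the header dict would come from an HTTPS response and the TXT lists from DNS lookups of the root domain and `_dmarc.<domain>`; the grading logic stays the same. Note that a DMARC record with `p=none` is graded WEAK rather than OK because it only requests reports and does not stop spoofed mail from being delivered.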

Typical Dealership Assessment

  • $180M annual revenue
  • 3 locations
  • 13 compliance issues found

Key Findings:

  • 5 missing security headers across all customer-facing properties
  • SSL certificate misconfigured on one subdomain (credit application portal)
  • No DMARC record — domain vulnerable to email spoofing
  • Privacy policy last updated 2019 (pre-Safeguards amendment)
  • 22 third-party scripts loading without Content Security Policy
  • No documented WISP, QI designation, or incident response plan

Outcome: Full compliance program delivered in 3 weeks. All technical findings remediated. WISP, risk assessment, and incident response plan customized to their CDK DMS and 3-location network. Qualified Individual services ongoing.

The 9 FTC Requirements

Miss even one and your dealership is exposed. We handle all nine.

  1. Qualified Individual: a designated person responsible for your security program
  2. Written Risk Assessment: formal evaluation identifying and scoring your security risks
  3. Documented Safeguards: access controls, encryption, MFA, data disposal, change management
  4. Testing & Monitoring: annual penetration testing and semi-annual vulnerability assessments
  5. Employee Training: security awareness training for all staff, annually
  6. Vendor Oversight: security assessments and contractual requirements for service providers
  7. Evaluate & Adjust: process to update the program when operations change
  8. Incident Response Plan: written procedures for detecting, responding to, and reporting breaches
  9. Annual Board Report: written report from the QI to the dealer principal or board

Complete Compliance Program

Documentation Package

  • Written Information Security Program (WISP) — 25-35 pages, customized to your DMS
  • Risk Assessment Report — 9-domain evaluation with severity scoring
  • Qualified Individual Charter — formal QI designation document
  • 7 Supporting Policies — access control, incident response, vendor management, and more
  • Operational Forms — vendor questionnaire, incident report, employee acknowledgment
  • Annual Board Report Template

Ongoing Managed Service

  • We serve as your designated Qualified Individual
  • Quarterly compliance monitoring against WISP requirements
  • Annual risk reassessment — full 9-domain review
  • Annual board report delivered to the Dealer Principal
  • Policy updates for regulatory and operational changes
  • Incident response guidance if a security event occurs

Investment

Single Location: one rooftop, complete program
  • $3,500 one-time setup
  • + $750/month managed service
  • Year 1: $12,500
  • Year 2+: $9,000/year

Multi-Location (Most Popular): multiple rooftops, unified program
  • $5,500 one-time setup
  • + $1,000/month managed service
  • Year 1: $17,500
  • Year 2+: $12,000/year

Documentation Only: complete package, self-managed
  • $5,000 one-time
  • No monthly fee
  • Total: $5,000
  • QI services not included

How It Works

  1. Free Scan (5 minutes): we scan your website for compliance issues, security gaps, and email authentication problems.
  2. Discovery Call (45-60 min): we learn your setup, including DMS, network, processes, team structure, and current security posture.
  3. Build & Deliver (2-3 weeks): we build your entire compliance program customized to your operations and walk you through it.
  4. Ongoing Service (monthly): QI services, quarterly checks, annual assessments, audit prep, and incident response support.

Free Compliance Scan

Find Out Where You Stand

We’ll scan your dealership’s website for FTC compliance issues, security gaps, and email authentication problems. Free, no strings attached. You get a branded report with specific findings and severity ratings.

  • Website Security: SSL/TLS, security headers, third-party scripts, CMS vulnerabilities
  • Email Authentication: SPF, DKIM, DMARC — can attackers spoof your domain?
  • Data Practices: privacy policy, cookie consent, GLBA compliance, credit app security

Request Your Free Scan

Or email hello@fifthsuit.ai with your website URL

Go Deeper

Tell Us About Your Dealership

Complete a short assessment and we’ll send you a personalized report with specific recommendations for your operation.

FTC Compliance Intake

Map your current security posture against the FTC Safeguards Rule. Covers your tech stack, data handling, staff training, and existing controls. Takes about 10 minutes.

Start Compliance Assessment

AI Readiness Assessment

Discover where AI and automation can cut costs and eliminate bottlenecks in your operation. Covers pain points, current tools, and what’s possible today. Takes about 8 minutes.

Start AI Assessment

Get Compliant Before the FTC Comes Knocking

Schedule a 15-minute call. We’ll tell you exactly where you stand and what it takes to close the gaps.

Schedule a Call