It’s now common to see safeguard and data transfer clauses in acquisition contracts, said George Karolis, president of investment banking and concession advisory firm Presidio Group.
For example, dealer purchase agreements often include statements that the seller has complied with Gramm-Leach-Bliley and taken reasonable steps to protect its computer systems and customer information, said Stephen Dietrich, an attorney and partner at Holland & Knight in Denver who works on dealership transactions.
Going forward, compliance with safeguard rules will likely be added to the list of questions buyers ask about data security in their due diligence process, Dietrich said.
Dealership buyers can begin a risk assessment before a deal closes by asking sellers to provide questionnaires they give to cyber insurance providers, which typically reflect the FTC requirements, Nachbahr said.
Asbury Automotive Group Inc. frequently scans for vulnerabilities in its own systems, as well as in the systems of stores it plans to acquire, company executives said last week.
The listed group climbed one place to No. 5 on Automotive News’ most recent list of the top 150 U.S.-based dealer groups, bolstered by its $3.2 billion purchase last year of Larry H. Miller Dealers’ 61 new and used vehicle stores.
“When you buy a single store, it takes a lot of work and structure on the IT side, especially on the security side,” Asbury CEO David Hult said. “Most small groups have minimal security on their systems. They have it, but it’s minimal. Being a large company, we have layers of protection. So in every acquisition we’ve made, even the biggest, like [Larry H.] Miller and Park Place [Dealerships], we had to add layers on top of their security, just to get comfortable. Granted, Park Place had a more sophisticated one, as did the Millers. But being public, we made it even better.”