With dealerships changing hands at a record rate, a cybersecurity risk assessment and cybersecurity insurance have become important boxes to check in potential buy-sell deals, experts say.

“Dealers need to understand that there is a major risk here,” says Elliot Schor, vice president of sales for JM&A Group. “If I was buying from a dealer, I would definitely check the store’s policies and procedures.”

JM&A, Deerfield Beach, FL, is a leading supplier of F&I products. It also offers in-store and online training and dealer guidance. Cybersecurity is a growing business area for the company. Fidelity Insurance Agency is a division of the JM&A Group, specializing in cyber risk assessment and insurance policies against cyber security issues.

Some OEMs now routinely require dealers to carry cybersecurity insurance, similar to requirements for other forms of specialty insurance that dealers commonly carry, such as Garage Liability, Schor (photo below left) said in a telephone interview.

Hackers can take many paths to gain access to confidential information stored in dealer files. Access can be gained through vendors or dealership employees, either negligently or sometimes on purpose, he says.

“As dealer technology becomes more entrenched in DMS systems for dealer management, there are more software vendors than ever before. This has created an opportunity for cyber thieves to really tackle to resellers,” Schor says. “There’s no shortage of new ransomware, all sorts of phishing, hacking schemes.”

Phishing is tricking employees into clicking on links or attachments that may contain malware. The so-called spear phishing is more narrowly targeted, such as an email that appears to come from a real dealership account, asking an employee to send money to what looks like a real boss within the organization.

Boris Lopez, general manager and vice president of South Dade Toyota and South Dade Kia, south of Miami, says he’s seen quite a few fake emails and spear phishing attempts.

“They copy my name or my partner. It looks like the email is from you,” Lopez says in a phone interview. “But the way they put the account on the email doesn’t look right. It’s happened at least eight or ten times. We were lucky.

It’s not just luck. The dealership also trains employees to recognize suspicious situations. “We have training that we do, at least twice a year,” says Lopez. “We go through training with all employees who have access to computers. We train them on the consequences of opening a file when they do not know where it comes from.

A documented training program with certain security practices, such as two-factor authentication, can save dealers money on cybersecurity insurance, Lopez says. “They recommend two-step verification on SMS or email. If we apply that, they reduce the price of the policy by almost 20%.

Lopez says an initial quote he got for cybersecurity insurance was $200,000 a year, but by shopping around and taking advantage of discounts for training and security practices, he brought it down to $60,000. per year. “I have friends who pay $160,000 or $170,000,” he says.

Brokers who negotiate buy-sell agreements said in interviews that cybersecurity is usually on the radar of dealers considering buy-sell agreements, but awareness can always be improved.

For example, there are misconceptions that a buyer could be held liable for data breaches or other cybersecurity issues that occurred under the previous owner. That’s unlikely since the buyer’s liability usually doesn’t begin until they become the owner, says Alan Haig, president of Haig Partners, Fort Lauderdale, FL.

“I don’t recall any of our customers being impacted after a claim for a cyberattack,” he said in a phone interview. “I haven’t seen cyber insurance being a factor in normal buy-sell, except that the seller has that insurance, like any other type of insurance,” Haig says.

George Karolis, President of Presidio Group, Duluth, GA, says major dealer groups making acquisitions already have their own fully developed cybersecurity training, practices and assurances in place, which they install on new acquisitions. .

However, Karolis says it’s standard practice before an acquisition to take a hard look at existing corporate culture and business practices across all areas of business, not just cybersecurity.

“In buy-sell, you want to understand that and make sure that controls are in place, to try to understand as a buyer what the existing situation is,” he says. “I didn’t really see it as something that hinders transactions.”


Have you seen that 22-year-old man from Utica?


Three people charged with alleged conspiracies to defraud Land Rover dealerships | USAO-RI

Check Also