Nearly every day we hear about another data breach or security risk. According to the Identity Theft Resource Center® and CyberScout®, 1,579 data breaches occurred in 2017, representing a 44.7 percent year-over-year increase.
Here are some sobering statistics from a 2017 study commissioned by IBM:
- The cost of the average stolen data record was $141
- The average total cost of a security breach was $3.62 million
- The average probability of a company suffering a security breach within the next two years is 27.7 percent.
While breaches such as those at Equifax and the Internal Revenue Service make headlines, many smaller incursions occur daily – without widespread public knowledge. In fact, it is often the small leaks that sink the ship for many financial institutions. And those leaks start at the weakest point of a company’s digital infrastructure – often its partners’ access points and consumer touch points.
As auto lenders expand their digital offerings of financial products and services directly to consumers, they increase their potential exposure to cyberattacks. Digital sales/financing is growing exponentially and clearly is the preferred transactional method for millennials and Generation Z. So how can a lender protect itself from data breaches while opening the digital lending window to consumers?
Regulations…and then some
Lending institutions are quite familiar with the regulations surrounding their own data security. Seemingly countless hours and dollars are spent to safeguard consumer data as well as the institutions’ own systems. Auto dealerships are also subject to regulations, specifically the 1999 Gramm-Leach-Bliley Act. Under a provision of that legislation known as the Safeguard Rule, dealers are required to implement – and regularly audit – a written “information security program” to protect information about their customers. However, in 1999, digital data breaches were not even a feasible consideration for most dealers. Therefore, many dealerships have not considered the potential for a breach in their internal data security measures or in the passage of data through partner connections.
As a security-experienced lender, your first approach is education. The majority of dealerships know how to physically secure private consumer data. In fact, to comply with the Safeguard Rule, many have implemented procedures to lock F&I offices, and to ensure that no private consumer information can be displayed on a desk or computer screen. The next step is ensuring all digital consumer information is transmitted safely. Ask your dealership partners these questions to help them lock down this data:
1. Do your dealer partners have a written information security program that includes procedures for each department that handles private consumer data, both digitally and physically?
2. Is that program based on their own security risk assessment?
- Have they identified all reasonably foreseeable risks that could result in unauthorized disclosure or compromise of their consumer data?
- Have they assessed the adequacy of the safeguards they have in place?
3. Do your dealership partners have a designated person responsible for customer information security, and is that person an employee with the authority to implement the program?
4. How are your dealership partners overseeing service providers that might have access to, or take possession of, customer information?
5. Do their agreements with their service providers require them to implement appropriate safeguards?
6. What are your dealership partners doing to protect customer information from the moment it is collected, all the way through to disposal?
7. Do your dealership partners have sufficient training, oversight and procedures for securing private consumer data?
The future will be risky
Managing the data security of an average single-buyer auto transaction is complex enough on its own. Now, factor in the consumer data security surrounding new ride-sharing models and autonomous vehicles. It’s your responsibility as a lending partner to protect your institution and educate your partners on the required data security measures.
As you well know, data security is not a “one-and-done” proposition. New hacks – and even chip gaps – are being uncovered just as quickly as software companies are developing patches and safeguards. Your lending institution is spending significant capital on protecting its data. Make sure your partners are taking the matter seriously as well.