The June 2024 ransomware attack on CDK disrupted dealership operations nationwide. For nearly two weeks, many dealers could not process sales, repair orders or routine management tasks. Staff resorted to pen-and-paper record keeping. Transactions stalled, warranty submissions backed up and communication with manufacturers slowed. Anderson Economic Group later estimated that dealers suffered more than $1 billion in direct losses during the outage.
The event underscored a reality every dealer knows: The Dealer Management System (DMS) is not a back-office tool; it is the backbone of the business. Manufacturers require dealers to maintain a DMS for reporting new vehicle sales, warranty claims and service work. Dealers depend on it for financial reporting, payroll, inventory tracking and customer communications. The DMS also houses sensitive information, like customer contact details, Social Security numbers, financial records and other confidential business data.
Because of the sensitivity of this information, both federal and state laws impose privacy and security obligations. Dealers and their vendors must use reasonable safeguards to protect records and, if records are compromised, comply with notification and reporting requirements to regulators and affected consumers. Recognizing how central the DMS is to compliance, some states adopted dealer protection statutes. These statutes confirm that dealers own their data, require vendors to maintain safeguards and prohibit contractual terms that prevent dealers from meeting their obligations under privacy laws.
Even with these protections, many dealers learned after the CDK event that their contracts left them exposed. Typical provisions include:
- Liability limits that cap damages at the cost of services. For a dealer, this means the vendor’s liability for a weeks-long outage may equal little more than the monthly fee, while the dealer bears the financial and reputational harm.
- Termination fees that impose heavy costs if a dealer seeks to move to another provider, even after a significant outage.
- Gaps in coverage for compliance costs. Dealers may have to pay for consumer notices, regulatory filings and third-party claims, even if the trigger was a cyber event affecting the vendor.
To be clear, most DMS providers strive to maintain secure systems and strong contractual relationships. However, the lessons of 2024 highlight the need for dealers to evaluate contracts and coverage with care.
Practical Steps for Dealers
Dealers can take several steps to reduce future risk:
- Negotiate liability provisions. Push to eliminate broad limitations of liability or, at a minimum, carve out business interruption losses tied to outages outside the dealer’s control.
- Expand indemnity clauses. Ensure the contract requires the vendor to cover costs associated with regulatory compliance, consumer notices and third-party claims linked to a vendor cyber event.
- Secure termination rights. Add language confirming that a significant outage or compromise of data constitutes a material breach that allows early termination without penalty.
- Review insurance coverage. Cyber and business interruption insurance should cover primary losses and secondary costs like forensic investigations, customer communications and reputational repair.
- Establish a response plan. Work with counsel to create a playbook for how the dealership will respond to vendor-related outages, including communication with staff, customers and regulators.
Questions to Ask Your Vendor
Dealers should also engage in proactive dialogue with DMS providers. Helpful questions include:
- What cybersecurity frameworks and third-party audits do you follow?
- How often are backups tested and how quickly can service be restored?
- What is your incident notification process and timeline?
- How will you support dealers in complying with federal and state privacy laws in the event of a breach?
- What contractual flexibility exists if a major outage occurs?
These questions foster transparency and demonstrate a dealer’s commitment to partnership.
Looking Forward
The DMS is indispensable to every dealership. Providers and dealers share an interest in resilient, secure systems that protect data and ensure business continuity. Contract negotiations like the ones suggested here can only benefit and protect both parties, aligning risk with responsibility and promoting long-term trust.
The CDK incident is not the last cyber event the industry will face. Technology will continue to evolve, as will the threats. Dealers that treat their DMS agreements and insurance coverage as part of their risk-management program will be better positioned to withstand future disruptions.
Conclusion
If the events of 2024 taught dealers anything, it is that a DMS contract is just as critical as a floorplan financing agreement or franchise document. Take the time to review your contracts and insurance policies with experienced auto industry counsel. Doing so now helps ensure that when the next challenge comes, dealers and providers can move forward with resilience.

