TSLA390.440-4.02%
GM76.885-0.755%
F14.130-0.05%
RIVN16.795-1.005%
CYD44.610-1.26%
HMC28.7550.865%
TM179.6802.76%
CVNA69.570-1.02%
PAG205.3654.965%
LAD337.3405.97%
AN208.3854.845%
GPI328.0358.635%
ABG225.9507.52%
SAH101.8302.1%
TSLA390.440-4.02%
GM76.885-0.755%
F14.130-0.05%
RIVN16.795-1.005%
CYD44.610-1.26%
HMC28.7550.865%
TM179.6802.76%
CVNA69.570-1.02%
PAG205.3654.965%
LAD337.3405.97%
AN208.3854.845%
GPI328.0358.635%
ABG225.9507.52%
SAH101.8302.1%
TSLA390.440-4.02%
GM76.885-0.755%
F14.130-0.05%
RIVN16.795-1.005%
CYD44.610-1.26%
HMC28.7550.865%
TM179.6802.76%
CVNA69.570-1.02%
PAG205.3654.965%
LAD337.3405.97%
AN208.3854.845%
GPI328.0358.635%
ABG225.9507.52%
SAH101.8302.1%


Locking Down Data Security

Important Steps For Every Dealership to Take

By: Barry Carter

We see news headlines daily, for instance: “Credit Card Company Suffers Data Breach” or “Personal Information Potentially Compromised at Major Retailer” and even “Hackers Target Customer Data at Major Lender”

How’s Your F&I Security?

These revelations send consumers scurrying to check their statements and update passwords. But what about data security in the retail automotive F&I office? Dealers work with a significant amount of consumer confidential information, including social security numbers, pay stubs, utility bills and more. In addition, the majority of dealers in the U.S. have migrated to web-based platforms for conducting business, especially with regards to credit applications. Data security is mission critical to successfully conducting business in today’s market.

Not only are dealers managing an increased volume of consumer data, more entities are interested in what dealers are doing with that data. Regulatory agencies including the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and the Consumer Financial Protection Bureau (CFPB) are actively investigating data security practices. In fact, the CFPB recently emulated the FTC’s enforcement theory on unfair, deceptive, abusive or practice acts, and could penalize companies for employing “unreasonable” data security practices.

Some would say the risk of a data breach at a dealer is higher than at traditional financial institutions because dealerships do not invest in the latest updated computer systems – or regularly monitor their existing systems for data breaches. How important is data security – and what steps can you take to “lock down” your information technology infrastructure?

But First…Let’s Talk About Accounting

We recently completed a Service Organization Control 1 (SOC 1) Certification under the Statement of Standards for Attestation Engagements 16 (SSAE 16) guidelines from the American Institute of Certified Public Accountants (AICPA).  SSAE 16 is the most widely-recognized standard providing companies with a method for reporting information about the design and operation of internal systems and controls relating to privacy and security regulations.  SOC 1 reports are designed to certify whether a company utilizes uniform and reliable safeguards as a processor of data belonging to their clients and customers.

That sounds like a bunch of gobbledygook – so let’s break it down into something meaningful for a dealership principle.

There are numerous rules and regulations which your accounting department deals with on a daily basis. For example, public companies fall under the Public Company Accounting Reform and Investor Protection Act” or SOX.  There are also a number of provisions of the Act that apply to privately held companies, including the willful destruction of evidence to impede a Federal investigation.

In addition, Sarbanes Oxley requires that companies show effective internal controls covering financial reporting. Conformance to these regulations is proven via an audit process. AICPA has created a series of auditing standards for service organizations that strive to review and certify that an organization is properly reporting their financial details. The SSAE 16 effectively replaced Statement on Auditing Standards (SAS) No. 70 in 2011 as the de facto audit tool. A SOC 1 Type 1 report is an independent snapshot of the organization’s control landscape on a given day.

The AICPA relies on independent third-party auditors, certified to conduct these audits and deliver reports on the performance of both public and private service organizations. So in essence, we have an accounting industry group – AICPA – that has established a series of measurements – SSAE 16 SOC 1 – to judge the financial reporting of a given company – EFG Companies or your dealership.

F&I Components Under Review

For the purpose of EFG’s audit based on our F&I product portfolio, our SSAE 16 audit reviewed the following components:

~ Contracts – data included customer name, coverage type, renewal date and cost

~ Claims – data included claim review/coverage, repair facility, cost, deductible, parts companies and customer authorization

~ Payments – data included customer or provider electronic payment

~ Reporting – data included daily reporting on earnings, claims, commissions, reinsurance, and profit

Our work with the SSAE 16 audit team, feedback from customers and partners, and input from our internal teams created the framework for the review.  These four areas comprise the mission critical portion of our business – and contain the data with greatest impact in the event of a security breach. The scope of the review included our information technology infrastructure and application system.  Your dealership audit framework might include some similar components, but would be customized for your data critical areas. 

Numerous control areas and departments were also involved in the audit. Human resources, information technology, call center, sales, and accounting participated in the pre-audit and audit review process. In addition to the functional workings of the IT and application systems, the SSAE 16 audit team also reviewed important – yet difficult to quantify – control areas:

  • Integrity and ethical values
  • Commitment to competence
  • Management’s philosophy and operating style
  • Human resources policies and practices
  • Organizational structure and assignment of authority and responsibility

While we would all like to believe that our computers and information storage/transmission systems are responsible for our data security, it’s the people behind those computers and information systems that are ultimately responsible. The effectiveness of your processes is only as successful as the people applying those processes. Those employees – and the management supporting them – must be committed to possessing the knowledge and skills necessary to keep the IT system secure.

And while the employees are the hands-on owners, management is responsible for honestly assessing risk and taking appropriate action to safeguard the company and its clients.  The loop is closed when management provides those employees with the tools necessary for successful security – and the authority to responsibly do their job.

There is an old saying when it comes to computer science and IT – garbage in…garbage out. When evaluating your dealership’s data security, resist the temptation to only evaluate the hardware. Review your people system as well, and make sure they have the tools and knowledge to competently guard your data.

Thoughts and Actions for Dealership Management

This process may seem too much to undertake. Honestly, we spent hundreds of man-hours in the pre-audit and audit review. Why did we do it – and why should you? The SSAE examination proved to ourselves and our clients that we had the necessary processes in place to ensure that critical personal and confidential financial information was secure. It also provided the confidence to know that in the event of some unforeseen occurrence affecting our technology, our business will continue to run in a secure and uninterrupted manner.

This is extremely important to ensure our clients can continue running their businesses effectively. We now know we can weather any type of data breach or security hack and our client’s information will not be compromised.

The second reason we undertook this process was to ease the compliance burden for ourselves and our clients. As both dealers and lenders continue to feel significant compliance pressures from government regulators, working with partners that are SSAE 16 SOC 1 certified will give them better footing in demonstrating data privacy and security compliance.

While lenders frequently undergo data security audits, it can be expected for dealers to begin receiving audit requests from a host of regulatory agencies such as the CFPB in the coming years. It is also likely that lenders will pay closer attention to data security – and their partner’s policies and processes. As a dealer principle, knowing that your valuable consumer data is secure provides a strong measure of padlock protection, and enables you to strengthen your relationship with your lender partners.

While EFG was pleased to have achieved this certification, our work in this area is not final. The same holds true for any other entity engaging in the audit process. Those who seek to undermine data security barriers will continue to advance their technology. And we on the other side of that barrier must also continue to fortify our protection. Unfortunately, it’s the world we live in.


More from Articles
Ford files patent for smart tool tracking system in vehicles

Ford files patent for smart tool tracking system in vehicles

- July 16, 2026
On the Dash: Ford patented a system (US 12,682,191) that tells tool theft from tag failure using sensor data. The system checks toolbox temperature and door/window status before issuing a...
Bosch announces $225 million direct funding agreement with the U.S. Department of Commerce

Bosch announces $225 million direct funding agreement with the U.S. Department of Commerce

- July 16, 2026
ROSEVILLE, Calif., July 13, 2026 /PRNewswire/ -- Bosch, a leading provider of technology and services and the largest automotive supplier in the world according to external rankings, announced a definitive agreement...
Stellantis to prioritize four core brands in turnaround strategy, sources say The automaker plans to shift funding toward Jeep, Ram, Peugeot, and Fiat while maintaining its broader portfolio. On the Dash: Expect increased product investment and marketing support for Jeep, Ram, Peugeot and Fiat. Regional and niche brands may see reduced volume but more targeted positioning and shared platforms. Platform-sharing and rebadging strategies could affect inventory mix and model differentiation. Stellantis will concentrate most of its investment on four core brands as CEO Antonio Filosa pushes a turnaround strategy set for release May 21, according to a Reuters exclusive. The automaker has identified Jeep, Ram, Peugeot, and Fiat as its priority brands. It will allocate a “material increase” in funding to them, driven by their stronger global sales and profitability, marking a shift away from the company’s previous approach of distributing investment more evenly across its portfolio. Sign up for CBT News’ daily newsletter and get the latest industry stories delivered straight to your inbox. Stellantis will retain its 14-brand lineup, the largest in the industry, and will not shut down underperforming marques. Instead, the company will reposition secondary brands such as Citroën, Opel and Alfa Romeo to operate in regional or niche roles. These brands will rely on shared platforms and technology developed by the core brands while maintaining distinct styling and market identity. The strategy comes as Stellantis works to regain market share in the United States and Europe while facing growing competition from Chinese EV makers. The company earlier reported a 22.2 billion-euro charge tied to scaling back its EV plans, underscoring the urgency of the strategic shift. Its market valuation has also declined significantly in recent months. To support the transition, Stellantis will expand its use of shared “multi-energy” platforms that support electric, hybrid and internal combustion (ICE) vehicles. Additionally, the company is evaluating rebadging strategies and joint development programs, including collaborations with its Chinese partner, Leapmotor. Executives and investors backing the plan expect the increased focus on core brands to improve efficiency and strengthen financial performance. Analysts say Stellantis could still consider further consolidation if results fall short of expectations. Meta description (140 characters) Stellantis to boost funding for Jeep, Ram, Peugeot and Fiat, shifting strategy while maintaining its 14-brand global portfolio.

Stellantis revives supplier rewards program to drive cost savings

- July 16, 2026
On the Dash: Lower supplier costs could help Stellantis improve profitability while funding future vehicle launches. Changes in supplier contracts may influence production costs, parts pricing and vehicle availability over...
Pricing transparency raises OEM website satisfaction, JD Power finds

Pricing transparency raises OEM website satisfaction, JD Power finds

- July 16, 2026
On the Dash: Pricing transparency is driving satisfaction gains on OEM websites, JD Power finds. Porsche and Dodge rank highest in premium and mass market segments. Shoppers with pricing...
CBT News
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.