Important Steps For Every Dealership to Take
By: Barry Carter
We see news headlines daily such as “Credit Card Company Suffers Data Breach,” “Personal Information Potentially Compromised at Major Retailer” and even “Hackers Target Customer Data at Major Lender.”
How’s Your F&I Security?
These revelations send consumers scurrying to check their statements and update passwords. But what about data security in the retail automotive F&I office? Dealers work with a significant amount of consumer confidential information, including social security numbers, pay stubs, utility bills and more. In addition, the majority of dealers in the U.S. have migrated to web-based platforms for conducting business, especially with regards to credit applications. Data security is mission critical to successfully conducting business in today’s market.
Not only are dealers managing an increased volume of consumer data, more entities are interested in what dealers are doing with that data. Regulatory agencies including the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC) and the Consumer Financial Protection Bureau (CFPB) are actively investigating data security practices. In fact, the CFPB recently adopted the FTC’s enforcement theory on unfair, deceptive, or abusive acts or practices, and could penalize companies for employing “unreasonable” data security practices.
Some would say the risk of a data breach at a dealer is higher than at traditional financial institutions because dealerships do not invest in the latest updated computer systems – or regularly monitor their existing systems for data breaches. How important is data security – and what steps can you take to “lock down” your information technology infrastructure?
But First…Let’s Talk About Accounting
We recently completed a Service Organization Control 1 (SOC 1) Certification under the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) guidelines from the American Institute of Certified Public Accountants (AICPA). SSAE 16 is the most widely recognized standard providing companies with a method for reporting information about the design and operation of internal systems and controls relating to privacy and security regulations. SOC 1 reports are designed to certify whether a company utilizes uniform and reliable safeguards as a processor of data belonging to its clients and customers.
That sounds like a bunch of gobbledygook – so let’s break it down into something meaningful for a dealership principal.
There are numerous rules and regulations which your accounting department deals with on a daily basis. For example, public companies fall under the “Public Company Accounting Reform and Investor Protection Act,” or SOX. There are also a number of provisions of the Act that apply to privately held companies, including the willful destruction of evidence to impede a Federal investigation.
In addition, Sarbanes-Oxley requires that companies show effective internal controls covering financial reporting. Conformance to these regulations is proven via an audit process. AICPA has created a series of auditing standards for service organizations that strive to review and certify that an organization is properly reporting its financial details. SSAE 16 effectively replaced Statement on Auditing Standards (SAS) No. 70 in 2011 as the de facto audit tool. A SOC 1 Type 1 report is an independent snapshot of the organization’s control landscape on a given day.
The AICPA relies on independent third-party auditors, certified to conduct these audits and deliver reports on the performance of both public and private service organizations. So in essence, we have an accounting industry group – AICPA – that has established a series of measurements – SSAE 16 SOC 1 – to judge the financial reporting of a given company – EFG Companies or your dealership.
F&I Components Under Review
For the purpose of EFG’s audit based on our F&I product portfolio, our SSAE 16 audit reviewed the following components:
- Contracts – data included customer name, coverage type, renewal date and cost
- Claims – data included claim review/coverage, repair facility, cost, deductible, parts companies and customer authorization
- Payments – data included customer or provider electronic payment
- Reporting – data included daily reporting on earnings, claims, commissions, reinsurance, and profit
Our work with the SSAE 16 audit team, feedback from customers and partners, and input from our internal teams created the framework for the review. These four areas comprise the mission-critical portion of our business – and contain the data with the greatest impact in the event of a security breach. The scope of the review included our information technology infrastructure and application system. Your dealership audit framework might include some similar components, but would be customized for your data-critical areas.
Numerous control areas and departments were also involved in the audit. Human resources, information technology, call center, sales, and accounting participated in the pre-audit and audit review process. In addition to the functional workings of the IT and application systems, the SSAE 16 audit team also reviewed important – yet difficult to quantify – control areas:
- Integrity and ethical values
- Commitment to competence
- Management’s philosophy and operating style
- Human resources policies and practices
- Organizational structure and assignment of authority and responsibility
While we would all like to believe that our computers and information storage/transmission systems are responsible for our data security, it’s the people behind those computers and information systems that are ultimately responsible. The effectiveness of your processes is only as successful as the people applying those processes. Those employees – and the management supporting them – must be committed to possessing the knowledge and skills necessary to keep the IT system secure.
And while the employees are the hands-on owners, management is responsible for honestly assessing risk and taking appropriate action to safeguard the company and its clients. The loop is closed when management provides those employees with the tools necessary for successful security – and the authority to responsibly do their job.
There is an old saying when it comes to computer science and IT – garbage in…garbage out. When evaluating your dealership’s data security, resist the temptation to only evaluate the hardware. Review your people system as well, and make sure they have the tools and knowledge to competently guard your data.
Thoughts and Actions for Dealership Management
This process may seem too much to undertake. Honestly, we spent hundreds of man-hours in the pre-audit and audit review. Why did we do it – and why should you? The SSAE examination proved to ourselves and our clients that we had the necessary processes in place to ensure that critical personal and confidential financial information was secure. It also provided the confidence to know that in the event of some unforeseen occurrence affecting our technology, our business will continue to run in a secure and uninterrupted manner.
This is extremely important to ensure our clients can continue running their businesses effectively. We now know we can weather any type of data breach or security hack and our clients’ information will not be compromised.
The second reason we undertook this process was to ease the compliance burden for ourselves and our clients. As both dealers and lenders continue to feel significant compliance pressures from government regulators, working with partners that are SSAE 16 SOC 1 certified will give them better footing in demonstrating data privacy and security compliance.
While lenders frequently undergo data security audits, dealers can expect to begin receiving audit requests from a host of regulatory agencies such as the CFPB in the coming years. It is also likely that lenders will pay closer attention to data security – and their partners’ policies and processes. As a dealer principal, knowing that your valuable consumer data is secure provides a strong measure of padlock protection, and enables you to strengthen your relationship with your lender partners.
While EFG was pleased to have achieved this certification, our work in this area is not final. The same holds true for any other entity engaging in the audit process. Those who seek to undermine data security barriers will continue to advance their technology. And we on the other side of that barrier must also continue to fortify our protection. Unfortunately, it’s the world we live in.