How a Qualified Individual Protects your Bottom Line
The importance of the Qualified Individual (QI) in today’s auto dealership goes far beyond complying with the FTC Safeguards Rule’s Information Security Program (ISP) mandate that a QI be designated within every dealership. Without the QI’s IT oversight and good-faith management of the dealership’s cybersecurity compliance effort, dealerships are left exposed in a high-risk environment that gets more costly by the day.
The FTC’s 2023 Safeguards Rule mandated, and now enforces, the QI position because the US faces extensive cyberattacks across industries and sectors, including automotive retail. Further, as of May 2024, reporting data breaches directly to the FTC is an additional requirement dealers must comply with. This means far more of the rising cyber threat dealerships face will become visible to the public, making it easier for litigious antagonists to hunt for class actions and civil suits.
A typical QI job description includes “Working alongside dealership business directors and general managers in concert with IT staff to effectively monitor and maintain the security of dealership applications, databases, computers and websites.” Specifically, QIs are tasked with establishing dealership-wide cybersecurity policies, developing data breach response plans, overseeing IT system update communications and reporting gaps in the information security processes to executive leadership to garner cybersecurity budget.
The QI’s extensive responsibilities include different sectors of security and policy compliance for the dealership, from IT security operations and compliance to IT security threat remediation, governance and elements of risk management. The QI aligns cybersecurity objectives with the dealership’s customer information security policies and programs, such as the federally mandated Information Security Program and Identity Theft Prevention Program.
The need for QIs in dealerships is exploding, fueled by the FTC mandate and the rapid expansion of auto retail’s target-rich, high cyber-threat landscape. The federal mandate and risk environment mean dealership compliance professionals with QI training credentials are going to be in high demand.
Dealer challenges in a QI job market
The first roadblock facing dealers is the dearth of potential “Qualified Individuals” among the existing staff of the average dealership, employees who could add QI responsibilities to their existing job function. It’s likely most dealers will attempt to comply with the mandate using this solution.
If that’s not an option, you may encounter a second roadblock when trying to hire for the QI role – cost. According to Salary.com, the average salary for an in-house Compliance & Privacy Officer ranges from about $90,000 to $120,000 annually. That makes a full-time QI out of reach for many dealerships, especially given the intermittent nature of cybersecurity-related activity.
If your dealership can afford to hire a QI, finding an individual with the proper qualifications in your region could be a challenge. As the QI position is gaining popularity across multiple industries, good fits for the role in retail automotive may require some searching.
Hiring a contract or virtual Qualified Individual (vQI) might be a simple, lower-cost solution for many dealers. A vQI provides your dealership with the same comprehensive cybersecurity management and oversight as a full-time, in-house QI, without the costly price tag and the unending search for a qualified candidate who won’t quit your store.
Whether you hire a full-time QI or a vQI, it’s a crucial step in protecting your dealership from the immense losses associated with a cyber breach, ransomware and noncompliance with federal and state mandates.
No QI = opening the door to chaos and loss
If you think the cost of hiring a QI is a little steep, it’s nothing compared to the average cost of a data breach in the United States – $9.36 million in 2024 according to Statista:
“As of 2024, the average cost of a data breach in the United States amounted to 9.36 million U.S. dollars...”
IBM on July 30, 2024, released its annual Cost of a Data Breach Report revealing the global average cost of a data breach reached $4.88 million in 2024, as breaches grow more disruptive and further expand demands on cyber teams. Breach costs increased 10% from the prior year, the largest yearly jump since the pandemic, as 70% of breached organizations reported that the breach caused significant or very significant disruption.
Some key findings in the 2024 IBM report include:
>Understaffed Security Teams – More organizations faced severe staffing shortages compared to the prior year (a 26% increase) and observed an average of $1.76 million in higher breach costs than those with low-level or no security staffing issues (NOTE: dealers have cybersecurity-related staffing challenges).
>Data Visibility Gaps – Forty percent of breaches involved data stored across multiple environments including public cloud, private cloud (NOTE: Your DSPs), and on-premises. These breaches cost more than $5 million on average and took the longest to identify and contain (283 days).
Special Note
>The largest contributor to financial loss in a cyber breach was the negative impact the breach had on customer trust, with a loss of 3.9 percent of customers.
Double trouble
If the cost of a breach isn’t enough, the chances of experiencing a cyberattack continue to rise. Driving into Danger, the October 2023 article by CDK Global highlighting the findings of its 2023 cybersecurity report, underscores a rise in auto dealership cyberattacks. The study reports that 17% of dealers experienced a cyberattack or incident in the past year, despite 53% of respondents being confident in their current protection.
Dealers for dinner
According to data provided by the National Automobile Dealers Association (NADA), with over 16,750 dealers nationwide, average annual sales come to about $74 million. This makes the average dealer a juicy target. A breach can result in an irrecoverable impact on a dealer’s bottom line and affect large organizations for years, even after breaches have been discovered and contained.
Having a QI or vQI not only helps prevent federal penalties for noncompliance; your dealership will also benefit from Dealer Service Provider risk assessment, cybersecurity planning and implementation, remediation, and ongoing management of a good-faith cybersecurity compliance effort that supports your financial, risk management and security goals. With the double whammy of the increased risk of cyberattacks and the skyrocketing cost of a breach, a Qualified Individual can save your dealership millions.
About The Author
Jim Lawrence is a Co-Founder and COO of Sensitive Data Protect, LLC (aka SDPCompliance.com), CEO/Founder/Owner of DealerEFX.com, Founder and Owner of DealerEducationFX.com, LLC, and a Dealership Compliance SME. He has 25+ years of automotive retail experience in Dealership Cybersecurity & Compliance Management, Software Product Management and Strategic Partnerships, with core competencies in SaaS-based Dealership Governance, Risk and Compliance (GRC), CRM systems, and Email Response and Lead Management software. He was recognized by the Association of Dealership Compliance Officers (ADCO) with a certification and designation as a Dealership Compliance Officer Professional. A dealer systems subject matter expert, he is working with a team on a ground-breaking new business model providing IT Security Managed Services: a One-Stop-Shop concept for enterprise-class FTC Safeguards Rule Compliance, Ransomware Prevention & Cybersecurity Best Practices, PCI DSS Compliance and Consumer Data Privacy Management, intended to avoid the cost of data and IT infrastructure breaches and minimize the burden of cybersecurity awareness training for the dynamic, high-turnover staff at auto dealerships.
Reach him at: Jim.Lawrence@SDPCompliance.com or call: 503.318.3621 for a free consultation and needs assessment.