The CDK Global Cyberattack: A Wake-Up Call for Third-Party Risk Management in the Auto Industry

Unraveling the Complexities and Implications

Introduction

In an increasingly interconnected world, the importance of a robust Third-Party Risk Management (TPRM) program cannot be overstated. The recent cyberattacks on CDK Global, a major software provider to car dealerships, have highlighted the cascading impact that a single vulnerability can have on an entire industry. This incident has left nearly 15,000 car dealerships across North America grappling with significant operational, financial, and legal challenges. Let’s explore the lessons learned from this attack and the critical role of TPRM in mitigating such risks. 

The Ripple Effect of the CDK Global Cyberattack 

The cyberattacks on CDK Global began on June 19, 2024, and resulted in a complete shutdown of their systems. Dealerships were forced to revert to manual processes, severely disrupting their operations. This included delays in sales, financing, repairs, and maintenance services. Major chains like AutoNation, Lithia Motors, and Group 1 Automotive were among those affected, highlighting the widespread dependency on CDK’s services. 

Dealers struggled to maintain business continuity, resorting to pen and paper and facing significant financial losses. The full restoration of CDK’s services is expected to take several days, if not weeks, further compounding the financial impact on dealerships.


The Role of a Solid TPRM Program 

The CDK Global incident underscores the critical need for a solid TPRM program. Here are key aspects of TPRM that could have potentially mitigated the impact of this cyberattack: 

Risk Identification and Assessment: 

Would a solid TPRM program have identified the potential risk prior to the attack?

A comprehensive TPRM program involves regular risk assessments and continuous monitoring of third-party vendors. This could include evaluating the vendor’s cybersecurity posture, history of breaches, and overall risk profile. While it’s challenging to predict every cyberattack, a thorough assessment might have highlighted vulnerabilities within CDK Global’s systems, prompting proactive measures. 

Red Flags and Warning Signs:

Were there any “red flags” that car dealers might have seen ahead of time? 

Indicators of potential risks could include frequent system downtimes, delays in software updates, or known vulnerabilities that were not addressed in a timely manner. Regular communication with vendors about their cybersecurity practices and any ongoing threats is crucial. Dealers should also stay informed about industry trends and potential threats that could impact their key vendors. For example, if a vendor repeatedly experiences minor security issues or fails to comply with industry standards, these could be red flags that warrant further investigation. 

Preparedness and Contingency Planning: 

Was there any way to prepare for this if you were a client of CDK? 

Business Impact Analysis (BIA): A solid BIA helps identify critical business functions and the impact of their disruption. Dealerships with a BIA in place would better understand the potential consequences of a vendor outage and could prioritize their response efforts. 

Disaster Recovery Plan (DRP): A DRP ensures that critical business operations can continue in the event of a disruption. For dealerships, this could mean having backup systems or alternative vendors in place. 

Incident Response Plan (IRP): An IRP outlines the steps to take immediately following a cyber incident. This includes communication protocols, steps to contain the breach, and recovery strategies. 

CDK Global’s Preparedness: 

Do we know if CDK was adequately prepared for this? 

The available information suggests that CDK Global took immediate action by shutting down their systems to prevent further damage and began a restoration process. However, the effectiveness of their Business Continuity Plan (BCP) is still under scrutiny. The fact that the restoration is taking several days indicates that while some measures were in place, there might have been gaps in their preparedness. 

Historical Context and Precedents 

The automotive industry is no stranger to cyberattacks. In recent years, several high-profile incidents have highlighted the vulnerabilities in this sector. For instance, in 2019, a ransomware attack on a major automotive supplier led to significant production delays. Similarly, the 2021 cyberattack on the Colonial Pipeline, though not directly related to the automotive industry, showed how critical infrastructure could be brought to a standstill, emphasizing the need for robust cybersecurity measures. Comparing these incidents with the CDK Global attack provides valuable insights into the evolving nature of cyber threats and the increasing need for robust cybersecurity measures. 

Impact on End Customers 

The impact of the CDK Global cyberattack extends beyond the dealerships to the end customers. For many customers, the inability to complete necessary vehicle recalls or repairs is more than an inconvenience—it’s a safety concern. Customers who had their vehicles in for service experienced delays, uncertainty, and frustration. New car buyers faced prolonged wait times, and those seeking financing or insurance services encountered additional hurdles. This ripple effect underscores the importance of ensuring that vendors like CDK Global have robust cybersecurity and contingency plans to minimize disruptions. 

Legal and Regulatory Considerations 

Cyberattacks involving third-party vendors often lead to significant legal and regulatory repercussions. In the case of CDK Global, the cyberattack has already sparked multiple class-action lawsuits from former customers and employees claiming that the company failed to protect their personal information. Regulatory bodies may impose fines and sanctions on companies that fail to comply with data protection regulations. For dealerships, this incident highlights the need to ensure that their vendors comply with relevant legal standards and that their own contracts include clauses that protect them from the fallout of third-party breaches. Additionally, dealerships must be prepared to handle regulatory inquiries and potential litigation arising from such incidents. 

How to Properly Evaluate a Vendor 

Evaluating a vendor is a critical component of a robust TPRM program. Here are some steps to ensure that you are partnering with vendors who meet your cybersecurity standards: 

Initial Assessment: 

  • Conduct a thorough assessment of the vendor’s security posture. This includes reviewing their cybersecurity policies, procedures, and past incidents. 
  • Ensure that the vendor complies with industry standards and regulations relevant to your business. 

Continuous Monitoring: 

  • Implement continuous monitoring of the vendor’s security practices. This can include regular audits, vulnerability assessments, and penetration testing. 
  • Utilize tools and platforms that provide real-time monitoring and alerts for any suspicious activities or potential breaches. 

Use of CIS Critical Security Controls (CSC): 

  • The Center for Internet Security (CIS) provides a set of best practices known as the Critical Security Controls (CSC). These controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. 
  • Key controls to expect at your critical vendors include: 
      ◦ Inventory and Control of Hardware Assets: Ensure the vendor maintains an accurate inventory of all hardware devices within their network. 
      ◦ Inventory and Control of Software Assets: The vendor should have an inventory of all software in use and only allow authorized software to be installed. 
      ◦ Continuous Vulnerability Management: Regularly scan for vulnerabilities and remediate identified issues promptly. 
      ◦ Controlled Use of Administrative Privileges: Ensure that administrative privileges are managed and controlled. 
      ◦ Secure Configuration for Hardware and Software: Maintain secure configurations for all devices and software. 
      ◦ Maintenance, Monitoring, and Analysis of Audit Logs: Ensure that audit logs are maintained, monitored, and analyzed to detect and respond to incidents. 

Contractual Safeguards: 

  • Ensure that contracts with vendors include clauses that mandate compliance with cybersecurity standards, regular security audits, and prompt notification of any security incidents. 
  • Include provisions for penalties or termination of the contract in case of non-compliance or failure to meet security standards. 

Training and Awareness: 

  • Ensure that the vendor’s staff is trained in cybersecurity best practices and aware of the latest threats and vulnerabilities. 
  • Encourage a culture of security awareness and continuous improvement within the vendor organization. 

Conclusion: The Imperative of Robust TPRM 

The CDK Global cyberattack serves as a stark reminder of the vulnerabilities inherent in relying heavily on third-party vendors. A robust TPRM program, coupled with solid BIA, DRP, and IRP, can significantly mitigate the impact of such incidents. For car dealerships and other businesses, the key takeaway is clear: proactively managing third-party risks and ensuring comprehensive contingency planning are essential to safeguarding operations and maintaining business continuity in the face of cyber threats. 

By learning from the CDK Global incident, organizations can better prepare for future disruptions and protect themselves from the wide-reaching effects of cyberattacks on their critical vendors. As we navigate the aftermath of this incident, the value of TPRM becomes undeniably clear—not just for businesses, but for the countless customers who rely on them. 

Timothy J. Marley, CPA, CISSP, CISA, CISM, CIA, CDPSE

Founder and Principal Consultant, Prism One

Timothy J. Marley, founder and principal consultant of Prism One, is a seasoned cybersecurity executive with over two decades of experience in information technology, risk management, and compliance. Tim’s extensive expertise helps organizations navigate the complex landscape of cybersecurity and risk management.

Tim’s mission is to empower organizations to build resilient security postures in an ever-evolving threat environment. At Prism One, he continues to provide tailored, high-quality cybersecurity solutions to meet the unique needs of each client.
