Compliance
Most dealerships that arrange financing are 'financial institutions' under the FTC Safeguards Rule — which means a specific, named cybersecurity program is required by regulation. Here's what's on the list and how to satisfy it.
Yes — if your dealership arranges financing or leasing, you are almost certainly a "financial institution" under the FTC Safeguards Rule, and a specific written cybersecurity program is required of you by federal regulation, not by a vendor's preference. The FTC has said plainly that the Rule "applies to financial institutions subject to the FTC's authority," and "that includes most automobile dealers who finance or lease automobiles" (FTC Safeguards Rule FAQ for auto dealers).
That surprises a lot of owners. The sign out front says "dealership." The regulation treats you like a lender — because every time your F&I office pulls a credit application, you are handling exactly the kind of customer financial data the Gramm-Leach-Bliley Act was written to protect.
This guide covers who's covered, what the Rule actually requires, the two dates that matter, and how to get a defensible program in place without turning your store into an IT shop.
The Safeguards Rule implements the Gramm-Leach-Bliley Act (GLBA), and GLBA's definition of "financial institution" is broad and deliberately non-bank. The FTC's guidance lists 13 kinds of businesses it covers — mortgage lenders, finance companies, tax preparers, and more — and notes that even that list is not exhaustive (FTC Safeguards Rule: What Your Business Needs to Know).
A dealership that helps a customer secure a loan or a lease is "significantly engaged" in financial activities. That triggers coverage. A store that somehow sold only for cash with no financing arm might argue it's out of scope — but that describes almost no modern dealership. If you run an F&I desk, assume you're in.
The Safeguards Rule does not hand you a checklist of products to buy. It requires a comprehensive written information security program appropriate to your size and the sensitivity of the data you hold (FTC auto-dealer FAQ). Inside that program, several elements are explicitly named:
The FTC names these directly: required safeguards "include access controls, encryption of customer information at rest and in transit, multifactor authentication for anyone who accesses your information system, and logging and monitoring activity, among other things" (FTC).
If you have read a cyber-insurance application lately, this list will look familiar. That is not a coincidence — the controls underwriters score and the controls the Safeguards Rule requires are nearly the same controls.
June 9, 2023. The expanded safeguards — the Qualified Individual, the specific technical controls above — became enforceable. A dealership without a written program is already past the deadline, not approaching one.
May 13, 2024. A breach-notification amendment took effect. Covered businesses must notify the FTC "as soon as possible – and no later than 30 days after discovery – of a security breach involving the unauthorized acquisition of at least 500 consumers' unencrypted information" (FTC). For a dealership, 500 customer records is a small number — a single compromised F&I database can blow past it.
The data a dealership holds is unusually rich: Social Security numbers, income, employment, and bank details on every financed deal. That is a premium target. And the industry already has its cautionary tale — the 2024 attack on the CDK Global dealer-management platform took thousands of dealerships offline and is estimated to have cost the industry more than $1 billion (Channel Futures). That was a single-vendor outage; it shows how completely a modern store depends on systems that can be attacked or knocked down.
The point is not fear. It is that the Safeguards Rule is asking for the same things that would have blunted that kind of event: tested backups, segmented systems, monitored endpoints, and a plan for when something goes wrong.
The controls map cleanly onto a managed security program. In practice, getting a dealership compliant looks like this:
That last point matters: the same evidence answers the regulator and the carrier. You build it once.
This is exactly the program Obsidian Ridge operates for dealerships — see the Auto Dealerships security & compliance page for how the controls line up against the Safeguards Rule. If you would rather start by finding the gaps, the Cyber Insurance Readiness Sprint maps your current state against the required controls in a fixed-scope, seven-business-day engagement and produces the written program and evidence you need.
If you finance or lease, the FTC Safeguards Rule applies to you, the deadline has already passed, and the controls it requires are the same ones that protect your store from the kind of event that took the industry offline in 2024. The good news is that one well-run program satisfies the regulation, prepares the cyber-insurance application, and actually reduces the risk — handled for you, so your team can sell cars.
Want to know where your store stands against the Safeguards Rule today? Book a dealership readiness assessment.
Last updated
June 17, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Yes. The FTC has stated that most automobile dealers who finance or lease vehicles are 'financial institutions' under the Gramm-Leach-Bliley Act, and therefore subject to the Safeguards Rule. If your store arranges financing or leasing, the Rule almost certainly applies to you — the showroom sign says 'dealership,' but the regulation treats you like a lender.
Maintain a comprehensive written information security program. That includes designating a Qualified Individual to run it, basing it on a written risk assessment, and implementing specific safeguards: access controls, encryption of customer information at rest and in transit, multi-factor authentication for anyone who accesses the information system, and logging and monitoring, among others.
The Rule has existed since 2003, but the expanded safeguards that most affect dealers became enforceable on June 9, 2023. A separate breach-notification amendment took effect May 13, 2024, requiring notice to the FTC within 30 days of discovering a breach involving at least 500 consumers' unencrypted information.
The Rule is enforced by the FTC, and non-compliance can mean federal enforcement action and penalties — separate from the cost of the breach itself. The customer financing data dealers hold (Social Security numbers, income, bank details) is exactly the kind of information the Rule exists to protect, so a breach plus a missing program is the worst-case combination.
No. PCI DSS is a contractual standard about payment-card data, enforced by the card brands through your payment processor. The FTC Safeguards Rule is a federal regulation about customer financial information broadly. A dealership can be subject to both at once, and they ask for overlapping but different controls.
Related reading
Compliance is one thing; the attack that stops a dealership is another. Ransomware on the DMS, F&I identity data, and vendor outages like the 2024 CDK attack are the real exposure. What actually hits dealers, and how to be ready.
Read articleRIAs, insurance agencies, and small advisory firms sit under overlapping cybersecurity rules — the FTC/GLBA Safeguards Rule and, for registered firms, the SEC and FINRA. Here's which ones actually apply to you, plain-English.
Read articleClosing-wire fraud is the most expensive cyberattack in real estate — and most title and settlement firms don't realize the FTC Safeguards Rule already treats them as financial institutions. Here's the exposure and the fix.
Read article