Cybersecurity and ransomware attacks have made increasing news in recent months as companies such as Colonial Pipeline said they paid millions to regain access to critical data.
RV dealerships with systems storing consumer information in the cloud might believe the practice protects the dealer from liability. One consultant said the opposite is true.
“When dealers’ information is stored in the cloud, if there is a breach, then that company can go back to its agreement with the dealer,” said Tom Kline, lead consultant and founder of Better Vantage Point. “The agreement typically includes the dealer indemnifying the company that keeps the information in the cloud. It affords the dealer zero protection if there is a breach.”
Cyberattacks are rising quickly. Supply-chain attacks are up 420% in the past 12 months, according to Retarus, a global information logistics firm headquartered in Germany. Google reported a 27% increase in phishing sites in the 12 months leading to January 2021.
Microsoft on Friday reported a new cyber breach. Kline said if Microsoft could be a cyberattack subject, dealerships can, too.
“There is going to be a data breach at your dealership,” Kline said. “It is not an if; it is a when.”
Dealers concerned about liability can explore cyber insurance coverage. A good cyber policy will cover various items, Kline said, and is not prohibitively expensive.
Items Kline said dealers should ask about in a cyber policy include:
- Does the cyber coverage cover legal expenses related to regulatory issues and penalties, at the state and federal levels?
- Does the cyber coverage pay for forensic, public relations and crisis management expenses?
- Does the coverage pay for business interruption loss? A business interruption component can include security breaches, system failures, data recovery costs and claims expenses.
- Does the policy pay for extorsion losses and data recovery losses?
Kline said some policies will pay for telephone fraud and funds transfer fraud, often under an umbrella called invoice manipulation. Other potential coverages include reputational loss and employee cell phone breach coverage.
“Do not get a case of the ‘yet’s as one dealer described it to me,” Kline said, adding the dealer told him, “It has not happened yet to me.”
Dealers often discuss cyber coverage when setting up initial insurance policies. Kline said if a dealer has not yet had a conversation about cyber coverage, now is the time.
He said dealers should reach out to their current insurance agent and determine whether they have access to the cyber markets. If not, he suggested considering a large insurance provider that can be found through RVDA.
Cyber protection is among numerous risk mitigation steps dealers should be exploring regularly, Kline said. He defined risk mitigation as the process of identifying risks and seeing how the risks can be transferred, so the dealer/dealership is not responsible.
“Dealers are at risk every day and their assets are at risk every day,” Kline said. “Most problems start with customers and employees, and secondarily, advertising problems. Protecting the assets requires vigilance and constant attention.”