Business Interruptions: Mitigating Cybersecurity Risks from External Hacks


So the CDK ransomware hack that's affecting tens of thousands of dealerships in June of 2024 is a very good case study in how businesses can be affected by cyber liability and cybersecurity, even if you're not affected directly.

So what was the CDK hack? Well, CDK is a company that provides automotive dealership services to new and used car dealerships and truck dealerships nationwide. What are those services? It helps them manage their sales department when they have incoming phone calls or if someone buys a car and they have to do all their paperwork for their title, registration, and car loans. It provides the software to handle all that documentation. It also provides software for the service department where they fix cars to handle repairs, warranties, and billing for customers that pay for service. It also handles the parts department, ordering parts, assigning parts to repair jobs, selling parts, and getting inventory from the thousands of parts you have on your shelves out to the repair department. All of those functions, including accounting, are handled in the cloud by this company called CDK, and they had different sections and subsidiaries that did all this.

The hackers found a way to lock up the CDK system. This hack occurred over many weeks, probably many months, where they got into their system, planted a bunch of viruses, collected emails to get information about the company, and eventually launched their attack and locked up the CDK system. Now, the dealership never got hacked, the parts department never got hacked, the service department never got hacked, and individual dealerships never got hacked. The client of CDK never got hacked. But this vendor of software, CDK, got hacked, and they were subject to ransomware. Their system was locked down; it was bricked, and they couldn't use it.

So all these dealerships now depend upon CDK to be able to sell a car, print out paperwork for a customer to sign, buy a car and take it home with them, provide service for repairs, warranty service, and identify parts and find the parts on your shelf. So now, all these dealerships, a lot of them were shut down when this hack was taking place. Some of them went to old school paper and pencil, doing things on paper. But some things you can't do on paper and pencil because you don't have the information.

Now, remember, the dealership never got hacked, so they weren't subject to the actual virus, but their vendor that they relied on for all of their operational control was hacked. This can happen in any industry. Many industries have one bottleneck, one gatekeeper for their industry. For example, if you're in the broadcast news industry, you might get all of your news feeds provided through some cloud provider. If you are in the manufacturing industry, you might have certain engineering going through a provider. You may not even know the actual provider because it might be sold through a third party, it might be provided by Amazon Cloud Service (AWS), or it may go through Google. There may be several providers, and all it takes is one of those links in the chain to be corrupted, and now you're out of business.

These dealerships, many of them are literally out of business for many days. Their salespeople aren't making money selling cars and making commissions. Their service departments can't fix cars, and people's cars are off the road. So this is a very good case study in how hackers can really exploit the bottlenecks. It's good to have efficiency in a market where all of the economy of scale can happen through one company, but now if that one company is holding up the whole industry, if it goes down, everybody's out of business.

So what happens from all this? Where's the liability? Who might be out money? Who might have lawsuits against them? Now, remember, we're not attorneys, we're not giving you legal advice, but consider a couple of possible liability loss scenarios. Let's suppose that you are a car dealership and you were not hacked, you did everything right, but your provider, CDK, does not allow you to function because they got hacked. What if somebody comes in for service and needs to get their car back on the road, and you as a dealership sold them the car with a warranty that says, "Hey, if something goes wrong with your car, it'll get fixed," and now they're off the road for five, six, or seven days, and they have to rent a car? Maybe they can't get to work or a doctor's appointment. Can they sue you as a dealership? Well, you may have third-party liability.

What if your salesperson doesn't make enough money in that week or two to be able to pay their bills? Can they sue you for liability? It's unknown. What if there is a repair shop that depends upon you to get parts for the repairs, and they can't get parts? Do you have liability? It's unknown. Can they make the claim? Certainly, they can make the claim. Would they prevail? It's unknown.

What about upstream from you as a dealership? What about things that you pay for as a dealership? What if you can't pay your rent on your building? We will be back in your video in just a few seconds. In the meantime, remember that actualhuman.com offers you live one-on-one private video consultation with an expert in this exact subject. We want to listen to your story, we want to hear your questions, and we want to give you expert advisement on your options and tell you what we know about your particular situation.

Now, back to your video. What if your service goes down and a vendor that relies on you for transporting cars is not able to transport cars? This may open up a can of worms. This dealership example may not be the greatest example, but in any industry, if you have people that depend upon you for money, services, income, revenue, accounts payable, and accounts receivable, and that gets interrupted for some liability reason, you may have a claim against you.

What if the dealership's customers, maybe 5,000 customers in the last year, have all their information released to the dark web because they were hacked? Every time you sell a car, every time you service a car, that information goes to CDK. What if the hackers got all that information and sell it to scammers, identity thieves, and fraudsters? Does that dealership have liability? Well, the dealership didn't get hacked, but their information went through the dealership.

There are a lot of reasons why there may be more liability and what's called perils in the insurance industry that may not be visible to a business owner, which is why it's important to identify those and make sure if you have cyber liability insurance that you find out if it covers third-party liability upstream and downstream. If it doesn't, that's fine if that's what you want, but make sure you ask the question and don't just assume that it's going to cover things because there are many different types of cyber liability insurance. Plus, what are the limits? Many times, a standard general liability policy will have a rider or an endorsement for cyber up to $50,000 or $25,000. That might be a drop in the bucket for a large claim like this. You may want to have a standalone policy.

You also want to look to see if you have a response, incident response. So, let's say your building caught on fire. You probably have fire drill posters on your wall. You know what to do. If there's a power outage, you know what to do. If there's a cyber attack, or let's say in the case of this CDK hack, if you're a dealership, do you know what to do if your computers go down? Who's in charge? Who makes the decisions? You should have a standard response to these types of cyber events already in place.

Now, many cyber insurance policies will provide a response for you. They have a team; you call them up, and they take care of it. But you may want to have your own response too. What is payroll going to do? What is accounts receivable going to do? What is your management going to do to keep morale high? If your salespeople aren't making money, what are you going to do to keep them from going to another dealership that maybe isn't part of this hack? How are you going to communicate with your customers? What if you can't get a hold of your email? How are you going to reach all your customers and let them know that you'll be back in business in a few days? Do you have a response plan, a checklist? Who's going to do what?

Because the last thing you want to do is try to figure it out on the fly when you're in the middle of this storm. And the other thing you want to do is have active monitoring. Prior to this hack, there were signs that this was going to happen. There were dropouts of connections with CDK, and there were blackout periods with CDK, brief ones. That was the hackers starting to roll out and deploy this virus. They probably installed it over the course of many months, and had there been more advance notice, people could have taken different actions and maybe mitigated some of the losses.

This is a great case study in how hacks and cyber attacks can work, how they can domino effect to people upstream and downstream from the company that actually gets hacked, but also how companies can anticipate it, have a response in place, and there are a lot of great success stories for dealerships that are going to pencil and paper. They're being creative. There are a few dealerships that said, "Well, we'll just shut down and have our salespeople clean out closets for a couple of days." Yeah, I guess that's better than nothing, but why not at least try to do something?

Some dealerships are doing pencil and paper, letting customers know they have to come back in a few days to re-sign. Some dealerships are pulling up their old systems. Some dealerships are finding alternate ways to print out documents. They're finding ways to get access to parts. Sometimes they're writing out repair orders for cars and service, charging the credit card, and then later on making the bill match the payment. Even if they have to eat some money, at least they're being proactive. So, think in advance about what would happen if you walked in one day and all your computers were down. How would you operate? How would you make money? How would you collect from your receivables? How would you keep your staff motivated? How would you keep people from being demoralized?

Those are all important things to have a response plan and to be monitoring this. Have your IT department or your cyber liability insurance company make sure they have active monitoring to keep an eye on your network because the signs are there long before it was a crisis. That would give you maybe a heads-up for a day or two, or even a few hours, to maybe shut some things down so you don't lose data or your customers' data doesn't end up on the dark web.

Thank you for watching. Remember, you can access live one-on-one personal consultations with a licensed private investigator, a licensed commercial insurance broker, a licensed certified real estate title examiner, and a certified civil court mediator. So, if you need to talk to an expert in any of these fields, or even a licensed building general contractor, you can click the link below, actualhuman.com, and arrange a live one-on-one, undivided attention session with a licensed expert where you can ask any questions, get information about your situation, and we'd be glad to help.
