
Cyber Insurance for Car Dealerships: What You Need, What It Costs, and What Underwriters Are Looking For


By Ryan Windt | Head of Growth Marketing | Updated April 2026

In June 2024, the BlackSuit ransomware group hit CDK Global, the software platform that powers roughly 15,000 car dealerships across North America. Within hours, dealer management systems went dark. Sales floors switched to pen and paper. Financing ground to a halt. Customers who were supposed to drive home that weekend sat waiting. Two weeks later, after CDK reportedly paid approximately $25 million in ransom, systems began to come back online.

The total damage to dealerships collectively exceeded $1 billion, according to estimates from Anderson Economic Group. New vehicle sales dropped an estimated 7.2% in June 2024 compared to the prior year. The disruption was not limited to small independents. Major publicly traded groups including Lithia Motors, Group 1 Automotive, Penske Automotive, and Sonic Automotive all disclosed material impacts to the SEC.

CDK was not a dealership. CDK was a vendor. And that is exactly what makes this story so important for every dealer still evaluating whether they really need cyber insurance.


Why Car Dealerships Are a High-Value Target

Most people think of a car dealership as a sales business. Underwriters see something different: a financial institution sitting on a large and sensitive data pool, with broad third-party software dependencies and a workforce that turns over faster than almost any other industry.

Here is what a typical dealership holds on any given day:

Customer financial data. Every vehicle purchase that involves financing requires the buyer to provide Social Security numbers, income verification, bank account information, employment history, and credit information. That data lives in your dealer management system and often in multiple third-party platforms simultaneously.

Driver’s license and identity documents. Test drives, trade-in evaluations, and financing applications all require government-issued ID. Dealerships scan and store these documents at scale.

Payment card data. Service departments process hundreds of card transactions per month. If your point-of-sale environment is not segmented from the rest of the network and kept PCI DSS-compliant, that card data is exposure you carry directly.

Employee records. High turnover is the norm in automotive retail, and every departure leaves behind accounts, shared logins, and vendor portal credentials that are only safe if someone disables them promptly. Payroll records, W-2 data, and benefits information are also held in systems that may not be hardened to the same standard as your sales floor.

Vehicle inventory and transaction records. Floor plan financing, wire transfers for vehicle purchases, and OEM relationships create financial transaction exposure that ransomware groups specifically target.

The FTC Safeguards Rule, which applies to auto dealerships that arrange or extend financing, makes protecting this data a compliance obligation as well as a security one. The 2021 amendments added specific technical requirements, including encryption of customer information, multi-factor authentication for anyone who accesses it, and a designated Qualified Individual who owns the program; most of those took effect in June 2023. A 2023 amendment then added a duty to notify the FTC as soon as possible, and no later than 30 days after discovery, of any event in which unencrypted customer information of 500 or more consumers is acquired without authorization. That notification requirement took effect on May 13, 2024, just over five weeks before the CDK attack.

FTC civil penalties currently run up to $53,088 per violation, and a single incident can involve a large number of improperly protected records, so the exposure scales quickly. Class action lawsuits from customers whose data was exposed are now a standard outcome of dealership breaches; CDK was named in multiple class actions within days of the outage.

The combination of regulatory obligation, sensitive data volume, and heavy third-party software dependency puts dealerships in a risk category that many dealers still underestimate.


What Cyber Insurance Actually Covers for Dealerships

Cyber insurance for car dealerships is not just about ransomware. A well-structured policy should address the full range of incidents that are realistically likely for your business.

Business interruption. This is the coverage that matters most in a CDK-style scenario. When your dealer management system goes down and you cannot process sales, financing, or service orders, business interruption coverage compensates for the lost income during the recovery period. For a dealership selling 150 vehicles per month, even a week of disruption is a significant loss. The CDK event showed how quickly this number escalates.

Ransomware and cyber extortion. If your own systems are encrypted, cyber extortion coverage applies to the ransom payment itself, where the policy and the law allow it, and to the negotiator, forensic, and recovery costs around it. Your policy should be structured so that your insurer’s incident response team is engaged before any payment is made. Among other things, that team screens the threat actor against OFAC sanctions lists, because paying a sanctioned group is prohibited regardless of what the policy says.

Data breach response costs. When customer PII is exposed, you face notification costs, credit monitoring obligations for affected individuals, forensic investigation fees, and legal costs. Cyber insurance covers these first-party expenses. Under the FTC Safeguards Rule, these costs are no longer hypothetical for dealerships.

Regulatory fines and defense costs. FTC enforcement actions, state attorney general investigations, and the legal defense costs associated with responding to them are covered under a properly structured cyber liability policy. Not every policy includes regulatory coverage as a standard component, so this is worth verifying at the application stage.

Third-party liability. If your dealership suffers a breach that exposes customer data and those customers file a class action, third-party liability coverage pays for legal defense and settlements. This is distinct from the costs of breach response.

Business email compromise and wire fraud. Dealerships are targeted for BEC specifically because they handle large wire transfers for vehicle purchases, floor plan payments, and OEM transactions. Fraudulent wire transfer coverage, sometimes called social engineering coverage or eCrime coverage, is often a separate sub-limit within a cyber policy. It should be explicitly confirmed when you apply, and the limit should reflect the size of the wires your dealership routinely sends.

What is typically not covered. Physical damage to vehicles from a cyber-enabled incident, intellectual property theft, and losses from incidents that predate your policy’s retroactive date are standard exclusions. Losses attributed to state-sponsored cyber operations may also be excluded under the war exclusion language that most carriers now include. Your underwriter should walk you through the specific wording in your policy.


The CDK Scenario: What Would Have Covered Your Dealership?

The CDK attack was a third-party vendor incident. CDK was compromised. Your systems were not hacked directly. Your DMS simply went dark because the platform you depended on went offline.

That distinction matters for coverage, and it is a conversation every dealership should have with their underwriter before an incident happens.

A well-structured cyber policy with business interruption coverage would typically respond to losses from a dependent system outage, but the policy wording matters. Some policies require that the triggering incident be a covered event on your own systems. Others carry a specific contingent (sometimes called dependent) business interruption provision that covers losses caused by an outage at a third-party vendor. Even then, read the details: some carriers cover only vendors you have scheduled by name, most apply a waiting period of several hours before the loss clock starts, and the sub-limit for contingent losses is often lower than the policy’s headline limit.

The lesson from CDK is not simply that ransomware is dangerous. It is that your single largest operational risk may not live inside your building at all. It lives in the software you cannot run your business without. Making sure your policy responds to that scenario is worth a direct conversation with your insurer.


What Underwriters Look For When Insuring Dealerships

Dealership applications are reviewed with attention to a specific set of controls. Here is what matters most.

Multi-factor authentication. MFA on email, remote access, VPN, dealer management system logins, and administrative accounts is a baseline requirement. Because most DMS platforms involve vendor remote access into the dealership, underwriters will ask specifically how that access is credentialed, whether it uses MFA, and whether it can be disabled when not actively in use. The CDK outage drew attention to the always-on connections between DMS platforms and dealer networks, which makes this question more pointed for dealerships than for other verticals.

Endpoint detection and response. EDR on all workstations and servers is now a standard requirement. Traditional antivirus does not satisfy this requirement. Underwriters want to see that you have real-time detection and automated response capability.

Patching and vulnerability management. Dealership environments often include older systems that are difficult to update. Underwriters will ask about patch cadence and what controls you have in place for systems that cannot be patched on a standard cycle.

Vendor and third-party risk management. Given CDK and the broader pattern of third-party incidents, underwriters are paying closer attention to how dealerships manage their software vendor relationships. Do you have an inventory of all third-party systems with access to your environment? Do vendors with remote access use MFA? Can you disable that access quickly if a vendor is compromised? These questions are increasingly common on applications.

Incident response plan. A documented, tested incident response plan is required. For dealerships, this plan should specifically address what happens when a core platform like your DMS goes offline, since that is a realistic scenario rather than a hypothetical one.

Employee security training. Social engineering remains a primary attack vector (the 2023 MGM Resorts intrusion began with a phone call to the help desk that talked an agent into resetting an employee’s credentials), so underwriters want to see evidence of phishing simulation and security awareness training. Dealership environments with high turnover make consistent training harder to sustain, and underwriters know this.

FTC Safeguards Rule compliance. Carriers underwriting dealerships are increasingly aware of the Safeguards Rule requirements. Documentation of your Written Information Security Program, your designated Qualified Individual, and your risk assessment process signals to underwriters that your dealership has taken its compliance obligations seriously. This reduces perceived risk and can translate directly into better pricing.

Network segmentation. Separating your customer-facing Wi-Fi, your service department systems, your finance office, and your administrative network from one another limits the blast radius of any single intrusion. Underwriters view segmentation as evidence that you have thought through containment, not just prevention.
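The segmentation described above, and the “can you disable vendor access quickly” question from the vendor risk management item, are both easier to answer with a concrete policy in hand. The following nftables ruleset is an added example, not code from the article, from any DMS vendor, or from any carrier. It assumes a Linux edge firewall routing between four VLAN interfaces (vlan10 through vlan40), a WireGuard-style tunnel named wg-dms that terminates the DMS vendor’s remote access, an on-premises DMS server at 10.20.0.10, and placeholder address ranges for the vendor and the card processor; every one of those names and addresses is an assumption to replace with your own.

```nft
#!/usr/sbin/nft -f
# Added example (not from the article or any vendor): a four-zone dealership
# firewall. All subnets, interface names, and external ranges are assumptions.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real vendors.

flush ruleset

define GUEST_NET   = 10.10.0.0/24     # customer-facing Wi-Fi   (vlan10)
define SERVICE_NET = 10.20.0.0/24     # service dept / POS       (vlan20)
define FINANCE_NET = 10.30.0.0/24     # finance office           (vlan30)
define ADMIN_NET   = 10.40.0.0/24     # admin / IT management    (vlan40)
define LAN_NETS    = { 10.10.0.0/24, 10.20.0.0/24, 10.30.0.0/24, 10.40.0.0/24 }
define DMS_SERVER  = 10.20.0.10       # on-prem DMS host the vendor supports (assumed)
define DMS_VENDOR  = 203.0.113.0/24   # DMS vendor's published range (assumed)
define PAY_GATEWAY = 198.51.100.0/24  # card processor's range (assumed)

table inet dealership {
    # Vendor sources allowed to reach the DMS server. Flushing this set is the
    # kill switch underwriters ask about: access stops without a rule rewrite.
    set vendor_allowed {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    # Traffic crossing between zones or to the internet. Default: drop.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Guest Wi-Fi: internet only. Any attempt at an internal subnet dies here.
        iifname "vlan10" ip daddr $LAN_NETS counter drop
        iifname "vlan10" oifname "wan0" accept

        # Service/POS: card terminals reach the processor over TLS, advisor
        # workstations reach the DMS vendor, and general web on 80/443 only.
        iifname "vlan20" ip daddr $PAY_GATEWAY tcp dport 443 accept
        iifname "vlan20" ip daddr $DMS_VENDOR tcp dport 443 accept
        iifname "vlan20" oifname "wan0" tcp dport { 80, 443 } accept

        # Finance office: DMS and credit portals over TLS, general web, no
        # lateral reach into service, guest, or admin.
        iifname "vlan30" ip daddr $DMS_VENDOR tcp dport 443 accept
        iifname "vlan30" oifname "wan0" tcp dport { 80, 443 } accept

        # Admin may open management sessions into any zone; no zone may open a
        # session into admin (nothing below accepts traffic destined to it).
        iifname "vlan40" ip daddr $LAN_NETS tcp dport { 22, 3389, 5985, 5986 } accept
        iifname "vlan40" oifname "wan0" accept

        # Vendor remote access: only from the allowed set, only to the DMS host,
        # only on the ports the vendor actually needs (assumed here: 443, 3389).
        iifname "wg-dms" ip saddr @vendor_allowed ip daddr $DMS_SERVER tcp dport { 443, 3389 } accept comment "dms-vendor-inbound"
        # Anything else arriving on the vendor tunnel is a pivot attempt: log it.
        iifname "wg-dms" log prefix "vendor-out-of-scope " counter drop

        # Any other zone-to-zone attempt is logged, then dropped by policy.
        ip saddr $LAN_NETS ip daddr $LAN_NETS log prefix "cross-zone-drop " counter drop
    }

    # Traffic to the firewall itself: manage it from the admin VLAN only.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        iifname "vlan40" tcp dport 22 accept
        # DHCP and DNS for the zones this box serves (assumed).
        iifname { "vlan10", "vlan20", "vlan30", "vlan40" } udp dport { 53, 67 } accept
        iifname { "vlan10", "vlan20", "vlan30", "vlan40" } tcp dport 53 accept
        icmp type echo-request accept
    }
}
```

Load it with nft -f and confirm with nft list ruleset. The operational point is the named set: nft flush set inet dealership vendor_allowed cuts the vendor’s access in seconds during an incident like CDK’s, and nft add element inet dealership vendor_allowed { 203.0.113.0/24 } restores it once the vendor confirms recovery, with no rule edits in between. The two log rules are worth forwarding to whatever your MSP or EDR console collects: a steady stream of cross-zone-drop hits from a single finance workstation is exactly the kind of evidence an incident response team, and an underwriter, will want to see you are already collecting.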


What Cyber Insurance Costs for Car Dealerships

Pricing is driven by several factors specific to your dealership’s profile. Revenue is the primary underwriting factor, followed by controls posture, claims history, and the complexity of your vendor environment.

A single-point dealership with $20 million in annual revenue, clean controls, and no prior claims can typically expect to pay somewhere in the range of $5,000 to $12,000 per year for a $1 million primary limit. Larger dealer groups with more complex DMS environments, higher revenue, and multiple rooftops will pay more, both because limits need to be higher and because the underwriting involves more scrutiny.

The most common coverage triggers that drive price upward include:

  • Prior claims or incidents, particularly if they were not fully remediated
  • Absence of MFA on key systems
  • Outdated DMS or point-of-sale software without a defined upgrade path
  • Poor documentation of vendor risk management practices
  • No formal incident response plan or evidence that one has been tested

Controls that consistently produce better pricing include documented EDR deployment, MFA across all remote access and admin accounts, a current and tested IR plan, and evidence of Safeguards Rule compliance. Dealerships that can demonstrate these controls upfront move through underwriting faster and with fewer surprises.

Working directly with an underwriter who specializes in cyber, rather than routing through a generalist commercial lines broker, also tends to produce better outcomes. The underwriting conversation for a dealership is more nuanced than a standard commercial lines application, and a specialist underwriter knows which questions to ask and how to interpret your answers in context.


What Dealers Should Do Before Applying

The application process for cyber insurance is more involved than it was three or four years ago. Underwriters have moved away from simple checkbox questionnaires toward requesting evidence of controls. Here is how to prepare.

Inventory your vendor dependencies. Know which third-party platforms have access to your systems, what level of access they have, and whether that access is authenticated with MFA. CDK is the obvious one, but dealers typically have multiple software vendors with some form of system access.

Document your FTC Safeguards compliance posture. Pull together your Written Information Security Program, your risk assessment, your vendor oversight documentation, and your incident response plan. These documents serve double duty: they satisfy Safeguards Rule requirements and they are exactly what underwriters want to see.

Assess your MFA gaps. Walk through every system that uses a remote login and verify that MFA is enforced. Finance office software, DMS access, payroll systems, email, and remote desktop access are the most common gaps.

Confirm your EDR coverage. Make sure you know what endpoint protection is deployed, on how many devices, and when it was last updated. If you are relying on legacy antivirus, that needs to be addressed before you apply.

Talk to your MSP or IT provider. If you work with a managed service provider for IT support, they should be able to document your current controls posture and identify gaps before your application goes in. Dealerships whose MSPs use security-first approaches tend to have cleaner applications and faster approval timelines.


A Note on How This Coverage Works with Your Existing Policies

General liability does not cover cyber losses. Your commercial property policy does not cover data. Your garage policy covers physical vehicles, not the systems that sell them.

Standalone cyber insurance is a separate line. Some carriers will add a small cyber endorsement to a package or business owner’s policy, but those sublimits are typically far below what a multi-day DMS outage or a breach notification to thousands of customers would cost. A standalone cyber policy has its own limits, deductibles, and terms, designed specifically for the risks that your other coverage does not address.

If you have a cyber policy already, it is worth reviewing whether your business interruption coverage extends to contingent events caused by third-party vendor outages. If your policy requires that the outage be caused by a direct attack on your own systems, and not a vendor, you may have a gap worth closing at renewal.


Working with SeedPod Cyber

SeedPod Cyber is a direct underwriter specializing in cyber liability and Technology E&O coverage for businesses across a wide range of industries, including automotive dealerships. We work directly with the underwriting process rather than routing through multiple brokerage layers, which means faster decisions, more transparent pricing, and coverage conversations that are grounded in actual underwriting criteria.

If you are evaluating cyber insurance for the first time, or if you have an existing policy and want a second opinion on whether your coverage would have responded to a CDK-style event, we are happy to walk through it with you.
