FTC Safeguards Rule for Truck Dealers: A 30-Day Readiness Plan
If you arrange financing on truck sales, the FTC considers you a "financial institution" under the Gramm-Leach-Bliley Act, and the Safeguards Rule applies. The 2023 amendments raised the bar significantly. This post is the 30-day phased plan we walk new clients through.
Days 1-7: Inventory and assess
- Identify your "qualified individual." The rule requires a named person who is responsible for the program. That person does not have to be an employee; a vCISO from your MSP qualifies. They do have to be named in writing.
- Map customer information. List every system that holds customer financial information: DMS, F&I systems, deal jacket storage, email archives, scanned credit apps on a fileshare, that one Excel file the BDC uses.
- Run a baseline risk assessment. Where the data lives, how it is protected, who has access, and how that access is reviewed.
Days 8-14: Lock the doors
- MFA on every system that touches customer information: DMS, M365, VPN, RMM, F&I tools. No exceptions for "the controller doesn't want to do it."
- Encrypt at rest and in transit. BitLocker on workstations and laptops, TLS on every web app, encrypted backups.
- Disable shared and generic accounts. "service@dealer" logins shared by three people are out.
- Enforce password manager use for staff.
Days 15-21: Watch and respond
- Deploy EDR with 24/7 monitoring. Defender for Business, SentinelOne, or similar. Logs forwarded to a SIEM or MDR.
- Document an incident response plan. Who calls whom at 3 AM. What gets unplugged. Which law firm and breach coach you call.
- Run a tabletop exercise. Walk a simulated ransomware event for 45 minutes with the principal, controller, and IT.
Days 22-30: Train, document, and report
- Security awareness training for all staff. Annual at minimum, with monthly phishing simulations.
- Vendor risk reviews. Your DMS, your payroll provider, your F&I systems. You need a record of having asked them about their controls.
- Written Information Security Program (WISP). Pull all of the above into a single document, signed by the qualified individual.
- Annual report to the board (or principal). The rule requires it.
What auditors and insurers will ask for
Cyber insurance renewals now ask for evidence of MFA, EDR, backups, training, and a WISP. The Safeguards Rule essentially codifies what insurers were already demanding. Doing this once gets you both.
We deliver the WISP, the qualified-individual function, and the technical controls as a package. Start the conversation.