Fact or Fiction: EDR Satisfies Requirement for Continuous Monitoring Under the GLBA Safeguards Rule

By Mark Sanborn
Senior Product and Regulatory Counsel

Fact: Endpoint Detection and Response technology (“EDR”) only satisfies one of the three elements of “continuous monitoring” as that term is used in the Revised Safeguards Rule. In the absence of full continuous monitoring, dealers must conduct annual penetration testing and vulnerability assessments at least twice per year.

Fiction: Implementing an EDR solution alone satisfies the requirement for “continuous monitoring” under the Revised Safeguards Rule.

Hey there, compliance enthusiasts! It’s time for another installment about your favorite topic: the Revised Safeguards Rule (“Revised Rule”). If you’re a dealer covered by this Rule, you’ve got some serious monitoring and testing to do. And no, we’re not talking about taste-testing the latest batch of office coffee (although that’s important too).

Under the Revised Rule, you need to keep a close eye on your information systems’ key controls, systems, and procedures, including the systems that you use to detect and prevent intrusions into, and attacks on, your information systems. Think of it like being a helicopter parent but for your data security. You’ve got to make sure those systems are behaving themselves and not getting into trouble with any pesky attacks, intrusions, or shady characters.

Continuous Monitoring

Now, if you want to be the cool kid on the block, you can opt for continuous monitoring. It’s like having a 24/7 security guard for your information systems. Under the Revised Rule, continuous monitoring means real-time, ongoing monitoring of an information system’s security, including monitoring for security threats, misconfigured systems, and other vulnerabilities. Cover all three and you are relieved of the periodic testing described below. But be warned, this high-tech solution comes with a high-tech price tag. The FTC heard an earful about the costs when it was putting together the Revised Rule.

Penetration and Vulnerability Assessments

If continuous monitoring isn’t your jam, or if your budget is more “ramen noodles” than “caviar,” fear not! You can still comply by conducting penetration testing at least annually and vulnerability assessments at least every six months. Penetration testing is basically sanctioned hacking – you get to play the role of the bad guy and try to break into your own systems. It’s like a high-stakes game of cops and robbers, but with fewer water guns and more keyboards. During a penetration test, assessors try to circumvent or defeat the security features of your information system by attempting penetration of databases or controls from outside or inside the information system. A vulnerability assessment is the complementary exercise: systematic scans or reviews of your information systems designed to identify publicly known security vulnerabilities, such as missing patches and weak configurations.

Endpoint Detection and Response

Now, some vendors out there might try to sell you on Endpoint Detection and Response (EDR) technology as the ultimate solution, claiming it’s the “continuous monitoring” silver bullet that gets you out of all that pesky testing. But hold your horses! EDR is a fantastic tool: it watches what happens on your computers (process activity, file changes, network connections) and raises the alarm on suspicious behavior, much like a security camera and alarm system. That covers the “security threats” element of continuous monitoring. It is not a magic wand, though. On its own, EDR does not inventory misconfigured systems or other vulnerabilities, so it does NOT constitute continuous monitoring under the Revised Rule. Don’t put all your eggs in the EDR basket, folks.
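To make the three elements concrete, here is an added illustration (example code written for this article, not a ComplyAuto product or anything the Rule prescribes). The first check is the kind of behavioral rule an EDR applies to endpoint telemetry; the second and third need different evidence entirely: configuration state and a software inventory compared against advisories. All telemetry, the sshd_config fragment, the baseline, the inventory and the advisory list are constructed for the example, and the advisory identifiers are placeholders, not real CVEs.

```python
"""Three kinds of monitoring evidence, using constructed sample data throughout."""
import re

# 1. Security threats: what an EDR-style behavioral rule looks at.
# Constructed endpoint telemetry: (parent process, child process, command line).
PROCESS_EVENTS = [
    ("explorer.exe", "WINWORD.EXE", "WINWORD.EXE /n C:\\Users\\j\\invoice.docx"),
    ("WINWORD.EXE", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def detect_threats(events):
    """Flag script hosts spawned by Office apps (a common macro-dropper pattern)."""
    findings = []
    for parent, child, cmdline in events:
        if parent in OFFICE_APPS and child.lower() in SCRIPT_HOSTS:
            findings.append(f"THREAT: {parent} spawned {child}: {cmdline}")
    return findings


# 2. Misconfigured systems: needs configuration state, which process telemetry
# never carries.  Constructed sshd_config fragment and a hypothetical baseline.
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""
SSH_BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def check_misconfigurations(config_text, baseline=SSH_BASELINE):
    """Compare 'Key value' lines against the expected baseline values."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append(f"MISCONFIG: {key} is {actual!r}, expected {expected!r}")
    return findings


# 3. Other vulnerabilities: needs a software inventory matched against advisories.
# Constructed inventory and constructed advisories (identifiers are placeholders).
INVENTORY = {"openssl": "1.1.1k", "nginx": "1.24.0", "dms-agent": "3.2.0"}
ADVISORIES = [  # (package, first fixed version, identifier)
    ("openssl", "1.1.1w", "EXAMPLE-ADV-0001"),
    ("dms-agent", "3.1.0", "EXAMPLE-ADV-0002"),
]


def version_tuple(version):
    """Split '1.1.1k' into comparable parts; ints sort before letter suffixes."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def find_vulnerable(inventory, advisories):
    """Report installed packages older than the first fixed version."""
    findings = []
    for pkg, fixed_in, ident in advisories:
        installed = inventory.get(pkg)
        if installed and version_tuple(installed) < version_tuple(fixed_in):
            findings.append(f"VULN: {pkg} {installed} < {fixed_in} ({ident})")
    return findings


def continuous_monitoring_findings():
    """All three elements together; an EDR alone only produces the first list."""
    return (detect_threats(PROCESS_EVENTS)
            + check_misconfigurations(SSHD_CONFIG)
            + find_vulnerable(INVENTORY, ADVISORIES))


if __name__ == "__main__":
    for finding in continuous_monitoring_findings():
        print(finding)
```

Run it and you get one THREAT line (the only thing EDR telemetry would surface), two MISCONFIG lines from the SSH configuration, and one VULN line from the outdated OpenSSL build. The last three findings come from data an endpoint agent does not collect, which is exactly the gap the Rule’s definition of continuous monitoring expects you to close.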

A Multifaceted Approach

All kidding aside – these steps are critical to ensuring the safety of your systems and the data in those systems, and you should consider your approach carefully. While it may not always be easy, the stakes are high and only getting higher. Nothing is perfect, but the good news is that these tools can help. To really cover your bases, you’ll need to combine EDR with other security measures, such as penetration testing, timely patching and software updates, encryption, MFA, and expanded phishing prevention tools.

What About Phishing Tests?

Some compliance companies might try to pass off a phishing test as a substitute for a penetration test, but that’s like bringing a knife to a gunfight. Phishing tests are great (and should not be ignored), but they measure whether your people will click, not whether your systems can be broken into. They tell you nothing about unpatched servers, weak configurations, or exposed services, which is exactly what a proper penetration test probes. In light of recent cybersecurity incidents targeting the automotive industry, and FTC reporting requirements for data security incidents, dealers cannot afford to take half measures when it comes to securing their systems and data.

How Can We Help?

With ComplyAuto, performing a penetration test is easier than ever: with our patent-pending remote gateway, penetration tests can be performed remotely, so there is no need to bring personnel and equipment to your dealership to perform the test.

So, there you have it – the lowdown on continuous monitoring and its alternatives under the Revised Safeguards Rule. It might seem like a lot of work, but just remember: compliance is cool, and data breaches are definitely not. Stay safe out there, and happy monitoring!
