Business Continuity: How to Sell Cars When the DMS is Dead

Threat Intelligence

Business Continuity: Surviving When Your Vendor Goes Down

In the wake of the CDK Global disaster, many dealers found themselves unable to perform the most basic tasks: selling a car, ordering a part, or processing a warranty claim. Some dealerships were effectively shut down for over two weeks. This is a failure of Business Continuity Planning (BCP), and it is exactly the kind of failure the FTC Safeguards Rule was designed to prevent.

What the FTC Requires

The FTC Safeguards Rule, under 16 CFR 314.4(h), requires every covered financial institution to “establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information.” That phrase, “recover from,” is the business continuity mandate. It is not optional, and it is not satisfied by a one-page document that says “call IT.”

This requirement aligns with broader federal guidance, including NIST SP 800-34 Rev. 1 (Contingency Planning Guide for Federal Information Systems), which provides the framework for building resilient recovery capabilities. While NIST 800-34 is not legally binding on dealerships, it represents the standard of care that regulators and courts reference when evaluating whether your plan was adequate.

What CDK Dealers Actually Experienced

During the approximately 15-day core outage (June 19 through July 4, 2024), dealerships across the country resorted to desperate measures:

  • Hand-written deal jackets using carbon copy forms some dealers had not touched in years
  • Manual service orders tracked on paper, with no access to vehicle history or warranty information
  • Spreadsheets and whiteboards replacing inventory management systems
  • Direct phone calls to lenders to push financing deals through manually, bypassing the electronic funding portals
  • Lost sales as customers walked away from dealerships that could not process transactions in a reasonable timeframe

Dealers who had never planned for a total DMS failure were essentially operating blind. Those who had even a basic continuity plan were able to keep revenue flowing, even if at reduced capacity.

Building a Real BCP: The Essential Elements

1. Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

Before you build a plan, you need two numbers:

  • RTO (Recovery Time Objective): How long can your dealership survive without its DMS before the financial damage becomes critical? For most dealers, the answer is measured in hours, not days.
  • RPO (Recovery Point Objective): How much data can you afford to lose? If your last backup is 30 days old, you have a 30-day RPO, and that means 30 days of deals, service records, and customer data that may be unrecoverable.

These numbers drive every other decision in your BCP.

2. Out-of-Band Communication

How do you talk to your staff if your email, DMS messaging, and phone system are down? You need a pre-configured, secure communication channel that does not depend on your primary infrastructure. Options include Signal, a dedicated emergency messaging app, or a simple phone tree with personal cell numbers.

3. Paper Backups and Manual Procedures

You need a “go-bag” of physical forms for sales, financing, service write-ups, and parts orders. If you cannot print them from the DMS, you need them pre-printed and stored in a known location. Every department manager should know where they are and how to use them.

4. Alternative Funding Paths

If your primary lending portal is down, do you have direct contacts at your floorplan and retail lenders to push deals through manually? Document these relationships now. Include phone numbers, account numbers, and the manual submission process for each lender.

5. Floorplan and Inventory Management

When the DMS is down, your floorplan provider still expects payments and accurate inventory counts. Maintain offline records of your current inventory, floorplan balances, and payment schedules. A spreadsheet updated weekly is better than nothing.

6. DMS Alternatives and Redundancy

Consider whether your dealership should maintain a relationship with a secondary DMS provider or at minimum have evaluated alternatives such as Reynolds and Reynolds, Tekion, or Dealertrack. Full redundancy is expensive, but knowing your migration options before a crisis saves critical time.

Tabletop Exercises: Practice Before the Crisis

The FTC Safeguards Rule’s incident response plan requirement under 314.4(h) implicitly demands that you test your plan. A plan that has never been exercised is just a theory. Run a tabletop exercise at least annually:

  • Scenario: “CDK is down. All systems are offline. Walk through Day 1, Day 3, and Day 7.”
  • Include department heads from sales, service, parts, F&I, and accounting.
  • Document gaps discovered during the exercise and update the plan accordingly.

Insurance Considerations

Does your cyber insurance policy cover business interruption losses caused by a third-party vendor outage? Many policies do not, or they include sublimits that are far below your actual exposure. Review your policy language specifically for “dependent business interruption” or “contingent business interruption” coverage. If it is not there, talk to your broker before the next incident.

Documenting Your BCP for FTC Audit Purposes

If the FTC comes knocking, they will want to see:

  • A written BCP that is dated, signed, and reviewed at least annually
  • Evidence of tabletop exercises with documented findings and remediation
  • Vendor risk assessments showing you evaluated your DMS provider’s security and resilience
  • Recovery procedures that are specific enough to actually follow, not generic templates
  • Training records showing staff know their roles during an outage

At FTCSafeguards, we do not just secure your data; we secure your revenue. We help our clients build resilient systems that can survive the total failure of a primary vendor. The CDK outage proved that dealers who planned ahead kept selling cars while their competitors closed their doors.

Scott Sailors
Scott Sailorshttps://www.hiredhackers.com
Principal Security Consultant with over 20 years of experience in security architecture, engineering, and executive leadership. Holds CISSP, OSCP, CISM, CRISC, Master's and Bachelor's degrees in Cybersecurity with expertise bridging technical teams and senior management to communicate complex security challenges in actionable terms.

Latest articles

Previous article
The CDK Global Cyberattack: A Wake-Up Call for Every Dealer
Next article
CDK and the ‘Unencrypted’ Loophole: Why Encryption is Your Only Shield

Related articles