Mastering Third-Party Risk: Lessons from the CDK Ransomware Breach

Aug 18, 2024, 6 min

Episode description

Episode 86 of the Cyber Law Revolution is live!

In this episode, we discuss the ramifications of the CDK breach, third-party management, and the importance of redundancy!

Keep the questions coming! 4109175189 or [email protected]

Transcript

Speaker 1

Good morning, good afternoon or good evening, and welcome back to the Cyber Law Revolution podcast. I'm your host, Spencer Pollock, cybersecurity, data protection and privacy attorney with McDonald Hopkins. As always, keep the questions, calls, comments coming: 410-917-5189, or email me at spollock, that's S-P-O-L-L-O-C-K, at mcdonaldhopkins.com.

Today let's talk again, and I think it's a frequent topic, but I've got to keep harping on it, about third-party risk management. A big issue that happened about a month ago was the CDK breach. CDK provides auto dealerships with a whole range of services, including CRM (customer relationship management), invoices.

I think they were running credit reports, services, sales, cybersecurity, I mean the whole gamut. Dealerships were very dependent on that. Unfortunately, CDK had a ransomware attack that took down their systems, which then crippled about 15,000 auto dealers. It took about a week and a half to recover from that, and we're still seeing problems.

The other big issue that we're seeing is that CDK houses a lot of sensitive non-public customer information for 15,000 dealerships, which is a massive headache. So what are some of the lessons that we should be thinking about from this? First, we need more redundancies in place.

Dealerships were way too reliant on CDK, and I'm not knocking dealerships; it was an easy solution, it was right there. Cybersecurity, CRM, sales, service, parts. It's everything. We love practicality and we love ease, but that creates massive dependencies, and then we forget about the rule: two is one, one is none. We need redundancies.

You know, with someone like CDK, you can only do so much due diligence, and you can only hope that they've got the proper procedures, protocols in place, proper backups. The fact that it took about two weeks to get back up and running, I'm not really sure, but it didn't really appear that they did have the proper backups. That's just...

That's not a fact, that's an opinion. But the fact that it took them so long is a really big issue. So the first lesson we need to learn is we need redundancies in place. The second lesson we need to learn is in incident response planning.

I'm not here to knock CDK's incident response, but you know, I think the communications were interesting, especially from the day of moving forward.

I think, regarding communications, it appeared that they were having different communications with different stakeholders with different messaging, which caused a lot of confusion, and they weren't communicating effectively to the dealerships, which caused a lot of anger.

So what we really need to do is get the communication plan buttoned up and understand how we're going to communicate in an event like this. On the dealership side, we really need to know how we're going to communicate with our customers and employees if one of our third-party vendors goes down and then we go down.

So really being able to control that narrative, to provide the necessary facts and not speculate, is such a huge part of those first 72 hours, and so I'm really hammering on that. The third part is we really need to emphasize again what sort of auditing we're doing of our third parties. I get that CDK is big, but what sort of aspects are we going to be looking at?

Did we get a SOC 2 report from them? Were we asking them about their insurance? Were we asking them about their backup procedures? Likely not, because I get it, large software service provider, but it's time that we really start thinking about that, because if we don't, it's hard to message it after an event.

The fourth part is business interruption loss, and I know there's a lot of discussion right now between dealerships and brokers versus carriers about what qualifies for business interruption loss. So really being able to document that, understanding what you need to demonstrate that, and understanding the policy intricacies so you can really pursue those claims.

Fifth, understanding what is at risk. CDK houses a lot of customer information. How are we dealing with that? How are we going to deal with the exposure? The hope is that CDK takes on the responsibility and pushes out notifications on behalf of dealerships, but we have to be prepared. We have to be thinking about the likelihood.

If they don't, how are we going to be communicating with customers? What's our notification plan? What are we doing in the event of a regulatory investigation or class action? I'm a broken record, but it's about due diligence. It's about creating a narrative around what we did to show that what we did was reasonable. This is all about reasonableness.

So I encourage everybody out there to start thinking about going and making a vendor inventory list. Rank and prioritize pain points. CDK is a huge pain point for dealerships. In your business, who's your biggest one? Maybe it's your EHR if you're a hospital. Maybe it's a payroll processor, so that you can't pay your employees.

Maybe it's a supply chain event, a supplier, if you're a manufacturer. I'm not sure, it's industry specific, but I know one is out there. Maybe it's your managed service provider. I'm not sure, but we need to start going through this.

You need to engage internal and external legal and cybersecurity experts to help you bear this burden, because no longer can we just put our heads in the sand and accept that third parties are going to do it. We need to get on them about that. Short and easy again today. Appreciate you stopping by.

Keep the questions, calls, comments coming: 410-917-5189, or email me at spollock at mcdonaldhopkins.com. Have a great morning, great afternoon or great evening, and I'll see you in the next one.

Transcript source: provided by creator in RSS feed.