Safeguards Rule Requires Auto Dealerships to Do Third-Party Risk Management


Originally published August 18, 2022; updated to reflect regulatory changes.

Under the Federal Trade Commission's (FTC) amended Safeguards Rule, covered financial institutions, including auto dealerships, must develop, implement, and maintain compliant, comprehensive information security programs.

The original compliance due date, December 9, 2022, has been extended by six months. The FTC extended the deadline in the wake of reports detailing the lack of qualified personnel needed to implement information security programs. Furthermore, supply chain issues may delay the procurement of equipment needed to upgrade security systems. As a result, financial institutions, especially small ones, may have difficulty meeting the original deadline.

The new deadline for compliance is now June 9, 2023 – so, if you’re an auto dealership, ensure you're ready by then.

What does the amended Safeguards Rule actually entail, and how does it apply to your auto dealership and its vendors? How can proper vendor risk management enhance your compliance with the rule? Let’s dive into that now.

What Is the FTC Safeguards Rule?

A Federal Trade Commission rule, referred to as the Safeguards Rule, seeks to ensure that entities covered by the Rule maintain safeguards to protect customer information. When originally implemented in 2003, auto dealers were designated as financial institutions because they provide financing agreements for their customers. So, while the rule isn’t new for auto dealerships, the Safeguards Rule was amended in 2021 in response to public comments to keep up with technology.

The amended rule now provides more concrete guidance for auto dealerships. It has been refined to highlight the core data security principles that all covered companies need to implement. The FTC requires detailed procedures and specific criteria to protect sensitive customer information from data breaches and cyberattacks.

Auto dealerships are required to implement not only changes to protect their own consumer data, but also employee training programs and third-party audits to ensure their vendors follow these guidelines. (The rule applies to all auto dealerships that collect information on more than 5,000 consumers.)

The 9 Elements of the Safeguards Rule

Nine elements must be included in an information security program, as described in Section 314.4 of the Safeguards Rule:

  • Designate a "qualified individual" to oversee and implement information security measures at your organization.
  • Assess foreseeable risks and threats using a risk assessment.
  • Based on the results of the risk assessment, design and implement safeguards to control the identified risks.
  • Regularly monitor and test those safeguards.
  • Maintain staff security awareness by providing regular training and refresher courses.
  • Ensure service providers have adequate safeguards in place (third-party risk management).
  • Update the information security program regularly.
  • Prepare an incident response plan that meets the requirements of the Safeguards Rule.
  • Ensure that the "qualified individual" reports to the Board of Directors or other governing body or committee.

All of these elements must be in place to meet the requirements of the Safeguards Rule. Auto dealer organizations must understand that getting their "own house" in order is paramount. For this to happen, the dealership must identify and assess its internal risks, formalize the protections, and educate its staff. However, once the internal data security rules and protections are in place, auto dealers may find their biggest challenge is their third-party vendors.

Third Parties and Consumer Data

Nowadays, auto dealers can access a large amount of consumer information, including credit reports, driver's license information, images, account numbers, names, addresses, dates of birth, and credit card information. So, where does all that data come from? Third parties or vendors often provide consumer information to the dealership, including finance partners, advertising agencies, and data and technology partners, among others. And, with each data exchange, there is a risk that data could be compromised.

Unfortunately, dealerships without an established third-party risk management program will need to do some heavy lifting to comply with the amended Safeguards Rule.

For starters, your dealership may need to hire outside counsel or an external firm to help you conduct a proper audit of your vendors and partners. Every possible method by which dealers receive consumer data and information should be taken into account, starting at the top of the sales funnel with advertising and marketing. Other considerations should include data from search engines, social-media promotions, interactions, etc. Don't forget about the information gathered through the service channel.

Suppose your dealership has engaged a third party to audit its existing vendors and partners so it can comply with the December deadline. But then what? Your dealership will need to continually identify, assess, and manage the risks posed by its vendors and partners. What can you do to maintain and update that vendor information?

The answer is simple: implement, maintain, and oversee a formal vendor risk management program.

Oversight of Service Providers = Third-Party Risk Management

The Safeguards Rule clearly outlines the expectations to oversee service providers, and auto dealership organizations can easily meet these requirements when following the best third-party risk management practices and the vendor risk management lifecycle.

Let's see how the Safeguards Rule requirements are answered through third-party risk management and adherence to the vendor risk management lifecycle. Each requirement below is paired with the lifecycle activities that satisfy it and the lifecycle stage in which they occur.

Safeguards Rule requirement: Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.
Vendor risk management lifecycle activities:
  • Risk assessment
  • Due diligence
Lifecycle stage: Onboarding

Safeguards Rule requirement: Requiring your service providers by contract to implement and maintain such safeguards.
Vendor risk management lifecycle activities:
  • Contracting
Lifecycle stage: Onboarding

Safeguards Rule requirement: Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
Vendor risk management lifecycle activities:
  • Ongoing monitoring
  • Periodic risk re-assessment
  • Refreshed due diligence
Lifecycle stage: Monitoring

Remember the following benefits of third-party risk management:

  • Implementing a scalable and repeatable third-party or vendor risk management program will help you comply with FTC's Safeguards Rule requirements.
  • Formalized and repeatable third-party/vendor risk management processes will enable your organization to identify, assess, and manage the risk of every vendor and partner from the beginning of each relationship and through until the relationship is terminated.
  • Standardized risk questionnaires can help you identify what consumer data is accessed, processed, transmitted, or stored by the vendor. Robust due diligence processes can validate if the vendor has sufficient controls to manage those data risks.
  • Once the control environment has been analyzed, your organization can document required information security safeguards as a condition of the contract.
  • Constant risk monitoring and periodic vendor risk re-assessment will ensure that your organization identifies any new or emerging risks.

Even though the FTC's Safeguards Rule isn't new, recent amendments require covered financial institutions (including auto dealerships) to meet strict requirements regarding consumer data protection. Organizations are required not only to have specific internal safeguards, but also to have identified and assessed the risks of their vendors and partners who access, process, transfer, or store consumer data.

Properly identifying, assessing, and managing these vendor risks (before the new June 2023 deadline) can be very challenging and costly for organizations with no formal third-party or vendor risk management program. As auto dealerships are racing towards the June 2023 deadline, there has never been a better time to define and implement formalized vendor risk management programs that are repeatable and scalable for the future.