Why Do Dealers Struggle With OEM Cybersecurity Rules?

OEM cybersecurity requirements are getting stricter, and many dealerships are struggling to meet them. This article explains the key controls OEMs expect, why dealers fall behind, and practical ways to close the gaps without disrupting daily operations.

Your dealer management system (DMS) often connects directly to manufacturer systems. When your security is weak, you put your dealership and the OEM network at risk.

Connected cars, software updates, and shared data mean OEMs and dealers exchange information constantly. This makes dealerships targets for hackers who want to break into manufacturer networks.

To protect these connections, manufacturers are tightening dealer security standards tied to system access, but many dealerships lack the budget and expertise to meet every requirement.

Intelligent Technical Solutions (ITS) has helped organizations strengthen their IT and cybersecurity, including automotive dealerships. We understand the unique challenges that dealers face when balancing OEM requirements with daily operations.

In this article, we've invited Ed Griffin, ITS Chief Information Security Officer, to share his insights on why OEMs are pushing these requirements and what dealers can do to meet them.

You will learn:

• What security controls do OEMs require to keep system access?
• Why are dealerships struggling to implement these security standards?

What Security Controls Do OEMs Require to Keep System Access?

OEMs want proof that every dealership connecting to their systems is secure. Since dealer tools link to OEM portals, many OEMs require dealerships to meet specific security requirements to maintain access.

Rules vary by OEM and region, but most programs focus on a short list of controls that reduce risk fast. Here are the most common ones dealers are being asked to put in place:

1. Use Multi-Factor Authentication

Turn on multi-factor authentication (MFA) for systems that access OEM portals, remote access, and admin accounts. This adds an extra layer of protection beyond passwords.

2. Encrypt Your Data

Protect data sent to OEM systems and stored on your network. Encryption helps keep customer information, vehicle data, and financial transactions safe from hackers.

3. Keep Security Software Updated

Keep antivirus, anti-malware, and firewall tools up to date. Missed updates can leave known gaps that attackers can exploit.

 

4. Report Problems Fast

Know your OEM and vendor reporting rules, and follow them immediately. Quick reporting can limit damage and keep you in good standing.

"OEMs can't protect their networks if dealerships have weak security," says Ed. "When manufacturers audit your systems and find gaps, they're protecting themselves and every other dealer in their network from a single point of failure." 

This is why OEMs and key vendors run security reviews and ask for proof you meet their requirements. If serious gaps stay open, they may restrict access to OEM systems until you fix them.

 

5. Train Your Staff

Give employees regular security training, especially on phishing. One bad click can let attackers into dealer and OEM systems.

 

6.  Write Down Security Policies

Keep written security policies, an incident response plan, and a schedule for regular security reviews. These documents show your dealership takes security seriously.

 

Download eBook: Creating an Incident Response Playbook

 

Why Are Dealerships Struggling to Meet These Security Standards?

 

OEM requirements can look simple on paper, but meeting them takes time, money, and security skills many dealerships do not have. When you add that work on top of daily sales and service, gaps show up fast.

 

Here are the most common reasons dealers struggle:

 Not Enough Security Know-How

Most small and mid-sized dealers do not have a security specialist. The IT person who keeps the DMS, email, and printers running usually does not have time to manage audits, policies, and advanced security controls.

 

Costs Add Up Fast

Compliance often means new tools, staff training, and outside support. Multi-store groups and dealerships with remote access may also need 24/7 monitoring, which can be hard to fit into a tight budget.

 

Too Technical

OEM checklists can be full of technical terms. Without clear, plain-language steps, dealership leaders may not know what “good” looks like or what to fix first.

 

Legacy Systems and Vendors

Older DMS setups, servers, and dealership apps were not built with today’s security threats in mind. Upgrades can be expensive, and some changes depend on vendor timelines or limited support.

 

Unclear or Changing Guidelines

Some OEMs give detailed instructions, while others give broad goals. When guidance changes or differs by brand, dealers can spend time and money chasing moving targets.

 

 Too Many Rules to Follow

Dealers are already juggling the FTC Safeguards Rule, state privacy laws, insurance requirements, and vendor standards. OEM security adds another set of controls to track and prove.

 

 

How Can Dealers Meet OEM Security Requirements?

 

Here are practical approaches that work for dealerships of all sizes.

 

1. Start With High-Impact Controls

Focus on the security controls that reduce risk the fastest. Turn on MFA for key accounts and encrypt sensitive data, especially anything tied to OEM access and customer records. These controls protect your most sensitive access points without requiring major infrastructure changes.

 

2. Document Your Security Measures

Keep written policies, an incident response plan, and notes from regular security checks so you can prove you're managing risks properly. This documentation also helps show what is in place during an audit.

 

3. Build on Compliance Frameworks You Already Follow

If you handle financing or customer data, you likely already follow the FTC Safeguards Rule. Many OEM requirements overlap with FTC mandates. Build on what you've already implemented rather than starting from scratch.

 

Watch Video: 10 FTC Safeguard Rule Changes & What It Means for Auto Dealerships

4. Partner With Specialized IT Providers

Most successful dealers work with IT providers who specialize in automotive cybersecurity. These partners already know what OEM auditors look for and can implement controls without disrupting your daily operations.

"The right provider handles 24/7 monitoring, manages security updates, and maintains the documentation OEMs require," says Ed. " They also provide advanced threat detection and response to neutralize attacks in real time, plus compliance support for audits and regulatory requirements. This frees your team to focus on selling cars while experts handle the technical complexity." 

Read: 8 Key Benefits of Managed IT Services for Auto Dealerships

Need Help Meeting OEM Security Requirements?

You don't need to build an entire security team to meet OEM requirements. The right partner brings the expertise, tools, and monitoring systems needed to help you stay compliant without pulling your team away from daily operations.

ITS has served automotive dealerships nationwide since 2003, delivering security built for OEM access, audits, and busy day-to-day operations. We help you prepare for OEM reviews, close security gaps, and keep access to the systems you rely on.

We provide:

• 24/7 security monitoring to spot threats early
• Compliance support for FTC Safeguards Rule and OEM security standards
• Certified technicians who understand dealership systems and set up controls with minimal disruption

Schedule a free security consultation to review your gaps and get a clear, practical plan to meet OEM standards.

If you want to see how we work, explore our IT solutions for automotive dealerships.

Want to Learn More?

Explore these resources in our Learning Center:

• 7 Reasons Hackers Target Auto Dealerships (& How to Stay Safe)
• The Ultimate Guide to Managed IT for Automotive Businesses
• 7 Smart Solutions to Improve Your Auto Dealership

Frequently Asked Questions

Q: What happens if my dealership fails an OEM security audit?

A: Many OEMs or OEM-linked portals will ask you to fix issues within a set window and may require proof of remediation. Consequences vary by OEM and can include limited access or potential jeopardy to the franchise agreement until high-risk items are resolved. 

Q: Why are OEM cybersecurity rules getting stricter now?

A: Auto dealer systems connect to OEM portals for sales, service, parts, and warranty work, so a weak login can put more than one system at risk. New data and security rules also push OEMs to ask for proof that you protect customer information.

Q: Can my current IT person handle OEM security requirements alone?

A: If your IT support is one or two people, they’re often focused on keeping systems running day to day. OEM requirements can add security documentation, monitoring, and audit readiness that may require outside help.