The CATA encourages dealerships to formally send their concern to CDK Global and then document that communication.

Here is a sample letter:

We are writing to express our concerns regarding the CDK Cyber Security incident which recently occurred. Specifically, [INSERT DEALER] is requesting further details about the incident.

Further, we are requesting information as to whether any dealer or customer data from [INSERT DEALER] was affected by the event. If yes, how many records were compromised? When will CDK provide further details about the records which were compromised?

If CDK is confident that no Dealership or customer data has been compromised, please provide evidence in writing that the data of [INSERT DEALER] has not been affected.

Thank you for your prompt attention to this matter. We look forward to the resolution of these issues and your provision of details regarding the incident so that we can ensure our dealership data is adequately safeguarded.

Assured Partners:  CDK Cyber Attack Fallout (Overview)

Many dealers nationwide have experienced significant disruptions in business and outages due to a cyber attack on CDK Global’s dealer management system. At this point, it is too early to say what exactly happened, but it is being termed a significant cyber attack. The company voluntarily shut down its core systems in a cautionary move and attempted to restore most of them yesterday afternoon. As of this morning many dealer systems were still not operational.

It is not yet clear as to the extent of the intrusion or what data may have been compromised so the scope and a requirement to respond is not yet clear.  At this time, CATA Allied Member Assured Partners is advising all impacted dealers to report the breach to their cyber liability carrier to ensure timely reporting and response to the breach.

There are several coverages in the cyber liability insurance form that may provide protection for dealers impacted by the breach. One being Dependent Business Income loss triggered by a dependent system failure. It is a Privacy Breach, Security Breach or Administrative Error that triggers this coverage, and it appears that CDK Global is an Outsourced Service Provider who has experienced a Security Breach. In most cases the time element waiting period to for a dependent business interruption claim has expired triggering potential loss and restitution of loss income due to the outage to the dealers effected.

As the scope of the breach unfolds and it is determined what if any customer data has been compromised, Privacy laws may require notification to any affected parties. Most cyber liability forms provide coverage for notification. Current review of the CDK contract to determine whether CDK or the dealerships will be responsible for complying with notification in accordance with state and federal privacy laws.

Assured Partners also anticipates that this event will be a recordable incident under the FTC Safeguards Rule. The CATA and Assured Partners will have additional guidance on this as the scope of the claim unfolds in the coming days. If you have any questions, you can contact Chris Schrement (chris.schrementi@assuredpartners.com) at Assured Partners.

Vitu CDK Cyberattack & Manual Title Processing

For dealerships affected by the recent CDK cyberattack, the CATA's recommended digital titling solution, Vitu, provides a way to manually process vehicle titles despite the dealership's DMS being down.

For more information, please call the Vitu customer support line at (312) 883-2332.

Dealer Forms Available

For those impacted by the CDK cyber attack, Reynolds & Reynolds has dealer forms available for immediate shipment. Those forms include the following:

• Buyers Order with Arbitration
• Lease Oder with Arbitration
• Credit Authorization
• All DMV forms, emission control form and power of attorney
• Repair order
• Service ticket
• Repair order

Reynolds & Reynolds customers can order HERE. Non-Reynolds & Reynolds customers can call 1-800-344-0996 to order.

In addition, the CATA offers dealers the following forms free at www.CATA.info:

• Used Car Buyer’s Guide
• Limited Warranty Statement
• Odometer Statement

KPA Dealership Resources for Compliance

This week's cyberattack on CDK Global has been disruptive and stressful, highlighting the urgent need for robust cybersecurity and data privacy measures in our industry.

This incident underscores the importance of protecting sensitive customer information, maintaining regulatory compliance, and ensuring business continuity. Dealers are likely feeling the pressure to ensure their data privacy and cybersecurity structures are sound.

To assist, CATA Recommended Partner KPA has put together some helpful resources and information:

• Why Dealers Should Care about Data Privacy [Blog Post]
• 16 Rules & Regulations Your F&I Department is On the Hook For [EBook]
• Take Control of Your Data [Blog]
• Safeguards Annual Reporting Webinar [On Demand Webinar]
• KPA's Complete Compliance Solution [90s Video]

In light of the CDK cyberattack, it's crucial to fortify cybersecurity and data privacy measures. KPA is here to help safeguard dealership data and maintain customer trust.

Whether it’s an on-site compliance consultant visit to ensure customers’ personal information isn’t left on a desk or using our state-of-the-art Privacy & Safeguards Solution, KPA remains your dedicated partner in keeping people safe and staying compliant. Please reach out to us at 866-356-1735 or info@kpa.io if you have any questions.

Illinois DOR Issues Due to CDK Outage

Dealers that are experiencing issues filing taxes due to the CDK cyber attack are encouraged to use MyTax to file vehicle sales taxes. Most dealers should have at least one employee with access to their ST-556 account on MyTax.

If dealers are unable to use MyTax for operational or other reasons during the outage and receive a bill, they may request penalty waiver by sending an explanation to rev.salestaxcorrespondence@illinois.gov. The email should include:

• Account number
• Account name
• Letter ID of bill for which they wish to request a penalty waiver
• Explanation of why the business was unable to use CVR or MyTax to file

Please note that this email box is for responses to letters only and cannot respond to account questions. If dealers have specific questions on a return, they should call 1-217-785-6606 to speak to a member of my staff. For general taxpayer assistance questions, they may call 800-732-8866.

CVR Customers: Procedures for Processing Title & Registration Through the Secretary of State

For CVR customers only…the Secretary of State provided us information on procedures for processing title & registration with the SOS.

Before processing an application for title and registration, a dealer must first process the tax payment through mytax.illinois.gov.

1. Proceed to the website of the Illinois Secretary of State. www.ilsos.gov.
2. Proceed to online services and choose “apply for title and registration”.
3. Scroll down to “continue to application”.
4. Leave the first page blank and press “begin”.
5. Proceed filling out the application for title and registration.
6. After the application has been completed, a dealer is able to process a TRP. If a dealer has a question regarding the issuance of a TRP, please contact the SOS dealer invoicing section at 217-524-4329.

Once the paperwork has been completed, please mail all documents to:

Illinois Secretary of State
501 South Second Street
Springfield, IL 62756

CDK Cyber Incident: Ensuring Data Protection & Compliance (Webinar)

The cyberattack on CDK has put a spotlight on the growing threat of cyberattacks on the automotive industry and the urgent need for enhanced cybersecurity measures. If your dealership has been impacted by the breach or are concerned about your own cybersecurity initiatives, join KPA and Assured Partners on Thursday, June 27th.

CDK's Cyber Incident: The Dealer's Insurance and Compliance Obligations

• Click here to watch the Webinar

KPA's Adam Crowell, Esq. and Assured Partners' Chris Schrementi, will discuss:

• What's known about the incident
• Whether you should be making insurance claims (e.g., business interruption, cyber, etc.)
• What your compliance and reporting obligations are

Speakers:

• Adam Crowell, Esq., VP of Legal & Corporate Development at KPA, boasts 21 years of legal and strategic expertise in the automotive industry. Formerly President and General Counsel at ComplyNet, he also held roles as General Counsel and VP of Legal and Strategic Affairs at Columbus Fair Auto Auction and Premier Data Management. Passionate about compliance and innovation, Adam is committed to driving progress within the automotive industry, leveraging his extensive experience to navigate complex legal and corporate development challenges.
• Chris Schrementi, Director Of Dealership Programs and VP of Sales, AssuredPartners

FTC’s Guide for Business Data Breach Response

Data Breach Response: A Guide for Business | Federal Trade Commission (ftc.gov)