Most dealers who put off FTC Safeguards compliance are not careless. They are busy, and the cost of acting is visible while the cost of waiting is not. So let us make the cost of waiting visible.
Doing nothing is not free; it just bills you later, in three ways: regulatory penalties, insurance you can no longer get, and downtime you cannot afford. Here is what each one actually costs, and how it compares to running a managed program.
Cost one: regulatory penalties
The FTC can assess civil penalties for violations of the rules it enforces, and the maximum is set by statute and adjusted every January for inflation. As of the January 2025 adjustment, that maximum is $53,088 per violation. Penalties are assessed per violation and can stack, which is why the figure matters even though most owners assume it would never reach them.
Be precise here, because the rule and the FTC both demand it. That figure is a maximum, it adjusts annually, and a first-time or minor lapse does not automatically trigger a fine. In practice, the FTC weighs the circumstances, and a first failure is more likely to open an investigation than to produce an immediate penalty. The point is not a scary number. It is that non-compliance moves you from "not a target" to "exposed," and the documentation you keep, or do not keep, is what the FTC weighs after an incident.
One caveat: the exact penalty in any case depends on the facts, the FTC's discretion, and the inflation adjustment in force at the time. Treat $53,088 as the current statutory maximum per violation, not as a predicted fine.
Doing nothing is not free. It is a bill that arrives later, in the form of fines, lost coverage, or downtime.
Cost two: uninsurable risk
The second cost is quieter, and it arrives sooner than a regulator: your cyber insurance. Underwriting has become a technical audit. Carriers now require multi-factor authentication, endpoint detection and response, tested backups, and a written incident response plan, and brokers cite missing controls as standalone reasons for refusal. A dealership that ignores Safeguards is usually also a dealership that fails the cyber questionnaire. That means higher premiums, narrower coverage, or a flat denial, and it can mean a claim denied after a breach because an answer on the form could not be backed up.
The encouraging part: the same controls the Safeguards Rule asks for are the controls your insurer asks for. Build them once, and you satisfy both.
It is worth being concrete about how a denial happens, because owners assume coverage means coverage. Many policies are written so that the answers on your application are warranties. If you stated that you enforce MFA everywhere and a breach later shows you did not, the carrier can deny the claim, and you absorb the full loss yourself. That is the real trap. Not having coverage is bad, but believing you are covered when one unbacked answer has quietly voided the policy is worse.
Cost three: operational downtime
The third cost is the one CDK made unforgettable. When a dealership goes down, it stops earning while it keeps spending. The 2024 CDK attack knocked roughly 15,000 dealerships offline for close to two weeks and cost the industry more than one billion dollars collectively. Scale that to your lot: deals you cannot fund, service you cannot bill, customers who go elsewhere, and recovery costs on top. For an independent, two weeks offline is not a line item. It is a threat to the business.
And under the Safeguards Rule, a breach affecting 500 or more people also starts a 30-day clock to notify the FTC. Notification is not a formality either. It means letters to affected customers, questions from your insurer, and time you do not have, all while you are trying to get the business running again. The downtime and the cleanup land at the same moment, which is exactly when a dealership has the least capacity to absorb either one.
What enforcement looks like in 2026
Enforcement is not theoretical. The breach-notification requirement has been in effect since 2024, so the FTC now hears about incidents directly. And the agency has stayed active in the auto space. In January 2025, it announced an action against GM and OnStar over how connected-vehicle data was collected and shared, its first case focused on connected-vehicle data. That was a different rule, not the Safeguards Rule, but the signal is the same: the FTC is paying close attention to how the auto industry handles consumer data, and "we did not know it applied to us" is not a defense.
The math against a managed program
Put the two columns side by side. On one side: the cost of a managed security program, a predictable monthly number that covers the controls, the monitoring, and the documentation. On the other: the potential cost of one bad event, a failed renewal, a regulatory inquiry, or two weeks of downtime, any one of which can dwarf years of program cost. You are not buying perfection. You are buying the difference between a manageable monthly expense and an unbudgeted emergency. For most independents, that math is not close.
There is also a quieter benefit to the predictable column: peace of mind, and time back. When the program is owned and running, you stop carrying the low-grade worry that you are one phishing email away from a very bad month, and you stop being the person who has to figure it out at seven in the morning when something breaks. For most owners, that alone is worth more than the line item.
Notice that the three costs are not separate problems. The same missing controls that expose you to the FTC are the ones that fail your insurance questionnaire and leave you defenseless against downtime. That is the good news hiding in the bad. You do not fix three things. You fix one program, and all three risks come down together.
Flynaut becomes your IT and security team: we build the program, run it, keep the proof current, and turn "are we compliant" into a question you can answer with evidence.
This is not legal advice; confirm your specific obligations with counsel.
If you have been weighing whether to act, this is the next step that costs you nothing and tells you exactly where you stand.
Book a free FTC Safeguards readiness check
Sources & notes
- FTC civil penalty inflation adjustment effective January 17, 2025 (maximum $53,088 per violation, adjusted annually).
- FTC Safeguards Rule and breach-notification guidance.
- FTC action against GM and OnStar, January 2025 (connected-vehicle data, a separate matter from the Safeguards Rule).
- Cyber-insurance underwriting guidance, 2025 to 2026.
- Reporting on the 2024 CDK Global attack.