Author: John Farley
On June 18 and 19, 2024, CDK Global (CDK), a leading provider of cloud-based software to auto dealerships in North America, fell victim to a two-tiered cyberattack.[1] 15,000 dealerships are potentially impacted, with multiple departments affected, including sales, financing and vehicle maintenance and repair services. Developments are still unfolding, and while the threat actor(s) have not been identified, it has been reported that CDK is negotiating a ransom payment with an Eastern European hacking group.[2] CDK has not provided a timeline as to when systems will be available, but has indicated that it will take several days before it is operational.[2]
Cyber insurance: Steps to take now
Cyber insurance and other insurance policies may provide assistance to organizations that believe they may be impacted by losses related to this incident, whether directly or indirectly through vendor or supply chain relationships. Many standalone Cyber insurance policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with Cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.
Specifically, business interruption and extra expense costs may be significant for those affected. Therefore, we recommend the following:
- Quantify the financial impact of the business interruption the cyberattack caused, which may include lost revenue, increased expenses, recovery costs and any other direct or indirect costs associated with the incident. Extra expense costs may include:
  - Reasonable and necessary expenses incurred to minimize, reduce or avoid income loss that are over and above the typical operating expenses.
  - Overtime paid to hourly personnel necessary because of the attack.
  - Amounts paid to temporary or contract employees necessary to help with billings and implementation of a new solution.
  - Costs incurred to switch to new vendors.
  - Possibly the amount of interest incurred on line of credit usage to mitigate loss resulting from the incident.
  - Other costs incurred above and beyond normal costs, if directly related to the event.
  - Penalties, if insurable by law, and related to the incident.
- Maintain proper documentation. Keep detailed records of all evidence collected, investigation findings and financial impact calculations. This documentation will be crucial when presenting the evidence to insurers, legal authorities or other relevant parties.
- Consult with insurance providers. If you have Cyber insurance or other applicable insurance coverage, notify your insurance provider as soon as possible and work closely with them throughout the process. They can provide guidance on the evidence required and assist in the claims process. Some insurance coverage may provide reimbursement for costs associated with hiring external forensic accounting experts.
From a compliance perspective, auto dealerships that may have had personal and other sensitive information accessed by unauthorized parties could be subject to mandated notice requirements to affected individuals, regulators and other third parties.
Implications for Cyber insurance coverage
The Cyber insurance market remains laser focused on threats to targets in the supply chain, including those in the automotive sector. The potential for an attack or a system outage such as this one raises concerns around a potential systemic loss, having a cascading impact on multiple insureds around the globe.
As a result, the Cyber insurance marketplace has addressed these concerns by changing and in some cases restricting or excluding coverage. When reviewing Cyber insurance and other policies that may provide a mechanism to transfer cyber risk for both automotive sector providers and those that rely on them, insureds should be mindful of several potential coverage pitfalls, including but not limited to:
- Catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for specific cyber losses that impact a large number of organizations.
- Dependent or contingent business interruption sub-limit or exclusionary language that may apply to organizations that weren't direct targets, but suffer consequences of a supply chain cyberattack.
- Regulatory risks that may limit or exclude coverage for regulatory investigations, lawsuits, fines and settlements.
Additional resources
- Find resources and alerts at CISA's Stop Ransomware page, including a link to the CISA Stop Ransomware Guide for information on ransomware preparedness.
- For the latest cyber threat information and alerts, visit cisa.gov.
- To contact local FBI offices to report suspicious cyber activity, visit fbi.gov or the Internet Crime Complaint Center.
- For a cyber emergency such as a ransomware attack in progress, call the FBI's Cyber Watch (CyWatch) at (855) 292-3937. You can also contact CISA online at www.cisa.gov/cisa-central or by calling CISA Central at (888) 282-0870. All are available 24/7.