CDK hack impact on valuations not immediate but cybersecurity accentuated
On the evening of June 18, CDK, whose dealer management system is used by some 15,000 dealerships, was hit by a cyberattack. The cybercriminals struck again the next day.
The majority of affected dealerships were not back online until after July 4. The Anderson Economic Group estimates the outage cost dealerships more than $1 billion in lost sales.
That seems catastrophic but buy-sell experts told Getting to Go! the CDK cyberattack won’t have a long-term impact on dealership valuations. Nonetheless, the attack should be a wake-up call to dealers to put more focus on cybersecurity to maintain the value of their business, especially if they are thinking of selling.
“Fundamentally, (the CDK attack) won’t change the way we go about doing valuations,” Paul Dumm, firm leader of the business advisory services team at CPA firm Rosenfield & Co., tells Getting to Go!
Rosenfield & Co. “goes through a laundry list of procedures to get an understanding of how the business operates,” Dumm says. “The risks could be many pages long. (Cybersecurity) is part of the mix.”
But the attack will bring the cybersecurity risk more to the forefront when Rosenfield does a valuation, he says. If a dealership needs to make a substantial investment in cybersecurity, the benefits of the investment must be factored in. If two dealerships are alike in every way, but one has a better cybersecurity infrastructure, that will boost the value, Dumm says.
Conversely, if a dealership hasn’t invested enough in cybersecurity, that could affect negotiations. “If I am somebody coming in looking at (the dealership), I am going to reduce what I am going to pay for it.”
At Performance Brokerage Services, the CDK outage slowed the progress of transactions it was working on, partner Matt Wilkins tells Getting to Go! “Deals we were negotiating had to be put on pause.”
It also made the valuation process a bit murkier, Wilkins says. Dealers were just beginning to see a return to normal business after two years of extraordinary profits due to COVID disruptions. Suddenly, two months of business were effectively lost, he says. “It made our job just a little more interesting,” Wilkins says.
He doesn’t see cybersecurity concerns impacting dealership value much, though it might have a small effect on smaller groups.
“It factors in more when you are looking at a smaller single point store and smaller buyers,” Wilkins says. “Typically, it is still not going to affect the value much though perhaps the value will be a little lower.”
The CDK event hasn’t impacted how Bel Air Partners values dealers, managing director Willie Beck tells Getting to Go!
“For now, we view (such cyberattacks) as one-time events,” he says. “When valuing dealerships, we take a much longer view of items such as historical and forecast earnings, brand, location, sales efficiency, real estate, customer satisfaction” and the like.
But a cyberattack can have a near-term impact on some of a dealership’s intangible assets, Dumm points out.
“Car dealerships have been in communities for generations,” he says. “An attack like this can impact loyalty — you could lose that sense of loyalty in an instant. That certainly affects value.”
Think about cybersecurity daily
Dealerships are investing in cybersecurity not just because it is good business but because they had to meet the June 9, 2023, deadline of the Federal Trade Commission’s Safeguards Rule regarding protecting customers’ personal information.
A 2023 study by, ironically, CDK, found 17% of dealers surveyed experienced a cyberattack in the past year despite 53% being confident in their current protection. The study also found that 75% of dealers who had upgraded their cybersecurity measures to meet FTC rules were already seeing “vast improvements” in cybersecurity.
Just implementing measures to meet the legal obligations such as the FTC requirements isn’t sufficient, however, especially if a dealer is thinking about selling. Dealerships need to “continually prepare (for a cyberattack) and think about what might go wrong,” Greg Weber, chief product officer at Rosenfield & Co., tells Getting to Go!
“Cybersecurity needs to be an everyday thought,” he says. “I should be secure so my business continues to run so I might be able to sell it at some point.”
Alysha Webb, Editor
This article was written for Getting to Go, a buy/sell newsletter from Scali Rasmussen.