Executive Reporting: Tips to Completing Your Yearly Report

Almost 10 months already? Before we know it, the Safeguards Rule will be one year old! While this isn’t the birthday any of us are particularly excited to celebrate, here’s a quick breakdown on Executive Reporting to help you prepare for your annual report, if you haven’t done so yet.

As part of your dealership’s reasonable information security program, your Qualified Individual must report to your board of directors or governing body. This report, which we will refer to as Executive Reporting, must happen at least annually. This means if you haven’t done so already, you must by June 9th!

What’s in this report?

This report needs to include an overall status update of your dealership’s information security program and your compliance with it. More specifically, be sure to highlight the following:

• Risk assessment results like the number of externally visible vulnerabilities and visible penetration test findings. Ideally, these numbers are one or none!
• Details on your risk management strategy, including the status of all identified risks, and a justification of each of them.
• Service provider arrangements
• Results from security testing
• Security events and how you responded
• Recommendations for changes to the program

You don’t want to rush to put something together at the last minute. Take a deep breath. *In through the nose, out through the mouth* Focus on one section at a time now, then you’ll be the envy of all your procrastinating friends. If you need any more information on the Safeguards Rule or the FTC requirements, click here.