Add Cyber Security to the Long List of Risks
July 22, 2024: Since January, when sales of light-duty vehicles bottomed out at 15 million vehicles on a seasonally adjusted annual basis (SAAR), the market appeared to be mounting a recovery. Average incentive spending now exceeded 5% of the manufacturer’s suggested retail price (MSRP), and only 16.9% of new vehicles have been sold above MSRP, which is less than half from one year ago. At the same time, retail inventory is now close to 3 million vehicles for the first time in four years because there are now more low-cost options available for consumers. Up until June, consumers appeared to be responding favorably to transaction prices that were made more affordable as a result of rising incentive spending and inventory levels. However, to the surprise of most industry economists, the SAAR sunk back to 15.29 vehicles in June. As a result, the 2024 light-duty vehicle market contracted 0.7% in the second quarter after expanding by 5.6% in the first quarter. The current industry forecasts for 2024 remain between 15.7 million and 16.1 million vehicles, but now most predictions are registering at the low end of the range.
It would be very easy, almost convenient, to blame the market weakness on the global cyberattack that targeted CDK, which supports a dealership management system (DMS) called CDK Drive. Dealerships rely on DMS software like CDK Drive to manage all day-to-day operations in their sales, parts, and service departments. CDK shut off all systems as soon as they discovered the security breach on June 19, and the 15,000 car dealerships had little recourse but to revert back to pencil and paper to keep the doors open. An attempt to reboot the system later that same day was thwarted by a second cyberattack and CDK warned dealers it could take several days before service could be reinstated. Full service was not restored until July 15th. Andersen Economic Group estimated that dealerships lost 56,200 new-vehicle sales and more than $1 billion of lost sales and service work. In comparison, the six-week UAW labor strike in 2023 cost the industry more than $10 billion, including about $2 billion in losses to dealers, customers, and ancillary auto industry workers.
The auto industry isn’t the only segment of the economy vulnerable to system failures. On July 19, only one month following the CDK breach, a broad cross-section of the economy was adversely impacted when a planned software update for Microsoft Windows operating systems failed. Government agencies, school systems, financial institutions, and emergency services all reported problems resulting from the software update. Perhaps the most publicized fallout from the failed upgrade was the thousands of flights cancelled across the country. On July 20, there were 2,136 flights across multiple carriers that were cancelled and more than 21,300 flights delayed. According to the Identity Theft Resource Center, there were 3,205 system compromises in 2023, with more than 350 million victims. Most (2,365) of the breaches were malicious cyberattacks like the one unleashed on CDK, but many (729) were system errors and/or human errors like the Microsoft Windows update. By now, all of us have either been a victim of one of these system compromises, or we know someone who has been a victim. Add cybersecurity to the long list of risks that could compromise future outcomes. Let the recent CDK cyberattack serve as a warning that we need to take this issue seriously.
