Background
Preferred Warranties, Inc. (PWI) is a leading provider of extended vehicle service contracts for pre-owned cars. Founded in 1992 and now part of Kingsway Financial Group, PWI services a network of over 2,000 independent automotive dealers. Given the sensitivity of the customer and dealer data it manages, PWI needed to enhance its cybersecurity posture to comply with strict regulatory standards, notably the New York Department of Financial Services regulation 23 NYCRR Part 500.
Challenges
PWI faced several key challenges:
- Regulatory Pressure: The primary driver was compliance with 23 NYCRR Part 500, which mandates robust cybersecurity practices for companies handling sensitive financial data.
- Resource Constraints: Without a dedicated in-house cybersecurity team or full-time CISO, PWI risked falling short of regulatory and security best practices.
- Growing Cyber Threats: The evolving threat landscape required proactive measures including regular vulnerability testing and employee training.
Engagement with Alpine Cyber
In January 2022, PWI signed a three-year contract with Alpine Cyber, a Simulint company, to address these challenges. The engagement was structured around the following services:
- Web Application Penetration Testing:
– 2 tests quarterly on two critical applications.
– 3 tests annually on additional applications.
This regular testing identified vulnerabilities early and enabled rapid remediation.
- CISO as a Service:
Alpine Cyber provided a Virtual CISO (vCISO) to lead the cybersecurity program, develop policies, and ensure ongoing regulatory compliance.
Client Stakeholders
- CEO: Provided guidance and final approval for 23 NYCRR Part 500 certification.
- Director of IT: Served as the primary point of contact (POC) and drove internal remediation efforts.
- Senior VP of Operations: Provided feedback on policy and procedure documentation for 23 NYCRR Part 500 certification.
- VP of Finance: Approved budget and provided feedback on policy and procedure documentation for 23 NYCRR Part 500 certification.
Implementation Timeline
- January 2022 – Kickoff:
– The engagement began with a comprehensive assessment and a commitment from the CEO and the Director of IT to a roadmap aimed at meeting 23 NYCRR 500 requirements.
- 2022 (Year 1) – Foundation Building:
– Alpine Cyber’s vCISO helped establish essential cybersecurity policies.
– Initial penetration tests revealed vulnerabilities, which were promptly addressed.
- 2023 (Year 2) – Continuous Improvement:
– Regular pen tests continued, showing progressive improvement.
- 2024 (Year 3) – Finalizing Compliance:
– Final rounds of testing demonstrated that vulnerabilities had been reduced to minor issues.
– Comprehensive documentation was compiled to support PWI’s annual compliance certification filing.
– The engagement concluded with a stable, mature cybersecurity program that enabled PWI to confidently meet and exceed regulatory requirements.
Results
The engagement led to measurable improvements:
- Regulatory Compliance:
PWI achieved full compliance with 23 NYCRR Part 500, reducing the risk of fines and regulatory penalties.
- Enhanced Security Posture:
Continuous penetration testing and rapid remediation greatly reduced vulnerabilities across PWI’s web applications.
- Improved Employee Awareness:
Targeted training implemented by PWI resulted in a marked decrease in employee click-through rates on phishing tests.
- Sustainable Cybersecurity Governance:
With a formalized cybersecurity framework, including documented policies and ongoing management reporting, PWI is now well-positioned to maintain its enhanced security posture beyond the Alpine Cyber engagement.
Conclusion
The three-year partnership with Alpine Cyber allowed Preferred Warranties Inc. to meet stringent regulatory requirements, significantly improve its cybersecurity defenses, and build a culture of continuous improvement. This engagement not only ensured compliance with 23 NYCRR Part 500 but also provided PWI with the tools and processes necessary for long-term security resilience. PWI elected to continue Alpine’s services in 2025.