We recently told you how a cyber insurance settlement of $30 million boosted Q1-2025 results for Sonic Automative, which was hit by the ransomware attack last year on CDK Global, provider of software for auto dealerships. Now two more of America’s largest auto dealers have made public filings touching on the hack and their actual and potential cyber insurance settlements.
The Asbury Automotive Group, Inc. (NYSE: ABG) days ago in a press release on its quarterly filings announced receiving “$7 million of cyber insurance recovery proceeds.” Oddly, in the actual 10-Q filing to which the release refers, the company cited a larger recovery, which helped with lower than expected gross margins: “Offsetting these negative impacts was the cyber insurance recovery of $10.0 million in March 2025 related to the CDK outage that occurred in June 2024.”
Better Late Than Never to Seek Cyber Insurance Settlements
AutoNation Inc., the giant car dealer, did not disclose any cyber insurance settlements this quarter, apparently because it did not even file a claim until this year. “(I)n the first quarter of 2025, we submitted claims under our cyber insurance policies seeking recovery for estimated business interruption and related losses caused by the CDK outage. There can be no assurance as to the amount or timing of any potential recovery in connection with the CDK outage,” reported the company’s most recent 10-Q.
To File or Not to File
We found it interesting that after the hack, several auto dealers disclosed the attack in SEC 8-K filings, but CDK’s owner did not, at least initially, saying the financial impact of the incident was not expected to be “material.” The SEC cyber disclosure rule has been criticized for lack of clarity on when 8-Ks must be filed.
