Is your business considered a financial institution? Are you in compliance with the amended FTC Safeguards Rule?

The Federal Trade Commission (FTC) has extended the deadline for companies to comply with the updated Safeguards Rule. The new deadline is June 9th, 2023.

If your business was not required to comply before, you might be now. Read on to know what the new FTC Safeguards Rule is and how you can be compliant.

What is the Safeguards Rule?

The FTC Safeguards Rule is a set of data security requirements for the financial sector. It is part of the Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999.

You may read the complete requirements here.

"Financial institutions" under the new FTC Safeguards Rule include:

  • Income tax return preparers
  • CPAs & CPA Firms, Accountant & Bookkeeping Firms
  • Retailers extending a credit card
  • Automobile dealerships leasing cars for longer than 90 days
  • Real estate or personal property appraisers
  • Counselors providing career counseling services to individuals associated with financial institutions
  • Businesses that print and sell checks on behalf of customers
  • Businesses engaging in check-cashing services
  • Travel agencies
  • Real estate settlement services
  • Mortgage brokers

Under this Rule, financial institutions must create, implement and maintain an information security program that safeguards consumer data.

The Rule requires information security programs to include the following elements:

1. Designate a “Qualified Individual” to supervise and implement the information security program

Your qualified individual must take full responsibility for the program. This can be an employee within an organization or an outside contractor like a vCISO.

2. Conduct a written risk assessment

Every covered business must conduct periodic, written risk assessments. These should include criteria for evaluating threats and for mitigating the risks identified.

3. Monitoring of who has access to sensitive customer information

The FTC has outlined eight items that companies must follow:

  • Access control and authentication
  • Data, personnel, devices, systems, and facilities identification and management
  • Encrypting all customer data that you store or transmit
  • Using Multi-Factor Authentication for everyone who has access to information
  • Creating and testing secure applications for sending, accessing, or storing customer data
  • Developing procedures and sticking to deadlines for the secure disposal of customer data
  • Documenting best practices for change management
  • Implementing policies, procedures, and controls to track authorized user activity to detect unauthorized access, use, or tampering.
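The last item above is the one most often left as a policy statement with nothing behind it. As an added illustration (not part of the original post or of the FTC's text), the script below reviews a small, constructed access log for a customer-records system and flags the three things a reviewer would look for: an action a user is not authorized to perform, a privileged bulk action outside business hours, and repeated denied attempts. The log format, user names, role table, hours window and thresholds are all assumptions made for the example.

```python
"""Added example, not from the FTC or the original post: a minimal review of
customer-record access events, showing the kind of control behind
'track authorized user activity to detect unauthorized access, use, or
tampering'. Log format, users, roles and thresholds are assumed."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: timestamp, user, action, resource, outcome.
SAMPLE_LOG = """\
2023-06-01T09:15:02 alice READ customer/1042 OK
2023-06-01T09:16:40 alice UPDATE customer/1042 OK
2023-06-01T23:05:11 bob EXPORT customer/* OK
2023-06-02T10:02:09 carol READ customer/2210 DENIED
2023-06-02T10:02:15 carol READ customer/2210 DENIED
2023-06-02T10:02:21 carol READ customer/2210 DENIED
2023-06-02T11:30:00 dave DELETE customer/3301 OK
"""

# Assumed authorization model: the actions each user may perform.
AUTHORIZED = {
    "alice": {"READ", "UPDATE"},
    "bob": {"READ"},
    "carol": {"READ"},
    "dave": {"READ"},
}
PRIVILEGED = {"EXPORT", "DELETE"}   # bulk or destructive actions (assumed)
BUSINESS_HOURS = (8, 18)            # assumed 08:00-18:00 window
DENIED_THRESHOLD = 3                # assumed: 3+ denials per user is notable


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    resource: str
    outcome: str


def parse_log(text):
    """Parse the space-separated log format assumed above into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, resource, outcome))
    return events


def review(events):
    """Return a list of findings; each is a tuple whose first element names the check."""
    findings = []
    denied_counts = {}
    for e in events:
        # A successful action the authorization table does not permit for this user.
        if e.outcome == "OK" and e.action not in AUTHORIZED.get(e.user, set()):
            findings.append(("unauthorized_action", e.user, e.action, e.resource))
        # A privileged action performed outside the assumed business-hours window.
        if e.action in PRIVILEGED and not (BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]):
            findings.append(("off_hours_privileged", e.user, e.action, e.resource))
        # Count denials per user to surface repeated attempts.
        if e.outcome == "DENIED":
            denied_counts[e.user] = denied_counts.get(e.user, 0) + 1
    for user, n in denied_counts.items():
        if n >= DENIED_THRESHOLD:
            findings.append(("repeated_denials", user, n))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample log this reports bob's off-hours EXPORT twice (not authorized, and outside the window), dave's DELETE as unauthorized, and carol's three denials; alice's activity produces nothing. The point is that the check compares observed activity against a written authorization model, which is what makes the logging requirement enforceable rather than just a record.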

4. Monitor and test the effectiveness of your safeguards on a regular basis

You must regularly test your procedures for detecting actual and attempted attacks. Conduct annual penetration tests and vulnerability assessments to check for known security vulnerabilities.

5. Train your staff

Provide specialized training for those responsible for implementing your information security program, whether they are employees, affiliates, or service providers. You must also ensure that they stay up to date on emerging threats and countermeasures.

6. Assess the security practices of service providers

The FTC Safeguards Rule also requires periodic monitoring of your service providers, to ensure that they are capable of the tasks you hired them for and that they meet your company's security standards.

7. Keep your information security program current

Your information security program must be flexible enough to allow for changes when needed. Carry out regular assessments and adjust the program accordingly, so that it keeps pace with threats that might emerge.

8. Develop a written incident response plan

This enables you to protect the confidentiality of client information in your network. You may check the FTC's list of requirements that your response plan must meet here (refer to section 314.4).

9. Annual reporting to the Board of Directors

The "Qualified Individual" must submit a written report to your board of directors. The report should include the program's status, incident updates, violations, and recommendations.

How can Today Cybersecurity help?

Threats to personal data are spreading rapidly. For service providers, protecting customer information is important in maintaining brand strength. Complying with the new requirements could be a difficult task, and noncompliance with the Safeguards Rule may result in financial or nonfinancial penalties.

Today Cybersecurity can help provide guidance in developing policies, procedures, and assessments. Schedule a FREE consultation with us to learn how we can help with your compliance.