Getting Ready for the FTC Safeguards Rule

A company can never be too safe in making sure that its systems are protected from cyberattacks. Responsibility for information security lies not only with your Information Security Group but also at the highest levels within a company. Based on a recent ruling by the FTC, CEOs are now responsible for their company’s compliance, and an organization's cybersecurity needs to become a top priority, if it isn’t already.

As of July 9, 2023, the FTC will put into effect the Safeguards Rule to ensure that all financial institutions have a proper information security program implemented. This is good news for those of you who have already been working hard on implementing security provisions to comply with the rule, as the FTC just announced this deadline as an extension from the original date of December 9, 2022. Be sure not to waste the extra time, which was given so that companies can create a more comprehensive security approach.

Not sure if this applies to you? For the FTC, a ‘financial institution’ is any entity that is significantly engaged in financial activities, but if you have data for fewer than five thousand consumers, you’re exempt.

Examples of financial institutions covered by the Safeguards Rule include:
  • Collection agencies
  • Mortgage brokers
  • Finance companies
  • Credit counselors/financial advisors
  • Automobile dealerships

Creating an effective security program can be daunting, but here are the nine (9) steps you can take for your company’s information security program to help comply with the FTC’s Safeguards Rule.
  1. Make sure you have a qualified individual with adequate information security experience to oversee your program; designate someone you trust who can supervise the process.
  2. Conduct a risk assessment. The Safeguards Rule requires the risk assessments to be in writing. The risk assessment should be a continuous process that allows you to regularly evaluate your system and identify where there might be foreseeable security risks based on the changing landscape within and outside your organization.
  3. Create and implement controls based on your risk assessment. Here are some controls you can put in place to help prevent or detect security risks:
    1. Perform periodic user access reviews (logical and physical) across the various systems (applications and infrastructure) within your organization.
    2. Implement a continuous process to maintain an accurate inventory of all systems and data and where they reside.
    3. Encrypt your customer data, and if you can’t because of certain technical limitations, use alternate manual controls to help ensure that access is limited only to you and your clients.
    4. Do you use an app or develop an app to store, process, or transmit data? Make sure you have a procedure for evaluating and ensuring its security.
    5. Implement multi-factor authentication. There must be at least two different authentication factors to access data.
    6. Make sure you are not holding on to old client data. Do you have customer information that is older than two years? Unless you have a legitimate or legal need for it, dispose of it.
    7. Be ready for changes! When your system is changing, be ready to evaluate any new security risk that may emerge. With ever-changing technology, make sure you have a change management process built into your program.
    8. Keep track of authorized users accessing private information via detailed access logs and be ready to detect unauthorized activity.
  4. Check that your safeguards are working effectively. Besides continuously monitoring your system, you need to conduct a penetration test at least annually, in addition to periodic vulnerability scans.
  5. Train your staff. As stated in one of my previous articles, what could be worse than clicking on a malicious email is not reporting it. Provide your employees with adequate security training on how to spot potential risks.
  6. Monitor your vendors. If you are working with third-party providers, make sure that your contracts spell out your expectations to maintain safeguards and the ways that you will monitor your service providers’ work, including a right-to-audit clause.
  7. Keep the information security program current! With changes thrown at your organization from outside of your control, your program should be changing to stay up to date as well.
  8. Create a response plan. What is going to happen if there is a security breach? Consider the following requirements from the Safeguards Rule for your plan to address:
    1. The goal of your plan
    2. The internal standard procedure for responding to an event
    3. Clear roles and responsibilities of those with decision-making authority
    4. External and internal communications or information sharing
    5. Identification of what is necessary for remediation
    6. Documentation and reporting of the security breach
    7. The evaluation and revision of the incident response plan for a potential future breach
  9. Have your qualified individual (from step 1) deliver a report to a Board of Directors or higher supervisor at least annually to cover the overall status of your company’s security in addition to all the components of the information security program.

If you are looking to take the extra steps and better organize your cybersecurity risks internally, you may consider getting a NIST Cybersecurity Assessment. Not only does this closely align with the FTC Safeguards Rule, but it will also help you benchmark your company’s security posture and provide documentary evidence of your information security program. If you are looking to demonstrate to your customers, potential clients and any other external stakeholders that your organization is committed to cybersecurity, you should consider a SOC 2 Examination. You can never be too safe against malicious attacks, but with the right plan, you can minimize and prepare for the risks.

Co-authored by Neil Gonsalves (Founder & CEO, AARC-360) & Mihika Madhavan (Client Relationship Manager)