Cyber resilience: could you withstand a cyber attack?
How well prepared is your business to withstand and recover from a cyber attack? Discover best practice advice on how to best prepare.…
Oliver Pinson-Roxburgh
CEO and Co-Founder
25th May 2023
The Federal Trade Commission (FTC) Safeguards Rule is designed to protect customer information against internal and external threats. It applies to businesses that collect, maintain, or share data such as names, addresses, Social Security numbers, bank account details, and other personally identifiable information (PII).
The Safeguards Rule took effect in 2003 and was updated in 2021 to keep pace with current technology. The revised Rule reflects core data security principles that all covered companies need to implement before the compliance deadline of June 9th, 2023.
The FTC has issued a new set of amendments to its Safeguards Rule that requires companies to undertake a series of technical, procedural and contractual measures to protect the personal data of consumers, partners and employees. It’s all part of building an information security program that helps to minimize the risk of cyberattacks or data breaches occurring.
The objective of your information security program should be to:
Ensure the security and confidentiality of customer information
Protect against anticipated threats to the security or integrity of that information
Protect against unauthorized access to that information
The FTC defines a ‘financial institution’ as any organization that is “engaging in an activity that is financial in nature”, excluding banks, which are supervised by other regulators. This includes all other types of businesses that handle customer financial data, provide credit services, wire money between consumers or charge a fee for financial transactions.
Here’s what the FTC says:
“The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”
If your business handles customer financial data but you aren’t a bank, you’ll likely need to comply with the FTC Safeguards Rule. This includes businesses such as automobile dealerships, mortgage brokers, realtors and retailers that offer store credit cards.
There are nine elements highlighted in Section 314.4 of the Safeguards Rule that you must implement in order to stay compliant.
You must designate a Qualified Individual to oversee your information security program. This can be someone within your organization or a trusted service provider. There is no specific education or experience requirement for this role, but whoever holds it must take responsibility for implementing and maintaining the information security program that protects the personal data your company holds.
Your organization must complete a risk assessment that identifies internal and external risks to the security, confidentiality and integrity of customer information. This assessment must be written up and include the criteria used to evaluate the risks identified. You must also review it periodically, and whenever operational changes or new threats make the previous assessment out of date.
The Safeguards Rule requires your company to regularly test or otherwise monitor the effectiveness of the key controls, systems and procedures in your information security program.
This can be accomplished through continuous monitoring of your systems (for example a managed SIEM). If you do not have continuous monitoring in place, you’ll need to conduct an annual penetration test and vulnerability assessments at least every six months, plus additional testing whenever there are material changes to your operations or new risks to customer information.
You must provide cyber security awareness training to all staff members. This should cover phishing, social engineering, password best practices and information about emerging threats. The training should be refreshed at least annually as part of your information security program, and the personnel responsible for the program must keep their own knowledge of current threats and countermeasures up to date.
It is your responsibility to select service providers that are capable of maintaining appropriate safeguards, to require those safeguards by contract, and to assess each provider’s risk profile periodically to ensure they continue to meet your own information security requirements.
You must evaluate and adjust your information security program as changes to your operations happen. This could include new risks identified in your risk assessments, changes in personnel, or new emerging threats. Anything that may have a material impact on your program will need to be accounted for.
You must have a written incident response plan. The goal of this plan is to detail the internal processes your company will follow in response to a security event. It should include roles and responsibilities, a communications plan, a process for remediation, and procedures for documenting and reporting the event and for revising the plan afterwards.
Your Qualified Individual must report in writing, at least annually, to your Board of Directors (or equivalent governing body) on the overall status and workings of your information security program. This should include recommendations for changes, risk assessment findings, security events and access control decisions.
All companies affected by the FTC Safeguards Rule must be compliant with the latest amendments before the deadline of 9th June 2023. If your organization fails to do so, you could be liable for fines of up to $100,000 per violation. Customers and employees who are affected could also file a lawsuit. Many companies will need the help of an external security provider to meet at least some of the elements in section 314.4, so it’s important to fully understand how the Safeguards Rule affects you and what you need to do to stay compliant.