Non-compliance can lead to fines of up to $100,000 per violation.
The FTC Safeguards Rule update
The Federal Trade Commission (FTC) Safeguards Rule mandates that financial institutions develop, implement and maintain an information security program that protects sensitive customer information against external threats.
The FTC now defines ‘financial institutions’ as any organization that is “engaging in an activity that is financial in nature”, excluding banks. This includes all other businesses that handle customer financial data, provide credit, wire money between consumers or charge a fee to facilitate financial transactions.
Who needs to comply with the FTC Safeguards Rule?
Some examples of affected businesses that are classed as ‘financial institutions’ by the FTC include:
- Accountants
- Automobile dealerships
- Credit unions
- Collection agencies
- Financial advisors
- Insurance providers
- Investment advisory companies
- Mortgage brokers
- Realtors
- Real estate appraiser
- Retailers that offer store credit cards
Non-compliance after June 9th 2023 could mean potential business disruption, fines of up to $100,000 per violation and even legal action.
Meet the FTC Safeguards Rule requirements
Defense.com™ has everything you need to stay compliant with all nine requirements of the FTC Safeguards Rule.
Designate a qualified individual
Safeguard element: 314.4(a)
If you do not already have someone in your organization responsible for your infosec program, Defense.com™ can provide virtual consultancy to take this task off your plate.
Perform a risk assessment
Safeguard element: 314.4(b)
Our consultancy service can help you evaluate internal and external risks to the security, confidentiality, and integrity of customer information.
Implement controls
Safeguard element: 314.4(c)
With Defense.com™ you can encrypt and keep track of your company devices, control what content your users can access and monitor user activity within your network, all from a single platform.
Test and monitor safeguards
Safeguard element: 314.4(d)
Detect suspicious activity with advanced log monitoring. Schedule regular vulnerability scans and conduct an annual penetration test to assess the security of your systems over time.
Train your staff
Safeguard element: 314.4(e)
Make your staff your best first line of defense by providing them with engaging cybersecurity awareness training videos and exams to test their knowledge.
Monitor service providers
Safeguard element: 314.4(f)
Keep track of all your service providers, conduct supplier due diligence and assess their level of risk to your business with our consultancy service.
Evaluate and adjust your program
Safeguard element: 314.4(g)
All of the features in Defense.com™ work together to show you exactly where your security risks are in order of priority, and what you need to do to fix them.
Establish an incident response plan
Safeguard element: 314.4(h)
With the help of our virtual consultancy you can create a robust incident response plan to promptly respond and recover from any security event that has affected your business.
Report progress annually
Safeguard element: 314.4(i)
Use the dashboards and reports in Defense.com™ to quickly show the status of security threats and test results.
FTC Safeguards Rule compliant packages
With Defense.com™ you can ensure that you are meeting or exceeding all of the requirements. If you service less than 5,000 customers then your organization will be exempt from certain elements of the FTC Safeguards Rule.
Less than 5,000 customers
What’s included:
- Cyber assessment
- Vulnerability scanning
- Staff training videos and exams
- Asset tracking
- User log monitoring
- Endpoint protection
- Incident response triage
Monthly price: $195
Over 5,000 customers
What’s included:
- Cyber assessment
- Vulnerability scanning
- Staff training videos and exams
- Asset tracking
- User log monitoring
- Endpoint protection
- Incident response triage
- External penetration test
Monthly price: $995
We can also provide the following additional services if your business does not have the internal capabilities:
Virtual consultancy: Outsource the ownership of your cybersecurity program and risk management.
Managed SIEM: 24/7 threat detection and log monitoring by expert SOC analysts
Get compliant from just $195 per month
We can help your business comply with the FTC Safeguards Rule, no matter what level of security you currently have in place. Contact us today to find out more.
Here’s what our customers say about us
Protecting the world’s leading brands
Mike Slater Head of IT, AgilicoI couldn’t have been more pleased with the service from Defense.com™, the team are always on hand for support and are quick to respond. I found the digital reporting through the platform particularly beneficial as it enabled us to clearly understand the risks, and quickly remediate them with the helpful guidance provided.
FTC safeguards FAQs
The FTC Safeguards Rule safeguards personal information of customers and employees, with regulations applicable to businesses collecting, maintaining, or sharing such data. It covers names, addresses, Social Security numbers, bank account details, and other identifying information.
According to the FTC:
“The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”
If your business handles customer financial data, and you’re not a bank, then it’s likely that you are now required to comply with the FTC Safeguards Rule.
There are a total of nine safeguards outlined by the FTC:
- Designate a qualified individual responsible for overseeing and implementing your information security program
- Base your information security program on a risk assessment
- Design and implement safeguards to control risks
- Regularly test or otherwise monitor the effectiveness of the safeguards' key controls
- Implement policies and procedures
- Oversee service providers
- Evaluate and adjust your information security program as per testing and monitoring results
- Establish a written incident response plan
- Write and communicate an annual report detailing the status of your information security program
Defense.com™ can help you meet or exceed all of the requirements in the FTC Safeguards Rule update. More detailed information about the requirements can be found here.
If your organization fails to comply with the FTC Safeguards Rule you could face large fines and even lawsuits. When the updated safeguards are enforced on June 9th 2023, the FTC can issue a $100,000 fine per violation, and your customers or employees could take legal action against you if they have been affected.
