FTC Order May Affect Cybersecurity Requirements for Service Providers That Process Consumer Financial Information

In the latter half of 2019, the Federal Trade Commission (FTC) issued a final order settling charges against a software provider that allegedly “failed to take reasonable steps to secure consumers’ data, leading to a breach that exposed the personal information of millions of consumers.” In its complaint, the FTC alleged the company “failed to implement readily available and low-cost measures to protect the personal information it obtained from its clients” such as publishing a system security policy, providing employee security awareness training, and conducting regular vulnerability scanning and penetration testing that would have detected the problem.

The FTC alleged the company’s failures resulted in violations of both the FTC Act and the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule. The FTC alleged these failures led to a breach of the company’s backup database that was accessed by a hacker. The hacker was purported to have gained unauthorized access to millions of consumers’ data during at least a 10-day period and downloaded the data of approximately 70,000 individuals. Unfortunately, the company did not detect the breach until it was notified by one of its customers.

As part of the settlement with the FTC, the company is prohibited from sharing, collecting, or maintaining personal information unless it implements and maintains a comprehensive information security program designed to protect the personal information it collects. The proposed settlement also requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must document controls and identify evidence that supports conclusions and conduct independent sampling, employee interviews, and document review. In addition, the order requires a senior corporate manager responsible for overseeing the company’s information security program to certify compliance with the order every year. Finally, the order grants the FTC the authority to approve the assessor for each two-year assessment period.

What does this mean for me?

The FTC has imposed data security requirements on a financial service provider that goes further than any previous settlement. Going forward, it is expected the FTC will extend similar cybersecurity requirements for all financial services companies—including those that process consumer information even if they do not directly interact with consumers.

What can BKD do to help?

BKD professionals routinely provide security and control solutions to help organizations and businesses understand and mitigate the risks associated with complex and ever-evolving information systems. By combining technical knowledge and industry perspective, we can evaluate your cybersecurity processes as they relate to core business functions. BKD offers multiple solutions to address potential FTC requirements, including System and Organization Controls (SOC) reports, cybersecurity risk assessments, and general IT controls assessments including GLBA.

SOC Reports

For companies providing services to other businesses, SOC 2 attestation reports are intended to provide confidence to customers and stakeholders about their internal processes and controls. The reports describe your approach to mitigating security and operational risks. A SOC for Cybersecurity report can provide assurance over the effectiveness of controls within your cybersecurity risk management program for noncustomer-facing systems. The nature of a SOC examination requires a qualified firm to provide guidance and support to management as you prepare for your SOC project—whether you’re preparing for your first report or working to improve your current SOC report—as well as attestation services for Type 1 (control design) and Type 2 (control design and operating effectiveness) SOC reports.

Cybersecurity Risk Assessment

A risk assessment is the foundation of a cybersecurity program. Without a secure profile, you risk giving electronic intruders the keys and codes to your company. Although an IT risk assessment is not an attestation report like the SOC, it provides you with an independent assessment of your cybersecurity program and identifies gaps that require remediation. Our service methodology is rooted in three key principles:

• Efficiency: Our team of highly skilled professionals can work with you to tailor an approach based on your timing requirements. We use the BKD Cybersecurity Framework Assessment Tool (CFAT):
  • BKD CFAT, powered by ROFORI^®, is a web-based cybersecurity framework assessment tool that leverages various industry and regulatory risk frameworks to help assess both inherent and residual cybersecurity risks to organizations. CFAT also provides a repository for control implementation descriptions as well as the ability to attach supporting evidence. You may license this tool, preloaded with your assessment information, for your own use for a separate licensing fee.
• Integration: By leveraging multiple control frameworks and standards, we can incorporate best practices gained from our extensive experience across multiple industries.
• Collaboration: As we evaluate the control environment, we can assist you in developing an effective cybersecurity approach that looks beyond the technology driving the processes.

General IT Controls Assessment Including GLBA

GLBA seeks to protect consumer financial privacy. Its provisions limit when a financial institution may disclose a consumer’s “nonpublic personal information” to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain financial activities. BKD’s risk-based general IT controls engagement is consistent with GLBA, certain portions of the Information Technology Examination Handbook issued by the Federal Financial Institutions Examination Council (FFIEC), the Information Technology Risk Examination program, as well as Control Objectives for Information and Related Technology created by ISACA^® and security best practices. The procedures will include evaluating certain policies, evaluating controls, and observing procedures to test the internal controls over IT as recommended by the FFIEC.

For more information, reach out to your BKD Trusted Advisor™ or submit the Contact Us form below.

BKD Cyber is dedicated to helping organizations assess their cybersecurity risks, improve their cybersecurity protections, and prepare to respond to a breach. For insights on how BKD can evaluate your network security posture or to discuss how BKD can help your organization identify best practices to help prevent and detect cyberthreats, use the Contact Us form below or visit bkdcyber.com.