The deadline for compliance with the updated Federal Trade Commission (FTC) Standards for Safeguarding Customer Information (the Safeguards Rule) is only a few days away! The Safeguards Rule updates data security requirements for many organizations that will now face a myriad of specific safeguards and technical control requirements that they have previously not had to consider.
The Safeguards Rule was developed in response to the continuing stream of widespread, high-profile data breaches in the current threat landscape. The FTC is acting on its view that less-regulated industries have not implemented sufficient information security safeguards, resulting in significant losses of financial data privacy for the public.
To Whom Does This Apply?
The updates to the Safeguards Rule apply to any “financial institution” that is not already subject to Gramm-Leach-Bliley Act (GLBA) regulation by a different agency, e.g., the FDIC, NCUA, or state insurance regulators. The definition of a “financial institution” is intentionally broad and includes any business that significantly engages in financial activities that cause it to maintain “nonpublic personal information about a customer of a financial institution.” This will likely include most organizations in the following industries and more:
- Mortgage lenders and brokers
- Higher education financial aid offices
- Dealerships that act as “finders” (meaning any dealerships that connect their customers with financers)
- Credit unions that are not NCUA insured
- Financial advisors, tax preparation firms, and investment advisors
- Retailers that issue their own credit cards
- Mutual fund companies
- Payday lenders
- Collection agencies
The December 9, 2021 updates to the Safeguards Rule went into effect on January 10, 2022. To provide organizations with more time to adopt these compliance requirements, the compliance date was pushed to June 9, 2023.
Safeguard Rule Requirements
Here is a breakdown of a few key Safeguards Rule components to help you understand the new compliance impacts on your financial institution (FI).
- Designate a “qualified individual” (QI) responsible for developing, overseeing, monitoring, and enforcing the FI’s information security program.
- Conduct and review a written* information security risk assessment at least annually to assess whether internal and outsourced information assets—and threats to the information security of assets—have been identified and whether mitigating controls in place are sufficient.
- Use the results of the risk assessment above to drive the implementation of a written information security program that includes the policies and procedures necessary to sufficiently safeguard confidential customer information.
- Establish a written* incident response (IR) plan designed to promptly respond to and recover from an event materially affecting information security.
- Encrypt all customer information while at rest and in transit over untrusted or insecure networks.
- Implement secure access provisioning procedures to information systems.
- Periodically inspect system access for appropriateness, limiting user access to only what is required.
- Implement multi-factor authentication for access to any business information systems.
- Perform periodic technical penetration tests and vulnerability assessments* to help identify and mitigate risks due to vulnerabilities or exploitable network configuration weaknesses. These tests should be completed or overseen by a competent individual independent from those responsible for system security and maintenance, OR:
- Implement “continuous monitoring”* such as real-time intrusion detection and prevention systems (IDS/IPS) in the form of Managed Detection and Response (MDR), Extended Detection and Response (XDR), or a Security Operations Center (SOC) where continuous systems security (monitoring) is performed and acted upon in real time (24x7x365).
- Perform regular employee information security training such as online or in-person seminars, social engineering testing (phishing or vishing), and courses to raise awareness about risks and how to identify threats.
- Require regular security training for IT and security staff. Management must enforce ongoing education that provides information security personnel with training sufficient to maintain current knowledge of changing information security threats.
- Implement a vendor oversight program to evaluate whether new and current vendors have sufficient controls in place to help safeguard customer information on an ongoing basis.
- Periodically and independently assess the effectiveness of the safeguards implemented, as part of the FI’s audit program.
- Report to the board (or equivalent) at least annually* on the status of the information security program.
*For financial institutions that maintain customer information concerning fewer than 5,000 consumers—inclusive of any historical consumers on whom the FI maintains records—these specific safeguards are either not required or are not required to be written.
FORVIS can and frequently does assist FI clients with their IT risk and compliance requirements. We assist clients with independent IT control testing pursuant to the Safeguards Rule, internal and external network vulnerability assessments, penetration testing, and social engineering testing. We can also consult on Safeguards program implementation.
As always, remember: “compliant” does not mean “secure.” Validating the security of a business or organization is broader than these limited controls established with the Safeguards Rule. For more information on our services and how FORVIS can help, please reach out to one of our professionals or use the Contact Us form below.