
Financial Institutions Have 7 Weeks Until New FTC Safeguards Rule Becomes Effective

The FTC revised the Standards for Safeguarding Customer Information, also known as the Safeguards Rule, in 2021, and in about 7 weeks the changes become effective. The FTC updates this rule every 20 years or so to make sure it is still state of the art. The new rule borrows heavily from the cybersecurity rule of New York's financial regulator, the DFS (DFS 500). Here are some of the changes:

  • Who is covered? Financial institutions such as mortgage lenders and brokers, payday lenders, finance companies, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors who are not required to register with the SEC, and others. Note that banks that are regulated by other federal financial regulators, such as the OCC and the FRB, are not covered by this regulation.
  • Designate a QUALIFIED individual to implement and supervise your company’s information security program. As in New York, this role can be outsourced, but it must then be overseen by an officer of the company.
  • Conduct a risk assessment. This seems obvious: what you don’t know cannot be managed.
  • Design and implement safeguards to control the risks identified through your risk assessment. This includes implementing and periodically reviewing access controls; knowing what data you have and where it is; encrypting customer information at rest and in transit; assessing the security of your applications; implementing multifactor authentication for ANYONE accessing customer information on your systems; disposing of customer information securely; anticipating and evaluating changes to your systems or network; and maintaining a log of user activity and detecting unauthorized access.
  • Regularly monitor and test the effectiveness of your safeguards.
  • Train your staff.
  • Monitor your service providers.
  • Keep your information security program current.
  • Create a written incident response plan.
  • And, require that your qualified individual report to your Board of Directors or, if you don’t have a board, to the senior company officer responsible for your information security program.

This last item is so that the feds know who to arrest and charge in case of a problem.

Seriously, we are seeing more lawsuits charging the Board and Executive Management with negligence for not implementing and overseeing an effective cybersecurity program.

We could, of course, write a book about these changes, but if you have questions about it or if you need help becoming compliant, please contact us.
