How to Prepare for the FTC’s Updated Safeguards Rule

New amendments to the FTC’s Safeguards Rule will require some businesses to take additional steps to ensure customer data is properly protected. With the June 9 compliance deadline right around the corner, the Cyber Readiness Institute (CRI) is here to help you get up to speed.

Do I need to comply? 

First, let us make sure the requirements apply to your business.

Traditionally, the Safeguards Rule applies to any business engaging in an activity that is financial in nature or incidental to such financial activities. Examples include mortgage lenders and brokers, automobile dealerships, finance companies, check cashing concerns, collection agencies, accounting firms, and investment advisors. The new amendments expand that scope to include “finders,” companies that bring together buyers and sellers to negotiate and consummate a transaction.

Additionally, if your business maintains customer information concerning fewer than five thousand consumers, you are exempt from some elements of the Safeguards Rule, such as the written Incident Response Plan. However, CRI recommends having a Business Continuity Plan that includes an Incident Response Plan regardless of size.

How do I comply?  

The Safeguards Rule requires the businesses described earlier to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. This means you must protect both information about your own customers and information about customers provided to you by other financial institutions.  

What must be in my “information security program”?  

Follow these 9 steps to develop an information security program compliant with the FTC’s Safeguards Rule. 

  1. Designate a Qualified Individual to implement and supervise your company’s information security program. Whether it is someone in your business or an outside service provider, you must designate someone responsible for managing your information security program. Like the Cyber Leader in CRI’s Cyber Readiness Program, this can be an employee of your company who does not need extensive credentials or experience. 
  2. Conduct a risk assessment. Inventory your hardware and software and conduct an assessment to determine risks and threats. Determine how customer information could be misused, altered, destroyed, or accessed by someone without permission. As your business and the threats to it change, it is important to reassess. CRI’s Software Update Management Tool is a great place to get started on this assessment. 
  3. Design and implement safeguards to control the risks identified through your risk assessment. 
    • Implement and periodically review access controls. Regularly review who has access to customer information and whether they still need it. 
    • Know what you have and where you have it. Conduct an inventory of data, noting where data is collected, stored, or transmitted. 
    • Encrypt customer information at rest on your systems and in transit. If that is not feasible, work with your Qualified Individual to approve alternative compensating controls. 
    • Assess your apps. If your company develops or uses applications, it is important to have specific security procedures in place. 
    • Implement multi-factor authentication (MFA) for anyone accessing customer information on your systems. Check out CRI’s MFA Guide for tips on implementing MFA at your business. 
    • Dispose of customer information securely. Unless you have a legitimate business need or legal requirement to retain it, customer information should be securely disposed of within two years of the last time it was used to serve a customer. 
    • Anticipate and evaluate changes to your information system or network. As your systems and networks change to accommodate new business processes, your safeguards cannot be static. Focus on building change management into your information security program. Check out CRI’s Cyber Readiness Program for details on how to create a cyber ready culture. 
    • Maintain a log of authorized users’ activity and watch for unauthorized access to customer information. Implement procedures and controls to monitor users. 
  4. Regularly monitor and test the effectiveness of your safeguards. You can test the effectiveness of your safeguards with continuous monitoring of your systems. If you do not have the resources for that, you must conduct annual penetration testing and vulnerability assessments at least every six months. Additionally, test whenever there are changes to your operations or business arrangements and whenever there are circumstances you know or have reason to know may have a material impact on your information security program. 
  5. Train your staff. Provide your employees with security awareness training. The Cyber Readiness Program has information, templates, and other resources for employee training. Additionally, CRI’s YouTube channel has easily shareable videos to train your workforce on key cyber issues. 
  6. Monitor your service providers. If you use an outside service provider, your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job. Use this Guide from CRI to learn more about managing your relationships with outside service providers. 
  7. Keep your information security program current. The best programs are flexible enough to accommodate periodic modifications. Follow and subscribe to CRI on Twitter, Facebook, and YouTube for updates on threats and best practices. 
  8. Create a written incident response plan. Your plan must cover: the goals of your plan; the internal processes your company will activate in response to a security event; clear roles, responsibilities, and levels of decision-making authority; communications and information sharing both inside and outside your company; a process to fix any identified weaknesses in your systems and controls; procedures for documenting and reporting security events and your company’s response; and a post mortem of what happened and a revision of your incident response plan and information security program based on what you learned. CRI can get you started on an Incident Response Plan with our Business Continuity Plan Template. 
  9. Require your Qualified Individual to report to your Board of Directors. Your Qualified Individual must report in writing, at least annually, to your Board of Directors or governing body. The report must include an overall assessment of your company’s compliance with its information security program, a risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program. CRI’s Playbook is a great starting point for this report. 

Following these steps to develop an information security program will protect both your customers and your business. Learn more about the Safeguards Rule here.