What is the FTC Safeguards Rule?
First in effect in 2003, the FTC Safeguards Rule sets data security requirements for organizations in the financial sector. It implements part of the 1999 Gramm-Leach-Bliley Act (GLBA, also called the Financial Services Modernization Act), which first required financial institutions to protect sensitive customer information and explain how they handle it.
Rules about technology and information security written almost two decades ago are, however, showing their age. In a much-needed effort to modernize the original regulation, the FTC published an amended Safeguards Rule in December 2021 that adds concrete requirements and refreshes its contents. Financial organizations now need to go over what this update covers and confirm that they meet all of the outlined expectations.
What is Considered a Financial Institution?
One point that the FTC makes in their own article on the updates is that your business has more than likely evolved if you were around back when the rule was first implemented. In other words, even if you were not originally required to follow the regulations outlined in the original Safeguards Rule, your business may be required to now.
The FTC’s advice is to remain updated on the definition of a “financial institution” as outlined in the regulation text to see if your business could be included now, or at some point in the future. The FTC also concedes that the definition found in the Safeguards Rule covers more businesses than are ordinarily referred to as “financial institutions”.
The current definition of “financial institution” found in the glossary (part 314.2 of the rule as of June 2022) is as follows:
“(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”
The Safeguards Rule also lists examples of companies that do and do not qualify as financial institutions, which clears up some of the most common questions. Additionally, organizations that "maintain customer information concerning fewer than five thousand consumers" are exempt from certain requirements. Section 314.6 of the Rule spells out that exception: those smaller institutions do not need the written risk assessment, the continuous monitoring or annual penetration testing, the written incident response plan, or the annual report to the board, but every other element still applies.
The FTC lists thirteen examples of businesses that are considered to be financial institutions and four that are not. Some potentially unexpected examples of businesses that are considered financial institutions are retailers that issue store credit cards, property appraisers, career counselors who work with clients in the finance industry, finders, and mortgage brokers, to name a few. The full list is in section 314.2 of the Rule, alongside the definition quoted above.
The examples of businesses that are not considered financial institutions by the FTC are as follows:
- Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
- The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.);
- Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a non-affiliated third party other than as permitted by §§ 313.14 and 313.15; or
- Entities that engage in financial activities but that are not significantly engaged in those financial activities, and entities that engage in activities incidental to financial activities but that are not significantly engaged in activities incidental to financial activities.
Source: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#314.2
What Types of Controls are Required to Safeguard Customer Information?
Now that we’ve established who needs to comply with the regulations, let’s go over what is expected of those organizations named in the rule. In their own words, the FTC states:
“The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Your information security program must be written, and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.”
They go on to outline three objectives that your company’s information security program must seek to achieve: to ensure the security and confidentiality of customer information, to protect against anticipated threats or hazards to the security or integrity of that information, and to protect against unauthorized access to or use of that information that could result in substantial harm or inconvenience to any customer.
To help organizations understand what constitutes a compliant information security infrastructure, the FTC Safeguards Rule has also outlined nine elements that every program must include. Here we’ll break down each of the nine requirements and link any resources that might be helpful to you as you work your way through the list.
1. Designate a qualified individual to implement and supervise your company’s information security program
Companies with limited staffing budgets will no doubt find it difficult to hire dedicated security personnel to fill this role. IT professionals with the qualifications needed to oversee an information security program certainly aren’t a dime a dozen. Fortunately, the Rule states that the Qualified Individual can be an employee of your company, an employee of an affiliate, or a service provider; if you use an affiliate or service provider, you remain responsible for compliance and must designate a senior member of your own staff to direct and oversee that person.
In light of this, a vCISO (Virtual CISO) could be your team’s best bet. Many security providers offer this service, giving your organization a professionally certified CISO who will work with your current IT department on security initiatives. A vCISO can help you understand what needs improvement within your existing program, act as a general security advisor, and help you understand how to prioritize your efforts and security spending to get the most value for your time and money.
If you need more information to decide whether an in-house security professional or a vCISO is best for your team, we have another piece on just that topic.
2. Conduct a risk assessment
At FRSecure, risk assessments are a service we recommend highly in order to determine where your efforts should be focused and understand how to maximize the impact of your security budget. In fact, our vCISO team always conducts a risk assessment as part of every new engagement so that they can make the best recommendations for each client.
Not only does a comprehensive risk assessment help prioritize budget dollars within a security program, but it also serves to get everyone on the same page about where an organization’s most critical vulnerabilities lie. This fosters a company-wide security culture in which improvement efforts can be concerted and growth is maximized.
3. Design and implement safeguards to control the risks identified through your risk assessment
Once you’ve conducted a risk assessment, you’ll be required to take what you’ve learned and put it into practice. In addition to working through that to-do list, the FTC has outlined eight items that are required for your company to be considered compliant.
While your risk assessment should have uncovered these issues if they exist, it’s important to know the exact expectations that have been laid out within the Safeguards Rule requirements, so that you can be confident in your organization’s efforts.
- Control who has access to customer information, limit that access to what each user needs to do their job, and review it regularly
- Understand, document, and regularly review where customer information is stored, collected, and transmitted on your organization’s network and systems. We have a free asset management policy template you can work from to help make this step a little easier
- Encrypt customer information at rest on your systems and in transit over external networks. The Rule allows an alternative compensating control only where encryption is infeasible, and only if your Qualified Individual reviews and approves that control in writing
- If your company uses applications to store, access, or transmit customer information, adopt secure development practices for the apps you build in-house and assess the security of the apps you buy
- Implement multi-factor authentication for any individual accessing any information system, not just the systems holding customer information, unless your Qualified Individual has approved in writing a reasonably equivalent or more secure access control. We wrote about different kinds of MFA and our recommendations in another post last year
- Dispose of customer information securely, and no later than two years after it was last used in connection with providing a product or service to the customer. The only listed exceptions are: “if you have a legitimate business need or legal requirement to hold on to it” or “if targeted disposal isn’t feasible because of the way the information is maintained.” The Rule also requires you to periodically review your data retention policy to minimize how long you keep the information
- Anticipate and manage changes to hardware, software, and network configuration (change management), and adjust your information security program to address them
- Log the activity of authorized users when they access customer information and monitor for unauthorized access to, use of, or tampering with that information, including misuse by those same authorized users
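The two safeguards in that list that are most often left to "we'll write a query when we need one" are the disposal deadline and the monitoring of authorized users. Here is an added example, not taken from the FTC Rule text or from FRSecure's own tooling, of what both checks look like when written down. The log line format, the user names, the bulk-read threshold and the thirty-day lead time before a disposal deadline are assumptions for illustration; the two-year window comes from the Rule.

```python
"""Added example: a retention-deadline check and an access-log monitor
for customer information. All sample data below is constructed."""
from datetime import date, datetime, timedelta

# Constructed sample access log: timestamp, user, action, customer record id.
# The format is an assumption; real systems will differ.
SAMPLE_LOG = """\
2022-06-01T09:02:11Z alice READ cust-1001
2022-06-01T09:05:43Z alice READ cust-1002
2022-06-01T11:17:09Z bob EXPORT cust-1001
2022-06-01T23:41:30Z mallory READ cust-1003
2022-06-02T08:00:01Z alice READ cust-1004
2022-06-02T08:00:02Z alice READ cust-1005
2022-06-02T08:00:03Z alice READ cust-1006
"""

# Assumed output of the access review: which actions each user may perform.
AUTHORIZED = {"alice": {"READ"}, "bob": {"READ", "EXPORT"}}
BULK_READ_THRESHOLD = 3          # distinct records read within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn the constructed log into (datetime, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, record))
    return events


def find_unauthorized(events):
    """Flag any access by a user, or with an action, not on the authorization list."""
    return [(ts.isoformat(), user, action, record)
            for ts, user, action, record in events
            if action not in AUTHORIZED.get(user, set())]


def find_bulk_reads(events):
    """Flag an *authorized* user reading many distinct records in a short window.
    This is the 'misuse by authorized users' case the Rule asks you to detect."""
    findings, by_user = [], {}
    for ts, user, action, record in sorted(events):
        if action != "READ":
            continue
        window = by_user.get(user, []) + [(ts, record)]
        # Keep only reads that are still inside the sliding window.
        window = [(t, r) for t, r in window if ts - t <= BULK_WINDOW]
        if len({r for _, r in window}) >= BULK_READ_THRESHOLD:
            findings.append((user, ts.isoformat(), len(window)))
            window = []          # report one burst once, then start over
        by_user[user] = window
    return findings


def _plus_two_years(d):
    """Two calendar years after d; Feb 29 rolls to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + 2)
    except ValueError:
        return d.replace(year=d.year + 2, day=28)


def disposal_due(records, today, lead=timedelta(days=30)):
    """Return ids whose two-year disposal deadline falls within `lead` of today
    (or has already passed), skipping records under a documented hold."""
    due = []
    for rec in records:
        if rec.get("hold"):      # legal requirement or documented business need
            continue
        if _plus_two_years(rec["last_used"]) <= today + lead:
            due.append(rec["id"])
    return due


# Constructed retention sample: last date each record was used for the customer.
SAMPLE_RECORDS = [
    {"id": "cust-1001", "last_used": date(2020, 5, 1), "hold": False},   # overdue
    {"id": "cust-1002", "last_used": date(2020, 7, 15), "hold": False},  # due within 30 days
    {"id": "cust-1003", "last_used": date(2020, 5, 1), "hold": True},    # legal hold, skip
    {"id": "cust-1004", "last_used": date(2021, 6, 1), "hold": False},   # not yet due
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("unauthorized:", find_unauthorized(events))
    print("bulk reads:  ", find_bulk_reads(events))
    print("disposal due:", disposal_due(SAMPLE_RECORDS, date(2022, 6, 30)))
```

Run against the constructed data, the monitor reports mallory (not on the access list at all) and alice's burst of reads on the morning of June 2, while bob's export passes because the access review granted it. The disposal check lists the record that is already past its deadline and the one coming due within the lead time, and leaves the held record alone; a real implementation would write the hold reason and reviewer next to the flag so the exception is documented, as the Rule expects.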
4. Regularly monitor and test the effectiveness of your safeguards.
As you work through the items outlined by the FTC and in your risk assessment, you will want to circle back and ensure that the changes made have truly addressed the initial security concern and have not introduced any new vulnerabilities for threat actors to exploit.
The Rule is specific about what counts here (section 314.4(d)): either continuous monitoring of your information systems or, if you don’t have that, an annual penetration test plus vulnerability assessments at least every six months and whenever your operations or the risks to customer information change materially. A penetration test conducted by a trusted outside security provider is the most direct way to find out whether a fix actually holds. We have a useful blog post written by our in-house attack simulation experts that goes into detail about what a penetration test is, what a thorough test should include, and how to vet the team responsible for conducting yours.
In addition to penetration testing, risk assessments like the one you completed in step 2 are another way to monitor safeguards, especially after big changes to your infrastructure. Risk assessments aren’t a one-time engagement; repeated periodically, they catch problems that a point-in-time penetration test can miss.
5. Train your staff.
We often say that people can be a security program’s biggest weakness without the proper training, but with a little education, your staff can also be a great strength. Providing regular training for all users in your network doesn’t just further educate your team but maintains an emphasis on security at every level in your organization.
Staff members who have recently undergone training are less likely to stumble into the common pitfalls, such as phishing and credential reuse, that attackers use to gain access to a network.
6. Monitor your service providers
Not only does your organization need a reliable contractor to work on things like penetration tests and risk assessments, but software companies and outside agents that may be handling things like HR or payroll for you need to be up to your security standards as well.
The FTC Safeguards Rule requires that you select service providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess each provider based on the risk it presents and the adequacy of its safeguards. Keep track of your service contracts, be sure they spell out your expectations, and double-check that they allow you to monitor the work being done so you can confirm those expectations are upheld.
7. Keep your information security program current
The threat landscape is always evolving, and so is the technology and software in use at your organization. In 2021, NIST’s National Vulnerability Database logged a staggering 18,378 vulnerabilities, 4,067 of which were rated high severity by their CVSS v2 base score. With this in mind, it’s easy to see why the FTC Safeguards Rule makes keeping the program current a condition of compliance.
Your program should be flexible enough to absorb changes, updates, and modifications as new threats and vulnerabilities are uncovered over time, and the Rule ties this to the results of your risk assessments, your testing and monitoring, and material changes to your operations. Keep a dated record of changes to the program, and make sure your security team is well versed in any critical vulnerabilities affecting the software in use at your organization.
One place you can find this information is through our volunteer-based threat hunting initiative, Project Hyphae. Project Hyphae is a charitable project run by FRSecure’s award-winning technical services team, and features a threat feed on the site that covers the most pressing vulnerabilities we see in the field.
8. Create a written incident response plan
The FTC Safeguards Rule also requires that your organization draft and maintain a written incident response plan. The elements that plan must cover, from goals and internal processes through roles, communications, and post-incident review, are listed in section 314.4(h) of the official rule text.
Having an incident response plan is crucial for any business, not just those in the financial sector, and there’s no better way to prepare for a security event than to make sure yours is thorough, vetted, and practiced by the people who would be involved if a real security incident took place.
If you need help or don’t know where to start, we have a free incident response plan template that will have you covered from start to finish.
9. Require your qualified individual to report to your Board of Directors
Lastly, the FTC Safeguards Rule requires that your appointed “qualified individual” reports to your board of directors or governing body at least once per year. The expectations for this report are straightforward:
“What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.”
In addition to reporting up, we always recommend keeping communication around security issues open from top to bottom in your company as much as is feasible. This helps ensure that everyone understands their role in the greater security program, and helps your staff speak the same language to avoid confusion and foster an effective security culture.
Security isn’t just an IT issue, it’s a business issue as well. Downtime because of an incident is costly, and worse yet, the financial losses incurred during a full-blown ransomware event can be enough to shutter a business. A good vCISO will know how to communicate with leaders and decision-makers to break down any barriers that stand in the way of the long-term success of your security program.
Final Thoughts
While the FTC Safeguards Rule requires a lot from your organization to be considered compliant, it’s important to realize that this is for good reason. As we touched on earlier, the number of security threats is, frankly, staggering. The volume of new vulnerabilities and developments is always on the rise, and for the sake of everyone associated with an organization, we all need to do our part in managing risk.
If you need assistance with anything covered in this article, or within the Safeguards Rule, please don’t hesitate to drop us a line. We are always happy to help in any way that we can.