The FTC’s Standards for Safeguarding Customer Information (Safeguards Rule) first became law in 2003. Late last year, these standards were finally updated to suit the modern threat landscape, and on the 9th of December 2022, compliance with the revised Safeguards Rule is expected to become mandatory.
Failure to comply with the Final Rule could result in hefty fines, class action lawsuits, and even imprisonment in severe cases.
Though a petition has been put forward to delay the Safeguards Rule enforcement until December 2023, entities subject to the FTC’s jurisdiction should assume the regulation will be enforced on schedule and start implementing compliance strategies immediately.
Read on to learn how to establish a cybersecurity program that complies with the FTC Safeguards Rule.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule requires financial institutions to develop, implement, and maintain an adequate information and data security program with the proper safeguards in place to protect sensitive customer information. Any record considered “non-public personal information” handled by the institution or others must be safeguarded and protected against external threats.
The newly updated FTC Safeguards Rule (16 C.F.R. Part 314) provides further guidance on basic data security principles that financial institutions can follow and implement. Compliance with the new rule can also help organizations meet many of the regulatory standards set by the GLBA.
Who Needs to Comply with the FTC Safeguards Rule?
Entities expected to comply are still classified with the very misleading title of a “Financial Institution,” where “finance” refers to any relations with customer financial data, either through lines of credit, loans, or general financial information.
Some examples of businesses classified as “Financial Institutions” by the FTC include:
- Automobile dealerships.
- Financial career counselors.
- Credit counselors.
- Personal property or real estate appraisers.
- Collection agencies.
- A business that prints and sells checks for consumers.
- A business that wires money between consumers.
- Mortgage lenders
- Payday lenders
- Tax preparation firms
- Check cashing businesses.
- Retailers providing store credit cards
- Accountants and tax preparation services.
- A business that operates a travel agency in connection with financial services.
- Mortgage brokers.
- Credit unions.
- Any business that charges a fee to connect buyers with consumers or loans with lenders and is involved in any financial transactions between these parties (a new financial institution category defined as “finders” by the FTC).
For more information on the rule requirements for classifying financial institutions for large and small businesses, refer to section 314.2(h).
The Federal Trade Commission may continue broadening its definition of a Financial institution as digital transformation shortens the divide between third-party service providers and their influence on financial operations. So if your business isn’t classified as a Financial institution, it could be in the future. Regularly reference the FTC’s definition of a Financial Institution to learn if you’re suddenly expected to comply.
The FTC Safeguards rule is a subset of the Gramm-Leach-Bliley Act (GLBA)
Learn about the Gramm-Leach-Bliley Act >
5 Strategies for Complying with the New Requirements of the FTC Safeguards Rule
An effective compliance program for FTC’s new rules can be summarised with three primary objectives:
- Objective 1: Ensure the security of customer information.
- Objective 2: Implement safeguards against anticipated threats to customer information.
- Objective 3: Prevent unauthorized access to information systems linked to customer information.
The customer information landscape of every Financial Institution is unique. But regardless of the scope of information requiring protection, these five strategies will guide the implementation of appropriate safeguards that could prevent a costly Safeguards Rule violation by supporting compliance with the FTC’s revised rules.
1. Designate a Qualified Individual
Under the FTC Safeguards Rule, a “Qualified Individual” is an official title for a person overseeing the implementation of a customer information security program. This role can either be assigned to an employee or outsourced to a service provider. If you designate this role to a third party, you still need to appoint an internally qualified individual to represent the company’s customer data security program.
A Qualified Individual isn’t required to hold any specialized certifications. The only requirement is experience in managing security operations.
2. Identify all Internal and External Assets
Before customer data integrity can be evaluated, all internal and external assets with access to customer data need to be identified. This process is considerably more difficult for the external digital landscape since assets mapping to customer data could extend to the fourth-party landscape.
All of your internal and external assets could be identified through a process known as digital footprint mapping.
Learn how to map your digital footprint >
Don’t forget to include previous third-party vendors in this analysis. Many regulations stipulate a customer data retention period even after a partnership has ended.
Here are some examples of data retention periods for popular cybersecurity regulations.
- The Federal Information Security Management Act of 2002 (FISMA) - minimum of 3 years
- North American Electric Reliability Corporation (NERC) - 3 to 6 years.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) - 6 years.
- Basel II Capital Accord - 3 to 7 years.
- Sarbanes-Oxley Act of 2002 (SOX) - 7 years.
3. Map the Flow of Customer Data
Once all of your internal and external assets have been identified, map the flow of customer information between them. Address the entire lifecycle of each customer data category, noting where it’s collected, transmitted, stored, and destroyed.
Though the FTC is mainly concerned with the security of highly-sensitive financial information (such as Social Security Numbers, credit card numbers, etc.), your data map should also include general contact information since it could be used in phishing campaigns preceding security incidents.
Learn more about phishing attacks >
According to the FTC Safeguards rule, any record containing nonpublic personal information is classified as customer information.
A customer data flow chart should reflect your company’s customer information ecosystem. Based on this new understanding of when and where customer data is stored, establish a periodic data inventory schedule to ensure your security teams remain informed of the range of customer data being processed.
Your inventory efforts should include any apps, cloud solutions, systems, devices, and departments aligning with your customer data flow chart.
4. Evaluate Your Security Posture with Risk Assessments
Risk assessments are one of the best methods of evaluating an organization’s security posture. These assessments will indicate which regions of your IT ecosystem are most vulnerable to compromise. When this data is compared to your digital asset and customer information flow topographies, the degree of risk to customer data integrity can be identified and quantified, allowing the degree of FTC Safeguard compliance to be quantified.
You can establish an FTC compliance measurement process based on a security risk quantification model focusing on customer data integrity threats. The degree of risks to customer data safety is directly proportional to the degree of Safeguards rule compliance.
Learn more about cyber risk quantification >
Conventional risk assessments based on popular cybersecurity frameworks, like NIST CSF, may be too rigid for such a task. To accommodate for unique asset ecosystems and security inquiries, it’s best to use a custom security questionnaire builder.
Learn about UpGuard’s custom questionnaire builder >
Risk assessments (or security questionnaires) should be used alongside a security rating solution to expedite the discovery and evaluation of attack surface exposures. A real-time security rating solution can monitor security posture improvements internally and across your entire third-party network.
5. Implement Safeguards to Ensure Customer Data Integrity
Risk assessments will identify critical security risks threatening customer data safety. A capable internal cybersecurity team can then deploy necessary remediation responses for each of them. While this effort could elevate your security posture to a level reflective of an exemplary customer data security standard, it’s a point-in-time approach that doesn’t ensure ongoing FTC safeguards rule compliance.
An ongoing compliance program should include the implementation of the following controls.
- Zero-Trust Architecture - A zero-trust architecture forces users to continuously verify their authority to access internal resources, which supports the FTC’s requirement for the implementation and periodic review of access controls.
Learn how to implement a Zero-Trust Architecture > - Implement Multi-Factor Authentication - According to Microsoft, Multi-Factor Authentication could prevent up to 99.9% of account compromise attacks. MFA is a standard inclusion in a zero-trust architecture.
- Encrypt customer data - Encryption is the final safety net if all security controls prevent customer data access fail. Customer data is of little use to cybercriminals if they cannot read it. Advanced Encryption Standard (AES) is the recommended encryption algorithm to use; it’s the standard trusted by the U.S Government.
Learn more about encryption > - Follow secure coding practices - If your company develops apps, enforce secure coding practices and security reviews across the entire development lifecycle.
Learn more about secure coding > - Segment your private network - Network segmentation will make it difficult for cybercriminals to access your sensitive resource even after they gain access to your private network.
Learn more about network segmentation > - Implement security controls across the entire cyberattack lifecycle - To further obfuscate access to customer data in the event of unauthorized access, security controls should be deployed across each milestone of a typical attack trajectory. It’s best to implement controls based on a ransomware attack lifecycle since this is a popular style of cyberattack.
Learn how to deploy ransomware security controls > - Dispose of customer information securely - With the exception of legal requirements and legitimate business needs, customer data shouldn’t be stored for longer than two years. After this point, data should be disposed of securely.
- Continuously monitor the third-party attack surface - Continuous monitoring of your service providers will reveal third-party vulnerabilities that could facilitate customer data breaches.
- Implement a Vendor Risk Management program - Vendor Risk Management packages all of the essential initiatives for securing your entire vendor network, including vulnerability assessments, attack surface monitoring, and remediation planning.
- Create a written incident response plan - Create an incident response plan outlining response sequences for likely security events threatening customer data integrity. An IRP needs to be updated and commonly rehearsed to keep response times at a minimum.
Learn how to create an incident response plan > - Continuously monitor user activity - Regularly revise access logs for suspicious user activity and unauthorized access attempts. Network traffic can be monitored in real time with the free tool Wireshark. Open ports should also be regularly scanned to detect unauthorized access attempts outside your IT network.
- Create a change management policy - Create a change management policy ensuring residual risks are minimized throughout unexpected information system and security measure changes. For example, when a new server is added in response to a sudden scaling requirement.
Learn the difference between residual and inherent risks >
- Implement an annual penetration testing schedule - Pen testers should regularly test the resilience of all deployed security controls.
Learn more about penetration testing > - Implement a cybersecurity program reporting policy - Keep the board of directors and governing bodies updated with annual reports outlining the effectiveness of your FTC safeguard compliance efforts. This amendment is designed to improve the accountability of financial institutions' information security programs by increasing financial activity and security program transparency.
Learn how to write the executive summary of a cyber report >
How UpGuard Can Help Your Organization Comply with the FTC Safeguards Rule
UpGuard can help organizations develop, implement, and maintain a strong cybersecurity program with its comprehensive attack surface management, data leak detection, and third-party monitoring solution. In order to protect sensitive information, safeguards like real-time alerts and continuous monitoring must be implemented while the entire attack surface is assessed for security risks and vulnerabilities.
Organizations and financial institutions can utilize UpGuard’s customizable questionnaire builder to meet the standards set by the FTC Safeguards rule, such as data breach alerts, reporting policy, risk assessment process, security evaluation, outlined incident response plans, and much more.
