Protecting personal and financial information matters more than ever. Cyberattacks and data breaches are common, and weak safeguards feed identity theft and financial loss.
The scale is real. IBM's Cost of a Data Breach report put the average US breach at $9.4 million in 2022.
In response, the Federal Trade Commission (FTC) revised its Safeguards Rule. The rule is a core part of the Gramm-Leach-Bliley Act (GLBA), which sets security and privacy requirements for consumer financial information.
The rule was first set to take effect on December 9, 2022. The FTC then extended the deadline by six months, citing public comments about staffing shortages and supply chain issues. Financial institutions had to comply by June 9, 2023.
The updated rule is prescriptive. The earlier version let each institution decide what safeguards fit its size, its activities, and the sensitivity of the information it held. The new version names specific elements that every information security program must include.
The 12 requirements at a glance
To comply, a financial institution must do all of the following:
- Name a qualified person to oversee and run the information security program.
- Base the program on a written risk assessment. The assessment identifies foreseeable internal and external risks and judges whether current safeguards control them.
- Put access controls in place. Limit access to customer information to what each job actually needs.
- Encrypt customer information in transit and at rest.
- Use secure development practices for in-house and third-party applications.
- Require multi-factor authentication.
- Dispose of customer information securely, and review retention policies so data is not kept longer than needed.
- Adopt change management procedures.
- Monitor and log activity. Detect unauthorized access through continuous monitoring, annual penetration testing, and vulnerability assessments twice a year.
- Provide security awareness training.
- Oversee service providers.
- Keep a written incident response plan.
The rule also raises accountability at the top. Institutions must report periodically to their board of directors on the state of the security program. Those reports cover material issues such as security incidents and violations, along with recommended changes.
There is a limited small-business exemption. It applies only to institutions that hold nonpublic personal information on fewer than 5,000 customers. Even then, the exemption is partial. Those institutions still need a written risk assessment, an incident response plan, and annual reporting to the board.
Once the rule is in effect, the FTC can act against institutions that violate it. Covered entities include finders, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and investment advisers that do not register with the Securities and Exchange Commission.
The takeaway is simple. The updated Safeguards Rule pushes financial institutions to protect customer information and prevent breaches. Meet the requirements early, and you avoid steep penalties for non-compliance.
Found This Useful? Let's Get You Set Up.
Start an application and an expert will tailor the next steps to your situation.