The Federal Trade Commission (FTC) Safeguards Rule is a mandate under the Gramm-Leach-Bliley Act. It requires financial services to protect customer information from data breaches. That includes businesses beyond traditional banking, such as debt collection. The rule reflects the FTC's goal of reducing the risk of unauthorized access to sensitive information.
Recent amendments raise the requirements. Non-banking financial entities must adapt quickly to stay compliant and strengthen their defenses. Starting May 13, 2024, all non-banking institutions must report data breaches and other security events to the FTC. Institutions need to build, run, and regularly reassess their information security programs.
Overview of the FTC Safeguards Rule
The Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions to secure sensitive customer information. The rule covers a wide range of entities defined as financial institutions. That includes banks, but also mortgage lenders, payday lenders, finance companies, and other non-banking financial services. These institutions must run information security programs with administrative, technical, and physical safeguards.
Key Requirements of the FTC Safeguards Rule
- Designate a qualified individual. Appoint someone to oversee the information security program and ensure it works.
- Assess risk. Run a thorough risk assessment to find threats to customer information and system vulnerabilities.
- Develop safeguards. Based on the assessment, design and put in place safeguards that address the identified risks.
- Monitor and test. Test and monitor the safeguards regularly so they keep pace with new threats.
- Oversee service providers. Make sure service providers use adequate safeguards to protect customer information.
- Train staff. Run regular training so employees know the security protocols and the threats.
Expanded Coverage and Compliance Requirements
The scope of the rule has grown over time. Recent amendments extended coverage to "finders," which are entities that connect buyers and sellers. That shows how financial services keep evolving.
Compliance is critical. Non-compliance can bring severe penalties. A well-built and well-maintained information security program protects customer data. It also strengthens the institution's reputation and trust in the market.
Implications of the Recent Amendments
The recent amendments add strict requirements for non-banking financial institutions. These changes call for a fast, thorough response to protect consumer data. Here are the key implications.
Enhanced Reporting Obligations
Non-banking financial institutions must now report any data security breach to the FTC within 30 days of discovery. This applies when the breach affects at least 500 consumers. It covers a wide group of entities, including financial technology companies, mortgage brokers, and tax preparers.
Broader Scope of Covered Information
The amendments expand the definition of "customer information." It now includes data gathered through online activity, such as tracking via cookies, not just data provided by consumers. As a result, more types of breaches fall under the reporting requirements.
Tightened Incident Reporting Triggers
Any unauthorized acquisition of unencrypted customer information triggers a reporting obligation. The rule presumes unauthorized access unless the institution can provide reliable evidence to the contrary.
Public Disclosure and Increased Transparency
Once reported, the FTC may make these incidents public. That increases transparency. It can also lead to more public scrutiny, media exposure, and litigation risk.
Preparation for Compliance
Institutions should review and update their policies and procedures now. The amendments take effect 180 days after publication in the Federal Register. That leaves a limited window for updates.
These amendments aim to strengthen protections around consumer data. They also push institutions to improve their security measures. Non-banking financial institutions must make significant changes to meet the new federal standards and protect consumer information against unauthorized access and breaches.
Impact on Non-Banking Financial Institutions
Non-banking financial institutions face heightened scrutiny and higher expectations under the rule. Below are the key measures they must take.
Increased FTC Engagement and Investigative Activity
Expect more engagement from the FTC, especially on cybersecurity risk. The agency is likely to step up its investigations to ensure compliance. The goal is to strengthen security frameworks, reduce breaches, and protect consumer information.
Prioritizing Updates to Incident Response Plans
- Review and update incident response plans. Revisit your response strategy so you can act quickly and effectively during a breach.
- Reassess security and privacy programs. Reevaluate and strengthen existing frameworks to match the new requirements.
- Add new disclosure considerations. Build new disclosure steps into daily practice. Prepare executives and legal leaders with tabletop exercises that simulate breach scenarios.
Comprehensive Security Program Development
The FTC requires every non-banking financial institution to build, run, and maintain a comprehensive security program. It should protect customer information with strong technology and clear administrative protocols. The aim is a secure environment that protects sensitive data and builds consumer trust.
These steps help institutions comply with the rule. They also strengthen defenses against the growing threat of cyberattacks in the financial sector.
Preparing for Compliance
Designation and Training of the Qualified Individual
Appointing a qualified individual is essential. This person can be an employee, an affiliate, or a service provider. They oversee the information security program and ensure compliance with the rule. Regular training keeps this individual and the security staff current on threats and mitigation strategies.
Development of a Strong Information Security Program
- Risk assessment. Start with a written risk assessment that includes criteria for evaluating risks and threats to customer information.
- Implementation of safeguards. Design and put in place administrative, technical, and physical safeguards based on the assessment.
- Regular monitoring and testing. Test and monitor the safeguards so they keep pace with new threats.
Comprehensive Incident Response and Reporting
Build a detailed incident response plan. Cover goals, internal processes, and roles and responsibilities. Include communication strategies, steps for documenting and reporting security events, and a process for post-event analysis. Use what you learn to revise your security measures. The qualified individual should report regularly to the Board of Directors on compliance, risk assessments, and any security events with management's response.
Enhancing Access Controls and Encryption Practices
Use strict access controls to limit and monitor who can reach sensitive customer information. Encrypt sensitive data in storage and in transit to protect its integrity and confidentiality. Require multi-factor authentication, or an equivalent protective measure, for anyone accessing customer information.
Service Provider Oversight and Security Practices Reassessment
Monitor and periodically reassess the security practices of every service provider. Confirm they meet the required standards. Contracts should spell out security expectations and include clauses for regular security audits.
Mitigate Risk with Cyber Insurance
Digital operations face growing regulation, and cyber insurance has become a necessity. The risks of cyberattacks and the potential losses from inadequate coverage are too large to ignore. Businesses should prioritize cybersecurity and invest in comprehensive cyber insurance that covers a wide range of risks.
Full protection calls for standalone, full-coverage cyber insurance. These policies cover a wide range of third-party and first-party cyber risks. They can cover data restoration, lost business income, system failures, reputational harm, and more. Cornerstone can help with your commercial insurance needs. Connect with us today to evaluate the right cyber coverage amount for your company and to build an effective cyber security plan.
The effective date is close, on May 13, 2024. Financial institutions should act quickly to prepare for compliance with the FTC Safeguards Rule. Compliance ensures legal adherence. It also creates a secure, trustworthy environment to operate in. By protecting sensitive consumer information, you also protect your business's reputation.
Found This Useful? Let's Get You Set Up.
Start an application and an expert will tailor the next steps to your situation.