FTC Safeguards Rule & The Rising Cybersecurity Bar
January 11, 2021
As we help companies in regulated industries with their cybersecurity obligations, we try to be a resource for others that are at a more exploratory phase in their journey towards compliance. One particularly misunderstood regulatory obligation that many financial institutions face is the FTC Safeguards Rule. That rule is not misunderstood by 10,000-person financial institutions, and probably not misunderstood by 1,000-person financial institutions, given the resources and expertise that they are able to leverage in their compliance efforts. But our clients tend to be the type of organizations that have several dozen to a few hundred employees, and at that organization size, very few have the resources to have dedicated on-staff cybersecurity professionals studying every nuanced regulatory obligation. And that's where we step in.
FTC Safeguards Rule: Now vs Future
We have much to say about the FTC Safeguards Rule, but let's start with this: the original FTC Safeguards Rule went into effect on May 23, 2003, but the FTC signaled their move towards substantially revising the rule in 2019 -- and has been continuing to signal moves towards that revision (public workshops, requests for comments) ever since. Here, we'll start by talking about the original FTC Safeguards Rule before we move on to what they future may hold. First, though, please be aware that the rule applies to all financial institutions over which the Federal Trade Commission has jurisdiction. If that's you, and you haven't studied the implications of the FTC Safeguards Rule for your organization, please be in touch and we'll help you
The Current Rule
Here are some of the highlights of what financial institutions are required to do, under the current rule:
Required to have an information security plan that includes administrative, technical, and physical safeguards
Required to designate one or more employees to coordinate the information security program
Required to perform risk assessments that evaluate:
possible attacks/intrusions (detecting, preventing and responding)
security obligations enforced in agreements with service providers
testing and monitoring procedures for administrative, technical, and physical safeguards
This isn't a complete list of the obligations that financial institutions have under the current rule; feel free to refer to the full text of the rule for complete details.
The Proposed Rule
The bar is (potentially) rising. The proposed rule that the FTC has publicly discussed since at least 2019, contains a number of additional provisions that increase the breadth and depth of the obligations that financial institutions face. Although we plan to write about the proposed rule in greater depth in a future post, here are some of the highlights:
Required penetration tests and vulnerability assessments
Required security awareness training to personnel
Train security personnel in a manner that ensures that they have up-to-date knowledge
Periodically assess service providers / vendors
Have a written Incident Response Plan (IRP)
Require an annual written report to the board of directors
Have written procedures for the disposal of information that is no longer needed for legitimate business purposes
Implement a change management policy
Monitor activity for unauthorized users.
Maintain audit trails showing detection of security events
Require encryption of customer information in-transit and at-rest
Implement Multifactor Authentication
Again, this is not an exhaustive summary of the proposal, but rather a sampling of some of the obligations that you should be thinking about if the FTC has jurisdiction over your company.
As the FTC Safeguard Rule evolves, companies will need to ensure that their information security program contains everything the rule requires. Although most of the elements of the new rule are security practices that are already adopted by large organizations, we see smaller organizations struggling to comply due to their limited resources and expertise. We're standing by to help -- please get in touch if any of the above items are not in place at your firm, we'll be glad to help.