As we help companies in regulated industries with their cybersecurity obligations, we try to be a resource for others that are at a more exploratory phase in their journey towards compliance. One particularly misunderstood regulatory obligation that many financial institutions face is the FTC Safeguards Rule. That rule is not misunderstood by 10,000-person financial institutions, and probably not misunderstood by 1,000-person financial institutions, given the resources and expertise that they are able to leverage in their compliance efforts. But our clients tend to be the type of organizations that have several dozen to a few hundred employees, and at that organization size, very few have the resources to have dedicated on-staff cybersecurity professionals studying every nuanced regulatory obligation. And that's where we step in.
We have much to say about the FTC Safeguards Rule, but let's start with this: the original FTC Safeguards Rule went into effect on May 23, 2003, but the FTC signaled their move towards substantially revising the rule in 2019 -- and has been continuing to signal moves towards that revision (public workshops, requests for comments) ever since. Here, we'll start by talking about the original FTC Safeguards Rule before we move on to what the future may hold. First, though, please be aware that the rule applies to all financial institutions over which the Federal Trade Commission has jurisdiction. If that's you, and you haven't studied the implications of the FTC Safeguards Rule for your organization, please be in touch and we'll help you.
Here are some of the highlights of what financial institutions are required to do, under the current rule:
This isn't a complete list of the obligations that financial institutions have under the current rule; feel free to refer to the full text of the rule for complete details.
The bar is (potentially) rising. The proposed rule that the FTC has publicly discussed since at least 2019 contains a number of additional provisions that increase the breadth and depth of the obligations that financial institutions face. Although we plan to write about the proposed rule in greater depth in a future post, here are some of the highlights:
Again, this is not an exhaustive summary of the proposal, but rather a sampling of some of the obligations that you should be thinking about if the FTC has jurisdiction over your company.
As the FTC Safeguards Rule evolves, companies will need to ensure that their information security program contains everything the rule requires. Although most of the elements of the new rule are security practices that are already adopted by large organizations, we see smaller organizations struggling to comply due to their limited resources and expertise. We're standing by to help -- if any of the above items are not in place at your firm, please get in touch and we'll be glad to help.