What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a government-mandated rule implemented in June 2023. This rule applies to all non-banking financial institutions, such as accounting firms, loan offices, motor vehicle dealers, and payday lenders.
On Friday, June 9th, 2024, ByteTime is hosting an informational webinar about the FTC Safeguards Rule. ByteTime’s panel will consist of FTC Safeguards Rule expert Marc Ferruzzo, cybersecurity expert Brandon Layhew, and insurance expert Grant Jacobson.
Our webinar will discuss:
- The Safeguards Rule requires companies to keep customer data secure and protected from theft and misuse.
- The Safeguards Rule applies to all businesses that collect, store, transfer, or use customer information.
- To be compliant with the Safeguards Rule, businesses must develop, implement, and maintain an information security program with administrative, technical, and physical safeguards to protect customer information.
A reasonable security infrastructure should include:
- Designate a Qualified Individual to implement and supervise your information security program.
- Conduct a risk assessment.
- Regularly monitor and test the effectiveness of your safeguards.
- Build a human firewall.
- Monitor your service providers.
- Keep your information security program current.
- Require your Qualified Individual to report to your Board of Directors.
- Implement and remediate your identified risk.
- Create a written incident response plan.
Non-compliance carries serious consequences:
- Regulatory scrutiny: Offending businesses can be subjected to costly regulatory audits for years to come.
- Imprisonment: In the worst cases of non-compliance, business owners, directors, and executives could go to prison for criminal negligence.
Designate a qualified individual
Designate a Qualified Individual to implement and supervise your information security program.
The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business.
Conduct a risk assessment
Conduct a thorough risk assessment to evaluate your risks and threats, internal and external.
You can’t formulate an effective information security program until you know your information and where it’s stored. Conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information.
Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Consider how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of changes to your operations or the emergence of new threats.
Regularly monitor and test your safeguards
Regularly monitor and thoroughly test the effectiveness of your safeguards.
- Implement and periodically review access controls. Determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.
- Know what you have and where you have it. A fundamental step to effective security is understanding your company’s information ecosystem.
- Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.
- Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
- Assess your apps. If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security.
- Implement multi-factor authentication for anyone accessing customer information on your system.
- Dispose of customer information securely. Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn’t feasible because of the way the information is maintained.
- Anticipate and evaluate changes to your information system or network. Changes to an information system or network can undermine existing security measures.
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
Build a human firewall
Provide your people with security awareness training and schedule regular refreshers.
A financial institution’s information security program is only as effective as its least vigilant staff member. That said, employees trained to spot risks can multiply the program’s impact. Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.
Monitor your service providers
Your contracts must state your security expectations.
Select service providers, like ByteTime, with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.
Keep your information security program current
The best programs are flexible enough to accommodate periodic modifications.
The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.
Require your Qualified Individual to report to your Board of Directors
Your Qualified Individual must report in writing regularly.
Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program. What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program, such as risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.
Implement and remediate your identified risk
Implement and periodically review access controls
Anticipate and evaluate changes to your information system or network. Changes to an information system or network can undermine existing security measures. For example, if your company adds a new server, has that created a new security risk? Because your systems and networks change to accommodate new business processes, your safeguards can’t be static. The Safeguards Rule requires financial institutions to build change management into their information security program.
Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.
Create a written incident response plan
Every business needs a written response plan in case of a security event.
Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover:
- The goals of your plan;
- The internal processes your company will activate in response to a security event;
- Clear roles, responsibilities, and levels of decision-making authority;
- Communications and information sharing both inside and outside your company;
- A process to fix any identified weaknesses in your systems and controls;
- Procedures for documenting and reporting security events and your company’s response; and
- A post mortem of what happened and a revision of your incident response plan and information security program based on what you learned.