What Are These New Safeguards Rules?
In recent years, we have seen a number of high-profile data breaches affecting small and large businesses. As a result, data security has been a top priority for regulators, including the Federal Trade Commission (FTC).
On May 24, 2022, the FTC released a new publication that provides guidance to financial institutions and their service providers about the FTC’s revised Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA).
Why Should You Care?
Well, it’s a law, and if an organization is found not to have complied with these requirements, fines and sanctions will follow.
That’s not even the bad part. Taking the initiative and making sure these guidelines are implemented within an organization can drastically reduce the probability of suffering a data breach: one that could result in a loss of trust, public embarrassment, and ransomware fees in excess of $4M to $10M.
Give Me the Cliff Notes
Let’s cut to the chase. Here are the highlighted actions that all financial institutions under Federal Trade Commission (FTC) jurisdiction (that’s a majority of financial services organizations conducting business in the US) must comply with by December 9, 2022:
- Base your information security program on a risk assessment
- Implement and periodically review access controls
- Implement policies, procedures, and controls designed to monitor and log user activity
- Perform continuous monitoring, or periodic penetration testing and vulnerability assessments
- Conduct annual penetration testing of your information systems, with the scope determined each year
- Conduct vulnerability assessments at least every six months
- Utilize qualified information security personnel employed by you or by an affiliate or service provider (Teaser: CyberMaxx is your friend)
- Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control
What’s the Gramm-Leach-Bliley Act?
As businesses continue to collect and store more data, it is becoming increasingly important for them to have strong data security measures in place. This is especially true for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), which regulates how these institutions must protect customer information.
Under the GLBA, companies that offer consumers products and services like loans, financial advice, or insurance must explain their information-sharing practices to customers and take measures to keep sensitive data secure.
FTC Safeguards Rule: What Your Business Needs to Know
“FTC Safeguards Rule: What Your Business Needs to Know” is a new publication from the Federal Trade Commission that outlines their continued interest in regulating data security for businesses subject to GLBA. This is something that all businesses under FTC jurisdiction should be aware of, as they may now be more likely to face regulatory action.
In order to protect customer information, financial institutions and their service providers must maintain certain safeguards. These safeguards are outlined in detail in the FTC’s Safeguards Rule.
This Rule broadly defines what counts as a financial institution, including non-banking businesses such as check-cashing services, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and credit reporting agencies.
In December 2021, in response to feedback from financial services companies and their third-party service providers, the FTC amended its Safeguards Rule. This new version of the Rule provides more concrete guidance on what information security safeguards financial institutions must implement as part of their overall program. Unlike previous versions of this Rule and other similar regulations promulgated by federal financial regulators, this new Rule includes specific criteria that must be met in order for a company’s security measures to be considered adequate.
What Can You do to Start Complying?
Your organization may be subject to the Safeguards Rule (most likely it is), so it’s important to take steps to ensure compliance.
1. Identify Your Organization’s “Qualified Individual”
The FTC’s amendments to the rule include designating someone within your organization to be the “Qualified Individual.” This person is responsible for ensuring that your organization complies with the rule and overseeing the development and execution of the organization’s security program. They will also be required to report to the company’s board of directors.
Even if the decision is made to outsource data privacy and security support to an MDR/XDR provider like CyberMaxx, the organization will still need to designate an internal Qualified Individual.
2. Needed: Encryption Services
The Safeguards Rule requires that all sensitive customer data be encrypted both at rest and in transit. Data can move in many ways and for a variety of reasons, so this is a broad requirement.
3. Access Controls – Does Your Organization Have Them?
Periodic re-evaluation of who in the organization has access to what information, and for how long, is a requirement under the new guidelines. One way to reduce the likelihood of data breaches is to restrict access to information on a need-to-know basis. By not permitting all employees to view all data at all times, you make it more difficult for an attacker who compromises one account to reach sensitive information.
4. Review Applications and Partners
Organizations should take a close look at their in-house applications and third-party partners to make sure they are meeting all of the requirements laid out in the FTC’s Safeguards Rule. Despite best intentions, data breaches happen. And when they do, the consequences can be severe – especially when customer data is involved.
How Can CyberMaxx Help?
How can CyberMaxx help you with these updated guidelines under the Safeguards Rule?
The real question is what can’t we help you with?
CyberMaxx offers all the services that are required under the Safeguards Rule:
- Penetration Testing
- Vulnerability Services
- Network IDS/IPS Services
- Risk Assessments
- Incident Response Plans and Playbooks
More and more organizations just like yours have been making the switch to our managed security services.
99%, 72, and 1,000+ are the numbers that are convincing security professionals like yourself to make the change to CyberMaxx.
CyberMaxx has:
- A 99% customer retention rate
- An NPS of 72
- All while protecting over a thousand locations
Matched with our mature SOC that has over 20 years of experience, our free trials are showing these organizations the difference we bring while keeping their current protection in place.
Let’s talk. Time is running out and we want to make sure you aren’t caught by the FTC or a bad actor.