The FTC Safeguards Rule extension will become effective on June 9, 2023. This rule requires financial institutions to develop, implement, and maintain an adequate information and data security program with the proper safeguards in place to protect sensitive customer information. The Safeguards Rule applies to all businesses that are defined as financial institutions under the Gramm-Leach-Bliley Act, which not only includes banks and credit unions, but also many other types of businesses that offer financial products or services to consumers. Non-banking institutions required to implement these elements include mortgage brokers, motor vehicle dealers, and payday lenders.
Although the industries that the FTC Safeguards Rule focuses on are narrow, all small to midsized organizations should take notice and work towards these requirements. Having security programs in place can greatly enhance your security posture and can help drive down cyber insurance costs, aid in obtaining customers, and protect your reputation from possible damage if an incident occurs. Initially, the Safeguards Rule was targeted to become effective on Dec 9, 2022, for the following seven elements:
- Designate a qualified individual responsible for implementing and supervising an information security program
- Conduct written risk assessments*
- Plan and implement safeguards to protect against risks identified through the risk assessment
- Conduct penetration tests and vulnerability assessments*
- Train your staff and oversee security providers
- Create a written incident response plan*
- Submit annual reports to the governing body*
*Financial institutions with fewer than 5,000 consumers are exempt from these elements.
These elements can be very challenging for a small business to implement quickly. Many factors affect the effort of putting these safeguards in place, such as the internal resources needed, supply chain issues, finding the budget for technology or hardware purchases, and more. As software and systems continue to become more complex, these challenges grow exponentially.
We have highlighted the FTC Safeguards Rule requirements and what goes into them; parts two and three will detail the how-to of each of these requirements and why each is necessary.
Wolf & Company can assist your organization in understanding its cyber and information security needs and help you build the programs and structure to ensure you are not at risk. Building, managing, and maturing your security programs with Wolf & Company can ensure your reputation and organization are protected from cyber threats.