FTC Expands Cybersecurity Rules for Financial Institutions
The Federal Trade Commission (FTC) recently announced an updated Safeguards Rule (referred to as the Final Rule) that strengthens the data security safeguards financial institutions must put in place to protect their customers’ financial information. The updates are intended to improve the security of consumer financial information, set more concrete requirements for the safeguards that protect it, and make institutions more accountable for how they protect it.
The Safeguards Rule has always applied to “financial institutions” in a broad sense, not just lenders, and the definition has now been expanded to cover institutions that are significantly engaged in activities incidental to financial activities, such as “finders” that bring together buyers and sellers of a financial product or service. The Safeguards Rule does not apply to banks, which are regulated by the federal banking agencies, but it does apply to non-bank entities under FTC jurisdiction, including:
- Check-cashing businesses
- Payday lenders
- Mortgage brokers
- Non-bank lenders
- Personal property or real estate appraisers
- Professional tax preparers
- Courier services
It also includes businesses such as credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.
New Safeguards Rule Requirements
The updated Safeguards Rule requires non-banking financial institutions to develop, implement, and maintain comprehensive cybersecurity systems to keep their customers’ information safe. In addition to developing their own safeguards, financial institutions covered by the Safeguards Rule are responsible for ensuring that their affiliates and service providers comply with the safeguarding of the customer information in their care.
The updated Safeguards Rule now contains additional specifics that must be included in the written information security program and how the program must be implemented, such as:
- Designate a Qualified Individual: The covered financial institution must designate a qualified individual to oversee, implement, and enforce its information security program. The Qualified Individual can be an employee of the financial institution or employed by an affiliate or service provider. However, the financial institution retains responsibility for compliance with the Safeguards Rule and, if it uses a service provider or affiliate, must designate a senior member of its own personnel to direct and oversee the Qualified Individual.
- Reports to the Board of Directors: The new Safeguards Rule requires the Qualified Individual to report in writing, at least annually, to the board of directors or equivalent governing body on the overall status of the financial institution’s information security program and its compliance with the rule.
- Multifactor authentication: The new Safeguards Rule requires financial institutions to implement multifactor authentication for any individual accessing any information system that contains customer information. Multifactor authentication combines at least two different types of factors: a knowledge factor, such as a password; a possession factor, such as a token; and an inherence factor, such as a biometric characteristic.
- Penetration testing and vulnerability assessments: Covered financial institutions must regularly test the effectiveness of their safeguards, including those that detect attempted and actual attacks on or intrusions into their information systems. They can do this either through continuous monitoring or through periodic testing: under the new rule, institutions without continuous monitoring must perform penetration testing at least annually and vulnerability assessments at least once every six months, and whenever there are material changes to operations or business arrangements.
- Service providers: Covered financial institutions must select and retain service providers that are capable of maintaining appropriate safeguards for customer information, require those safeguards by contract, and periodically assess the service providers’ handling of customer information based on the risk they present.
- Written risk assessments: The amended Safeguards Rule requires covered entities to have written risk assessments that set out the criteria used to evaluate and categorize security risks and threats, assess the confidentiality, integrity, and availability of information systems and customer information, and describe how identified risks will be mitigated or accepted.
- Encryption of customer information at rest and in transit: The new Safeguards Rule requires covered institutions to encrypt all customer information they hold or transmit, both in transit over external networks and at rest. Where encryption is infeasible, the institution may instead use effective alternative compensating controls that have been reviewed and approved by the Qualified Individual.
The timeline for compliance with the various elements of the expanded Safeguards Rule ranges from 30 days to one year after publication of the amended rule in the Federal Register, which took place on December 9, 2021. The more demanding provisions, including those on appointing a Qualified Individual, implementing the specified safeguards, undertaking a written risk assessment, conducting continuous monitoring or annual penetration testing and semiannual vulnerability assessments, and reporting to the board, were originally effective one year after publication (December 9, 2022); the FTC has since extended that deadline to June 9, 2023. The remaining provisions took effect 30 days after publication.
Alveraz Technology Group can help you implement FTC’s updated Safeguards Rule. Contact us to schedule a consultation or to find out more about our IT services!