The new FTC Safeguards Rule includes updated definitions of “financial institution” that go into effect on 12/9/22.
Is your business considered a financial institution? This inquiry may sound like a silly question, but the definitions are changing. And so are the compliance requirements for protecting customer information.
Are you ready? The FTC is mandating the implementation of new technologies. And the looming December deadline is creating fresh concerns that impact IT strategy, planning, and budgeting.
Since the updated FTC Safeguards (part of the Gramm-Leach-Bliley Act of 1999) appear in a mountain of legalese, we’re answering the critical questions in three easy-to-digest sections:
- Which financial firms are affected by the Safeguards Rule update?
- What new definitions does the Safeguards Rule include?
- How should finance entities use the new Safeguards guidelines to create reasonable information security programs?
Thirteen Financial Institutions Affected by the New FTC Safeguards
According to the National Archives Code of Federal Regulations, your business qualifies as a financial institution under new FTC Safeguards if you’re:
#1 – “A retailer that extends credit by issuing its own credit card directly to consumers.”
#2 – “An automobile dealership that leases automobiles on a nonoperating basis for longer than 90 days.”
#3 – “A personal property or real estate appraiser.”
#4 – “A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting, or audit departments of any company.”
#5 – “A business that prints and sells checks for consumers, either as its sole business or as one of its product lines.”
#6 – “A business that regularly wires money to and from consumers.”
#7 – “A check cashing business because money is exchanged.”
#8 – “An accountant or other tax preparation service, completing income tax returns.”
#9 – “A travel agency with related financial services.”
#10 – “An entity that provides real estate settlement services.”
#11 – “A mortgage broker because they transact loans.”
#12 – “An investment advisory company and a credit counseling service.”
#13 – “A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions they negotiate and consummate.”
Even couriers are considered financial institutions. Why not? They serve banks.
Learn More: Are You a Financial Institution?
Seven New Definitions from the New FTC Safeguards
As per Maurice Wutscher, there are seven new terms and one modification.
#1 – IT Change from the New FTC Safeguards
“Authorized User” under new FTC Safeguards “means any employee, contractor, agent, customer, or another person that is authorized to access any of your information systems or data.”
Learn More: Third-Party Data Breaches
#2 – IT Change from the New FTC Safeguards
“Encryption” under new FTC Safeguards “means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.”
Learn More: Why You Need Encryption
#3 – IT Modification from the New FTC Safeguards
“Financial Institution” under new FTC Safeguards has been modified to include “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. . .”
This pertains to “[a] company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate is a financial institution because acting as a finder is an activity that is financial in nature or incidental to a financial activity listed in 12 CFR 225.86(d)(1).”
#4 – IT Change from the New FTC Safeguards
“Information Security Program” under new FTC Safeguards “means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.”
#5 – IT Change from the New FTC Safeguards
“Multi-Factor Authentication” under new FTC Safeguards “means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics.”
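The definition above hinges on the factors being of different types, which is where real deployments most often fall short: a password plus a security question is two knowledge factors, not MFA. The following added example (not code from the FTC or from this post) classifies presented authentication methods into the rule’s three factor types and flags sessions that were not authenticated with at least two distinct types. The method names, their classification, and the sample sessions are this example’s own assumptions.

```python
"""Check login sessions against the Safeguards Rule definition of MFA:
at least two DIFFERENT factor types among knowledge, possession and inherence.
Added example; the method-to-type mapping below is an assumption, not rule text."""
from __future__ import annotations
from typing import Iterable

# Assumed mapping of common authentication methods to the rule's three factor types.
FACTOR_TYPE = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "totp_app": "possession",
    "hardware_token": "possession",
    "sms_code": "possession",
    "fingerprint": "inherence",
    "face_scan": "inherence",
}


def factor_types(methods: Iterable[str]) -> set[str]:
    """Map each verified method to its factor type; refuse unclassified methods
    rather than silently treating them as a factor."""
    types: set[str] = set()
    for method in methods:
        if method not in FACTOR_TYPE:
            raise ValueError(f"unclassified authentication method: {method}")
        types.add(FACTOR_TYPE[method])
    return types


def satisfies_mfa(methods: Iterable[str]) -> bool:
    """True only when at least two distinct factor types were verified.
    Two knowledge factors (password + security question) do not qualify,
    and three methods of one type still count as a single factor type."""
    return len(factor_types(methods)) >= 2


def sessions_without_mfa(sessions: dict[str, list[str]]) -> list[str]:
    """Return the ids of sessions that were authenticated without MFA, for review."""
    return [sid for sid, methods in sessions.items() if not satisfies_mfa(methods)]


# Constructed sample sessions (not real data).
SAMPLE_SESSIONS = {
    "s1": ["password", "totp_app"],              # knowledge + possession: MFA
    "s2": ["password", "security_question"],     # knowledge + knowledge: NOT MFA
    "s3": ["password", "pin", "fingerprint"],    # knowledge + inherence: MFA
    "s4": ["hardware_token"],                    # single factor: NOT MFA
}

if __name__ == "__main__":
    print(sessions_without_mfa(SAMPLE_SESSIONS))  # ['s2', 's4']
```

Run over an export of your identity provider’s sign-in logs, a check like this turns the definition into a measurable control: the list it returns is the population of accounts whose authentication does not yet meet the rule.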
Learn More: Multi-Factor Authentication
#6 – IT Change from the New FTC Safeguards
“Penetration Testing” under new FTC Safeguards “means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.”
Learn More: Penetration Testing
#7 – IT Change from the New FTC Safeguards
“Security Event” under new FTC Safeguards “means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.”
New FTC Safeguards for a Reasonable Information Security Program
The FTC is staffing up to enforce new safeguards for what they are calling “a reasonable information security program.”
While the following 9-point checklist will probably elicit a few sighs, financial institutions can leverage this blueprint to:
- Make a stronger case for strategic IT investments
- Add structure and objectivity to budgetary recommendations
- Shift the conversation away from a hardware and software mindset to strengthening security across the supply chain
- Hold team members accountable
- Gain marketing appeal
- Avoid breaches, regulatory interventions, fines, bad publicity, and legal fees
It’s time to formalize your data security discipline around a repeatable, FTC-approved process that includes:
#1 – A qualified individual responsible for the security program
A qualified individual like a Chief Information Security Officer (CISO) or vCIO should take full responsibility for the program by overseeing, implementing, and enforcing security.
Your CFO or Finance Director could also oversee the program through a partnership with a vCIO from your MSP. In both instances, this “ownership” role goes beyond the previous responsibility, which was coordination.
#2 – Periodic risk assessments
Every business should conduct periodic risk assessments with criteria to evaluate and categorize security risks and threats.
The CIA Triad – confidentiality, integrity, and availability of information – is an established set of criteria for assessing the adequacy of existing controls.
Risk assessments should also include requirements for identifying and mitigating risks and the criteria for accepting certain risks (because they are manageable for the time being).
#3 – Safeguards to control the risks identified through risk assessments
Risk assessments produce insights for managing risks with policies and procedures, including physical and technical access controls.
Initiatives and IT stack details cover:
- Authenticating and limiting access
- Identifying and managing data, personnel, devices, systems, and facilities
- Encrypting all customer information you’re storing or transmitting
- Implementing Multi-Factor Authentication for anyone accessing information
- Developing and testing secure applications used for transmitting, accessing, or storing customer information
- Creating procedures and following timelines for the secure disposal of customer information
- Documenting best practices for change management
- Rolling out policies, procedures, and controls to monitor and log the activity of authorized users and to detect unauthorized access, use, or tampering
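The last bullet, read together with the rule’s “authorized user” definition, amounts to a concrete detection requirement: every access to customer information should be logged, and the log should be checked against a register of who is authorized to do what. The added example below (not code from the FTC or from this post) runs that check over a few constructed log lines, flagging unknown users, access to systems a user was never granted, and actions that exceed a user’s granted rights. The log format, the authorized-user register, and the sample lines are all assumptions made for the example.

```python
"""Check constructed access-log lines against an authorized-user register.
Added example; the log format, register and sample lines are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed register of authorized users (employees, contractors, customers),
# the one system each may reach and the actions granted on it.
AUTHORIZED = {
    "alice":   {"system": "loan-db", "actions": {"read", "write"}},
    "bob":     {"system": "loan-db", "actions": {"read"}},
    "vendor1": {"system": "backup",  "actions": {"read"}},
}

# Assumed log line format: "<timestamp> system=<name> user=<id> action=<verb> record=<id>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) system=(?P<system>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    reason: str


def check_line(line: str) -> Finding | None:
    """Return a Finding for any line that is unparseable or violates the register."""
    m = LOG_RE.match(line.strip())
    if not m:
        # A line the monitor cannot parse is itself worth reviewing.
        return Finding("?", "?", f"unparseable line: {line.strip()}")
    ev = m.groupdict()
    entry = AUTHORIZED.get(ev["user"])
    if entry is None:
        return Finding(ev["ts"], ev["user"], "unknown user: not an authorized user")
    if ev["system"] != entry["system"]:
        return Finding(ev["ts"], ev["user"], f"access to {ev['system']} was never granted")
    if ev["action"] not in entry["actions"]:
        return Finding(ev["ts"], ev["user"],
                       f"action '{ev['action']}' exceeds granted rights (possible tampering)")
    return None


def scan(lines) -> list[Finding]:
    """Run check_line over every log line and keep only the findings."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2022-12-09T08:01:00Z system=loan-db user=alice action=read record=C1001",
    "2022-12-09T08:02:10Z system=loan-db user=bob action=write record=C1001",
    "2022-12-09T08:03:30Z system=loan-db user=mallory action=read record=C1002",
    "2022-12-09T08:04:00Z system=loan-db user=vendor1 action=read record=C1003",
    "2022-12-09T08:05:00Z system=backup user=vendor1 action=read record=snap-42",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ts} {finding.user}: {finding.reason}")
```

The point of the design is that the register, not the log, is the source of truth: a monitor that only looks for “suspicious” patterns cannot tell a contractor who was never onboarded from an employee, whereas comparing each event to the documented grant makes “unauthorized” an objective, auditable judgement and produces exactly the evidence the rule asks you to keep.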
#4 – Monitoring and testing the effectiveness of safeguards regularly
The FTC makes a special note regarding monitoring and testing safeguards, “This general requirement is currently in effect, but new requirements effective Dec. 9, 2022, and not applicable to small businesses, are:
- Annual penetration testing
- Vulnerability assessments”
The term “small business” means different things to different people. Do you have 20 people or 450? Integris has 450 people, and ADP puts us in the small business category.
Before committing to annual pen tests and vulnerability assessments, please get a second opinion.
#5 – Train staff regularly on cybersecurity awareness
Training your team with an ongoing cybersecurity awareness curriculum is an easy win.
Several dozen Software as a Service companies offer training. Every month, I go through new modules from Info Sec IQ and always pass the quizzes.
However, cybersecurity is a big part of my job. So, I’m an outlier. You may need to incentivize your team to stay engaged. Talent LMS reports, “69% of respondents have received cybersecurity training from their employers, and yet, when we asked them to take a basic quiz, 61% failed.”
When a qualified security professional manages the program, they motivate the team, make content updates, and take countermeasures to address new risks.
#6 – Service provider oversight
Service provider oversight means your partners are contractually obligated to maintain appropriate safeguards. This two-pronged requirement is not new.
However, periodically assessing their risk and the adequacy of their safeguards will go into effect on 12/9/2022.
There has never been a better time to ensure your strength isn’t compromised by your weakest link.
This mindset is one of the reasons so many companies are merging. Hospitals are buying physician offices. Money management boutiques are merging with larger firms. And smaller MSPs with insurance and compliance gaps are joining forces with larger MSPs.
#7 – Keeping information security program current to safeguard against emerging threats
You should evaluate and adjust your information security program to reflect new and emerging threats, new equipment added, and new clients.
Use testing, tracking, and monitoring results to stay ahead of material changes to your IT stack.
Do you have any Cisco solutions in your network? They’re a market leader in network security, so you probably do. Last May, the Yanluowang ransomware operators breached their network.
Every business gets hit, which forces everyone in the supply chain to pivot.
#8 – Creating a written incident response plan
Creating a written incident response plan empowers you to protect the confidentiality, integrity, and availability of client information in your network.
To respond quickly and recover, the FTC recommends an incident response plan that addresses the following areas:
#1 – “The goals of the incident response plan.”
#2 – “The internal processes for responding to a security event.”
#3 – “The definition of clear roles, responsibilities, and levels of decision-making authority.”
#4 – “External and internal communications and information sharing.”
#5 – “Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.”
#6 – “Documentation and reporting regarding security events and related incident response activities.”
#7 – “The evaluation and revision necessary for the incident response plan following a security event.”
#9 – Annual reports to boards of governors on security program
Require your CISO, vCISO, CIO, vCIO, CFO, or another qualified individual to deliver written annual reports to your board of directors or equivalent governing body.
Their documentation should include the program’s status, compliance, incident updates, violations, and change recommendations.
Navigating Your FTC Safeguards Journey
There’s nothing like a deadline to inspire action and innovation. In fact, The Gramm–Leach–Bliley Act is also known as the Financial Services Modernization Act of 1999.
Are you a financial services entity with a desire to evolve?
Do you have any questions about the new FTC definitions and their effect on your security program?
Schedule a free consultation to explore the competitive benefits of aligning IT with proactive compliance.