
Intro to the FTC Safeguards Rule

The Federal Trade Commission (FTC) Safeguards Rule is a set of security requirements intended to protect private customer information against cyberattacks and data breaches. The rule originally took effect in 2003; the FTC amended it in 2021 (with most of the new requirements taking effect in June 2023) to keep its obligations in step with current technology. Many businesses that were compliant under the old rule now fall short of the amended one. Businesses of all sizes should therefore familiarize themselves with the updated language of the Safeguards Rule, because its scope covers any non-bank financial institution under FTC jurisdiction that handles customer financial data.

The rule’s official definition of “financial institution” is outlined as the following: 

“Any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”

Drummond understands that this legal definition is confusing to many. To determine with confidence whether your business is considered a financial institution and is therefore subject to the FTC Safeguards Rule, see the FTC Safeguards Beginner’s Guide.

If you confirm that your business falls under the FTC Safeguards Rule, it is essential to start preparing for its compliance requirements right away, as meeting them is time-consuming and resource intensive for any business just beginning its compliance journey.

You might then wonder, “How much effort does it take to become FTC Safeguards compliant?”

The answer lies in the rule’s long list of security-centric processes that the FTC deems necessary for a covered business to safeguard its customer information effectively.

The FTC Safeguards requirements break down as follows:

  • Maintain a written information security plan (WISP)
  • Designate a “Qualified Individual”
  • Perform a risk assessment
  • Periodically review access controls
  • Manage data, personnel, devices, and facilities
  • Use encryption for customer information at rest and in transit
  • Maintain a secure software development lifecycle (SDLC)
  • Actively oversee managed service providers (MSPs)
  • Establish an incident response plan
  • Implement multifactor authentication (MFA)
  • Maintain data retention policy
  • Maintain change management process
  • Monitor and log activity
  • Perform continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months
  • Maintain policies and procedures
  • Establish security and awareness training
  • Deliver a written report, at least annually, to the board of directors or senior management on the status of the information security program and compliance with the rule

While these compliance requirements are extensive, there are several effective ways to reduce the FTC compliance burden, such as working with a third-party firm that can provide expertise in compliance, risk assessment, vulnerability scanning, and penetration testing. In short, using third-party vendors can help you offload a significant amount of the FTC compliance workload, allowing your organization to enjoy the benefits of compliance without losing focus on your enterprise goals. Note that the rule still requires you to oversee those providers: outsourcing the work does not outsource the accountability.

Learn how Drummond can help you reduce the effort and expense of satisfying FTC requirements by booking a free consultation with a risk assessment expert and getting answers to your most pressing FTC compliance questions.
