FTC Cybersecurity Financial Service Firms

FTC Cybersecurity Financial Service Firms

The switch to remote work at the onset of the COVID-19 pandemic triggered an unprecedented wave of cyberattacks in the financial industry, with experts warning that the problem will likely worsen in the future. The Federal Trade Commission (FTC) has announced a revised Safeguards Rule to better protect the American public from the fresh wave of breaches and other forms of cyberattacks that result in financial losses. The cybersecurity experts from Centerpoint IT provide a comprehensive overview of the updated Safeguards Rule.

What Is the New Safeguards Rule?

Congress mandated the Safeguards Rule under the 1999 Gramm-Leach-Bliley Act. The Rule provides detailed steps that covered institutions should implement as part of their cybersecurity program, like limiting access to consumer data and leveraging encryption to secure the data. The latest update introduces additional specifics that must be included in the information security program. Specifically, the new safeguards Rule sets forth comprehensive requirements for a financial institution’s information security program.

Who Is Affected?

The previous version of the Safeguards Rules generally applied to financial institutions with a broader mandate than just banks. Now the definition of financial institution has been expanded to cover entities that engage in any financial activity that the Federal Reserve Board has determined to be incidental to financial activities. For example, the FTC stated it intends to include “finders” that typically connect buyers and sellers of financial products or services. In a nutshell, the new Safeguards Rule applies to non-banking entities handling customer financial information. These institutions include:

• Courier services
• Professional tax preparers
• Mortgage brokers
• Payday lenders
• Check cashing entities
• Real estate appraisers
• Non-bank lenders
• Credit reporting agencies
• ATM operators
• Motor vehicle dealers.

Additionally, the modification has also changed several terms, including “Consumer,” to “Customer,” and “Nonpublic Personal Information,” to “Personally Identifiable Financial Information.”

What Are the New Safeguards Rule Requirements?

The updated Safeguards Rule mandates all non-banking institutions to develop, implement and maintain a comprehensive security system that keeps customer information safe. The following are the additional specifics covered under the new rule:

• Designation of a qualified individual: The updated Safeguards Rule makes it mandatory for the covered financial companies to designate one or more employees to implement and manage their information security program. The qualified individual may either be an employee of the institution or an employee of a contracted service provider or affiliate. If the financial institutions designate a qualified individual from an affiliate or service provider, they still have to comply with Safeguards Rule and must appoint one of their internal employees to supervise the Qualified Individual. The modified Safeguards Rule is silent on the Qualified Individual’s specific level of education, experience, or certification.
• Reports to the Board of Directors: The new Safeguards Rule requires designated qualified individuals to provide written reports at least once a year to the board of directors on the company’s information security program and general cybersecurity posture. Specifically, the report must include the overall status of the information security program, compliance with the Safeguards Rule, and any other crucial component related to the information security program.
• Encryption of customer data: The modified Safeguards Rule makes it mandatory for the covered institutions to encrypt all customer data and information at rest and on transit or, in some cases, compensating controls.
• Written risk assessment: The updated Safeguards Rule requires the affected institutions to provide a written risk assessment that addresses specific criteria for evaluating internal and external risks to the security, confidentiality, and integrity of customer information.
• Multifactor authentication: Under the updated Safeguards Rule, covered financial institutions are now required to implement multifactor authentication for anyone accessing resources containing or transmitting customer information. The specific authenticator factors include knowledge factors like inherence factors, biometric characteristics such as fingerprints, and possession factors like a token.
• Service providers: the covered institutions must select and retain service providers to maintain robust safeguards for customer information. Apart from maintaining the safeguards, the service providers should also oversee the handling of customer information.
• Incidence response plan: Covered companies are now required to provide incident response plans designed to respond to and recover from any data security event that could affect customer information
• Penetration testing: The covered institutions are required to continuously monitor and conduct periodic testing and vulnerability assessments to detect and monitor attempted and successful cyberattacks on their IT environment. The new rule states that companies must undertake vulnerability assessments at least once every six months.

Are There Exemptions for the New Safeguards Rule?

The FTC provides some exemptions for financial institutions collecting information from not more than 5000 customers. These smaller financial institutions are exempted from meeting requirements for written assessment or incident response plans. They are also not required to present their Qualified Individual report yearly to the board of directors. However, they must meet all the other criteria of the modification.

What Is the Timeline for the New Safeguards Rule?

The timeframe for compliance with various components of the new Safeguards Rule ranges from one month to a year from the date the amended Rule is published on the Federal Register. The requirements that go into effect one year after publication include:

• Appointment of Qualified Individual
• Adoption of a written risk assessment
• Incorporating specific technical measures into the written information security plan
• Setting up monitoring or scanning and testing
• Adoption of an incident response plan
• Submission reports to the Board

Additional Proposed Changes

The FTC is also seeking comment on additional modifications to the Safeguard Rule through a recent Supplemental Notice of Proposed Rulemaking (SNPRM). The SNPRM proposes adding security incidents to the FTC by covered institutions within 30 days of discovery.

Get Professional Help to Comply with the New Safeguards Rule

In light of the myriads of changes brought by the new Safeguards Rule, covered companies must now closely evaluate their security practices for compliance. At Centerpoint IT, we understand that not all businesses and organizations have the resources and skills to implement robust security practices to comply with the new requirements. That is why we provide managed IT solutions that take the burden of compliance off your hands, so you focus on improving your bottom line. We are Atlanta’s leading IT Company providing a complete range of high-quality IT services tailor-made to meet your unique business needs. Contact us today to learn more.

Thanks for the great team at Orbis Solutions and their Las Vegas IT services team for their insights into this article.