Quick-Start Guide for Implementing the FTC Safeguards Cybersecurity Program
Introduction
The newly effective FTC Safeguards Rule adds new cybersecurity requirements for compliance with the Gramm-Leach-Bliley Act (GLBA) and extends those requirements to other companies that engage in activities that are “financial in nature” or “incidental to such financial activities.”
1. What is the FTC Safeguards Rule?
A new federal regulation, 16 CFR Part 314, requires non-banking financial institutions to protect customer information from unauthorized access, use, or disclosure. It provides specific criteria for what safeguards financial institutions must implement in their information security programs.
2. What organizations are affected by the Rule?
a. The Rule adds additional requirements for organizations currently regulated under the Gramm-Leach-Bliley Act (e.g., mortgage companies, brokers, creditors, and debt collectors).
b. It extends the safeguards to “non-banking financial institutions” engaged in activities that are “financial in nature” or “incidental to such financial activities,” as described in section 4(k) of the Bank Holding Company Act of 1956 (e.g., other companies, advisers, and finders who collect or maintain information about consumers’ finances, investments, credit, taxes, etc.).
3. What does the Rule require?
Entities must develop, implement, and maintain a comprehensive information security program appropriate to the size, complexity, nature, and scope of their activities. Nine areas are defined: assign a qualified individual, conduct risk assessments, implement technical safeguards, security monitoring, testing, and training, manage service providers, incident response, and keep the security program updated.
In addition to written policies, it requires security controls in eight categories consistent with recognized industry standards, such as ISO, NIST, and CIS.
(Note: Some exceptions apply to institutions maintaining customer information on fewer than 5,000 consumers.)
4. When does it become effective?
The Rule became effective on June 9, 2023, and appropriate controls should be implemented by December 31, 2023.
5. What should you do if you are affected?
Complete a security audit and risk assessment, identify deficiencies, prepare or update written security policies, and assign or engage appropriate resources to implement cost-effective safeguards.
6. What is the cost of implementing the requirements?
Cost varies depending on your organization’s size, structure, kind and amount of customer information collected, type of information technology utilized, availability and price of IT resources and suppliers, and company risk tolerance.
The map on the next page shows the 36 safeguards required to implement the Rule for both large and SMB companies.
Non-compliance with the Rule can result in civil penalties of up to $43,792 per violation. Companies also may face legal action from customers whose information is compromised due to a data breach or cyber-attack.
Ten steps to implement a safeguards program
1. Appoint a Qualified Individual
The FTC Rule requires that financial institutions designate a “Qualified Individual” to oversee, implement, enforce, and monitor compliance. This Qualified Individual must also make annual reports to your board or equivalent body regarding the overall status of your cybersecurity and other material matters. FTC clarified requirements for the Qualified Individual: "The person designated to coordinate the information security program need only be qualified.’’ The Rule prescribes no particular level of education, experience, or certification. Accordingly, financial institutions may designate any qualified individual appropriate for their business.
It is important to stress that many cybersecurity requirements are highly technical and require specialists to implement them correctly. Since experts in all these areas are expensive and hard to find, you will likely need consultants or service providers with the appropriate skills to help.
However, based on the FTC clarification, we believe the job description for the Qualified Individual boils down to two essential requirements:
• Clearly understand the required 36 safeguards and how they relate to your business goals and operations.
• Have the experience and skills to manage the Safeguards program by engaging the appropriate resources for the highly technical areas.
In other words, you need a “cybersecurity project manager.” This person should be skilled in communication, risk management, organization, and leadership and understand cybersecurity risks and requirements. They do not need to know how to do all the work.
2. Complete a risk assessment
Risk assessment is a fundamental first step in cybersecurity project management. A good project manager should be well-versed in risk management. Risk management auditors and other specialists in organizations like ISA and ISACA can also help with this task. A risk assessment will produce a gap analysis to identify what actions you need to take.
Remembering that the FTC program focuses on protecting consumers’ data is critical to understanding your risk. Thinking of your customer’s information as being radioactive is a good idea. It must be isolated, highly controlled, and accessed by as few people as possible.
Ask how much customer data you keep in your possession. Why do you need it? Can you reduce risk by collecting less data or outsourcing it to a qualified service provider? On the operations side, how is customer data collected, used, stored, and destroyed when it is no longer needed? The measures you have in place to protect customer data at each phase of its lifecycle must be spelled out in administrative policies, technical protections, and staff training.
3. Establish written security policies and procedures
Avoid generic templates; your security policies should be written and tailored to your organization. They should describe the overall structure and functions that need to be performed and how you will measure performance. They should be based on recognized frameworks such as ISO 27001, NIST, CIS, or industry standards like AICPA, GLBA, or IRS rules. Also, you should be mindful of state rules regarding breach reporting, red flag laws, and other regulations. Documents do not need to be lengthy tomes; checklists are effective for defining security requirements and can help maintain status. Many companies like two policies: a Technical Security Policy for your IT staff and an Acceptable Use Policy (AUP) for other folks.
At least one of your policies should carefully define and document how your customer’s information will be collected, used, and protected, such as:
• Who can access the information, and why do they need this access?
• How do they gain access? (The only correct answer is a secure, encrypted connection with multi-factor authentication enabled.)
• Where does the information reside while they are using it? (It must also be secure and encrypted.)
• Where does the information go when they are finished with it? (Securely stored or destroyed and not left in discarded or forgotten devices.)
• Don’t forget to include special precautions for people traveling or working remotely.
4. Train your staff and make sure your security team is qualified
Resist the pressure to skimp on initial security training and ongoing security awareness. Human error is a significant factor in opening doors to cyber criminals. Like safety, people need to be reminded frequently about security and how to prevent “cyber-accidents.”
• Train your staff about security procedures and implement an ongoing security awareness program about phishing, email compromise, and other forms of social engineering. There are many good sources of security awareness training; there is no need to reinvent them.
• Engage the best IT and security resources you can afford, make sure they are suitably qualified, and keep their skills updated. If your staff is not qualified to implement and manage the needed technical controls, engage consultants or service providers who are.
5. Take the time to engage qualified service providers
Carefully screen all your service providers who use your systems and/or can access customers’ data. Make sure you have:
• A copy of the suppliers’ security plan
• A contract that defines their responsibilities for securing your customers’ information
• A copy of their SOC 2 certification
• Performed adequate due diligence, checked their reputation, talked to other customers, and, if appropriate, visited their site(s) where your information will be housed
Only buy thoroughly tested software from reputable sources and apply the appropriate installation and security controls. Finally, implement procedures to verify that your systems are patched and that software is updated regularly.
6. Implement effective ongoing monitoring and maintenance
You need IT professionals to implement and manage the required technical controls at this stage. Some essential controls are configuring and managing identification and authorization controls, automatic monitoring, responding to hardware and software alerts, intrusion detection and response, network configurations and controls, firewalls, and device security. Ensure your computers and other devices are still covered by manufacturers’ updates (e.g., Windows 7 no longer is). The complexity of the technical controls will vary depending on the results of your risk assessment.
7. Arrange for periodic testing and assessments of your security defenses
You must have penetration tests performed at least every six months and a vulnerability assessment at least annually. There are many consultants and service providers who can run these tests, and that is likely more cost-effective than using your busy IT staff.
8. Have a tested incident response plan
This is likely one of the most important things you can do. Because threats are evolving so rapidly, no level of security maturity can guarantee that you won’t have a security incident. If you have an incident, you must ensure that your systems’ software and customer data are safely stored elsewhere and can be recovered quickly and efficiently.
Incident response is a complex process, and it’s not a place for amateurs. Many large enterprises and government agencies have difficulty managing incidents. More often than not, security incidents like ransomware, DDoS, and business email compromise are fatal events for small organizations that lack clean backups and a tested incident response plan.
Your incident response plans should be designed and managed by highly qualified professionals, and there are service providers who specialize in managing data backups and incident response services.
Incidentally, since the FTC can fine you about $45,000 for each incident, this is an excellent place to discuss “What is an incident?”
Well, it’s a lot broader than you might have guessed. According to the NIST Computer Security Resource Center, a security incident is defined as “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies” (NIST SP 800-12 Rev. 1, NIST SP 800-128, and NIST SP 800-137).
That’s a mouthful; we hope you never need an attorney to parse it.
9. Evaluate and adjust your information security plan
Evaluating and adjusting is critical to any business process, including your security program. The FTC states that you should assess information security based on the results of testing and monitoring, material changes to your operations and business situation, the results of risk assessments, and any other circumstances that may have a material impact.
Your Qualified Individual should report in writing, regularly and at least annually, to your board of directors or equivalent governing body regarding the overall status of your security program and other material matters. Finally, you should schedule periodic risk assessments to assess any new risks that may become evident.
10. How ServiSight can help you implement your Safeguards Program
You didn’t expect us to write all this without adding a commercial, right?
ServiSight LLC is a 20-year-old business services and technology consulting company. We offer a broad range of IT, telecom, cybersecurity, data management, and applications for business and technical needs.
Additionally, we are senior consultants with OTG Consulting and represent over 400 technology providers worldwide to deliver innovative solutions and competitive pricing for a broad range of services and products. We can help you with all phases of developing and implementing your FTC Safeguards program and other technological needs.
We offer a free, no-obligation evaluation of your business situation and technology needs. We will help you plan your program and obtain competitive proposals from qualified suppliers for your cybersecurity and information technology needs.
We hope you find this information helpful and welcome your comments and suggestions.
Contact us: ServiSight LLC (720) 507-6494 servisightllc@gmail.com
Disclaimer: This document is for informational purposes only and does not constitute legal advice. Professional advice about your business requirements should be sought before acting on any of the information given.
©2023 ServiSight LLC