The FTC Safeguards Rule, which is a part of the Gramm-Leach-Bliley Act, or the Financial Services Modernization Act of 1999, is a set of data security guidelines for organizations in the financial sector. The rule was updated in 2021 to provide better guidance for US-based companies that are “significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities”.
What Controls are Required to Safeguard Customer Information?
According to the FTC: “The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Your information security program must be written, and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue”.
The Nine Elements of the FTC Safeguards Rule
The FTC Safeguards Rule includes nine elements that all data security programs must include:
1. Designate a qualified individual to implement and supervise your company’s information security program
Given the shortage of IT security professionals, finding a “qualified individual” is easier said than done. Fortunately, the FTC states that this person can be either an employee within the organization or an outside contractor. In that case, you could even use a virtual CISO (vCISO), or CISO-as-a-service, which is considered a cost-effective alternative to hiring a full-time CISO.
2. Conduct a risk assessment
You will need to create an inventory of all critical assets and carry out an assessment of all risks, both internal and external, to the security, confidentiality, and integrity of customer information. This includes considering how sensitive data is accessed, disclosed, misused, altered, or deleted. Risk assessments must be conducted on a periodic basis, and any time there are important changes to your operations.
3. Design and implement safeguards to control the risks identified through your risk assessment
According to the FTC website, the Safeguards Rule requires your company to:
- Implement and periodically review access controls;
- Know what you have and where you have it;
- Encrypt customer information on your system and when it’s in transit;
- Assess your apps;
- Implement multi-factor authentication for anyone accessing customer information on your system;
- Dispose of customer information securely;
- Anticipate and evaluate changes to your information system or network;
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
4. Regularly monitor and test the effectiveness of your safeguards
You will need to periodically test the effectiveness of your safeguards through continuous monitoring of your system. This includes annual penetration testing and vulnerability assessments, and you should also scan your systems for publicly known security vulnerabilities every six months. Tests should also be carried out any time there are material changes to your operations or other events that might have an impact on your information security program.
5. Train your staff
You must provide your staff, stakeholders, and third parties with regular security awareness training. Ideally, your employees should be trained to identify emerging security threats and report anything suspicious to the relevant personnel. Consider carrying out mock phishing attacks to identify weaknesses in your training program.
6. Monitor your service providers
You will need to carefully select your service providers to ensure that they have the relevant skills and experience to adequately protect the data they are entrusted with. You must inform them in advance of your security expectations, and ensure that they will allow you to conduct monitoring activities and periodic assessments of their security posture.
7. Keep your information security program current
All security programs must be flexible enough to accommodate changes in business operations and infrastructure. Changes may also follow a risk assessment or be made in response to emerging threats. It is important to actively embrace change and to ensure that anything with a material impact on your information security program is done in a controlled, well-documented manner.
8. Create a written incident response plan
An incident response plan (IRP) is a crucial component of any data security strategy. Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover:
- The goals of your plan;
- The internal processes your company will activate in response to a security event;
- Clear roles, responsibilities, and levels of decision-making authority;
- Communications and information sharing both inside and outside your company;
- A process to fix any identified weaknesses in your systems and controls;
- Procedures for documenting and reporting security events and your company’s response; and
- A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.
9. Require your qualified individual to report to your Board of Directors
The “qualified individual” that you appointed to implement and supervise your company’s information security program must regularly report to your Board of Directors, a senior officer, or a relevant governing body. They should provide the Board of Directors with an up-to-date assessment of your company’s security posture and be able to demonstrate that the program satisfies the FTC Safeguards Rule. The assessment should cover a wide range of areas, including service provider arrangements, test results, procedures for managing risks, and recommendations for changes to the information security program.