Federal Regulations Get Tighter: What It Means for Your Business
Robert Siciliano
#1 Best Selling Author Cyber Security Speaker Architect of CSI Protection Cert Cyber Social Identity Personal Protection
March 2023 Newsletter - If you’d like to read this newsletter at the same time as our subscribers, please sign up here.
Federal Regulations Get Tighter: What It Means for Your Business
Before you say no, consider this question carefully: Is your business a financial institution? Does the Federal Trade Commission (FTC) think your business is a financial institution? The answer may surprise you.
The compliance deadline for the FTC Safeguards Rule is June 9. By that date, affected businesses must complete a series of tasks, including hiring a Qualified Individual if they do not have one, securing systems and data, developing written protocols for cyber attack response and recovery, training employees and preparing reports. Businesses that fail to comply face fines of $43,972 per violation per day.
We have seen an increase in people reading and asking about Safeguards Rule compliance. Our answer is constant: Affected businesses need to take action now, for two reasons. First, there is a lot of work to do in some cases. Second, as the deadline nears, you may find it impossible to hire someone to help you with compliance. We fully expect there to be a shortage of Qualified Individuals and qualified Virtual CISOs who can manage compliance, which makes it critical to begin the process as soon as possible.
To help you determine if you are impacted, we prepared Small Businesses Need to Know About the FTC Safeguards Rule, which outlines compliance guidelines and businesses that must comply. In general, if you provide financial services, help your customers get credit, or gather information that is used to facilitate financial transactions, you need to be ready for June 9. You may find our companion article, “Who Is a Qualified Individual?” helpful as well.
The compliance deadline has already been extended once, from December 2022. While it could move again, this is not guaranteed. Compliance is far less costly than a data breach or FTC fines, and you will gain the peace of mind that comes from having up-to-date cyber security.
BREAKING:
Biden Administration Unveils National Cybersecurity Policy
On March 2, the Biden Administration unveiled the new National Cybersecurity Policy for the United States. As we discussed in January, the new policy recommendations seek to push the burden for cyber security onto private businesses by moving away from “best” and “good faith” efforts and toward measurable standards.
The scope of the new policy is limited. The Biden Administration can use executive orders to mandate compliance for the Federal agencies it controls, but it will take an act of Congress to formalize standards and laws, and no such legislation is on the horizon.
We see a period of court battles and confusion coming for the new rules, with two real concerns for business owners. All businesses need to consider whether cyber insurance providers will use the new policy to deny claims. Although the policy currently exists only as a framework, an insurer could cite it, along with other Federal and state regulations, to challenge a large claim.
Businesses that hold or seek to hold Federal contracts should also be on notice. Although the Biden Administration has not signaled its intent to do so, it could issue Executive Orders mandating compliance with the National Cybersecurity Policy as a condition of maintaining or bidding for Federal contracts. Past presidents have used this mechanism in recent years to encourage compliance without involving Congress.
The question to ask as a business owner is not, “Is my cyber security good enough,” but, “Does my cyber security meet Federal standards?”
Stat of the Month
124,298
The number of top-level domains (TLDs) with phishing complaints operated by Freenom, a domain name registrar that allowed customers to register domains for free on country-code domains including .cf, .ga, .gq, .ml and .tk.
The company agreed to stop registering new domains after it was sued by Meta for allowing domain spoofing and trademark infringement, techniques employed by cyber criminals to fake well-known domains in the hope of stealing passwords or installing malware. Meta is also seeking the names and locations of 20 John Does who used Freenom to launch phishing attacks against Meta’s users.
Now Booking Q4 Keynote Speeches
Don’t miss the opportunity to have bestselling author, cyber security expert and Protect Now Head of Training Robert Siciliano speak at your conference or gathering. Robert’s speeches drive home the importance of cyber security in dynamic, entertaining sessions that leave audiences excited to practice what they learned and aware of their attitudes toward security in every aspect of their lives.
Robert’s fourth-quarter schedule fills up fast, so contact us online now to secure your event date, or call us at 1-800-658-8311. For additional information, audience reviews and a free webinar, visit protectnowllc.com.
Scammers Prey on People Hoping to Aid Earthquake Victims
Devastating earthquakes in Syria and Turkey have brought suffering and cyber crime. Scammers are actively trolling social media sites and email inboxes with bogus appeals for victim aid.
Those who donate lose in three ways. Their donations never reach the people donors hope to help. Criminals get a payday. They also get a warm lead. As we often say, if you fall for a scam once, all the scammers come knocking on your door.
No matter how gut-wrenching the emotional appeal is, never donate to charities soliciting earthquake aid on social media, via text or via email. Your money will be stolen, and you will find yourself targeted by additional scams, because criminals collect your personal information and share it with others.
If you want to support earthquake relief in Syria and Turkey, make a donation directly through the website of a known charity. The Red Cross and Red Crescent societies are providing significant aid in affected communities. You can learn more and make a donation at redcross.org.
Most Online Cyber Security Training Fails Fundamentally
Have you ever taken a critical look at your cyber security employee training materials? If you use an online solution, it probably gives a basic overview, asks employees to watch some videos, then ends with a 10-question evaluation. You wind up with employees who can define “phishing” when you need employees who can prevent phishing.
The fundamental failure of most eLearning solutions lies in their generic approach. Employees may learn enough to stop an obvious attack, but they may not know what to do when the attacker impersonates your staff or a client. Our Cyber, Social, Identity (CSI) Protection Certification program was built to address this exact problem. We teach employees to trust their instincts and question the kind of requests that scammers and hackers use to breach cyber defenses. We do this by helping employees recognize the stronger standard they apply to their personal security, then show them how to use that in all situations. Contact us online to get a program that changes security culture, or call us at 1-800-658-8311.
A new era in cyber security has begun. The U.S. government, state agencies and insurance companies are all moving toward greater accountability and regulation for every business that collects, stores or shares information online. To draw an analogy, they all increasingly expect business owners to have locks on the doors, but no one can say what type of locks.
This puts business owners in the unfortunate position of trying to comply with invisible mandates. There may be a temptation to wait until something concrete emerges, or to see if that FTC Safeguards Rule deadline gets pushed back again. You do this at your own peril—not just from fees and fines, but from the risks of a data breach or destructive cyber attack.
The Protect Now team is continually working to deliver the highest standards of employee training, and to seek accreditation and compliance certification where we can get it. We are always here to share what we know and give you our best advice as we navigate the changing cyber security environment. Feel free to reach out to me at any time with your questions, and look forward to concrete updates on regulations and compliance in this newsletter and our cyber security blog.
MCT, C|EH Master, C|HFI, 8x Microsoft Certified
1 year
Thanks for sharing.