The Path to FTC Safeguards Rule Compliance
David Rutledge
Startup Founder, Sig Verify | Midnight Network | Content Creator | Growth Engineer | HubSpot Master
To keep pace with current technology and potential cyber threats, the FTC has amended the Safeguards Rule, which is intended to ensure that firms covered by the Rule maintain safeguards to protect the security of customer information. In 2021, the FTC updated the Safeguards Rule and broadened the definition of a ‘financial institution’, requiring many businesses that were not previously covered to become compliant. On June 9, 2023, the latest version of the Safeguards Rule will be enforced. Will your business be affected?
What kinds of businesses are affected by the FTC Safeguards Rule? According to FTC Safeguards Rule: What Your Business Needs to Know (2022, May), businesses that fall under the following descriptions are required to become Safeguards Rule compliant before June 9:
16 Types of Business Affected by FTC Safeguards Rules
- Banks and other depository institutions
- Credit unions
- Securities brokers and dealers
- Investment companies
- Insurance companies
- Mortgage brokers
- Payday lenders
- Non-bank lenders, including payday lenders, title loan companies, and other types of lenders
- Tax preparation companies
- Check-cashing businesses
- Debt collectors
- Prepaid card issuers
- Virtual currency companies
- Student loan servicers
- Credit counseling agencies
- Money transmitters
This list is not exhaustive, and there may be other types of businesses that are also subject to the FTC Safeguards Rule depending on their activities and the types of personal information they handle.
If the Rule does not directly affect your business, you may still want to participate in the Safeguards Rule requirements if you deal with companies who are required to be compliant. Compliance will signal to potential partners that their data and information are secure, as well as the information of their customers, whom you may also serve. By developing your business’s own program to satisfy the 9 elements, your firm can save money and headaches by taking advantage of stronger, proven safeguards against cyber threats. The steps your business takes on the path to compliance will lower the risk of data breaches and cyberattacks. Your firm will have clear policies and procedures in place if an attack does occur, which can reduce downtime and lost revenue. These policies and procedures can also reduce or eliminate costs associated with data breaches. Nakamura, K. (2023, February 1) points out that there are exceptions available for financial institutions maintaining customer information concerning fewer than 5000 consumers.
What does your business have to do to become FTC Safeguards Rule compliant? The Safeguards Rule has 9 elements that must be satisfied for your business to be considered compliant. The nine elements are listed below:
9 Elements for FTC Compliance
- Designate a Qualified Individual to implement and supervise your company’s information security program.
- Conduct a risk assessment.
- Design and implement safeguards to control the risks identified through your risk assessment.
- Regularly monitor and test the effectiveness of your safeguards.
- Train your staff.
- Monitor your service providers.
- Keep your information security program current.
- Create a written incident response plan.
- Require your Qualified Individual to report to your Board of Directors.
One of the most essential elements of compliance is to conduct risk and vulnerability assessments. Vulnerability assessments should be performed once per quarter, and risk assessments should be performed annually. Once the initial risk and vulnerability assessments have been completed, regular monitoring and future assessments should be scheduled.
Univision can provide the necessary components of an IT risk and vulnerability assessment that will pave the path to FTC Safeguards compliance. The process begins with an inventory of your network assets and an estimate of their value. This assessment gives our team of Univision technicians and engineers a baseline from which to create a roadmap to your firm’s goal of compliance, and it opens the door to the next part of the process.
The first element of the Rule states that a qualified individual must be hired or designated to implement and supervise your company’s information security plan. For most firms with an IT department, this person already exists within the company structure. For others, Univision can become the designated entity, or we can help you find or appoint one.
The qualified individual is required to report to the Board of Directors or the stakeholders of your company. This position requires strong technical knowledge of network health and security. The qualified individual must be able to accurately explain the network, security risks, mitigation, and other factors to the decision makers of the company.
The strongest tool your business has against most cyberattacks is a well-educated workforce. When implementing a program to become compliant with the FTC Safeguards Rule, it is vital to deploy a comprehensive effort to make sure employees understand how cyberattacks work, how to identify them, and what to do when a specific type of attack is recognized. Cyberattack education should be an important part of your employee onboarding process and should be periodically refreshed for all employees.
Most experts agree that it is not a matter of if your business will be attacked but when. Hackers are likely already at your system’s doorstep looking for an opportunity to be let in. We read almost daily about data breaches at businesses such as media sites, banks, crypto brokerages and, recently, the password management service LastPass. According to Kan, M. (2023, February 28), LastPass lost encrypted password vault data when one of the company’s four DevOps engineers possessing the necessary decryption keys was compromised by keylogging malware installed on his remote workstation.
The LastPass hack came about because of several incidents. A previous hack of a third-party software package, Plex, had occurred earlier, and password data was compromised. The Plex software was to be updated after the breach, but the update was not performed, and the third-party software was used to infiltrate LastPass’s system. The hackers had been working their operation for weeks, and when LastPass’s system revealed a vulnerability, the offenders were already in position to take advantage of the situation and expose the company’s data.
There are individual actions that may have prevented this data breach, but a stronger cybersecurity plan as a whole could stifle an attack such as this one on many levels. A robust plan, such as what is required to become compliant with the FTC Safeguards Rule, can give your firm more confidence about the safety of your company’s and customers’ data.
It is important that you choose your resources wisely to give your firm the best possible opportunity for a secure environment. After all, the buck stops with your company. If your data is breached, it is ultimately your firm that is responsible. This means that if your company and customer data is breached, your company is on the hook to repair the damage. Choose a managed service provider and security software that is both progressive in keeping up with what’s current and has a proven track record of keeping businesses updated and secure.