FTC Extends Cybersecurity Regulations for Financial Institutions
In October 2021, at the conclusion of a process that began in 2016, the Federal Trade Commission (FTC) published amendments to data cybersecurity requirements for financial service firms.
The Safeguards Rule (Rule), implemented under the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of consumer data held by financial institutions. The changes will seem familiar to any company already subject to other cybersecurity regulations. However, most institutions are likely new to the updated requirements in the Safeguards Rule.
The old version of the Safeguards Rule required financial institutions to implement written, comprehensive information security programs appropriate to the size and complexity of the company. The program had to describe, in a clear and organized way, the administrative, technical, and physical safeguards used to protect customer data from unauthorized access.
The updated version specifies additional elements that must appear in the information security program and in how it is enforced.
Who Does It Apply To?
The Safeguards Rule already covered a broader range of financial institutions than banks. Under the amended Rule, the definition of a financial institution also covers companies engaged in activities incidental to financial activities. It includes banks and “finders” that facilitate business transactions involving any products or services.
The amendments implemented under the GLBA impose privacy and data security obligations on financial institutions, which are stated to include:
- Check-cashing businesses
- Payday lenders
- Mortgage brokers
- Non-bank lenders
- Personal property or real estate appraisers
- Professional tax preparers
- Courier services
- Credit reporting agencies
- ATM operators
Specific Safeguards Rule Requirements
The new Safeguards Rule sets out detailed requirements for a financial institution’s data security program. Comprehensive written data security plans must now address:
- Access controls that authenticate users, permit access only to authorized users, and limit authorized users to the data they need to know.
- Inventory and management of the data, personnel, devices, systems, and facilities that enable the company to achieve its business purposes, according to their relative importance to business objectives and risk strategy.
- Encryption of all customer data, both while held and while shared over external networks.
- Multi-factor authentication
- Logging to identify unauthorized users and detect unauthorized activity
- Secure development practices for internally developed software and procedures to assess the security of externally developed software
- Continuous monitoring, or otherwise annual penetration testing and twice-yearly vulnerability assessments
- Security protocol training for employees
Documentation of Risk Assessment
Beyond the previous Safeguards Rule’s requirement for a risk assessment identifying the internal and external threats to the confidentiality and integrity of customer data, the new Rule requires that the written risk assessment include:
- Criteria for the evaluation and categorization of the identified security threats.
- Criteria for assessing the confidentiality, integrity, and availability of information systems and customer data, including the adequacy of existing controls against the identified security threats
- A description of how the firm will mitigate or accept identified threats and how the information security program will address them
Incident Response Plan Requirements
The Safeguards Rule requires a comprehensive written incident response plan designed to respond to and recover from any security event that would compromise the confidentiality, integrity, or availability of customer data. The Rule dictates that the plan must address:
- The incident response plan goals
- The internal protocols for responding to a security threat
- Distinct roles, responsibilities, and levels of decision-making personnel
- External and internal communications and information sharing
- Description of requirements for the remediation of any established flaws within information systems and associated controls
- Documents and reports concerning security threats and related incident response activities
- Assessment and modification (as necessary) of the incident response plan following a security threat
Designation of a Responsible “Qualified Individual”
Responsibility for implementing and managing the information security program must be assigned to a “Qualified Individual”. The person can be an employee of the company or of an affiliate or service provider. However, the financial institution remains responsible for compliance with the Safeguards Rule and must designate one of its own employees to oversee the Qualified Individual.
The Rule doesn’t require the Qualified Individual to hold a particular level of education, experience, or certification. However, the Qualified Individual must submit regular written reports to the financial institution’s board of directors outlining the overall status of compliance with the Rule.
The amended Rule adjusts the scope of covered financial institutions in the following ways:
- It adds “finders” as covered financial institutions. The Rule defines this new concept as entities that bring together buyers and sellers for transactions that the parties themselves negotiate and complete.
- It includes businesses such as credit reporting agencies and ATM operators that handle information on customers of other financial institutions.
- It exempts smaller financial institutions that hold customer data on fewer than five thousand individuals from some sections of the Rule, such as the incident response plan.
The reasonable next steps for your financial institution likely depend on which of the following three categories applies to you:
- Companies that the FTC’s Safeguards Rule has always covered should consider whether their current policies measure up to the new requirements and take steps to adjust areas where their policies may fall short.
- Companies that suddenly find themselves covered by the Rule due to the extended scope should consider whether the business transactions that bring them into scope are worth the compliance cost and risk. If so, they should take action to bring themselves into compliance.
- Companies subject to the FTC’s general jurisdiction must monitor developments and consider incorporating these practices into their programs.
- The FTC has extended the definition of “financial institutions” to cover more types of companies, although smaller companies remain exempt from the more demanding requirements.
- Financial institutions must appoint a “Qualified Individual” to supervise their cybersecurity compliance.
- Companies must produce a comprehensive written data security plan, an incident response plan, and a detailed risk evaluation.
- Thorough security measures are required, including multi-factor authentication, logging, scanning, and testing.
- Employee training is mandatory.
- Vendor management and supervision will be crucial.
The compliance deadlines for specific elements of the extended Safeguards Rule range from 30 days to a year after the publication of the amendments.
Thanks to Holden Watne with GenerationIX in Los Angeles for his help with this article.