FTC 'Safeguards Rule' Strengthens Data Security Requirements and Broadens the Scope of Financial Institutions Who Must Comply
This post was originally issued on November 22, 2021. We've updated this article to highlight changes that will impact a significant number of financial institutions in 2022.
On October 27, 2021, the Federal Trade Commission (FTC) released an update to the Gramm-Leach-Bliley Act’s Standards for Safeguarding Customer Information, or the ‘Safeguards Rule’ (the Rule). In response to widespread data breaches that caused significant harm to consumers, the FTC amended the rule to be more expansive in scope and specific in security controls.
Scope and Definitions
The update has expanded the definition of “financial institutions” under scope to include non-banking institutions, such as finance companies, investment advisors that are not required to register with the Securities and Exchange Commission (SEC), mortgage brokers, and finders. Finders are defined as “companies that bring together buyers and sellers of a product or service.”
Financial institutions that collect information on more than 5,000 consumers are required to maintain a comprehensive security system. A consumer, in the context of the Safeguards Rule, is defined as an “individual who obtains or has obtained a financial product or service… that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.”
Information Security Program Requirements
A significant addition to the Safeguards Rule is the specificity of the security system requirements. Previously the Safeguards Rule outlined a general security system but lacked specific requirements that financial institutions need to implement.
These requirements include the development, implementation, and maintenance of:
- Access controls
- Multi-factor authentication
- Incident response plan
- Data inventory and classification
- Continuous monitoring, or annual penetration testing with bi-annual vulnerability scans
  - Penetration testing is defined as an “attempt to circumvent or defeat the security features of an information system”
  - Along with network penetration testing, social engineering and phishing testing also satisfy this requirement
- Security awareness training for employees
- The encryption of customer data
- Secure testing practices of third-party services
- Secure procedures for disposing of customer data
  - Required to be deleted two years after the last date the data is used unless the information is required for a legitimate business purpose
- Procedures for identifying and maintaining a list of unauthorized users
- A written risk assessment
  - An internal assessment that evaluates identified security risks, the quality of controls that are currently in place, and an explanation of how these risks can be mitigated
Risk Assessment Requirements
Previously, the Safeguards Rule required financial institutions to develop and implement safeguards to address identified risks. The amended Rule has specified criteria that must be included in the risk assessment.
- Evaluation of identified security risks or threats
- Assessment of the quality of existing controls in the context of security risks
- Explanation of how the identified risks will be mitigated based on the risk assessment
Accountability and Responsibility
The FTC has made it a point to emphasize proper accountability for controls maintenance and implementation in the updated Rule:
- A single assigned “Qualified Individual” is required to be responsible for the information security program
- Periodic reports are required to be delivered to a board of directors or governing body
Exemptions and Burden-Relief Measures
While the above requirements may add additional obligations for financial institutions, the FTC has put the following measures in place to help relieve unnecessary burdens.
- Limited the scope of certain written security requirements to only those financial institutions with more than 5,000 consumers
- Revised requirements so exempted financial institutions are not required to perform a written risk assessment, conduct continuous monitoring or penetration testing, prepare an incident response plan, or prepare an annual report. However, they will still be required to conduct risk assessments, implement a written information security program, evaluate the program and adjust accordingly, oversee service providers, and train employees
- While these exempted institutions will not be audited for a written risk assessment, the FTC still requires firms to conduct risk assessments, regardless of size
- Created a system that is “process-based, flexible, and based on the financial institution’s size and complexity”
- Extended the effective date of many of the written security provisions of the amended Rule to one year after publication (October 27, 2022)
- Modified a Chief Information Security Officer requirement to be generalized based on the size and complexity of the financial institution
- Limited the requirement for updating employee training programs to “only as necessary”
ACA Guidance
ACA Aponix® highlights that while the revised Safeguards Rule goes into effect November 27, 2021, the information security program requirements, as highlighted in Section 314.4, will go into effect October 27, 2022. Many financial institutions may already have the amended security program requirements in place. We recommend checking that your financial institution’s information security program has satisfied these new requirements by October 27, 2022, if not exempt.
How Aponix Can Help
ACA Aponix offers the following solutions that can help your financial institution develop, implement, and maintain the required information security program:
- Risk Assessments and Regulatory Compliance Testing Services
- Threat intelligence, Phishing Testing, and Monitoring
- Payment and Fraud Risk Assessment Services
- Penetration Testing and Vulnerability Assessments
- Vendor Diligence and Management
- ACA Aponix's PortCo Defend™
- Operational Resilience and Governance