Updated Safeguards Rule – What You Need to Do
On October 27, 2021 the Federal Trade Commission (FTC) announced changes to the FTC Safeguards Rule in order to protect consumer data. The new cybersecurity rules were published on December 9, 2021 and require compliance by December 9, 2022.
Who’s Affected?
The rule applies to financial institutions who:
- Engage in “activities that are financial in nature” per 12 USC 1843(k); and
- Are not “subject to the enforcement authority of another regulator” (e.g., FDIC, FRB, NCUA, OCC, state banking regulators, etc.).
Examples of financial institutions that would now be subject to the rule include, but are not limited to:
Security Requirements
Companies under the rule must take measures to ensure their affiliates and service providers also safeguard consumer data in their care. Some of the newly required security measures include:
- Designate a qualified individual to implement and supervise your company’s information security program.
- Conduct a risk assessment.
- Design and implement safeguards to control the risks identified through your risk assessment, including: multi-factor authentication; access controls; data identification, classification, and asset management; encryption; secure development practices; data disposal practices; change management procedures; and user activity logging and monitoring.
- Create a written incident response plan.
- Submit an annual report to the Board, or similar governing body.
What You Need to Do
You have until December 9, 2022 to get your cybersecurity house in order. Implementing multi-factor authentication is a good first step (if you haven’t already). The team at BMT has experience implementing the necessary requirements for companies and can help ensure compliance by the deadline. Contact us today for a complimentary Safeguards analysis: we’ll review your security measures, let you know what needs to be updated, and create an execution plan.