Updated Safeguards Rule – What You Need to Do

On October 27, 2021, the Federal Trade Commission (FTC) announced changes to the FTC Safeguards Rule in order to protect consumer data. The new cybersecurity rules were published on December 9, 2021, and require compliance by December 9, 2022.

Who’s Affected?
The rule applies to financial institutions that:

  1. Engage in “activities that are financial in nature” per 12 USC 1843(k); and
  2. Are not “subject to the enforcement authority of another regulator” (e.g., FDIC, FRB, NCUA, OCC, state banking regulators, etc.).

Examples of financial institutions that would now be subject to the rule include, but are not limited to:

  • Account servicers
  • Automobile dealerships
  • Career counselors who specialize in finance
  • Check cashiers, printers, and sellers
  • Credit counselors
  • Finance companies
  • Financial advisors
  • Finders
  • Higher education institutions
  • Mortgage brokers and lenders
  • Non-federally insured credit unions
  • Non-SEC registered investment advisors
  • Payday lenders
  • Real estate appraisers and settlers
  • Retailers with their own credit services
  • Travel agencies
  • Tax preparation firms
  • Wire transferors

Security Requirements
Companies under the rule must take measures to ensure their affiliates and service providers also safeguard consumer data in their care. Some of the newly required security measures include:

  • Designate a qualified individual to implement and supervise your company’s information security program.
  • Conduct a risk assessment.
  • Design and implement safeguards to control the risks identified through your risk assessment, to include: multi-factor authentication; access controls; data identification, classification, and asset management; encryption; secure development practices; data disposal practices; change management procedures; and user activity logging and monitoring.
  • Create a written incident response plan.
  • Submit an annual report to the Board, or similar governing body.

What You Need to Do
You have until December 9, 2022 to get your cybersecurity house in order. Implementing multi-factor authentication is a good first step (if you haven’t already). The team at BMT has experience implementing the necessary requirements for companies to ensure compliance by the deadline and can help. Contact us today for a complimentary Safeguard analysis – we’ll review your security measures, let you know what needs to be updated, and create an execution plan.