The switch to remote work at the onset of the COVID-19 pandemic triggered an unprecedented wave of cyberattacks in the financial industry, with experts warning that the problem will likely worsen in the future. The Federal Trade Commission (FTC) has announced a revised Safeguards Rule to better protect the American public from the fresh wave of breaches and other forms of cyberattacks that result in financial losses. The cybersecurity experts from Centerpoint IT provide a comprehensive overview of the updated Safeguards Rule.
Congress mandated the Safeguards Rule under the 1999 Gramm-Leach-Bliley Act. The Rule provides detailed steps that covered institutions should implement as part of their cybersecurity program, such as limiting access to consumer data and using encryption to secure that data. The latest update introduces additional specifics that must be included in the information security program. In particular, the new Safeguards Rule sets forth comprehensive requirements for a financial institution's information security program.
The previous version of the Safeguards Rule already applied to financial institutions with a broader mandate than just banks. Now the definition of financial institution has been expanded to cover entities that engage in any activity that the Federal Reserve Board has determined to be incidental to financial activities. For example, the FTC stated that it intends to include "finders," which typically connect buyers and sellers of financial products or services. In a nutshell, the new Safeguards Rule applies to non-banking entities handling customer financial information. These institutions include:
The amendment has also changed several terms, including "Consumer" to "Customer" and "Nonpublic Personal Information" to "Personally Identifiable Financial Information."
The updated Safeguards Rule requires all covered non-banking institutions to develop, implement and maintain a comprehensive information security program that keeps customer information safe. The following are the additional specifics covered under the new rule:
The FTC provides some exemptions for financial institutions that collect information from not more than 5000 customers. These smaller financial institutions are exempt from the requirements for a written assessment and an incident response plan. They are also not required to have their Qualified Individual report yearly to the board of directors. However, they must meet all the other criteria of the amendment.
The timeframe for compliance with the various components of the new Safeguards Rule ranges from one month to a year from the date the amended Rule is published in the Federal Register. The requirements that go into effect one year after publication include:
The FTC is also seeking comment on additional modifications to the Safeguards Rule through a recent Supplemental Notice of Proposed Rulemaking (SNPRM). The SNPRM proposes requiring covered institutions to report security incidents to the FTC within 30 days of discovery.
In light of the many changes brought by the new Safeguards Rule, covered companies must now closely evaluate their security practices for compliance. At Centerpoint IT, we understand that not all businesses and organizations have the resources and skills to implement robust security practices that comply with the new requirements. That is why we provide managed IT solutions that take the burden of compliance off your hands, so you can focus on improving your bottom line. We are Atlanta's leading IT company, providing a complete range of high-quality IT services tailor-made to meet your unique business needs. Contact us today to learn more.
Thanks to the great team at Orbis Solutions and their Las Vegas IT services team for their insights into this article.