The Federal Trade Commission (FTC) has made June 9th the deadline for financial institutions to comply with the new FTC Safeguards Rule, compelling them to put measures in place to protect customer information.
Throughout the very short history of the Internet, hackers have exposed more data records than there are stars in our galaxy … or 10, or even 100 galaxies. So in late 1999, when governments were starting to understand the breadth and depth of threats to critical data systems which underlie almost every pillar of western society, the U.S. Congress enacted the Gramm-Leach-Bliley Act. This law sought to re-organize financial services regulation and as a result, reshaped the entire financial industry.
Fast-forward to June 9, 2023, and you’ll find new provisions (published in 2021) from the FTC coming into effect that expand the definitions and scope of impacted systems, organizations, processes, and procedures. Cybersecurity commissions and experts hope that these changes, which we’ll go into below, will reinforce existing customer information security practices and enable more organizations to adopt meaningful risk-based approaches.
It’s important to note that complying with these requirements is not optional for the financial services industry or related processors of financial data.
Who has impacted data?
A financial institution is any business whose primary activities involve handling currencies, holding fiduciary responsibilities, or maintaining business records, customer financial information, and many other aspects of America’s commerce and tax system (although certain exceptions, which reduce some of the reporting obligations attached to an information security management plan, apply to businesses with fewer than 5,000 customers).
The 2021/23 update expands the rule from banks and brokerages to include companies not typically considered to be financial institutions, such as car dealerships and tax preparers. The rule also adds those who provide connections between buyers and sellers on an open exchange or platform that processes transactions on behalf of others. Increasingly, fintechs are falling under the scrutiny of the FTC. As a result, you may find your company on this list.
However, simply handling money does not make you subject to GLBA and the FTC Safeguards Rule: a small retailer without its own credit application system, for example, would not be accountable for the burdensome weight of regulatory oversight. Even so, such a business would still benefit from adopting some of this more rigorous strategy through improved business resiliency and recoverability.
What are you required to do?
Most medium to large businesses that want to gain the trust of customers and partners do so by proactively complying with regulatory mandates. These include broad-reach information security (infosec) standards such as SOC 1/SOC 2 and ISO 27001, and industry-specific regimes such as PCI and FINRA.
This ecosystem generally requires a comprehensive approach to maintaining the CIA, or confidentiality, integrity, and availability, of data and infrastructure. Businesses covered by the GLBA Safeguards Rule must implement an infosec management program in a written plan whose scope is defined by the nature, scope, and sensitivity of the data they handle.
You’ll need to understand and defend against known and emerging threats to systems and networks, protect held or processed data (e.g., databases or individual transactions), and document your ability to report on data access and usage, to name just a few obligations. This plan must be reviewed and updated regularly, employees and contractors must be educated on its principles and requirements, and ongoing security rules and monitoring must be established.
What does a reasonable ISMS look like?
An information security management system (ISMS) or plan defines the policies, standard operating procedures, data parameters, access controls, logging, and related parameters needed to comply with an industry-standard audit. However, the comprehensiveness of the ISMS program depends on multiple factors, among them business size, data sensitivity, risk profiles, and threat assessments. Given the FTC’s broad definition of what constitutes a financial institution, where applicable you will need to develop, implement, and maintain an information security program.
As an organization or leadership team, your minimum bar for risk tolerance should be balanced to avoid unduly impeding your business interests. Like performing a pre-assessment for an ISO audit, you should build an infosec baseline that everyone will support. This will define operational costs, people resources, legal exposure, and other important considerations directly impacting your regulatory compliance.
The tasks required to meet the regulations fall into “domains” which contain “controls” that guide you in data security management, and they can be quite effective if you:
- designate a qualified individual to implement and supervise your company’s information security program
- conduct a risk assessment
- design and implement safeguards to control the risks identified through your risk assessment
- regularly monitor and test the effectiveness of your safeguards
- train your staff
- monitor your service providers
- keep your information security program current
- create a written incident response plan
- require your qualified individual to report to your Board of Directors
It is also important to examine the prerequisites for this program. You should understand data value, location, sensitivity, use cases, time horizon, users, owners, and other asset identifiers that will need to be securely and appropriately gathered and analyzed.
While it does add potential complexity to many businesses that otherwise hadn’t been subject to regulatory oversight, the updated law is important for everyone, not just service providers. We all have sensitive data at financial institutions, sometimes even without our knowledge (recall the Equifax breach). Laws protecting that information are another level of safety assurance for us; enforcing the equitable application of the standard across all service providers benefits our personal financial health, and that of the broader economy.
To comply with the FTC Safeguards Rule, you can leverage Cyera to strengthen your data infosec program and achieve visibility of your customer information. Gaining an understanding of your data is the foundation for implementing effective controls. With Cyera, you can expect to:
- Inventory all your customer information
- Flag compliance violations involving customer information
- Automatically assign severity to data exposures
- Continuously monitor the data attack surface
- Identify the users accessing customer information
- Audit the encryption status of customer information
- Improve segmentation of customer information into secure environments
- Audit access and permissions to customer information
- Remediate risks via automated workflows
Cyera’s data security platform provides deep context on your data, applying correct, continuous controls to assure cyber-resilience and compliance.
Cyera takes a data-centric approach to security, assessing the exposure to your data at rest and in use and applying multiple layers of defense. Because Cyera applies deep data context holistically across your data landscape, we are the only solution that can empower security teams to know where their data is, what exposes it to risk, and take immediate action to remediate exposures and assure compliance without disrupting the business.
To learn more about how you can secure customer information under the FTC Safeguards Rule, schedule a demo today.