Complying With the FTC's Amended Safeguards Rule
Bloomberg Law
Cybersecurity is a looming threat for most businesses. The impact of a major cyber event can resonate for weeks, months, and even years after the initial attack. To mitigate the risks to consumers, there have been several legislative updates to address these evolving threats, including a significant change for entities in, and adjacent to, the financial services space.
Specifically, the Federal Trade Commission (FTC) has updated its Standards for Safeguarding Customer Information (Safeguards Rule). The Safeguards Rule took effect in 2003 and was amended in 2021 to keep pace with evolving technology. The amended Safeguards Rule provides more concrete guidance on how to implement core data security principles for covered financial institutions. The FTC extended the original deadline for certain safeguards by six months, and compliance with the Safeguards Rule is now required by June 9, 2023.
Who Is Covered?
The Safeguards Rule applies to financial institutions that are engaged in an activity that is “financial in nature” or is “incidental to such financial activities,” that are subject to the FTC's jurisdiction, and that are not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6805. Examples of businesses deemed financial institutions subject to the FTC's jurisdiction under the Safeguards Rule include: mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the Securities and Exchange Commission (SEC).
Finders
The 2021 amendments to the Safeguards Rule added a new example of a financial institution, now referred to as “finders,” which are companies that bring together buyers and sellers of any product or service for transactions that are covered by the rule. The change to the definition of “financial institution” under the FTC's updated Safeguards Rule brings it into harmony with other agencies’ GLBA rules and expands the scope of the definition.
Activities that are within the scope of acting as a finder include such things as “[i]dentifying potential parties, making inquiries as to interest, introducing and referring potential parties to each other, [] arranging contacts between and meetings of interested parties,” and “[c]onveying between interested parties expressions of interest, bids, offers, orders and confirmations relating to a transaction.” 12 C.F.R. § 225.86(d)(1)(i)(A)-(B). However, the Safeguards Rule only applies to “customers” (i.e., consumers with an ongoing relationship with the financial institution), so it will not apply to finders with only isolated interactions with consumers and that do not receive information from other financial institutions about those institutions’ customers. 16 C.F.R. § 314.1(b).
Small Business Exemption
In an effort to balance the need for information security with the financial burdens on smaller businesses, the FTC added a “small business” exemption, which excludes businesses that “maintain customer information concerning” fewer than 5,000 consumers from several requirements of the new rule that require written work product. 16 C.F.R. § 314.6.
Specifically, small businesses are exempt from the following requirements: written risk assessments; a written incident response plan; an annual written report by the qualified individual; and continuous monitoring or, alternatively, annual penetration testing and semiannual vulnerability assessments.
What Are the New Security Requirements?
Access Controls
The amended Safeguards Rule now mandates that a financial institution's information security program contain access controls. Most significantly, financial institutions must implement least privilege—ensuring that employees have only those privileges necessary to perform the requirements of their job and that customers only have access to their own data. 86 Fed. Reg. 70285–86.
Although this requirement works well in theory, it can be difficult to implement. A true least privilege policy requires that companies routinely audit what access is necessary for each employee because job roles often change. Otherwise, employees and contractors may experience privilege creep, wherein they gain more and more access to sensitive information and systems the longer they are employed at the company.
Financial institutions should consider limiting IT staff's access to customer information. Although these employees and contractors must have access to critical infrastructure systems, many of them will not require access to the underlying data itself.
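The routine access review described above can be scripted against an entitlement export. The following is an added example, not code from the article or from Bloomberg Law; the role baselines, entitlement names and accounts are constructed sample data, and the audit compares each account's actual entitlements with the baseline for its current role, flags excess access that belongs to a role the user previously held (privilege creep), and flags infrastructure staff who hold customer-data entitlements.

```python
"""Least-privilege audit over an entitlement export.

Added example, not from the article. Role baselines, entitlement names and
accounts are constructed sample data; the audit logic is an illustration of
the routine access review the text describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed baseline: the entitlements each role needs for its job. The
# infrastructure role holds host administration rights but no customer-data
# entitlement, mirroring the point that IT staff rarely need the data itself.
ROLE_BASELINES: Dict[str, Set[str]] = {
    "loan_officer": {"crm:read", "crm:write", "docs:read"},
    "collections": {"crm:read", "dialer:use"},
    "sysadmin": {"host:admin", "backup:run"},
}
CUSTOMER_DATA_ENTITLEMENTS = {"crm:read", "crm:write", "docs:read"}
INFRASTRUCTURE_ROLES = {"sysadmin"}


@dataclass
class Account:
    user: str
    role: str                      # current job role
    entitlements: Set[str]         # what the account can actually do today
    prior_roles: List[str] = field(default_factory=list)


def excess_entitlements(account: Account, baselines=ROLE_BASELINES) -> Set[str]:
    """Entitlements the account holds beyond its current role's baseline."""
    return account.entitlements - baselines.get(account.role, set())


def audit_accounts(accounts, baselines=ROLE_BASELINES):
    """One finding per account that exceeds its baseline.

    'privilege_creep' is the subset of the excess that belongs to a role the
    user previously held, i.e. access never revoked on a role change.
    'it_with_customer_data' flags infrastructure staff holding data access.
    """
    findings = []
    for acct in accounts:
        excess = excess_entitlements(acct, baselines)
        if not excess:
            continue
        creep = set()
        for old_role in acct.prior_roles:
            creep |= excess & baselines.get(old_role, set())
        findings.append({
            "user": acct.user,
            "excess": sorted(excess),
            "privilege_creep": sorted(creep),
            "it_with_customer_data": acct.role in INFRASTRUCTURE_ROLES
            and bool(excess & CUSTOMER_DATA_ENTITLEMENTS),
        })
    return findings


# Constructed export, as an IAM system might produce it.
SAMPLE_ACCOUNTS = [
    Account("alice", "loan_officer", {"crm:read", "crm:write", "docs:read"}),
    Account("bob", "collections", {"crm:read", "crm:write", "dialer:use"},
            prior_roles=["loan_officer"]),
    Account("carol", "sysadmin", {"host:admin", "backup:run", "crm:read"}),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(finding)
```

Running the sample flags bob's leftover `crm:write` from his earlier loan-officer role and carol's `crm:read`, which a system administrator does not need; alice matches her baseline and produces no finding. In practice the baselines come from the role definitions the institution maintains and the accounts from the identity system, and the review runs on a schedule rather than once.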
Data Inventory & Classification
Importantly, financial institutions must perform data inventory and classification. This is imperative. “This inventory forms the basis of an information security program because a system cannot be protected if the financial institution does not understand its structure or know what data is stored in its systems.” 86 Fed. Reg. 70286.
Because cyber regulation in the US, including the Safeguards Rule, embraces a risk-management approach, the fundamental job of an information security program is to identify digital assets, recognize the risks that threaten those digital assets, and employ controls and other mechanisms to mitigate those risks. The first step in that process must be to inventory those data assets.
As a practical matter, investing in a proper data inventory and classification program can greatly reduce the cost of responding to a breach by streamlining the investigation and reducing uncertainty—especially considering that breach counsel must separately evaluate whether the data the institution owns constitutes “personal information” under the statutes of each state in which the data subjects reside. For additional information on state laws governing data breach response, see Chart Builder - State Data Breach Notification Requirements.
Data Disposal & Data Retention
The Safeguards Rule now requires financial institutions to securely dispose of customer information within two years of the point at which the data is no longer necessary to provide services to the customer, unless the information is still required for business operations or other legitimate business purposes, must be retained by law, or cannot feasibly be deleted. 16 C.F.R. § 314.4(c)(6).
In addition to developing procedures for the secure disposal of customer information, the new rule now requires financial institutions to periodically review their data retention policy to minimize unnecessary retention of information. Together, these requirements provide flexibility for financial institutions to retain data where they have a legitimate business purpose while clarifying that retaining customer information that no longer serves a purpose presents an unreasonable risk of harm to the affected customer.
From a practical perspective, reducing the scope of digital assets the organization must protect can greatly reduce exposure to financial risk and the significant costs associated with data storage, backup, and management. Additionally, financial institutions must take care to ensure data is properly destroyed. For example, policies should include instructions to ensure that hard drives are properly wiped or destroyed before they are recycled.
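The two-year disposal rule and the periodic retention review above can be expressed as a classification over the data inventory. The following is an added example, not code from the article; the record fields, the review date and the sample records are constructed, and the 730-day measurement of "two years" is an assumption of this example. Each record is either queued for secure disposal or retained with a documented reason matching one of the exceptions the text lists.

```python
"""Two-year retention review for customer records.

Added example, not from the article. Record fields and sample data are
constructed; the classification follows the retention exceptions the text
lists (ongoing business purpose, retention required by law, deletion not
feasible).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: the two-year limit is measured as 730 days from the last use.
RETENTION_LIMIT = timedelta(days=730)


@dataclass
class CustomerRecord:
    record_id: str
    last_service_use: date                  # last date the data served the customer
    business_purpose: Optional[str] = None  # documented legitimate purpose, if any
    legal_hold: bool = False                # retention required by law or litigation hold
    deletable: bool = True                  # False where the data cannot feasibly be deleted


def disposition(record: CustomerRecord, today: date) -> Tuple[str, str]:
    """Return ('retain' | 'dispose', reason) for one record."""
    if today - record.last_service_use <= RETENTION_LIMIT:
        return "retain", "within two-year window"
    if record.legal_hold:
        return "retain", "required by law"
    if record.business_purpose:
        return "retain", f"business purpose: {record.business_purpose}"
    if not record.deletable:
        return "retain", "cannot feasibly be deleted; document and re-review"
    return "dispose", "past two years with no retention basis"


def disposal_queue(records: List[CustomerRecord], today: date) -> List[str]:
    """Record ids to hand to the secure-disposal process."""
    return sorted(r.record_id for r in records if disposition(r, today)[0] == "dispose")


def retention_review(records: List[CustomerRecord], today: date) -> Dict[str, int]:
    """Counts per outcome and reason, the summary a periodic retention review records."""
    summary: Dict[str, int] = {}
    for r in records:
        outcome, reason = disposition(r, today)
        key = f"{outcome}: {reason}"
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample data; the review date is the rule's compliance date.
REVIEW_DATE = date(2023, 6, 9)
SAMPLE_RECORDS = [
    CustomerRecord("r1", date(2022, 1, 15)),
    CustomerRecord("r2", date(2020, 3, 1)),
    CustomerRecord("r3", date(2019, 6, 30), legal_hold=True),
    CustomerRecord("r4", date(2020, 11, 20), business_purpose="open billing dispute"),
    CustomerRecord("r5", date(2018, 1, 1), deletable=False),
]

if __name__ == "__main__":
    print(disposal_queue(SAMPLE_RECORDS, REVIEW_DATE))
    print(retention_review(SAMPLE_RECORDS, REVIEW_DATE))
```

Only `r2` reaches the disposal queue; the other stale records each carry a retention reason that the review summary records, which is the written justification the institution would want on file when retaining customer information past the two-year mark.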
Encryption of Data Both in Transit & At Rest
The Safeguards Rule now requires the encryption of customer information both at rest and in transit over external networks. 16 C.F.R. § 314.4(c)(3). Although encryption has become easier and more cost-effective to deploy, ambiguity remains over what counts as sufficiently encrypting customer information. Indeed, because the Safeguards Rule takes a risk assessment approach to regulation, the level of encryption required must be determined by examining the value of the data being encrypted and the risks associated with retaining that data.
Encrypting data in transit is the easier task. CISOs can implement policies requiring the use of encrypted virtual private network connections, for example. Encryption at rest is less clear. Many companies encrypt the hard drives of their employee laptops to mitigate the risk associated with data loss if the laptop were ever stolen. How an institution accomplishes encryption of data at rest for its server-side applications and files remains less clear, however. Many data center solutions include the option for encrypted hard drives, but unlike laptops, these hard drives are at significantly less risk of theft.
Multifactor Authentication
The amended Safeguards Rule now requires the use of multi-factor authentication, though the language is very broad. The regulation requires “multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.” 16 C.F.R. § 314.4(c)(5). This broad requirement is limited, however, to those information systems that contain customer information or are connected to such systems. 16 C.F.R. § 314.2(j).
The biggest practical consideration of this language is that it does not limit the multi-factor authentication requirement to only those systems accessed from external sources. Consider an application or service that contains customer information but can only be accessed by company employees while they are in the office at their company computer. The application is not technically exposed to the open internet because it is an internal-only system. Still, it must be protected using multi-factor authentication. Indeed, the FTC was presented with an argument for “a distinction between internal access and external access,” 86 Fed. Reg. 70289, but it nevertheless sided with commentators arguing for equal treatment between external and internal users.
Traditionally, IT security professionals have focused their use of multi-factor authentication on external services such as customer portals and employee remote access. But if the requirement applies to both internal and external systems that contain customer information, then those IT security professionals must be able to identify all places on the internal network where customer information is stored. If a company cannot be sure that it knows where all of its customer information is stored, then that company might be required to enable multi-factor authentication on all network access, under the broad language of the amendment.
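The coverage question raised above, which systems are in scope and which of them lack multi-factor authentication, can be answered from a system inventory once it records where customer information lives and what connects to it. The following is an added example, not code from the article; the inventory, the connections and the approval list are constructed, and treating scope as the systems holding customer information plus those directly connected to them is this example's reading of the definition the text cites. Internal-only systems are reported alongside internet-facing ones, which is the passage's point.

```python
"""MFA coverage check against a system inventory.

Added example, not from the article. The inventory, connections and
approval list are constructed; scope is computed as the systems that hold
customer information plus those directly connected to them, which is this
example's reading of the definition the text cites.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed inventory: name -> attributes.
SYSTEMS: Dict[str, dict] = {
    "customer-portal": {"customer_info": True,  "mfa": True,  "internet_facing": True},
    "vpn-gateway":     {"customer_info": False, "mfa": True,  "internet_facing": True},
    "loan-db":         {"customer_info": True,  "mfa": False, "internet_facing": False},
    "reporting-app":   {"customer_info": False, "mfa": False, "internet_facing": False},
    "intranet-wiki":   {"customer_info": False, "mfa": False, "internet_facing": False},
    "hr-system":       {"customer_info": False, "mfa": False, "internet_facing": False},
}
# Constructed network connections, undirected.
CONNECTIONS: List[Tuple[str, str]] = [
    ("customer-portal", "loan-db"),
    ("reporting-app", "loan-db"),
    ("intranet-wiki", "hr-system"),
]


def in_scope_systems(systems, connections) -> Set[str]:
    """Systems holding customer information, plus those directly connected to one."""
    holders = {name for name, attrs in systems.items() if attrs["customer_info"]}
    neighbours = set()
    for a, b in connections:
        if a in holders:
            neighbours.add(b)
        if b in holders:
            neighbours.add(a)
    return holders | neighbours


def mfa_gaps(systems, connections, approved_equivalents: Iterable[str] = ()) -> List[dict]:
    """In-scope systems without MFA and without a written equivalent-control approval.

    `approved_equivalents` lists systems for which the Qualified Individual has
    approved an equivalent or stronger control in writing.
    """
    approved = set(approved_equivalents)
    gaps = []
    for name in sorted(in_scope_systems(systems, connections)):
        attrs = systems[name]
        if attrs["mfa"] or name in approved:
            continue
        gaps.append({"system": name, "internal_only": not attrs["internet_facing"]})
    return gaps


if __name__ == "__main__":
    for gap in mfa_gaps(SYSTEMS, CONNECTIONS):
        print(gap)
```

With the sample inventory the two gaps are `loan-db` and `reporting-app`, both internal-only: the database because it holds customer information, the reporting application because it is connected to the database. The intranet wiki and HR system fall outside scope even though they also lack MFA. If the inventory itself is incomplete, the check is only as good as the inventory, which is the practical difficulty the passage describes.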
Adoption of Change Management Procedures
Financial institutions must now implement change management procedures to ensure that any modifications to the network environment do not compromise security. 16 C.F.R. § 314.4(c)(7). Some commentators noted that these procedures are commonplace for purposes other than security. For example, change management procedures have long been considered an essential control to prevent unexpected service interruptions caused by hasty changes to systems. Though some commentators pointed to financial institutions whose systems have not changed for years, information systems should never remain stagnant.
Even software patching and updates should be processed through a financial institution's change management procedures, and any IT system that has not been updated for years presents an untenable risk of breach. Moreover, because threat actors are constantly updating their attack schemes, IT security engineers must constantly update cyber defenses. Thus, systems that have not evolved for some time must be re-examined and changed to address present risks and vulnerabilities, thus rendering proper change management a crucial part of any information security program.
Monitoring & Logging
Financial institutions must implement monitoring, logging, and testing policies and procedures to ensure the effectiveness of their cybersecurity safeguards. 16 C.F.R. § 314.4(c)(8). These must be designed to detect any attempted cyberattacks and to effectively monitor the activity of cybercriminals once they infiltrate the financial institution's network. This should include periodic penetration testing and vulnerability assessments to establish whether the financial institution's monitoring and logging systems are properly identifying malicious activity. If the financial institution is unable to implement continuous monitoring, the rule requires that penetration testing be performed at least annually and be targeted to identified risks, and that vulnerability assessments be performed every six months or after any material change in business operations or circumstances. 16 C.F.R. § 314.4(d)(2).
Financial institutions should consider going above and beyond the rule's requirement for effective monitoring of their information systems. Serious investments in IT security intelligence and logging systems greatly increase the likelihood that a future post-breach forensics investigation will be able to establish a root cause—and will be able to do so in an efficient, cost-effective manner. Furthermore, because proper logging greatly increases the likelihood of establishing the root cause of a breach, it can also empower an organization with the information necessary to seek redress from other organizations that have been the true source of the attack, like vendors or consultants.
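The two monitoring goals named above, detecting attempted attacks and noticing activity after an intruder has gained a foothold, can be illustrated with a small detector run over authentication logs. The following is an added example, not code from the article; the log line format and the sample lines are constructed. A burst of failed logins from one source inside a sliding window raises a medium-severity alert, and a successful login from that source while the burst is still within the window raises a high-severity one, since that is the event a forensics investigation would most want logged.

```python
"""Failed-login burst detection over authentication log lines.

Added example, not from the article. The log format and the sample lines
are constructed; the two rules illustrate the text's point that monitoring
must catch attempted attacks and also activity after a foothold is gained.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one line of the constructed format; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def detect(lines: List[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str]]:
    """Return (severity, source, message) alerts.

    MEDIUM: `threshold` or more failures from one source inside `window`
            (an attempted attack).
    HIGH:   a successful login from that source while the burst is still
            inside the window (possible compromised credential).
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    failures: Dict[str, List[datetime]] = defaultdict(list)
    bursting = set()
    alerts = []
    for e in events:
        q = failures[e["src"]]
        while q and e["ts"] - q[0] > window:   # slide the window forward
            q.pop(0)
        if not q:
            bursting.discard(e["src"])          # burst has aged out
        if e["result"] == "FAIL":
            q.append(e["ts"])
            if len(q) >= threshold and e["src"] not in bursting:
                bursting.add(e["src"])
                alerts.append(("MEDIUM", e["src"], f"{len(q)} failed logins within {window}"))
        elif e["src"] in bursting:
            alerts.append(("HIGH", e["src"], f"successful login for {e['user']} after failed burst"))
            bursting.discard(e["src"])
            q.clear()
    return alerts


# Constructed sample log: one credential-guessing burst that ends in a success,
# one ordinary typo-then-success from an office address, and one junk line.
SAMPLE_LOG = [
    "2023-06-09T02:14:01Z auth user=jdoe src=203.0.113.7 result=FAIL",
    "2023-06-09T02:14:05Z auth user=jdoe src=203.0.113.7 result=FAIL",
    "2023-06-09T02:14:09Z auth user=jdoe src=203.0.113.7 result=FAIL",
    "2023-06-09T02:14:13Z auth user=jdoe src=203.0.113.7 result=FAIL",
    "2023-06-09T02:14:17Z auth user=jdoe src=203.0.113.7 result=FAIL",
    "2023-06-09T02:14:25Z auth user=jdoe src=203.0.113.7 result=OK",
    "2023-06-09T09:02:10Z auth user=asmith src=10.0.4.12 result=FAIL",
    "2023-06-09T09:02:30Z auth user=asmith src=10.0.4.12 result=OK",
    "garbled line that the parser should skip",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample the detector raises exactly two alerts for the constructed source `203.0.113.7` and none for the office address with a single typo. The rule is deliberately simple; the lesson for the passage is that none of this is possible unless the authentication events are logged with a timestamp, the account and the source in the first place, and retained long enough for a later investigation to replay them.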
Secure Development Practices
Financial institutions must now develop practices and procedures for secure software development for any applications that transmit, access, or store customer information. 16 C.F.R. § 314.4(c)(4). The most significant impact of this requirement, however, will be for applications that are developed in-house. The FTC noted though that “[s]oftware that has been thoroughly tested by third parties may need little more than a review of the test results, while software that has not been widely used and tested will require closer examination.” 86 Fed. Reg. 70289.
Thus, if a financial institution develops home-grown applications, rather than purchasing established products, those institutions will need to take care to manage the development of those applications and to properly test them. For further information, financial institutions should refer to the National Institute of Standards and Technology's (NIST) Secure Software Development Framework (SSDF).
Oversight of Service Providers
The amended Safeguards Rule requires that financial institutions periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. 16 C.F.R. § 314.4(f). Prior to this change, financial institutions were only required to assess their service providers’ safeguards at the onboarding stage, and those safeguards were broadly defined by contract as maintaining “technical, administrative, and physical safeguards” to meet the objectives set forth in the Safeguards Rule. Now, financial institutions must assess the risks the service providers present and contractually require their service providers to provide adequate safeguards to protect the customer information they access or possess.
Practically speaking, if the financial institution is required to implement certain safeguards, then that financial institution's service providers will be required to protect the customer information in the same manner. Such safeguards must be set forth by contract, and the financial institution must periodically evaluate whether its service providers continue to provide the safeguards required by contract. Although several commenters raised concerns about the burden placed on financial institutions, the FTC reiterated that such expenses are necessary given financial institutions’ duty to ensure their service providers are protecting customer information.
Ultimately, financial institutions must review their service provider agreements, ensure the contractual obligations imposed on their service providers sufficiently describe the safeguards required by the new rule, and implement a process for conducting periodic vendor oversight. In the event a financial institution's service provider suffers a breach due to inadequate safeguards resulting in an enforcement action by the FTC, that agreement will be reviewed, as will the actions taken by the financial institution to continuously assess whether the service provider continued to maintain such safeguards.
Designation of Qualified Individual
The amended Safeguards Rule now requires that financial institutions designate a qualified individual to oversee their information security program. 16 C.F.R. § 314.4(a). The individual must provide a written status report at least annually to the board of directors that details the company's compliance with the Safeguards Rule and should address key issues such as risk assessment and mitigation decisions, any security events, and recommendations for improving the financial institution's cyber preparedness. 16 C.F.R. § 314.4(i).
Some commentators involved in the amendment expressed concerns about the cost of requiring all financial institutions to designate an employee as the chief information security officer (CISO). 86 Fed. Reg. 70279-80. For this reason, the amendment mandates that financial institutions designate a qualified individual to lead the written information security program, but it does not require that person to be titled a CISO. The FTC specifically noted that one lower-cost option for smaller companies would be to contract with a virtual CISO, sometimes referred to as a vCISO. Still, in the event a financial institution hires an external individual to act as a vCISO, it must designate an employee to provide the vCISO with direction and oversight.
Training of Personnel
Financial institutions must implement policies and procedures to ensure personnel are able to enact the company's information security program. 16 C.F.R. § 314.4(e). This requires providing security awareness training to both general employees and information security personnel. Such training programs must be updated as necessary to reflect current risks identified in a financial institution's risk assessment.
Information security personnel play a vital role in developing, implementing, overseeing, and managing a financial institution's information security program. As such, a financial institution must not only utilize “qualified information security personnel” to fill this role but also provide information security personnel with security updates and sufficient training on emerging threats and vulnerabilities.
Written Response Plan
A financial institution's written incident response plan must be designed to quickly and effectively respond to cybersecurity events that materially affect the confidentiality, integrity, and availability of customer information. 16 C.F.R. § 314.4(h). Among other things, the plan must clearly define the roles and responsibilities of each member of the response team, articulate internal processes for responding to the security event, and identify the goals of the plan.
The plan must establish procedures for escalating questions to the necessary decision makers without undue delay. The plan should also establish procedures for sharing information within the breach response team and for sharing externally to any press or government authority. The plan should act as a feedback loop wherein lessons learned are added following each tabletop exercise or security event.
Written Risk Assessments
Financial institutions must now perform written risk assessments on a periodic basis. 16 C.F.R. § 314.4(b). Though some commentators argued for less specificity, and some argued for more, the FTC settled on a balanced approach that requires financial institutions to identify risk to their systems and customer information, evaluate those risks as compared to existing safeguards, and then identify how the remaining risks will be mitigated or accepted.
While commentators objected that a written risk assessment would be too costly for smaller financial institutions, the FTC noted that many service providers exist in the industry to assist institutions in performing the assessment. These providers possess significantly greater expertise to identify risks and can assist financial institutions in identifying the universe of strategies available to mitigate those risks. Moreover, these experts will naturally supply financial institutions with a written project deliverable that would satisfy the requirement that the risk assessment be written.
Broader Impact of Amended Safeguards Rule
Although the Safeguards Rule targets financial institutions, it may end up having a much broader impact. It may set a new standard for what constitutes “reasonable security.” FTC consent orders, for example, have sometimes been referred to as a de facto common law for what reasonable security means. With the release of a more prescriptive vision, practitioners could look to the new Safeguards Rule as the next evolution of the common law of reasonable security.
Republished with permission. This article, "Complying With the FTC's Amended Safeguards Rule," was published by Bloomberg Law in June, 2023.