Update: GLBA Safeguards Rule Extends Deadline from December 9, 2022 to June 9, 2023!
The compliance deadline for some of the FTC Safeguards Rule's revised provisions has been extended to June 9, 2023.
This is an update to our previous October article about the December 9, 2022 Safeguards Rule enforcement deadline; the new deadline for the affected provisions is June 9, 2023.
Good news! Whether you hustled to meet the deadline and have everything compliant and ready for inspection, or have yet to finalize your Information Security Program, the FTC has extended the deadline by six months for certain provisions of the amended Rule. The extension was announced on November 15, 2022.
The Commission cited reports, including a letter from the SBA Office of Advocacy, stating that there is a shortage of qualified personnel to implement information security programs and that the supply chain problems plaguing commerce may delay organizations obtaining the systems and resources needed to close security gaps and upgrade systems. These factors, together with the disruptions caused by COVID-19, have left many small businesses struggling to meet the deadline.
In October 2021, the FTC amended the Safeguards Rule to provide clearer guidance and specific criteria that financial institutions must adopt as part of an information security program.
Read our original article below, which includes links to the full text. It may take some time to digest, but it matters if you are a financial institution, which includes dealerships that provide their own financing, credit counseling agencies, and others you might not expect (see below, or the FTC's October 2021 changes).
Here are the provisions whose deadline was extended (by a unanimous 4-0 Commission vote, I might add):
- designate a qualified individual to oversee their information security program,
- develop a written risk assessment,
- limit and monitor who can access sensitive customer information,
- encrypt all sensitive information,
- train security personnel,
- develop an incident response plan,
- periodically assess the security practices of service providers, and
- implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
If you would like our help with meeting these objectives, please reach out to us at email@example.com.
December 9, 2022 FTC Safeguards Rule Enforcement Mandate – Are you ready?
There is a timeless truth: if you do not understand your goal, your destination, you cannot plot your course. It is also exceedingly difficult to reach that goal without the right tools to determine where you are, to understand what is important, and to point you to the most efficient route. Just as a sailor can get hopelessly lost at sea without charts to guide them and instruments to measure by, it is next to impossible to navigate a cybersecurity and risk management strategy effectively without the right tools at your disposal.
Do GLBA and the Safeguards Rule deadline apply to your organization?
The looming December 9 deadline for the FTC Safeguards Rule update applies to more organizations than you might think. Does it apply to yours? You might be surprised to find that it does. If you need help confirming the potential impact, Cyturus can help you determine whether the Rule applies to you, identify your true current state, and build an effective remediation strategy.
If you work for a financial institution, you are probably already familiar with GLBA, the Gramm-Leach-Bliley Act. It was enacted on November 12, 1999, to reform the financial services industry. In cybersecurity and risk management, we focus primarily on its requirement that financial institutions (any company that offers consumers financial products or services such as loans, financial or investment advice, or insurance) explain their information-sharing practices to their customers and protect sensitive data. In short, GLBA exists to protect personally identifiable information (PII) and thereby safeguard consumer financial privacy.
Don’t think this applies to your organization?
What you may not know is that the definition has continued to evolve. "Financial institution" is broader than most people realize. It is NOT just banks: the 2021 amendments added "finders" (companies that bring together buyers and sellers of financial products or services), and the definition already covered companies such as:
- Retailers that issue their own credit cards
- Dealerships that lease automobiles longer than 90 days
- Personal property or real-estate appraisers
- Mortgage brokers
- Finance companies
- Payday lenders
- Non-Federally insured credit unions
- Tax preparation services
- Check Cashing businesses
- Investment advisors not required to register with the SEC (Securities and Exchange Commission)
- Credit counselors
The definition is broad because 12 CFR 225.28 lists a sizable set of nonbanking activities that can still expose clients' financial information. If your organization maintains customer information on fewer than 5,000 consumers, some elements of the Rule do not apply to you (the written risk assessment, the annual penetration testing and semiannual vulnerability scans, the written incident response plan, and the annual written report to the board).
A bit of history
The FTC Safeguards Rule originally took effect in 2003. Based on public comment, the FTC amended it in October 2021 to keep pace with changing technology. The full text is in 16 CFR Part 314 – Standards for Safeguarding Customer Information.
So what does this mean?
The FTC has also published a great resource guide called FTC Safeguards Rule: What Your Business Needs to Know.
In summary, you need a well-documented plan. Navigating the treacherous waters of cybersecurity, GRC (Governance, Risk, and Compliance) and risk management begins with a roadmap, and that roadmap is the primary requirement of the FTC Safeguards Rule: an "Information Security Program" that is written down and followed.
Here is an excerpt from the FTC guide:
“Your information security program must be written, and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program [should be]:
- Ensure the security and confidentiality of customer information;
- Protect against anticipated threats or hazards to the security or integrity of that information;
- Protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include. Let’s take those elements step by step.
- Designate a Qualified Individual to implement and supervise your company’s information security program. The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. The person does not need a particular degree or title. What matters is real-world know‑how suited to your circumstances. The Qualified Individual selected by a small business may have a background different from someone running a large corporation’s complex system. If your company brings in a service provider to implement and supervise your program, the buck still stops with you. It is your company’s responsibility to designate a senior employee to supervise that person. If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business.
- Conduct a risk assessment. You cannot formulate an effective information security program until you know what information you have and where it is stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information. Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of changes to your operations or the emergence of new threats.
- Design and implement safeguards to control the risks identified through your risk assessment. Among other things, in designing your information security program, the Safeguards Rule requires your company to:
  - Implement and periodically review access controls. Determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.
  - Know what you have and where you have it. A fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.
  - Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
  - Assess your apps. If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security.
  - Implement multi-factor authentication for anyone accessing customer information on your system. For multi-factor authentication, the Rule requires at least two of these authentication factors: a knowledge factor (for example, a password); a possession factor (for example, a token), and an inherence factor (for example, biometric characteristics). The only exception would be if your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.
  - Dispose of customer information securely. Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn’t feasible because of the way the information is maintained.
  - Anticipate and evaluate changes to your information system or network. Changes to an information system or network can undermine existing security measures. For example, if your company adds a new server, has that created a new security risk? Because your systems and networks change to accommodate new business processes, your safeguards can’t be static. The Safeguards Rule requires financial institutions to build change management into their information security program.
  - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.
- Regularly monitor and test the effectiveness of your safeguards. Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system. If you don’t implement that, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly known security vulnerabilities. In addition, test whenever there are material changes to your operations or business arrangements and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.
- Train your staff. A financial institution’s information security program is only as effective as its least vigilant staff member. That said, employees trained to spot risks can multiply the program’s impact. Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.
- Monitor your service providers. Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.
- Keep your information security program current. The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.
- Create a written incident response plan. Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to, or misuse of information stored on your system or maintained in physical form. Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover:
  - The goals of your plan;
  - The internal processes your company will activate in response to a security event;
  - Clear roles, responsibilities, and levels of decision-making authority;
  - Communications and information sharing both inside and outside your company;
  - A process to fix any identified weaknesses in your systems and controls;
  - Procedures for documenting and reporting security events and your company’s response; and
  - A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.
- Require your Qualified Individual to report to your Board of Directors. Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program. What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.”
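Two of the elements quoted above (periodic review of access controls, and logging authorized users' activity while watching for unauthorized access) are easy to state and easy to neglect. The following Python script is an added example, not code from the FTC guide or from Cyturus, of how a small institution could turn an audit log and the output of its last access review into concrete findings. Everything in it is constructed for illustration: the log line format (`<timestamp> user=<id> action=<verb> record=<customer record> src=<ip>`), the entitlement list, the office network `10.0.0.0/8`, the business hours of 08:00 to 17:59 UTC, and the 30-day staleness window are all hypothetical assumptions, not anything the Rule prescribes.

```python
"""Review customer-information access against the last access review.

Added example; it is not the FTC's or Cyturus's code. The log format,
entitlement list, network ranges and time windows below are constructed
assumptions for illustration only.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical output of the most recent access review: user -> role that
# justifies access to customer information. Anyone not listed has no
# approved business need.
ENTITLEMENTS = {
    "alice": "loan_officer",
    "bob": "collections",
    "carol": "compliance",
}

TRUSTED_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed office network
BUSINESS_HOURS = range(8, 18)                         # assumed 08:00-17:59 UTC

# Constructed sample audit log in the hypothetical format described above.
SAMPLE_LOG = """\
2023-05-01T09:12:03Z user=alice action=read record=CUST-1001 src=10.0.4.21
2023-05-01T09:14:40Z user=alice action=read record=CUST-1002 src=10.0.4.21
2023-05-01T11:02:17Z user=bob action=export record=CUST-2210 src=10.0.4.77
2023-05-02T02:41:09Z user=mallory action=read record=CUST-1001 src=203.0.113.9
2023-05-02T08:30:55Z user=bob action=read record=CUST-2211 src=10.0.4.77
2023-05-03T23:58:02Z user=alice action=export record=CUST-1003 src=198.51.100.4
"""


def parse_line(line):
    """Parse one audit line into a dict; the timestamp becomes an aware datetime."""
    ts, *fields = line.split()
    entry = dict(field.split("=", 1) for field in fields)
    entry["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return entry


def review_access(log_text, entitlements, review_at, stale_after=timedelta(days=30)):
    """Return (findings, stale_users).

    findings: list of (user, reason, raw_line) for accesses that need a look:
      - the user is not on the entitlement list (unauthorized access),
      - the access happened outside business hours,
      - the access came from outside the trusted network.
    stale_users: entitled users with no access in `stale_after` before
      `review_at`; candidates for revocation at the next access review.
    """
    findings = []
    last_seen = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        user = entry["user"]
        if user not in entitlements:
            findings.append((user, "not on entitlement list", raw))
            continue  # already the strongest finding for this line
        last_seen[user] = max(last_seen.get(user, entry["ts"]), entry["ts"])
        if entry["ts"].hour not in BUSINESS_HOURS:
            findings.append((user, "outside business hours", raw))
        if ipaddress.ip_address(entry["src"]) not in TRUSTED_NETWORK:
            findings.append((user, "source outside trusted network", raw))
    stale = sorted(
        user for user in entitlements
        if user not in last_seen or review_at - last_seen[user] > stale_after
    )
    return findings, stale


def run_sample():
    """Run the review over the constructed log as of an assumed review date."""
    review_at = datetime(2023, 5, 31, tzinfo=timezone.utc)
    return review_access(SAMPLE_LOG, ENTITLEMENTS, review_at)


if __name__ == "__main__":
    findings, stale = run_sample()
    for user, reason, raw in findings:
        print(f"FINDING  {user:<8} {reason:<32} {raw}")
    for user in stale:
        print(f"STALE    {user:<8} entitled but no access in review window")
```

On the sample data the script reports three findings (one access by a user with no entitlement, and two by an entitled user outside business hours and from an external address) and one stale entitlement. The point of returning both lists is that the same log feeds two separate Rule elements: the findings are what the monitoring control should surface promptly, while the stale list is input to the periodic reconsideration of who still has a legitimate business need.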
What do we do now?
With the deadline approaching, if you have not yet documented an information security program along the lines above, you are running out of runway. Regardless of your organization's size, the steps above are sound practices: they protect your client and prospect data, put in place the internal controls that give your business the best chance of surviving a breach or an accidental incident, and lay the groundwork for most other compliance mandates as well. The Cyturus C2MA (Cybersecurity Capacity Maturity Assessment) evaluates your enterprise's capacity and capability for cybersecurity. In other words, we can help you figure out your current cybersecurity posture (your "situation") and how to improve it.
The Cyturus Compliance & Risk Tracker (CRT) provides the industry’s best platform to manage building and documenting your information security program.
Whether your program is already in place and mature, or if you are just starting down that path, the CRT can provide value. The CRT cloud-based platform and optional managed services will help you with:
- Documenting the requirements for the Safeguards Rule
- Collecting relevant organizational current state compliance data
- Creating a baseline to which your organization can measure compliance
- Prioritization of key findings to fix any gaps
- Managing remediation
- Tracking success of the program
- Reporting to auditors, regulators and your board
- Providing customers with peace of mind that their data is safe with you
Let us help you meet this mandate, as well as any others you may be concerned with. Reach out to firstname.lastname@example.org or fill out the form below to learn more, schedule a discussion about your cybersecurity or compliance needs, or sign up for a platform demo.