In 1999, Congress passed the Gramm-Leach-Bliley Act, which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.[1] The Act mandated the passage of the Safeguards Rule, which was promulgated by the Federal Trade Commission (FTC) in May 2002 and made effective May 2003.[2] In 2019, the FTC began working on amendments to the Safeguards Rule, and on December 9, 2021, the FTC finalized these amendments.[3] Depending on the classification of their financial institution, clients will need to understand the following rule changes and properly abide by the new FTC regulations.
The Safeguards Rule
The Amendments to the Safeguards Rule made four primary modifications. These modifications (1) broadened the definition of “financial institution”; (2) heightened information security requirements; (3) improved accountability of financial institutions’ information security programs; and (4) set exemptions for smaller financial institutions.[4]
1. Broader Definition of “Financial Institution”
The Safeguards Rule initially only applied to financial institutions directly engaged in financial activities, such as banks.[5] The broadened definition of “financial institution” now includes businesses engaging in an activity that is financial in nature or incidental to such financial activities.[6] Some examples of these businesses provided by the FTC include, but are not limited to, “mortgage lenders, ‘pay day’ lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.”[7]
2. Heightened Information Security Requirements
The Amendment to the Safeguards Rule requires that the information security program be based on a risk assessment and that the risk assessment follow specific criteria laid out by the FTC.[8] The risk assessment must be written and must include: (1) criteria for the evaluation and categorization of identified security risks or threats; (2) criteria for the assessment of the confidentiality, integrity, and availability of the financial institution’s information systems and customer information; and (3) requirements describing how identified risks will be mitigated or accepted and how the information security program will address the risks.[9] The financial institution must also periodically perform additional risk assessments to re-examine foreseeable risks to the security, confidentiality, and integrity of customer information.[10]
The FTC mandated additional security procedures: annual penetration testing of the information systems, based on the risks identified in the risk assessment, and vulnerability assessments at least every six months and whenever there are material changes to the operations or business arrangements that may impact the information security program.[11] The FTC also mandates that the financial institution implement policies and procedures, such as mandatory training and security updates, that ensure personnel are able to enact the information security program.[12] Finally, companies covered under the Safeguards Rule amendments must establish a written incident response plan to protect customer information in their control,[13] and must evaluate and revise the incident response plan following a security event.[14]
3. Improved Accountability of Financial Institutions’ Information Security Programs
The amendments to the Safeguards Rule provide for accountability of financial institutions’ information security programs in two ways. First, they require a Qualified Individual to run the information security program.[15] Second, they require the Qualified Individual to make reports to the board of directors or governing bodies.[16]
The amended Safeguards Rule allows financial institutions to use service providers to meet the requirements of the Rule by hiring them as the Qualified Individual in charge of the information security program.[17] The Rule defines a service provider as “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.”[18]
4. Exemption for Small Financial Institutions
The FTC’s Amendment provides an exemption for small financial institutions that maintain customer information concerning fewer than five thousand customers.[19] These institutions are exempt from the required content in the risk assessments, the requirements for annual penetration tests and vulnerability assessments, the requirement for a written incident response plan, and the reporting requirement.[20]
How Does Your Security Program Meet The New FTC Requirements?
To respond to the Amendment to the Safeguards Rule, ProCircular encourages financial institutions to create a cybersecurity plan, or update one already in place, to abide by the new rule requirements (e.g., creating an incident response plan, getting annual penetration tests, etc.). Clients should also determine whether they fall into the exemption provided for by the Amendment, which applies if they maintain information on fewer than 5,000 customers. If they do, the client will need to evaluate which portions of the Safeguards Rule apply to them and which they are exempted from.
ProCircular has the right experts to guide you to an improved security posture. Proudly serving Iowa, Minnesota, and the entire Midwest, ProCircular is among the nation’s best cybersecurity companies. Whether you’re looking for technical controls, procedural development, or both, contact our experts at ProCircular: give us a call at 844-95-SECUR (73287) or email us at sales@procircular.com with any questions you have.
References:
[1] 15 U.S.C. § 6801.
[2] Standards for Safeguarding Customer Information, 67 Fed. Reg. 63,493 (May 23, 2002) (codified at 16 C.F.R. pt. 314).
[3] FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches, Fed. Trade Comm’n (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data; see also 16 C.F.R. pt. 314.
[4] 16 C.F.R. pt. 314; see also FTC Amendments Affecting Financial Institutions, JDSupra (April 14, 2022), https://www.jdsupra.com/legalnews/ftc-amendments-affecting-financial-7315012/.
[5] 16 C.F.R. pt. 314 (2002).
[6] Id.
[7] Id.
[8] 16 C.F.R. § 314.4(b)(1).
[9] 16 C.F.R. § 314.4(b)(1)(i)-(iii).
[10] 16 C.F.R. § 314.4(b)(2).
[11] 16 C.F.R. § 314.4(d)(2).
[12] 16 C.F.R. § 314.4(e).
[13] 16 C.F.R. § 314.4(h).
[14] 16 C.F.R. § 314.4(h)(1)-(7).
[15] 16 C.F.R. § 314.4(a).
[16] 16 C.F.R. § 314.4(i).
[17] 16 C.F.R. § 314.4(a).
[18] 16 C.F.R. § 314.2(q).
[19] 16 C.F.R. § 314.6.
[20] Id.