United States: FTC finalizes safeguard rule for financial institutions
On October 27, 2021, the Federal Trade Commission (FTC) announced an updated rule under the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions to strengthen their data security measures to protect consumers’ financial information. The updated rule, the Standards for Safeguarding Customer Information (Safeguards Rule), amends the FTC’s 2002 Safeguards Rule and responds to major data security incidents and cyberattacks in the consumer financial services industry.
The FTC’s Safeguards Rule applies to non-bank financial institutions, such as check cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, courier services and credit reporting agencies. These non-bank financial institutions will likely have to comply with most of the requirements of the new Safeguards Rule by the fourth quarter of 2022.
Unlike previous rules and guidelines promulgated by federal financial regulators, the FTC’s new Safeguards Rule sets out specific safeguards that financial institutions must implement as part of their information security program. For example, the new Safeguards Rule requires financial institutions to implement multi-factor authentication for any individual accessing networks that contain customer information. This represents an important step in the evolution of data security regulation at the federal level: in the past, similar rules provided only general guidance to regulated companies rather than specific technical requirements. In this regard, the new Safeguards Rule is likely to give covered financial institutions greater clarity about their obligations to protect consumers’ financial information.
Here are some of the highlights of the new Safeguards Rule:
- Written information security program: The new Safeguards Rule requires financial institutions to establish a comprehensive written information security program, which must include the designation of a qualified individual to oversee and implement the program.
- Risk assessments: The new Safeguards Rule requires financial institutions to undertake risk assessments and to implement safeguards that address the identified risks. Risk assessments must be in writing and include criteria for evaluating, categorizing and identifying security risks, as well as how those identified risks will be mitigated or accepted. Periodic risk assessments must be performed to re-examine reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information.
- Appointment of a qualified individual: The new Safeguards Rule requires a financial institution to designate a qualified individual to be responsible for the institution’s information security program. This is similar in many ways to the New York Department of Financial Services (NY DFS) Cybersecurity Regulation, which requires covered financial institutions to appoint a Chief Information Security Officer (CISO).
- Penetration tests and vulnerability assessments: The new Safeguards Rule requires annual penetration testing of information systems. Vulnerability assessments, including system scans or reviews of information systems, must be completed every six months.
- Encryption of customer information at rest and in transit: The new Safeguards Rule requires financial institutions to encrypt all customer information, both in transit over external networks and at rest. Encrypting data at rest within their networks can be difficult for many financial institutions. Interestingly, the new Safeguards Rule allows financial institutions to apply effective alternative compensating controls where encryption of customer information, whether in transit or at rest, is infeasible, a concession that other regulators have not granted in other contexts, for example in the recent Executive Order on cybersecurity.
- Service provider oversight: The new Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers that maintain appropriate safeguards for consumers’ financial information. Financial institutions must periodically assess their service providers to ensure continued compliance.
- Multi-factor authentication: The new Safeguards Rule requires financial institutions to implement multi-factor authentication for any individual accessing networks that contain customer information. Authentication factors may include (1) knowledge factors, such as a password; (2) possession factors, such as a token; or (3) inherence factors, such as biometric characteristics.
- Reports to the board of directors: The new Safeguards Rule requires the qualified individual to provide written reports at least annually to the board of directors or governing body on the financial institution’s information security program. The report must cover the overall status of the information security program and the institution’s compliance with it, as well as material matters related to the program (such as risk assessments and recommendations for changes to the program). This is similar in many ways to the SEC’s 2018 guidance on public company cybersecurity disclosures.
- Retention and disposal of customer information: The new Safeguards Rule requires financial institutions to develop, implement and maintain procedures for the secure disposal of customer information no later than two years after the last date the information is used, unless retention is otherwise required. This requirement aligns with the principle of data minimization, which is considered good practice in data security. Likewise, financial institutions must implement policies, procedures and controls designed to monitor and log the activity of authorized users and to detect unauthorized access to, or use or tampering with, customer information.
- Expanded definition of financial institution: The new Safeguards Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve determines to be incidental to financial activities. The FTC said the change is intended to bring “finders” (companies that bring together buyers and sellers of a product or service) within the scope of the new Safeguards Rule. The FTC noted that finders often collect and maintain highly sensitive financial information about consumers, and that expanding the definition of financial institution to include finders will help protect consumers’ financial information.
These measures closely track regulations recently adopted by state financial regulators, such as NY DFS, which enacted its own Cybersecurity Regulation in 2017. Like the new Safeguards Rule, the NY DFS Cybersecurity Regulation requires covered financial institutions to implement specific cybersecurity controls, such as encryption of data in transit and at rest and multi-factor authentication.
The new Safeguards Rule will take effect 30 days after its publication in the Federal Register. However, the main requirements of the rule will be delayed by one year. The requirements delayed by one year include the appointment of a qualified individual; written risk assessments; annual penetration testing and semi-annual vulnerability assessments; periodic assessment of service providers; and a written incident response plan. The remaining requirements, which take effect 30 days after publication, largely mirror the requirements of the existing Safeguards Rule. Financial institutions are therefore unlikely to face new obligations until the delayed requirements come into effect in a year.
Financial institutions should carefully review the new Safeguards Rule to ensure compliance.