Skip to content
Get A Demo
Sign Up Free
    September 20, 2022

    Checklist for Non-Financial Institutions: FTC Safeguards Rule

    Download a PDF copy of the whitepaper

    Part 1: Required Policies
    Part 2: Reports and Documentation
    Part 3: Technical Requirements
    Part 4: Training Requirements
    How Blumira Helps Check Boxes
    Why Blumira?

    FTC Safeguards Checklist For Financial Institutions

    Updates to the FTC Safeguard Rule were originally going into effect on December 9, 2022, but the FTC extended the deadline on some requirements to June 9, 2023. To help, we've highlighted the requirements affected by the extended deadline in yellow. *

    Part 1: Required Policies

    Designated Qualified Individual

    An individual on the IT/security team who oversees the security program. They must have skills that are considered “adequate” for the amount of data you're storing.

    • Current employee with the qualifications (or with training)
    • Service providers can assist, but internal person is ultimately responsible
    Incident Response Plan

    This plan details a series of actions that the security team must take in the event of a cyber incident: preparation; identification; containment, eradication; recovery; and lessons learned.

    • Hire an incident response firm to help
    • Develop an incident response plan internally (example)

    Does This Affect Me?

    Financial institution means any institution that is financial in nature or incidental to such financial activities

    • Auto dealerships
    • Mortgage lenders or brokers
    • Tax preparation firms
    • Payday lenders
    • Finance companies
    • Check cashers or wire transferors
    • Collection agencies
    • Credit counselors
    • Financial advisors

    Dynamic blocklists are an excellent example of a network-based containment technology. Blumira supports several next-gen firewalls that you can configure to perform this containment step automatically

    Information Access Controls, Disposal Plan & Change Management

    Information access controls restrict who can make changes and creates an audit trail of all changes

    Change management details what process you should follow when your technology stack changes.

    A disposal plan lays out the process for secure disposal of customer information. The Safeguards Rule requires a limit of two years — with some exceptions.

    • Request help from your service provider and ensure all of these requirements are being met
    • Hire an experienced security consultant to help create them

    How Blumira Can Help

    Blumira can automate this process by reducing the time necessary to conduct access reviews and directing your attention to access events that matter

    Oversee Service Providers & Apps

    Review your vendors that have access to your customer information. They too must comply with all of these safeguards. Remember, you’re responsible for your data and your service providers who handle it.

    • Research and select vendors with standards-based information security programs or certifications like SOC2

    Share this checklist with your vendors and keep it handy for future vendor discussions. Make sure they’re aware these safeguards apply to them.

    Part 2: Reports and Documentation

    Data and Systems Inventory

    Just like you have to track the cars on your lots, the FTC requires you have an inventory of all data you have stored and the systems they’re on.

    • Ask your service provider, they should already have an asset inventory
    • Find a software solution that track IT assets and detect new ones


    Check out the CIS Critical Security Controls SME Companion Guide for best practices developed by IT experts

    How Blumira Can Help

    Using our saved report, "Blumira Summary: Parsed Source Types And Log Counts" you can export a list of all devices sending logs to Blumira.

    Risk Assessment

    This involves identifying threats to an environment — both internal and external — to the security, confidentiality, and integrity of customer information. This written assessment must include criteria for evaluating those risks and threats.

    • Start with free tools like SimpleRisk and CISAs CSET tool
    • Hire a professional risk assessment consultant

    Prepare Yourself

    While it doesn't replace a professional Risk Assessment, you can use our free threat assessment guide to prepare for the real thing.

    Information Security Program

    Really, this whole checklist is part of your information security program. Developing one is an ongoing process that requires an understanding of the different facets of security described here, and more.

    • Create it in-house
    • Collaborate with a security service provider


    When building a security program, it’s best to work with experts who have experience creating them before. Work with a service provider who already safeguards their own data and has helped numerous customers with their security program. Remember: People, Process, Technology, you need all 3 to make a security program successful.

    Report To Your Board of Directors

    Your Qualified Individual must give an update to your Board of Directors (or a Senior Officer if there isn’t a board) on a regular basis — at least once a year.


    • Match your existing reporting by pulling reports and key insights from the security tools you’ve already implemented.
    • Set up the reports on a standard recurring basis so everyone knows exactly when they are

    Part 3: Technical Requirements

    Multi-factor Authentication

    Enable multi-factor authentication on all systems that employees and contractors log into. MFA is an easy way to add another layer of verification of a user's identity and prevent the success of attacks like phishing, stolen credentials and account takeovers.

    • Ask your service provider to implement
    • MFA vendors such as Duo Security, Okta, Microsoft


    Take advantage of built-in features from tools that you already use. For example, if you already run Microsoft 365, take advantage of the ability to enable MFA for free across your environment.

    How BlumiraCan Help

    Blumira sends a finding to notify when a user bypasses or disables MFA, skips enrollment, or has unusual or impossible logins.

    Data Encryption

    Encrypt customer information at rest and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.

    • Check with vendors to ensure they're encrypting data properly
    • Built-in tools like Bitlocker or FileVault or open source tools like Veracrypt


    • With Blumira, you can review event logs within the safety of our platform, where they are protected by our security controls and encrypted both at rest and in transit.
    • Blumira customers can also use the Report Builder feature to discover legacy connections to financial and security tools with unencrypted data.

    Penetration Testing and Vulnerability Assessments

    Penetration testing, vulnerability assessments and continuous monitoring all help to detect and prevent both actual and attempted attacks.

    Without continuous monitoring, you must conduct annual penetration testing and vulnerability assessments, including system-wide scans every six months to test publicly-known vulnerabilities.

    • Work with a service provider to implement vulnerability scanning tools from vendors such as Tenable, or Qualys
    • Hire a pentesting firm such as 7 Minute Security


    With Blumira, you can test your SIEM to ensure its readiness against an upcoming pentest.

    Part 3 cnt'd: Technical Requirements

    Monitor and Log Authorized and Suspicious Activity

    Implement a solution to monitor when authorized users are accessing customer information on your system and to detect unauthorized or suspicious access.

    • Blumira (built for small teams), Splunk (built for Enterprise SOCs) or ELK (built for teams with developers)
    • Ask your service provider to implement Blumira


    Prioritize a SIEM that fits the resources of your team. Traditional SIEMs, while powerful, take a lot of time and expertise to manage. Blumira, on the other hand, is designed for small teams without expertise and does a lot of the heavy lifting for you, making it easy to run with limited resources.



    Checks This Box

    Built for small teams, Blumira’s cloud-based SIEM provides monitoring and logging along with built-in detections and step-by-step response playbooks

    Part 4: Training Requirements

    Employee Security Awareness Training

    Provide your people with security awareness training and schedule regular refreshers.

    • Outsource to a vendor such as Curricula or KnowBe4
    • Ask your service provider to implement


    Your service provider likely has a solution for this that can be implemented upon request.

    Training and Security Updates for Security Personnel

    Provide specialized training for employees, affiliates, or service providers who are hands-on with your information security program and verify that they’re monitoring the latest word on emerging threats and countermeasures.

    • An outside consultant that specializes in security programs
    • Online certification courses


    This is a great opportunity to promote growth on your team. Helping individuals in leveling up their career is a great way to show support.

    How Blumira Helps Check Boxes

    Boxes We Fully Check

    Monitor and Log Authorized and Suspicious Activity

    It’s what we do. Built for small teams, Blumira’s cloud-based SIEM provides monitoring and logging along with built-in detections and step-by-step response playbooks.

    We Help Support

    Penetration Testing and Vulnerability Assessments

    Blumira detects attacker behavior also used during a penetration test out of the box, without any complex configuration, or weeks of tuning.

    Data Encryption

    Blumira encrypts the data collected from your systems in transit and at rest within our platform. Additionally, Blumira can help you look for and eliminate legacy protocols in your environment.

    Access Controls

    Blumira automatically logs user access and when their access levels change to give you insight into your current access activity and controls.

    Incident Response Plan

    Part of your response plan should include using data and insights from your SIEM (like Blumira) to help figure out what went wrong. Our built-in playbooks provide stacked evidence, which can drastically speed up the incident response process by ensuring that all of the data is in one place.

    Why Blumira?

    Meet compliance controls, save time on security tasks, focus on real threats and protect against a breach faster than ever with Blumira.


    Reduce reliance on humans to complete manual security tasks to save time and refocus efforts


    Accelerate breach prevention and ransomware protection with security automation


    All-in-one open platform simplifies workflows with hybrid coverage, satisfying more compliance controls

    *The FTC has provided documentation around what requirements are included in the six-month extension, but what’s less clear is which requirements are not included. Here, we’ve provided our interpretation on the extended deadline, based on FTC documentation and expert knowledge. Blumira is not acting in any advisory capacity and any impacted companies should seek legal counsel if they need clarification on what requirements may be delayed.

    Erica Mixon

    Erica is an award-winning writer, editor and journalist with over ten years of experience in the digital publishing industry. She holds a Bachelor’s degree in writing, literature and publishing from Emerson College. Her foray into technology began at TechTarget, where she provided editorial coverage on a wide variety...

    More from the blog

    View All Posts