The Federal Trade Commission (FTC) Safeguards Rule, or Standards for Safeguarding Customer Information, was updated in early 2022 to require all non-banking financial institutions – such as mortgage brokers, auto dealerships and others – develop, implement and maintain a comprehensive cybersecurity system to keep customer information safe.
The Safeguards Rule amendments require organizations within scope of compliance to implement technology for audit trails and to monitor all unauthorized activity.
The newly updated deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023, with penalties at $45k per violation.
What Is The Purpose of The Safeguard Rule?
Like most FTC regulations, the goal is consumer protection and data security. The original Safeguards Rule took effect in 2003; however, the 2021 amendment ensures that institutions are keeping pace with current technology to keep consumers’ financial information safe.
How Blumira Helps With FTC Compliance
See our compliance checklist for guidance on how to implement a comprehensive security system to meet FTC requirements.
Specifically, Blumira provides small and medium-sized businesses with an easy and fast all-in-one SIEM solution that combines logging with detection and response. Small teams can deploy the solution within hours to help satisfy FTC requirements.
- Up to one year of log data retention (audit trails), with immediate availability to help with investigation and incident response
- Unauthorized activity monitoring to help identify attacker behavior with real-time automated detection under 50 seconds and guided playbooks to help you respond to threats faster
- Access to our security team to help with guided response, available 24/7 for urgent priority issues
Deploy in minutes to see how it works with your Microsoft 365 environment by signing up for Blumira’s free edition.
FTC Guidelines: Audit Trails
The Commission believes logging user activity is a crucial component of information security because in the event of a security event it allows financial institutions to understand what was accessed and when.
Audit trails are chronological logs that show who has accessed an information system and what activities the user engaged in during a given period.
Financial institutions are expected to use logging to “monitor” active users and reconstruct past events.
Other FTC Requirements Blumira Can Help Support
- Incident Response Plan. Part of your response plan should include using data and insights from your SIEM (like Blumira) to help figure out what went wrong. Our built-in playbooks surface all relevant data in our findings, which can speed up the incident response process by ensuring that all of the data is in one place.
- Customer Information Access Controls. Once integrated with your systems, Blumira automatically logs user access and when their access levels change to give you insight into your current access activity and controls.
- Data Encryption. While this requirement is about encrypting your customers and organization’s data, we do encrypt all log data collected from your systems while within Blumira’s platform and in transit from your systems. Using Blumira, you can also look for and eliminate legacy protocols in your traffic to further reduce your data security risks.
- Penetration Testing & Vulnerability Assessments. Testing our SIEM on a regular basis will help you pass your annual penetration testing with flying colors by verifying your technology can detect attacker behaviors. Blumira detects behavior on a penetration test that most SIEMs will not, such as AS-REP Roasting.
Who Is Affected By The FTC Safeguards Rule?
The FTC defines a financial institution as “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.” According to the FTC, financial institutions are not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA).
What’s new to the inclusion of financial services is the concept of finders: companies that bring together buyers and sellers to negotiate and complete the transaction. In other words, any organization that is storing financial information for its customers is affected.
List of Included Industries:
- Accountants & Professional Tax Preparers
- Automotive dealerships that lease vehicles
- Career Counselors of individuals in financial industries
- Check printers
- Check-cashing businesses
- Courier services
- Credit reporting agencies.
- Investment Advisory Company
- Mortgage brokers
- Nonbank lenders
- Payday lenders
- Personal property or real estate appraisers
- Real Estate Settlement Services
- Retailers that extend their own credit
- Wire Transfer Businesses
Required Information Security Program Updates At A Glance
Part 1: Required Policies
- Designated Qualified Individual
An individual on the IT/security team who oversees the information security program.
- Incident Response Plan
This written incident response plan details a series of actions that the security team must take in the event of a cyber incident.
- Customer Information Access Controls, Disposal Plan & Change Management
Information access controls restrict who can make changes and creates an audit trail of all changes to help detect unauthorized access.
- Oversee Service Providers & Apps
Review your applications you use and vendors that you share data with – if they are also handling financial data, they too must comply with all of these safeguards.
Part 2: Reports & Documentation
- Data & Systems Inventory
The FTC requires you have an inventory of all data you have stored and the systems they’re on: customer records, financial records where they are stored, and all the software that they touch.
- Risk Assessment
This process will vary for every organization, but at a high level it involves identifying threats to an environment — both internal and external — to the security, confidentiality, and integrity of customer information. This written risk assessment must include criteria for evaluating those risks and threats.
- Information Security Program
Really, this whole checklist is your information security program. Developing one is an ongoing process that requires an understanding and consideration of the different facets of security described here, and more. And documented all together in one program.
- Report To Your Board of Directors
Your Qualified Individual must give an update to your Board of Directors (or another governing body such as a Senior Officer if there isn’t a board) on a regular basis — at least once a year.
Part 3: Technical Requirements
- Data Encryption
Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
- Multi-Factor Authentication
Enable multi-factor authentication on all systems that employees and contractors log into. MFA is an easy way to add another layer of verification of a user’s identity and prevent the success of attacks like phishing, stolen credentials and account takeovers
- Penetration Testing & Vulnerability Assessments
Penetration testing, vulnerability assessments and continuous monitoring all help to detect both actual and attempted attacks. Continuous monitoring is an excellent way to test your environment.
- Monitor and Log Authorized & Suspicious Activity
Implement a solution to monitor when authorized users are accessing customer information on your system and to detect unauthorized or suspicious access.
Part 4: Training Requirements
- Employee Security Awareness Training
Provide your people with security awareness training and schedule regular refreshers.
- Training & Security Updates For Security Personnel
Provided specialized training for employees, affiliates, or service providers who are hands-on with your information security program and verify that they’re monitoring the latest word on emerging threats and countermeasures.