FTC Safeguards Rule Compliance
The Federal Trade Commission (FTC) Safeguards Rule, or Standards for Safeguarding Customer Information, was updated in early 2022 to require all non-banking financial institutions – such as mortgage brokers, auto dealerships, and others – to develop, implement, and maintain a comprehensive cybersecurity system to keep customer information safe. The Safeguards Rule amendments require organizations within scope of compliance to implement technology for audit trails and to monitor all unauthorized activity. The purpose of the Safeguards Rule, like most FTC regulations, is consumer protection and data security. The original Safeguards Rule took effect in 2003; however, the 2021 amendment ensures that institutions are keeping pace with current technology to keep consumers’ financial information safe.

Who Is Affected By The FTC Safeguards Rule?
The FTC defines a financial institution as “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.” According to the FTC, financial institutions are not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA).
What’s new to the inclusion of financial services is the concept of finders: companies that bring together buyers and sellers to negotiate and complete the transaction.

Any organization storing financial information for its customers is affected. Industries include:
- Accountants & professional tax preparers
- Automotive dealerships that lease vehicles
- Career counselors of individuals in financial industries
- Check printers
- Check-cashing businesses
- Courier services
- Credit reporting agencies
- Investment advisory companies
- Mortgage brokers
- Nonbank lenders
- Payday lenders
- Personal property or real estate appraisers
- Real estate settlement services
- Retailers that extend their own credit
- Wire transfer businesses
How Blumira Helps With FTC Compliance
See our compliance checklist for guidance on how to implement a comprehensive security system to meet FTC requirements.
FTC Requirement for Audit Trails
The FTC believes logging user activity is a crucial component of information security because, in the event of a security event, it allows financial institutions to understand what was accessed and when. Audit trails are chronological logs that show who has accessed an information system and what activities the user engaged in during a given period. Financial institutions are expected to use logging to “monitor” active users and reconstruct past events.
Blumira provides small and medium-sized businesses with an easy and fast all-in-one SIEM solution that combines logging with detection and response. Small teams can deploy the solution within hours to help satisfy FTC requirements. Blumira provides:
- Up to one year of log data retention (audit trails), with immediate availability to help with investigation and incident response.
- Unauthorized activity monitoring to help identify attacker behavior with real-time automated detection under 50 seconds and guided playbooks to help you respond to threats faster.
- Access to our security team to help with guided response, available 24/7 for urgent priority issues.
FTC Compliance Updates at a Glance
The Safeguards Rule amendments require organizations within scope of compliance to implement technology for audit trails and to monitor all unauthorized activity. The revised deadline for complying with some of the updated requirements of the Safeguards Rule went into effect on June 9, 2023, with penalties at $45k per violation.
Part 1: Required Policies
Designated Qualified Individual – An individual on the IT/security team who oversees the information security program.
Incident Response Plan – Your written incident response plan details a series of actions that the security team must take in the event of a cyber incident.
Customer Information Access Controls, Disposal Plan & Change Management – Information access controls restrict who can make changes and create an audit trail of all changes to help detect unauthorized access.
Oversee Service Providers & Apps – Review the applications you use and vendors that you share data with. If they are also handling financial data, they too must comply with all of these safeguards.
Part 2: Reports & Documentation
Data & Systems Inventory – The FTC requires you to have an inventory of all data you have stored and the systems they’re on, including customer records, financial records where they are stored, and all the software that they touch.
Risk Assessment – This process will vary for every organization, but at a high level it involves identifying threats to an environment, both internal and external, to the security, confidentiality, and integrity of customer information. This written risk assessment must include criteria for evaluating those risks and threats.
Information Security Program – Use this checklist to build out your information security program. Developing one is an ongoing process that requires an understanding and consideration of the different facets of security described here, documented all together in one program.
Report To Your Board of Directors – Your Qualified Individual must give an update to your Board of Directors (or another governing body such as a Senior Officer if there isn’t a board) on a regular basis, at least once a year.
Part 3: Technical Requirements
Data Encryption – Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
Multi-Factor Authentication – Enable multi-factor authentication on all systems that employees and contractors log into. MFA is an easy way to add another layer of verification of a user’s identity and prevent the success of attacks like phishing, stolen credentials, and account takeovers.
Penetration Testing & Vulnerability Assessments – Penetration testing, vulnerability assessments and continuous monitoring all help to detect both actual and attempted attacks. Continuous monitoring is an excellent way to test your environment.
Monitor and Log Authorized & Suspicious Activity – Implement a solution to monitor when authorized users are accessing customer information on your system and to detect unauthorized or suspicious access.
Part 4: Training Requirements
Employee Security Awareness Training – Provide your people with security awareness training and schedule regular refreshers.
Training & Security Updates For Security Personnel – Provide specialized training for employees, affiliates, or service providers who are hands-on with your information security program and verify that they’re monitoring the latest word on emerging threats and countermeasures.
Blumira Features to Satisfy FTC Requirements
Blumira provides small and medium-sized businesses with an easy and fast all-in-one SIEM solution that combines logging with detection and response. Small teams can deploy the solution within hours to help satisfy FTC requirements.
Frequently Asked Questions
What is the FTC Safeguards Rule?
The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions to develop, implement, and maintain a comprehensive information security program. Originally enacted in 2003 under the Gramm-Leach-Bliley Act, the rule was significantly updated in 2021 with amendments that took effect on June 9, 2023. The updated rule added specific technical requirements including encryption, multi-factor authentication, activity monitoring, penetration testing, and incident response. Unlike the original rule, which was largely principles-based, the 2021 amendments include concrete, testable requirements that the FTC can enforce through consent orders and penalties.
Who must comply with the FTC Safeguards Rule?
The FTC Safeguards Rule applies to "financial institutions" as defined by the FTC, which is broader than most people expect. It covers mortgage lenders and brokers, payday lenders, auto dealerships that arrange financing or leasing, accountants and tax preparation firms, travel agencies operating in connection with financial services, real estate appraisers, credit counselors, and retailers that extend their own credit. If your business is "significantly engaged" in financial activities, you likely fall under the rule. The threshold for compliance was raised in the 2021 amendments: organizations that maintain customer information on fewer than 5,000 consumers are exempt from some (but not all) requirements.
What changed in the 2021 FTC Safeguards Rule amendments?
The 2021 amendments added specific technical requirements that the original 2003 rule lacked. Key additions include: designating a single Qualified Individual responsible for the security program, conducting periodic risk assessments, encrypting customer information both at rest and in transit, implementing multi-factor authentication for anyone accessing customer information, monitoring and logging the activity of authorized users, conducting annual penetration testing and biannual vulnerability assessments, developing a written incident response plan, and reporting security events to the board of directors or governing body. These requirements took effect on June 9, 2023, and the FTC has been actively enforcing them since.
Does the FTC Safeguards Rule require a SIEM?
The rule does not use the word "SIEM," but Section 314.4(c)(6) requires organizations to "monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information." This effectively requires centralized log collection, user activity monitoring, and the ability to detect unauthorized access, which are the core functions of a SIEM. For organizations with more than a handful of systems, meeting this requirement through manual log review is impractical and would not withstand FTC scrutiny. The 2021 amendments made monitoring a mandatory technical control, not a recommended practice.
What are the penalties for FTC Safeguards Rule non-compliance?
The FTC enforces the Safeguards Rule through its authority under the FTC Act. Penalties can include consent orders (legally binding agreements to implement specific security measures under FTC oversight), civil penalties of up to $50,120 per violation (adjusted annually for inflation), mandatory third-party security audits at the organization's expense, and public disclosure of enforcement actions. The FTC has been increasingly aggressive in enforcement since the 2021 amendments took effect. Auto dealerships, tax preparers, and mortgage brokers have been among the early enforcement targets. A single data breach affecting thousands of customers can constitute thousands of individual violations.
How does Blumira help with FTC Safeguards Rule compliance?
Blumira directly addresses the monitoring requirement in Section 314.4(c)(6). The platform collects and monitors logs from systems that store or process customer information, including cloud platforms, endpoints, identity providers, and applications through 75+ integrations. It detects unauthorized access attempts, privilege escalation, and anomalous user behavior in real time, with alerts delivered within one minute of detection. Each alert includes a response playbook that guides your team through investigation and remediation. Blumira retains all log data for one year, providing the audit trail that demonstrates ongoing compliance. The platform deploys in hours and takes about 15 minutes a day to manage, making it practical for auto dealerships, accounting firms, and other non-technical organizations that fall under the rule.
What does the FTC Safeguards Rule require for incident response?
Section 314.4(h) requires a written incident response plan that addresses the goals of the plan, internal processes for responding to a security event, clear definition of roles and responsibilities, communication and information sharing procedures (both internal and external), a process for documenting and reporting security events, and a post-incident review process to identify improvements. The plan must be maintained and updated as your environment changes. The FTC also requires that security events be reported to the Qualified Individual designated under the rule, and that the Qualified Individual report at least annually to the board of directors or equivalent governing body on the overall status of the security program and material matters related to it.