The protection of consumer information is one of the major concerns of businesses in nearly every sector of the economy, particularly financial institutions. The Federal Trade Commission (FTC) Safeguards Rule is a critical requirement for these organizations. It sets out specific requirements for certain financial institutions, and this article covers those requirements, a plan for ensuring compliance with the regulation, the challenges identified in meeting the rules, and a process for auditing compliance.
What is the Safeguards Rule by the FTC?
The Safeguards Rule was issued in 2003 under the Gramm-Leach-Bliley Act (GLBA). Over time, the FTC has periodically updated the rule to expand its coverage and keep pace with new and emerging cybersecurity threats.
Under the FTC Safeguards Rule, an organization must design, implement, and maintain a comprehensive information security program to secure consumer information. While such security requirements are the norm in most financial contexts, this rule applies them to the non-bank financial sector, specifically to lending (mortgage brokers, car dealerships, payday lenders, etc.).
The core reason for the Safeguards Rule is to create a responsibility in such organizations, forcing them to take steps to protect sensitive consumer information from threats.
What Are the Requirements for FTC Safeguards?
The Safeguards Rule requires that a financial institution’s cybersecurity be sturdy, adaptive, and effective, so that unauthorized access to consumers’ personal information, and other threats against it, are prevented.
Some of the requirements expected to help support this mission include:
- Designate a Qualified Individual: The financial institution must designate one qualified individual to implement and oversee the information security program. This person must have experience in security and compliance and can be either an internal employee or a vendor-supplied resource.
- Create a Written Information Security Plan (WISP): The rule requires organizations to produce a WISP, the comprehensive security plan they intend to implement (or have already implemented). Templates and guidelines for a WISP are typically found in IRS publications (several IRS requirements also call for a WISP).
- Design and Implement Safeguards: The organization must design and implement safeguards to control the risks it has identified. This includes measures to detect attacks or system failures, to prevent them, and to recover from them when a breach does occur.
- Test Safeguards: The financial institution must continuously or periodically monitor and test the effectiveness of its safeguards. It should also adjust its security practices in light of monitoring and testing results, as well as changes in operations or circumstances that may affect the security program’s effectiveness.
- Oversight of Service Providers: The financial institution must retain only those service providers capable of maintaining appropriate safeguards for the information the institution shares with them. Contracts must require service providers to implement and maintain such safeguards and to have an incident response plan in place.
- Evaluation and Adjustment of the Program: The institution should evaluate and adjust its information security program in light of technological changes, the sensitivity of customer information, and threats to that information.
- Written Incident Response Plan: The rule requires an institution to develop and implement a written incident response plan. The plan describes what the institution will do after a security event that has compromised the confidentiality, integrity, or availability of customer information.
- Reporting to the Board: The institution must report on the overall status of its information security program to its board of directors, or to a body performing a similar function, at least annually. The report must also describe the institution’s compliance with the Safeguards Rule.
Strategies for Compliance with the FTC Safeguards Rule
You don’t have to approach these regulations cold: with the right preparation and strategy, compliance is natural and straightforward. What matters is having a plan.
Some steps to take include:
- Develop a WISP: Develop a fully written information security plan that details the specific actions the organization will take to protect consumer information. The WISP should be based on the organization’s unique risks and operations. Writing it will also help you understand your baseline capabilities and limitations.
- Employee Training and Awareness: Regular training and awareness programs are essential to educate employees on data security best practices and to reinforce their responsibility for guarding consumer information.
- Access Control: Implement strict access controls so that only authorized personnel, selected by role or other criteria, can access consumer information.
- Data Protection and Encryption: Encrypt sensitive data by default wherever it is stored or transmitted.
- Regular System Updates and Patching: Software, firmware, and hardware vendors regularly release patches to address the latest security issues. Keeping your infrastructure updated ensures that, at a minimum, you are keeping up with the latest known threats.
- Incident Response Plan: Develop a detailed incident response plan based on a current, well-organized inventory of vulnerabilities and threats, so that breaches are less likely to escalate into larger-scale problems.
- Self-Audits: Conduct regular audits and ongoing monitoring of the information security practices within your business. These help you quickly identify and address weaknesses or compliance gaps.
- Documentation and Record Keeping: Keep proper records of your policies, procedures, security incidents, and any steps you have taken to address security issues.
- Reporting to the FTC: In the event of a data breach, a company must notify the FTC within the FTC’s prescribed time limits. Otherwise, the company faces stiff penalties from the FTC for failing to report the breach.
Get Ready for FTC Safeguards Compliance with Lazarus Alliance
If you’re a non-bank lender looking to meet and maintain your obligations under the FTC Safeguards Rule, trust Lazarus Alliance to support your compliance strategy.