FTC Expands Cybersecurity Rule for Los Angeles Financial Service Firms
The Federal Trade Commission (FTC) recently finalized a long-debated update to its Safeguards Rule that sets out more definitive criteria for what financial institutions must enact as part of their information security programs. Among other essential changes, many organizations in Los Angeles will likely be affected by an expansion of the rule’s reach to include “finders,” which may allow organizations to avoid the current weight of regulatory responsibilities and the uncertainties of state law requirements.
The new rule reinforces the security safeguards required for customer data. These include risk assessments, penetration testing, and vulnerability scanning (in addition to other safeguards and best practices).
What Is The Safeguards Rule?
The Gramm-Leach-Bliley Act (GLBA) requires a range of financial institutions to protect customer information. Enforcement of the GLBA is divided among several federal agencies. In the past, the Safeguards Rule left the implementation details of the information security program up to the financial institution.
The Safeguards Rule’s extensive definition of financial institutions includes non-bank businesses that offer financial products or services, such as the following:
- Auto dealers
- Mortgage brokers
- Non-bank lenders
- Real estate appraisers
- Tax preparers
Customer information includes records containing non-public Personally Identifiable Information (PII) about a customer that will be used by a financial institution. The Rule also applies to credit reporting agencies and other companies that receive information about the customers of other financial institutions.
The Revised Safeguards Rule
Many of the updates to the Safeguards Rule are centered on strengthening the requirements for how financial institutions develop and implement their security programs. The revised Safeguards Rule contains the following modifications:
- Additional specifics and guidance on how to create and implement Written Information Security Programs.
- Provisions designed to improve the accountability of Written Information Security Programs.
- A requirement that financial institutions name a qualified individual to oversee their security programs.
- An exemption for some financial institutions that collect less customer information.
- A broader definition of financial institutions that includes companies that bring buyers and sellers of a product or service together.
- An expansion of the safeguards that financial institutions must implement as part of their information security program.
The Safeguards Rule reflects the common themes that arise across the variety of legal, regulatory, and industry requirements. The Rule requires that Written Information Security Programs be based on risk assessments and establishes key areas that the risk assessment must address:
- Standards for evaluating the risks that financial institutions face.
- Standards for assessing the security of a financial institution’s information systems.
- How the identified risks will be addressed moving forward.
Financial institutions may carry out their own risk assessments as long as their method of conducting the assessment identifies foreseeable risks. It is important to note that the Rule does not contemplate financial institutions throwing out their Written Information Security Programs and starting over with a new risk assessment. Rather, the Rule contemplates financial institutions reviewing their existing Written Information Security Programs against the new requirements and addressing any gaps.
As the Federal Trade Commission continues to examine how to update its approach to the variety of data privacy and security challenges that organizations will continue to face, financial institutions should take this time to assess their cybersecurity posture. The revised Rule will become effective in January 2022, but most of the substantive provisions will take effect one year from the publication date. Financial institutions therefore have one year to develop and implement the best practices, policies, and procedures needed to comply with the updated Rule.
Generation IX can help you conduct a risk assessment of current compliance under the Rule and implement FTC’s updated Safeguards Rule. Contact us today to schedule a no-obligation security review of your firm’s overall security strategy.
Thanks to the team at Velocity IT in Dallas for their help with this article.
Every day, I work to ensure organizations are leveraging technology to optimize their business, improve employee performance and satisfaction, and protect themselves from cybersecurity threats. I love my role in business development because it allows me to connect with all facets of a business. My primary focus is working with new prospective clients and introducing them to the Generation IX way of IT services and support. Additionally, I evaluate new technology and potential vendor partnerships. We are constantly looking for the best solutions for our clients.