FTC Safeguards Rule - Compliance due by June 9th 2023
What is it?
A rule requiring financial institutions to take specific steps to protect customer information
Must comply by 6/9/23
Penalties of up to $100,000 per violation for non-compliance
Who needs to comply with the Safeguards Rule?
An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.
Examples include mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
What does a reasonable information security program look like?
Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include. See below.
What does the Safeguards Rule require companies to do?
Develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.
to implement and supervise your company’s information security program (can be a service provider).
safeguards to control the risks identified through your risk assessment.
the effectiveness of your safeguards through continuous monitoring of your system. If you don’t implement continuous monitoring, you must conduct annual penetration testing as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly known security vulnerabilities.
and schedule regular refreshers
Select service providers with the skills and experience to maintain appropriate safeguards.
If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.