GLBA Compliance Deadline: June 9th, 2023

May 22, 2023

WHAT IS THIS? A reminder to higher education and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA): the deadline to comply with the FTC’s revised Standards for Safeguarding Customer Information, aka “The Safeguards Rule,” is here. Covered institutions must comply by June 9, 2023.

This revised rule expanded the definition of “financial institution” to cover entities engaged in activities that are incidental to financial activities, including “finders” – companies that bring together buyers and sellers of products and services. This revised rule is more onerous and looks almost identical to the NYDFS Cybersecurity Regulation. For a list of those types of companies that must comply, view them here.

News on the Safeguards Rule

In December 2021, the FTC broadened the Safeguards Rule by creating more detailed requirements. They include:

  • Designate a “qualified individual” to oversee a financial institution’s information security program;
  • Develop a written cyber risk assessment and incident response plan;
  • Provide written reports to the institution’s board of directors (or other governing body) about the overall status of the information security program and compliance with the Safeguards Rule;
  • Encrypt customer information in transit and at rest (or use alternative compensating controls where encryption is infeasible);
  • Implement multifactor authentication (MFA) for all individuals who access systems that process customer information or that are connected to systems that process customer information;
  • Adopt secure development practices for in-house developed software and processes for assessing the security of externally developed applications;
  • Regularly test the security program, including through continuous monitoring measures such as penetration testing and vulnerability assessments; and
  • Oversee service providers, including by periodically assessing service providers’ security practices.

The requirements went into effect in January 2022; however, the FTC extended the compliance deadline until June 9, 2023.

Complying with the Safeguards Rule: 3 High Priority Actions

For many covered financial institutions, compliance with the Safeguards Rule may require significant planning, stakeholder engagement, implementation, change management, and documentation. For institutions still working to bring their security programs into compliance with the rule, we recommend the three priority actions listed below. While these actions are by no means comprehensive, they address foundational Safeguards Rule requirements and can be leveraged to address the remainder of the rule over time.

  1. Appoint a Qualified Individual

    The Safeguards Rule (both the original and new versions) requires institutions to “[d]esignate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.” The qualified individual can be an employee of the institution, its affiliate, or a service provider (e.g. TEKRiSQ). In many cases, the institution’s qualified individual will be its chief information security officer, chief compliance officer, or someone in a similar role. Many businesses do not have in-house cybersecurity staff and may therefore seek to outsource this role. The qualified individual should have the appropriate experience and authority to oversee the institution’s security program, make necessary changes to that program, and report candidly to the board of directors or other governing body about the institution’s security compliance and risks. An information security program must include not only technical safeguards and measures but also administrative and physical ones, meaning that the qualified individual must have broad visibility into and influence over activities across the organization. This can easily be achieved through an annual NIST-based cyber risk assessment.
  2. Conduct a Cyber Risk Assessment

    Once you have a qualified individual in place, the Safeguards Rule dictates that you must conduct a periodic risk assessment. These assessments help to demonstrate the sufficiency of information security programs and/or outline recommendations. The rule expressly requires businesses to run their information security programs based on the findings of risk assessments and to implement security safeguards to remediate the risks those assessments identify.

    Recent fines highlight the importance of conducting a risk assessment. In May 2023, the New York Department of Financial Services (NYDFS) fined bitFlyer USA $1.2M for, among other things, failing to conduct a risk assessment under the NYDFS Cybersecurity Regulation. NYDFS found that although bitFlyer USA had conducted an IT audit of its systems, that audit did not give the company insight into its security risks or how to mitigate those risks. Accordingly, the company failed both to conduct a compliant risk assessment and to base its security safeguards on that assessment. The FTC expressly modeled the new Safeguards Rule after the NYDFS Cybersecurity Regulation, so the NYDFS action against bitFlyer USA should be a precedent for future FTC actions enforcing the Safeguards Rule’s risk assessment requirements.

  3. Deploy Security Safeguards

    Once a risk assessment is complete, businesses should deploy the specific safeguards recommended for compliance, including:
    • Access Controls – password management, DNS blocking & filtering, etc.
    • Encryption Methods – both in transit & at rest (or other methods if encryption is infeasible)
    • MFA – multifactor authentication for accessing customer information and related systems
    • Backup – data retention and disposal, often encompassing a suitable, tested backup strategy
    • Activity Monitoring & Logging – often involving the management of endpoints


Other Tips: Triage Third-Party Risks

Third-party cybersecurity risk has been a major area of focus for federal and state regulators. The Safeguards Rule covers two types of third-party risks: those arising from service provider relationships and those arising from software supply chains. To address service provider risk, the Safeguards Rule requires financial institutions to take a three-pronged approach. Institutions must oversee service providers by vetting their security practices up front, requiring them to maintain security safeguards by contract, and periodically reassessing their security compliance and practices.

Establish Processes To Monitor Effectiveness

The Safeguards Rule requires businesses to “regularly test or otherwise monitor the effectiveness of” their security safeguards. To monitor information systems, the Safeguards Rule provides a choice: institutions shall either conduct “continuous monitoring” or undergo penetration testing annually and vulnerability assessments at least every six months. The FTC described “continuous monitoring” in its proposal to adopt the new Safeguards Rule as “any system that allows real-time, ongoing monitoring of an information system’s security, including monitoring for security threats, misconfigured systems, and other vulnerabilities.”

Time to Get Moving!

With under a month left before the full Safeguards Rule goes into effect, you need to get busy now with compliance. Let TEKRiSQ help you comply in 30 minutes.