FTC finalizes Safeguards Rule for financial institutions
On October 27, 2021, the Federal Trade Commission (FTC) announced an updated rule under the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions to tighten their data security measures to protect consumer financial information. The updated rule, Standards for Safeguarding Customer Information (the Safeguards Rule), amends the FTC’s Safeguards Rule of 2002 and responds to major data security incidents and cyberattacks in the industry that provides financial services to consumers.
The FTC’s Safeguards Rule applies to non-bank financial institutions, such as check cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal or real estate appraisers, professional tax preparers, courier services and credit reporting agencies. These non-bank financial institutions will likely have to comply with most of the requirements of the new Safeguards Rule by the fourth quarter of 2022.
Unlike previous rules and guidelines promulgated by federal financial regulators, the FTC’s new Safeguards Rule includes specific criteria for safeguards that financial institutions must implement as part of their information security program. For example, the new rule requires financial institutions to implement multi-factor authentication for anyone accessing networks that contain customer information. This represents an important step in the evolution of data security regulation at the federal level: in the past, similar rules gave regulated companies only general guidance rather than specific technical requirements. In this regard, the new Safeguards Rule is likely to give covered financial institutions greater clarity on their obligations to protect consumers’ financial information.
Here are some of the highlights of the new Safeguards Rule:
- Written information security program: The new Safeguards Rule requires financial institutions to establish a comprehensive written information security program, which must include the designation of a qualified individual to oversee and implement the program.
- Risk assessments: The new Safeguards Rule requires financial institutions to undertake risk assessments and implement safeguards to address the identified risks. Risk assessments must be in writing and include criteria for evaluating, categorizing and identifying security risks, as well as how those risks will be mitigated or accepted. Periodic risk assessments must be performed to re-examine reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information.
- Appointment of a qualified individual: The new Safeguards Rule requires a financial institution to designate a qualified individual to be responsible for the institution’s information security program. This is similar in many ways to the New York Department of Financial Services (NY DFS) cybersecurity regulation, which requires covered financial institutions to appoint a Chief Information Security Officer (CISO).
- Penetration tests and vulnerability assessments: The new Safeguards Rule requires annual penetration testing of information systems. Vulnerability assessments, including system scans or reviews of information systems, must be completed at least every six months.
- Encryption of customer information at rest and in transit: The new Safeguards Rule requires financial institutions to encrypt all customer information, both in transit over external networks and at rest. Encrypting data at rest within their own networks can be difficult for many financial institutions. Notably, the new Safeguards Rule allows a financial institution to adopt alternative compensating controls if encryption of customer information, whether in transit or at rest, is infeasible, a flexibility that other regulators have not granted in other contexts; the recent executive order on cybersecurity, for example, contains no such exception.
- Service provider oversight: The new Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers that maintain appropriate safeguards for consumers’ financial information. Financial institutions must periodically assess their service providers to confirm that they continue to do so.
- Multi-factor authentication: The new Safeguards Rule requires financial institutions to implement multi-factor authentication for anyone accessing networks that contain customer information. Authentication factors may include (1) knowledge factors, such as a password; (2) possession factors, such as a token; or (3) inherence factors, such as biometric characteristics.
- Reports to the board of directors: The new Safeguards Rule requires the qualified individual to report in writing at least once a year to the board or governing body on the financial institution’s information security program. The report must cover the overall status of the information security program and the institution’s compliance, as well as material matters related to the program (such as risk assessments and recommendations for changes to the program). This is similar in many ways to the SEC’s 2018 guidance on public company cybersecurity disclosures.
- Retention and disposal of customer information: The new Safeguards Rule requires financial institutions to develop, implement and maintain procedures for the secure disposal of customer information no later than two years after the last date the information was used, unless retention is necessary for business operations or is otherwise required by law. This requirement aligns with the principle of data minimization, which is considered good practice in data security. Likewise, financial institutions must implement policies, procedures and controls designed to monitor and log user activity and to detect unauthorized access to, use of or tampering with customer information.
- Expanded definition of financial institution: The new Safeguards Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The FTC said the change is intended to bring “finders” (companies that bring together buyers and sellers of a product or service) within the scope of the new Safeguards Rule. The FTC reasoned that finders often collect and maintain highly sensitive consumer financial information, and that expanding the definition of financial institution to include them will help protect consumers’ financial information.
These measures closely follow regulations recently adopted by state financial regulators, such as NY DFS, which promulgated its own cybersecurity regulation in 2017. Like the new Safeguards Rule, the NY DFS cybersecurity regulation requires covered financial institutions to implement specific cybersecurity controls, such as encryption of data in transit and at rest and multi-factor authentication.
The new Safeguards Rule takes effect 30 days after its publication in the Federal Register. However, the main requirements of the rule are delayed by one year. The requirements delayed by one year include the appointment of a qualified individual; written risk assessments; annual penetration tests and semi-annual vulnerability assessments; periodic assessment of service providers; and a written incident response plan. The remaining requirements, which take effect 30 days after publication, largely mirror the requirements of the existing Safeguards Rule. Financial institutions are therefore unlikely to face new obligations until the delayed requirements come into effect in a year.
Financial institutions should carefully review the new Safeguards Rule to ensure compliance.