What’s New Under the FTC Safeguards Rule?
The biggest change in the newest version of the Safeguards Rule is the expanded definition of what qualifies as a “financial institution.” Prior to this rule, regulated institutions included familiar organizations such as banks and credit unions, along with investment firms and fintech companies.
Under the new iteration, the definition also encompasses many more organizations, including businesses wiring money on behalf of customers, income tax return preparers, mortgage brokers, and colleges and universities accepting Title IV funds. In practice, this means that businesses even peripherally involved in the handling or transfer of funds are subject to FTC oversight.
Under the new rule, financial institutions must also:
- Appoint a “qualified individual” to oversee and implement security programs
- Conduct written, expanded risk assessments
- Encrypt financial data and use multi-factor authentication
- Create a written incident response plan
- Submit an annual report to boards or other governing bodies about actions taken to comply with the Safeguards Rule.
The good news is that companies have more time to get ready: While changes to the Safeguards Rule were originally slated to take effect on Dec. 9, 2022, this date has been pushed to June 9, 2023.
What Does the New FTC Safeguards Rule Mean for Businesses?
The biggest impact of the new Safeguards Rule iteration is the risk of businesses being caught unaware that the rule applies to them. As a result, a better-safe-than-sorry mindset should apply. If your company handles or processes any type of financial transaction, even as a mediator or conduit, the rule likely applies.
Next is the ability to meet new requirements. While it’s one thing for companies to be told they must appoint qualified individuals to oversee their information security programs, it’s another to find, hire, train and retain the right people for the job, especially given the shortage of skilled tech talent available across the market.
There are some exemptions. For example, financial institutions with fewer than 5,000 customers are exempt from writing incident response plans and conducting written assessments, but they must still implement multi-factor authentication.
How to Comply With the New FTC Safeguards Rule
Ensuring compliance with the Safeguards Rule starts by recognizing that security is a journey. While it’s always a good time to start, there’s no single endpoint. Instead, security continues to evolve as new threats emerge.
Financial institutions taking stock of where they are in terms of compliance — and where they need to be — is the next step. CDW can help streamline this process. Thanks to a substantial depth of resources, technologies and partners, partnership with CDW makes it possible for firms to stay ahead of the compliance curve rather than running to catch up.
Businesses can start with technology assessments and gap analysis to identify where they meet current requirements and where they need to improve. Security experts can then provide nuanced guidance on how organizations can comply with the Safeguards Rule while solution architects help them select the ideal set of technology partners.
Assessment, analysis and integration solutions from CDW can help financial institutions check the boxes of new Safeguards Rule obligations and ensure they’re ready to meet the next iteration of financial security safeguards.