Protecting a business starts with protecting its sensitive data, and companies need to take notice of an updated federal mandate that could have costly consequences if they don’t prepare. The Federal Trade Commission’s (FTC) Safeguards Rule mandates that organizations that engage in “significant” financial activities maintain certain security protocols to keep their customers’ information secure. Under the FTC’s definition, many companies are considered financial institutions, including finance companies, mortgage brokers, check cashers, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, investment advisors, mortgage and payday lenders.
In October 2023, the FTC announced an amendment to the Safeguards Rule that requires financial institutions to notify the FTC as soon as possible — and no later than 30 days — after discovering a security breach of unencrypted data affecting at least 500 customers. The earlier iteration of the rule did not include a notification requirement; the change is intended to keep the regulation current with evolving threats in the security landscape.
According to the FTC, “Receipt of these notices will enable the Commission to monitor for emerging data security threats affecting financial institutions and to facilitate prompt investigative response to major security breaches.”
When alerting the FTC, companies must include specific information about the event: the contact information of the reporting institution, a general description of the security event and the information compromised, the date of the security event, and the number of customers the breach affected or potentially affected.
Many businesses think complying with the Safeguards Rule can be daunting and costly. However, it can be even costlier for non-compliant companies, as the FTC can levy stiff penalties. The updated breach notification requirement will take effect 180 days after publication in the Federal Register. However, companies should update their security posture to ensure compliance and defensibility as soon as possible.
The good news is that many processes required for compliance — such as written risk assessments, team security awareness training and regular refreshers, and monitoring and testing safeguards’ effectiveness — are security best practices that companies should employ independent of the Safeguards Rule.
TPx offers services to make the process easy and affordable, and helps companies create and maintain a cybersecurity program aligned with the updated Safeguards requirements. The TPx security team stays current and has incorporated the amendment into our Safeguards program. We continually update our security programs to ensure a holistic security posture for our Security Advisory Services customers, so they are prepared to adjust to whatever requirements come next.
Organizations increase their defensibility when they implement and maintain an information security program with administrative, technical, and physical safeguards to protect customer information. An information security program should be tailored to an organization’s size, industry, complexity, and the nature of its activities, while taking into account the sensitivity of the information at risk.
A partner like TPx helps ensure companies are defensible in the face of these changes and helps keep infrastructure and data secure. Not sure where to start? Drop us a line to chart a path to compliance and security.