FTC’s New Updated Cybersecurity Safeguards

Feb 11, 2022

Reading Time : 5 min

Effective as of January 10, 2022, the updated new final Safeguards Rule (the “Final Rule”) is the FTC’s latest measure against increasing cyberattacks, containing new requirements and definitions for financial institutions to develop, implement and maintain comprehensive security systems to secure consumer information. In the same announcement, the FTC also released a notice of proposed rulemaking (NPRM) that would require certain cybersecurity events to be reported to the FTC.

While some parts of the Final Rule are now effective, most of the more substantive provisions will not go into effect until December 9, 2022.

Specific Requirements and New Definitions

The Final Rule, which incorporates public commentary dating back to 2019, is the first update to the Safeguards Rule since its 2003 effective date. The Safeguards Rule was instituted to fulfill the FTC’s mandate under the Gramm-Leach-Bliley Act (GLBA) to create rules for the processing and protection of personal information by nonbanking financial institutions under its jurisdiction. While the Safeguards Rule required these institutions to develop written information security plans, it did not generally dictate specific security measures, instead requiring plans tailored according to an institution’s individual risk.

The Final Rule makes five key changes to the 2003 Safeguards Rule:

1. Information Security Program Criteria

The Final Rule adds specific requirements for financial institutions to implement an information security program, including access controls, data inventory and data classification, authentication, encryption, disposal procedures, incident response and conducting risk assessments. While the Final Rule retains previous employee training and service provider oversight requirements, it adds measures to ensure those requirements are implemented effectively: requiring training programs updates as necessary, and assessment of service providers’ risk and safeguard adequacy.

2. Designated Information Security Program Coordinator

Instead of the previously required one or more employee coordinators, financial institutions will now be required to appoint a single “qualified individual” to oversee the information security program. This does not have to be a Chief Information Security Officer (CISO) position, nor does the Final Rule specify any particular expertise or certifications. While a third party service provider may fulfill this role, the financial institution is ultimately responsible, and must still maintain oversight of the service provider.

3. Exemptions for Small Companies

Although there is not an entity level exemption for small companies, the FTC did recognize that certain requirements may impose too large a burden on these companies. Thus, financial institutions that collect information on fewer than 5,000 customers will have specific exemptions from the requirements for written risk assessments, continuous monitoring or annual penetration testing and bi-annual vulnerability assessment, written incident response plans and annual reporting to the board of directors. They still must meet other requirements under the Final Rule: namely the requirement to appoint a qualified individual to oversee information security, conduct risk assessments, implement a written information security program, evaluate and adjust the program as needed, oversee service providers and train employees.

4. Expanded Definition of “Financial Institution” and New Regulation for “Finders”

The Final Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be “incidental to financial activities,” namely the activities of “finders.” Now under the scope of the Safeguards Rule, “finders” are companies that bring together buyers and sellers “of any product or service for transactions that the parties themselves negotiate and consummate.” Examples of finder activities include identifying and referring potential parties to each other, arranging meetings and conveying expressions of interest, bids and offers relating to a transaction. The scope is narrower than it may first appear, as the Final Rule clarifies that only finder activities that involve commercial transactions are covered, and only information from customers with which the financial institution has a continuing relationship.

5. New Definitions and Examples

Several new definitions and examples are added into the Safeguards Rule itself rather than incorporating them through references from related FTC rules. These include terms such as “personally identifiable financial information” and “financial institution,” which readers can now examine without needing to reference the Privacy of Consumer Financial Information Rule (the “Privacy Rule”) as they did previously.

Scope

The Final Rule applies to nonbanking financial institutions, such as mortgage lenders, motor vehicle dealers, finance companies, pay day lenders, certain investment advisors, travel agencies operated in connection with financial services, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, tax preparation firms and credit counselors along with other financial advisors and financial institutions that are not otherwise subject to another financial regulator under Section 505 of the GLBA, 15 U.S.C. §6805.

Compliance Deadlines

Most provisions (those under Section 314.5) will not take effect until one year after December 9, 2021, when the Final Rule was published in the Federal Register. However, several requirements are effective now:

  • Regular Testing and Monitoring

The requirement of testing detailed in Section 314.4(d)(1) continues to be effective and companies presently must have key controls, systems and procedures will need to be routinely tested and monitored for effectiveness, including those intended to detect actual and attempted attacks or intrusions. The specific testing requirements outlined in Section 314.4(d)(2), however, will not be effective until December 9, 2022.

  • Service Provider Oversight

Financial institutions must take reasonable steps to select and retain service providers that are capable of maintaining reasonable safeguards for protecting customer information. Contractual provisions requiring service providers to implement and maintain appropriate safeguards will also be required.

  • Re-evaluating Written Information Security Programs

Financial institutions must evaluate and adjust their information security programs based on (1) the results of the regular testing and monitoring, (2) any material changes to their operations or business arrangements, (3) the results of risk assessments or (4) “any other circumstances that they know or have reason to know may have a material impact” on their information security program.

  • Risk Assessments

Separately from the detailed written risk assessments required one year from publication, financial institutions will have a more immediate requirement to conduct additional periodic risk assessments that “reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.” The re-evaluation of the written security program will be in part based on these assessments.

Proposed Cybersecurity Event Reporting Requirement

In addition to the updates in the Final Rule, the FTC has announced it will now seek comment on whether to further amend the Safeguards Rule to include reporting requirements for certain cybersecurity incidents. When (1) a covered financial institution determines customer information has been or is reasonably likely to be misused and (2) at least 1,000 customers have been affected or reasonably may be affected by the incident, the financial institution will be required to report the incident to the FTC, according to the supplemental notice. Notification would have to be made as soon as possible but no later than 30 days after discovery of the incident, using a form on the FTC website.

The period for public commentary ended on February 7, with industry groups and the U.S. Chamber of Commerce calling for more streamlining of reporting regulations. In its commentary, the U.S. Chamber of Commerce called on the FTC to pause the rulemaking until it can come up with a plan to “harmonize the myriad regulations” from the Safeguards Rule.

Takeaways

Financial institutions covered by the GLBA (including financial technology companies) now face detailed prescriptive requirements for cybersecurity protections and should begin reexamining their information security programs. The high-level elements prescribed by the old rule have been replaced with a more detailed regime that views the protection of customer information as a critical organization-wide effort.

Please contact a member of Akin Gump's cybersecurity, privacy and data protection team if you have any questions about how this updated rule may impact your company or your company's information security program.

Share This Insight

Previous Entries

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

Data Dive

September 17, 2024

Following the publication of the European Union’s Artificial Intelligence Act (AI Act or Act) on 12 July 2024, there are now a series of steps that various EU bodies need to take towards implementation. One of the first key steps is in relation to the establishment of codes of practice to “contribute to the proper application” of the AI Act.

...

Read More

Data Dive

August 6, 2024

On July 30, 2024, the Senate passed the Kids Online Safety and Privacy Act (S. 2073) via an overwhelmingly bipartisan vote of 91-3 shortly before departing for the August recess.

...

Read More

Data Dive

July 18, 2024

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

...

Read More

Data Dive

July 18, 2024

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).1

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.