The Federal Trade Commission announced it is extending the Safeguards Rule enforcement period by six months. The new deadline for complying with the updated requirements of the Safeguards Rule is now June 9, 2023. Let’s take a closer look at what this rule is, and what this extension means for businesses.
What is the Safeguards Rule?
The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. The rule applies to financial institutions that are subject to the FTC’s jurisdiction and aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.
If your business is one of the following, you are subject to compliance:
- Mortgage lenders
- Payday lenders
- Finance companies
- Mortgage brokers
- Account servicers
- Check cashers
- Wire transferors
- Collection agencies
- Credit counselors and other financial advisors
- Tax preparation firms
- Non-federally insured credit unions
- Investment advisors that aren’t required to register with the SEC
The rule calls for businesses to:
- Designate a qualified individual to oversee their information security program
- Develop a written risk assessment
- Limit and monitor who can access sensitive customer information
- Encrypt all sensitive information
- Train security personnel
- Develop an incident response plan
- Periodically assess the security practices of service providers
- Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information
Organizations that fail to meet these requirements face serious risks and can even incur fines from the FTC. These fines can peak at $50,120 per day per occurrence of a breach. Firms that are not compliant also put themselves at an increased level of cyber risk, which can lead to breaches and serious data loss. Along with these breaches comes the reputational damage from failing to protect your customers.
Why is the Deadline Being Extended?
The FTC is extending the deadline based on the shortage of qualified personnel available to implement information security programs. In addition, many organizations are still catching up from the disruption to operations and resources that COVID-19 caused in 2020. This extension should give affected organizations more time and flexibility as they adjust their operations accordingly. It also gives organizations more time to make sure they have qualified personnel available who can help them develop robust security programs that will meet FTC standards.
The FTC’s decision to extend its deadline should provide relief for organizations that need additional time or resources as they attempt to comply with updated regulations under the Safeguards Rule. Organizations should use this extra time wisely so that they can ensure compliance before June 9, 2023.
The required security controls can be quite difficult to implement. Alliant Cybersecurity is a one-stop provider for all a business’s cybersecurity needs. We have a deep bench of cyber experts who are passionate about advising businesses on the implementation of compliance regulations, as well as several solutions to harden your security posture. Reach out today for a gratis cybersecurity consultation to see where you stand on your path toward compliance.