Gary Hibberd

FTC Safeguards Rule - What, Why, How?!

 

If you’re confused about the FTC Safeguards Rule, then you’re not alone.

 

Let’s be clear from the outset: if you’re not based in the USA, or you’re NOT in the financial sector, then this probably isn’t going to be of much interest.

 

But if you are a non-banking financial institution such as a mortgage lender, finance company or tax preparation company then you need to be on top of this regulation, and this blog could help you a LOT.

 

We’re being asked by a number of companies in the US to help them make sense of this regulation, largely because of the ambiguity in the text.

Before we get into this, let’s start at the beginning (but jump ahead if you already know the background).


What is the new Federal Trade Commission (FTC) Safeguards Rule?

 

This is a critical regulation designed to protect the security of customer information held by financial institutions. The FTC issues it under the Gramm-Leach-Bliley Act. The original Rule took effect in 2003; it was substantially amended in 2021, with most of the new requirements taking effect in June 2023, and a further amendment that took effect in May 2024 requires covered institutions to notify the FTC within 30 days of discovering a security event involving the unencrypted information of 500 or more consumers. The updates were made to keep pace with the evolving technology and security threats we have seen over the years.

 

What does the Safeguards Rule require companies to do?

 

The Safeguards Rule requires covered financial institutions to:

  • develop,

  • implement,

  • and maintain an information security program

using administrative, technical, and physical safeguards designed to protect customer information.

 

This is a big undertaking: the requirement is not only about developing your own security controls but also about ensuring that your affiliates and service providers maintain adequate safeguards. (Arguably, third-party risk is one of the biggest exposures most firms face.)


What is required by the FTC Safeguards Rule?

The key requirements of the Safeguards Rule are that you:

 

  • Designate a Qualified Individual to implement and supervise your company’s information security program (and report to the Board)

  • Conduct a risk assessment.

  • Design and implement safeguards to control the risks identified through your risk assessment. The Rule names specific safeguards it expects to see, including access controls, a data and systems inventory, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, secure disposal of information no longer needed, change management, and monitoring and logging of authorised users’ activity.

  • Regularly monitor and test the effectiveness of your safeguards. The Rule expects either continuous monitoring or, failing that, annual penetration testing plus vulnerability assessments at least every six months.

  • Train your staff.  

  • Monitor your service providers.

  • Keep your information security program current. 

  • Create a written incident response plan. 


There is a lot to unpack in each of these requirements, not least of which is the design and implementation of safeguards to control the risks you have identified (through your risk assessments … you DO conduct risk assessments, right?!)


What’s the purpose of the Safeguards Rule?

Like the international standard for information security (ISO/IEC 27001), the Rule states the objectives of your program. Your program must be designed to:


  • ensure the security and confidentiality of customer information;

  • protect against anticipated threats or hazards to the security or integrity of that information; and

  • protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.


This is very close to the classic ‘CIA’ Triad we have discussed in Information Security for more than 25 years: Confidentiality, Integrity and Availability. The first two objectives map directly onto confidentiality and integrity; availability is not named explicitly, though a program that ignores it will struggle to meet the other two. The CIA triad itself has since been expanded to include Privacy, and what that means in an ‘AI-driven’ world is still being worked out.



What is the confusion?

Like most regulations, it tells you what you need to do, but not HOW to go about it. This is understandable, because every non-banking financial company is different and will therefore have different requirements.


The confusion often comes from the Rule’s statement that your information security program must be appropriate.


But what does ‘appropriate’ mean? This is something we discuss extensively within our webinars and training sessions, but in essence ‘appropriate’ must be defined by YOU, based on the size and complexity of your business, and it should consider the nature and scope of your activities. It must also take into account the sensitivity of the customer information you process.


For example, if you are a small business (1 to 10 people) processing tax returns for 20 or 30 companies and individuals, your security program will look very different from that of a business employing hundreds of people across multiple locations, giving mortgage advice to and handling money for thousands of customers.


But be under no illusion – no matter which end of the scale you sit, the FTC expects you to pay due regard to the controls required.

What do you need to do?

Firstly, don’t panic but don’t delay!


Our advice is always to start simple and work out from there, because you can’t protect what you don’t understand.


Start with a Risk Assessment.

This is absolutely key to being in control, and your risk assessment starts with an inventory of what customer information you hold, where it is held (which systems, locations and third parties) and who has access to it.


From this position of knowledge you can start to identify how the information could be at risk (and from whom). You can then determine what security controls you need, some of which may be administrative, physical, or technical (or a combination of these).


Now you have this insight, you can start to develop an appropriate information security program that works for YOU.


Let me repeat… You need to develop an appropriate information security program that works for YOU.


This is SO important, because we see businesses becoming LESS secure, due to the burden they place on themselves when trying to implement onerous policies or technical controls that cost the earth, but add little value.


Conclusion

“Don’t try to boil the ocean…” It’s something someone said to me many years ago. Don’t try to do everything at once, because you’ll set yourself up for failure.


My final piece of advice is to suggest that you first designate a suitably qualified Individual to implement and supervise your company’s information security program.  They should report to the Board and be skilled in Information Security, Data Protection and Risk Management.


They will need your support and they may need training. But they will be instrumental in helping you comply with the FTC Safeguards Rule.

Need help?


We offer FREE webinars and advice on Information Security and the FTC Safeguards Rule. We are also running 1 day workshops to help your qualified individual to build a structured plan.


For more information simply click the button below to sign up to our webinar.


