Information SecurityNewsPenetration TestingRisk AssessmentsvCISO
Initially established in 2003, the FTC Safeguards Rule outlines data security guidelines for organizations in the financial sector. It is part of the larger 1999 GLBA (Gramm-Leach-Bliley) or financial modernization act which first required financial institutions to document their handling of sensitive customer information.
It goes without saying, however, that rules concerning technology and information security from almost two decades ago are pretty ancient. In a much-needed effort to modernize the original regulation, the rule has been updated as of 2021 to provide better guidance for businesses and refresh its contents. Now, financial organizations will need to go over what this update to the FTC Safeguards Rule covers and ensure that they are compliant with all of the outlined expectations.
One point that the FTC makes in their own article on the updates is that your business has more than likely evolved if you were around back when the rule was first implemented. In other words, even if you were not originally required to follow the regulations outlined in the original Safeguards Rule, your business may be required to now.
The FTC’s advice is to remain updated on the definition of a “financial institution” as outlined in the regulation text to see if your business could be included now, or at some point in the future. The FTC also concedes that the definition found in the Safeguards Rule covers more businesses than are ordinarily referred to as “financial institutions”.
The current definition of “financial institution” found in the glossary (part 314.2 of the rule as of June 2022) is as follows:
“(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”
The Safeguard Rule requirements also outline examples of companies that do and do not qualify as financial institutions, which serves to clear up some of the most common questions. Additionally, organizations that “maintain customer information concerning fewer than five thousand consumers” are exempt from certain requirements. More information on this exception can be found here.
The FTC lists thirteen examples of businesses that are considered to be financial institutions and four that are not. Some potentially unexpected examples of businesses that are considered financial institutions are retailers that issue store credit cards, property appraisers, career counselors who work with clients in the finance industry, finders, and mortgage brokers to name a few. The full list can be found here.
The examples of businesses that are not considered financial institutions by the FTC are as follows:
Now that we’ve established who needs to comply with the regulations, let’s go over what is expected of those organizations named in the rule. In their own words, the FTC states:
“The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Your information security program must be written, and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.”
They go on to outline three objectives that your company’s information security program should seek to achieve: to ensure the security and confidentiality of customer information, to protect against threats or hazards to that information, and of course to protect against unauthorized access as well.
To help organizations understand what constitutes a compliant information security infrastructure, the FTC Safeguards Rule has also outlined nine elements that every program must include. Here we’ll break down each of the nine requirements and link any resources that might be helpful to you as you work your way through the list.
Companies with limited staffing budgets will no doubt find it difficult to hire dedicated security personnel to fulfill this role. Dedicated IT professionals with the qualifications necessary to oversee an information security program certainly aren’t a dime a dozen. Fortunately, the FTC states that this person can either be an employee within the organization or an outside contractor.
In light of this, a vCISO (Virtual CISO) could be your team’s best bet. Many security providers offer this service, giving your organization a professionally certified CISO who will work with your current IT department on security initiatives. A vCISO can help you understand what needs improvement within your existing program, act as a general security advisor, and help you understand how to prioritize your efforts and security spending to get the most value for your time and money.
If you need more information to decide whether an in-house security professional or a vCISO is best for your team, we have another piece on just that topic.
At FRSecure, risk assessments are a service we recommend highly in order to determine where your efforts should be focused and understand how to maximize the impact of your security budget. In fact, our vCISO team always conducts a risk assessment as part of every new engagement so that they can make the best recommendations for each client.
Not only does a comprehensive risk assessment help prioritize budget dollars within a security program, but it also serves to get everyone on the same page about where an organization’s most critical vulnerabilities lie. This fosters a company-wide security culture in which improvement efforts can be concerted and growth is maximized.
Once you’ve conducted a risk assessment, you’ll be required to take what you’ve learned and put it into practice. In addition to working through that to-do list, the FTC has outlined eight items that are required for your company to be considered compliant.
While your risk assessment should have uncovered these issues if they exist, it’s important to know the exact expectations that have been laid out within the Safeguards Rule requirements, so that you can be confident in your organization’s efforts.
As you work through the items outlined by the FTC and in your risk assessment, you will want to circle back and ensure that the changes made have truly addressed the initial security concern and have not introduced any new vulnerabilities for threat actors to exploit.
The most effective way to do this is to conduct a penetration test with a trusted outside security provider. We have a useful blog post written by our in-house attack simulation experts that goes into detail about what a penetration test is, what a thorough test should include, and how to vet the team responsible for conducting yours.
In addition to penetration testing, it’s worth mentioning that risk assessments, like the one you’ll have completed in step 2 are another way to monitor safeguards, especially after big changes are made in your infrastructure. Risk assessments aren’t just a one-time engagement, they can help catch problems, especially ones that penetration testing might miss.
We often say that people can be a security program’s biggest weakness without the proper training, but with a little education, your staff can also be a great strength. Providing regular training for all users in your network doesn’t just further educate your team but maintains an emphasis on security at every level in your organization.
Staff members who have recently undergone training will be less likely to stumble into common pitfalls that hackers use to gain access to a network.
Not only does your organization need a reliable contractor to work on things like penetration tests and risk assessments, but software companies and outside agents that may be handling things like HR or payroll for you need to be up to your security standards as well.
The FTC Safeguards Rule requires that you monitor all outside partners, and ensure that they are up to both the task you’ve hired them for, and your company’s security standards. Keep track of your service contracts, be sure that they spell out your expectations, and double-check that they enable you to monitor the work being done so you can ensure those expectations are upheld.
The threat landscape is always evolving, and so is the technology and software in use at your organization. Last year in 2021, the NIST (National Institute of Standards and Technology) logged a staggering 18,378 vulnerabilities, 4,067 of which were considered high severity as determined by their CVSS V2 Base score. With this in mind, it’s easy to understand why the FTC Safeguards Rule includes this requirement in order for businesses to be considered compliant.
It goes without saying that your program should be flexible enough to allow for changes, updates, and modifications as new threats and vulnerabilities are uncovered over time. Changelogs should be kept updated, and your security team should be well versed on any critical vulnerabilities affecting the software in use at your organization.
One place you can find this information is through our volunteer-based threat hunting initiative, Project Hyphae. Project Hyphae is a charitable project run by FRSecure’s award-winning technical services team, and features a threat feed on the site that covers the most pressing vulnerabilities we see in the field.
The FTC Safeguards Rule also requires that your organization drafts and maintains an incident response plan. The requirements that your plan must meet are listed in part 314.4 of the official rule text.
Having an incident response plan is crucial for any business, not just those in the financial sector, and there’s no better way to prepare for a security event than to make sure yours is thorough, vetted, and practiced by the people who would be involved if a real security incident took place.
If you need help or don’t know where to start, we have a free incident response plan template that will have you covered from start to finish.
Lastly, the FTC Safeguards Rule requires that your appointed “qualified individual” reports to your board of directors or governing body at least once per year. The expectations for this report are straightforward:
“What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.”
In addition to reporting up, we always recommend keeping communication around security issues open from top to bottom in your company as much as is feasible. This helps ensure that everyone understands their role in the greater security program, and helps your staff speak the same language to avoid confusion and foster an effective security culture.
Security isn’t just an IT issue, it’s a business issue as well. Downtime because of an incident is costly, and worse yet- financial losses incurred during a full-blown ransom event can be enough to shutter a business in many cases. A good vCISO will know how to communicate with leaders and decision-makers to break down any barriers that stand in the way of the long-term success of your security program.
While the FTC Safeguards Rule requires a lot from your organization to be considered compliant, it’s important to realize that this is for good reason. As we touched on earlier, the number of security threats is, frankly, staggering. The volume of new vulnerabilities and developments is always on the rise, and for the sake of everyone associated with an organization, we all need to do our part in managing risk.
If you need assistance with anything covered in this article, or within the Safeguards Rule, please don’t hesitate to drop us a line. We are always happy to help in any way that we can.
