Make sure you are protecting consumer information according to the requirements of the Safeguards Rule.
4/25/2023 1:30 P.M.
The FTC’s Safeguards Rule calls out multifactor authentication (MFA) as a mandatory requirement, regardless of company size.
Under the text of the Safeguards Rule, multi-factor authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics.
The rule tells businesses to “implement multi-factor authentication for anyone accessing customer information on your system.” The only exception would be if your Qualified Individual has approved—in writing—the use of another equivalent form of secure access controls.
So what does that mean for your business?
Financial institutions that are subject to the FTC’s Safeguards Rule must ensure that they have policies and procedures in place to require MFA for remote access to customer information systems.
MFA provides an additional layer of security by requiring users to present more than one form of identification. This can be something the user knows, such as a password or PIN; something the user has, such as a smart card or token; or something the user is, such as a fingerprint or facial recognition.
By requiring multiple factors for authentication, MFA makes it much harder for unauthorized users to gain access to sensitive information. Even if a user’s password is compromised, for example, an attacker would still need access to the user’s phone or other authentication device to gain access to the system.
In addition to the Safeguards Rule, other regulations require multifactor authentication as well. The Payment Card Industry Data Security Standard (PCI DSS) requires MFA for all non-console administrative access to systems handling cardholder data. Similarly, the National Institute of Standards and Technology (NIST) recommends the use of MFA in its Cybersecurity Framework.
MFA is a critical component of your security program. Implementing MFA can not only help you comply with regulations, but also protect sensitive information from unauthorized access and reduce the risk of data breaches.
If you need help with becoming defensible under the FTC’s Safeguards Rule, go to tpx.com/aca to get started.