How to Devise a Plan for Defensibility

Are you ready to comply with the new FTC Safeguards Rule? You only have few short months left – and a long list of requirements. Here’s a guide to how TPx would help you become defensible.

3/24/2023 12:30 P.M.

A Quickly Approaching Deadline: June 9, 2023

The newly revamped Safeguards Rule affects ACA members directly. It defines standards for financial institutions to protect the integrity of customers’ private personal information (PPI).

The FTC requires all affected financial institutions to be compliant by June 9, 2023. “Financial institutions” include mortgage brokers, accountants, car dealerships (that offer financing), collection agencies, and anyone else who has non-public personally identifiable financial information.

Need a quick reminder of the Safeguards Rule requirements? Check out our TPx’s Safeguards Rule webpage, which provides all the highlights you need to know before the deadline.

It Can’t Be a Big Deal: What Are the Consequences?

Though it may seem like you have some time to get your ducks in a row, getting your security program defensible to the new Safeguards Rule may take months. If audited, organizations can face a hefty fine (up to $100,000 per incident), and leadership of companies can be personally fined and even receive jail time.

Since there are many requirements, we recommend starting now to avoid hasty decisions, shortcuts or penalties.

Safeguards Defensibility Breakdown

When getting started, it’s important to collect key documents that you should have or will need to develop. TPx can help prepare these documents for you. Here are a few of the documents you’ll need:

  • All your existing cybersecurity documentation
  • Previous policy plans, plus gap and vulnerability assessments
  • Heat maps and interview logs

With the previous reporting secured, reviewing further scans and assessments required by the Safeguards Rule may take time.

TPx provides the scans and assessments the FTC Safeguards Rule specifies. We are able to help you with gap assessments, vulnerability and penetration scanning. We can also create an incident response plan for you as well as the following policies that we recommend for you to have:

  • System Security Plan (SSP)
  • Access Control Policy
  • Asset Management Policy
  • Encryption Policy
  • Multi-Factor Authentication (MFA) Policy
  • Data Retention/Disposal Policy
  • Change Management Policy
  • Log/Activity Monitoring Policy

Once the assessments are run, you will need to remediate any issues found. This is likely going to take some time, so it’s good to keep that in mind—and get started early.

Beyond these initial assessments and cybersecurity plans, the FTC requires:

  • An appointed qualified individual or managed service provider like TPx to implement and supervise your company’s information security program—this individual must report in writing regularly to your Board of Directors.
  • A periodically reviewed documentation of access controls—who has customer data and whether they still need it for legitimate business.
  • The encrypted customer information on your system.
  • Regular assessment of your apps—your own or third party.
  • Multi-factor authentication—the rule calls out MFA as a mandatory requirement, regardless of company size.
  • Security awareness training—TPx offers fully-managed security awareness training that follows NIST guidelines and includes phishing simulations.
  • Secure disposal of customer information—for most businesses, it means securely disposing of customer information no later than two years after your most recent use of it to serve the customer.

It can be overwhelming to tackle all the requirements with limited resources. TPx can help guide you through all the steps and make this easy.

Go to to get started.

If you have executive leadership updates or other member news to share with ACA, contact our communications department at [email protected]. View our publications page for more information and our news submission guidelines here.




One moment please...

Share Profile

This site uses cookies. By continuing to use our site, you are agreeing to our use of cookies. Review our Privacy Policy for more information. You may change your preferences on how cookies are stored by reviewing the settings on your browser.

The content on this site is presented for educational, general reference, and informational purposes only; is not intended to serve as legal or other advice; is not intended to be a full and exhaustive explanation of the law in any area; and should not replace the advice of your own legal counsel. By continuing to use our site, you are agreeing to the legal disclaimers in our Terms of Use. Review our Terms of Use for more information.

Friendly Reminder

Get continued access to ACA International’s wide array of resources, which can help you become more profitable, compliant and successful.

Renew your membership today to take advantage of tools you won’t find anywhere else:

  • Discounts on seminars, products, services and events
  • Resources to strengthen your compliance department
  • Industry-specific risk management products and services
  • Participation in ACA’s online community, The Hub
    Members-only website content
  • Professional development and training opportunities, and so much more!

If you have completed your renewal, please disregard this reminder.