Are you ready to comply with the new FTC Safeguards Rule? You only have a few short months left, and a long list of requirements. Here's a guide to how TPx can help you become defensible.
3/24/2023 12:30 P.M.
A Quickly Approaching Deadline: June 9, 2023
The newly revamped Safeguards Rule affects ACA members directly. It sets standards that financial institutions must meet to protect the security, confidentiality, and integrity of customers' nonpublic personal information (NPI).
The FTC requires all affected financial institutions to be compliant by June 9, 2023. "Financial institutions" is broader than banks: it includes mortgage brokers, accountants, car dealerships that offer financing, collection agencies, and any other non-bank business under FTC jurisdiction that holds customers' nonpublic personal financial information.
Need a quick reminder of the Safeguards Rule requirements? Check out TPx's Safeguards Rule webpage, which provides all the highlights you need to know before the deadline.
It Can’t Be a Big Deal: What Are the Consequences?
Though it may seem like you have some time to get your ducks in a row, making your security program defensible under the new Safeguards Rule can take months. If audited, organizations can face hefty fines (commonly cited at up to $100,000 per violation), and company leadership can be personally fined and even face jail time.
Since there are many requirements, we recommend starting now to avoid hasty decisions, shortcuts or penalties.
Safeguards Defensibility Breakdown
When getting started, it’s important to collect key documents that you should have or will need to develop. TPx can help prepare these documents for you. Here are a few of the documents you’ll need:
- All your existing cybersecurity documentation
- Previous policy plans, plus gap and vulnerability assessments
- Heat maps and interview logs
Once that existing documentation is gathered, the additional scans and assessments the Safeguards Rule requires will take time to complete and review.
TPx provides the scans and assessments the FTC Safeguards Rule specifies: gap assessments, vulnerability scanning, and penetration testing. (Unless you continuously monitor your systems, the Rule expects annual penetration testing and vulnerability assessments at least every six months.) We can also create an incident response plan for you, as well as the following policies that we recommend you have:
- System Security Plan (SSP)
- Access Control Policy
- Asset Management Policy
- Encryption Policy
- Multi-Factor Authentication (MFA) Policy
- Data Retention/Disposal Policy
- Change Management Policy
- Log/Activity Monitoring Policy
Once the assessments are complete, you will need to remediate any issues found. Remediation usually takes longer than the assessment itself, so plan for it and get started early.
Beyond these initial assessments and cybersecurity plans, the FTC requires:
- An appointed Qualified Individual, who may be an employee or a managed service provider like TPx, to implement and supervise your company's information security program. This individual must report in writing to your Board of Directors (or equivalent governing body) at least annually.
- Access controls that are periodically reviewed and documented: who has access to customer data, and whether they still need it for a legitimate business purpose.
- Encryption of customer information, both at rest on your systems and in transit over external networks.
- Secure development practices for applications you build yourself, and regular security assessments of third-party applications you use.
- Multi-factor authentication: the Rule calls out MFA as a mandatory requirement for anyone accessing systems that hold customer information, regardless of company size.
- Security awareness training: TPx offers fully managed security awareness training that follows NIST guidelines and includes phishing simulations.
- Secure disposal of customer information: for most businesses, this means securely disposing of customer information no later than two years after your most recent use of it to serve the customer, unless you have a legitimate business need to retain it.
It can be overwhelming to tackle all the requirements with limited resources. TPx can help guide you through all the steps and make this easy.
Go to tpx.com/aca to get started.