Did you know that in six short months, your business must develop, implement, and maintain a comprehensive information security program?
12/08/2022 11:45 A.M.
Safeguards Rule: What Is It?
Part of the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule defines standards for protecting the integrity of customers’ private personal information (PPI). The Federal Trade Commission implemented it in 2003, and for nearly 20 years it has been used to regulate financial institutions and ensure customer data is kept secure. In 2021, the FTC amended the Safeguards Rule so that the law keeps up with modern technology. Now, all affected financial institutions must be compliant by June 9, 2023.
The new rule requires that debt collectors like you, plus mortgage brokers, mortgage lenders, payday lenders, real estate appraisers, check cashiers, tax preparers, and more, protect the security of their customers’ information in various ways. Keep an eye on this blog for more posts about these protections and what’s required of your business.
So, What’s Changed About the Safeguards Rule?
There are five new aspects of the rule that financial institutions should know about:
- Expanded applicability to small and medium-sized businesses (SMBs) – Financial institutions with more than 5,000 records must comply with the additional requirements.
- Which organizations count as financial institutions – Defined as any institution whose business is engaging in an activity that is financial in nature.
- Information security program expectations – Programs must include nine elements that strengthen your cybersecurity program (see the section below).
- Detailed definitions of compliance – The Safeguards Rule gives specific instructions on how to reach compliance, paving the way for a more secure information security program.
- Reporting guidelines and expectations – Organizations must provide written procedures for reporting cybersecurity incidents.
Why Did the Compliance Deadline Change?
Compliance was previously required by December 2022; the new June 9, 2023, deadline gives financial institutions more time to reach compliance.
Small and medium-sized businesses might find it more challenging to become compliant by the approaching deadline. Thanks to pressure from ACA International and other groups on behalf of small businesses in the financial sector, the FTC allowed six more months for organizations to become compliant. As with a tax-filing extension, the extra time is not a reason to wait until the night before the deadline. It means using the extension to start working toward compliance now.
Many members don’t realize how much time it takes to have a risk assessment performed, create a security program based on the risk assessment results, perform vulnerability and penetration scans and remediate their findings, and document more than nine security policies. It’s all part of the months-long process to become compliant and avoid hefty penalties. So don’t wait! You’ll want to start today.
What’s at Stake?
It sounds like a challenge. How can your company develop, implement, and maintain a cybersecurity program by June 9, 2023?
The key is to start now. To pass the FTC audits beginning in June 2023, you’ll need to be defensible and make a strong case that your information security program is secure and running smoothly. Claiming you started work on June 8 will be far less defensible and could result in a less-than-desirable report.
Even worse, non-compliant institutions or individuals could face jail time and financial penalties. Avoid up to $100,000 in financial penalties per incident and prison sentences of up to five years by upgrading your information security program months before the June 2023 deadline.
Here’s What We’ll Do to Make Your Business Safeguards Rule Compliant
ACA has tapped TPx as its Safeguards Security Partner of Choice. We’re ready to implement nine steps to make your business defensible before the June 9, 2023, deadline:
- Identify an organization (like TPx) or a qualified employee to head up your cybersecurity program
- Run a risk assessment
- Deploy safeguards and mitigate risks
- Regularly examine your infrastructure
- Train staff on security awareness
- Monitor progress with the designated service provider
- Run cybersecurity updates
- Create and implement an incident response plan
- Regularly report and document progress
We’re here to help you become defensible and stay secure. As a trusted managed services provider for financial institutions from coast to coast, our certified experts on staff can address all your cybersecurity needs.
Ask the Experts
It sounds complicated, but TPx experts can help you navigate the complications, translate the rule into simple terms, and answer any question you may have. When it’s time to implement the changes, TPx will walk your organization through every step of the process.
As the exclusive ACA International partner, TPx has created unique solutions that are available at discounted pricing for ACA members.