On October 27, 2021, the FTC updated its financial services cybersecurity Safeguards Rule and made other revisions to its associated privacy rule. The FTC also issued a request for comment on a new proposed 30-day data breach notification rule for financial institutions subject to its jurisdiction. The updated Safeguards Rule breaks new ground for the FTC by requiring specific security controls and accountability measures expressly modeled on the New York Department of Financial Services cybersecurity rule. For entities covered by the Safeguards Rule, these changes will require prompt review, since many of the newly required controls will take time to implement if they are not already in place. Among other things, the Safeguards Rule will now require multifactor authentication for any individual accessing information systems storing customer information (or compensating controls), encryption of all customer information both in transit and at rest (again with the option of alternative compensating controls), and updates to record retention procedures. The revisions also dictate specific governance controls by requiring reporting, at least annually, to a board of directors or senior officer about the institution’s security posture and the adoption of a formal incident response plan.
The FTC’s version of the Safeguards Rule applies to a broad range of “financial institutions” that are not subject to oversight by another functional regulator such as the SEC. These include mortgage brokers, nonbank lenders, investment advisors not registered with the SEC, and, critically for our asset management clients, entities such as many private funds that meet the criteria for exclusion from regulation under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”).
Other financial regulators, such as the SEC, have adopted their own versions of the Safeguards Rule, and while the FTC’s revisions will not apply to those rules, they are likely to be influential in assessing whether the security programs adopted by organizations are “appropriate” or “reasonable.” Indeed, most of the items in the FTC’s revisions to its Safeguards Rule are already part of a typical SEC OCIE cybersecurity exam inquiry.
Background on the FTC’s Safeguards Rule
The drafters of the Gramm-Leach-Bliley Act (GLBA), enacted in 1999, sought to establish new privacy and security standards for the protection of nonpublic personal information processed by financial institutions. Rather than impose specific security measures itself, the GLBA delegates authority to create such standards to financial regulators. These include, among others, the SEC, the Board of Governors of the Federal Reserve System, and the Board of Directors of the Federal Deposit Insurance Corporation. The FTC serves as a backstop of sorts, with authority to establish security standards for financial institutions not subject to another functional regulator.
The FTC first promulgated its version of the Safeguards Rule in 2002 and the Rule became effective the following year. The FTC’s Safeguards Rule, similar to versions promulgated by other regulators, requires financial institutions to develop and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards that are “appropriate” to the organization’s size and complexity, the nature of its processing activities, and the sensitivity of any customer data at issue. That requirement remains in place; however, the FTC’s revisions now create additional, more granular security requirements that could necessitate significant efforts by subject organizations to comply. Although it is not surprising that regulators are refreshing nearly 20-year-old cybersecurity rules, it does merit attention that regulators seem to be approaching these new rules with more confidence that they can impose specific requirements, as opposed to requiring merely “appropriate” cybersecurity measures.
FTC’s Updates to Safeguards Rule
The FTC’s recent updates make five primary changes to the Safeguards Rule: (1) they require new specific security measures; (2) they add accountability requirements, including requiring the designation of a single qualified individual to oversee an organization’s security program (previously, multiple individuals could fill that role) and reporting to a board of directors or similar body; (3) they exempt certain financial institutions from some of the more onerous requirements of the Rule; (4) they expand the definition of “financial institution” to cover so-called “finders,” i.e., companies that bring together buyers and sellers of a product or service; and (5) they incorporate definitions into the Safeguards Rule that were previously cross-referenced in separate rules focused on the privacy of customer information. Below, we focus principally on items (1) and (2).
Specific Security Requirements
The Safeguards Rule now requires covered financial institutions to put in place specific security measures that can be most effectively and efficiently achieved through an overall data governance framework. These include:
- Implementing and periodically reviewing access controls, including incorporating the principle of least privilege (i.e., giving the minimum level of access to an account necessary for an individual’s job function);
- Inventorying and classifying data and systems in a risk-based manner (“Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy”);
- Encrypting all customer information, both at rest and in transit, or implementing compensating controls if encryption is infeasible;
- Adopting secure development practices for in-house applications;
- Implementing multi-factor authentication or access controls that are reasonably equivalent or more secure for all access to information systems containing customer information—notably this requirement applies not only to remote access but also to access from inside an organization’s network firewalls (although multi-factor inside of a firewall can be more transparent to the end user);
- Maintaining data retention procedures requiring secure disposal of customer information no later than two years after the information is no longer needed for a business purpose or to comply with law or regulation, unless disposal is infeasible—retention policies must also be periodically reviewed (and can be logically tied to the data inventory and classification process);
- Adopting procedures for change management; and
- Monitoring to detect unauthorized access to, use of, or tampering with customer information.
These measures must be adopted within one year.
Additional measures are applicable to financial institutions with more than five thousand “consumers,” again within one year. These include documenting the institution’s security risk assessment in writing. Moreover, these institutions must test their protections by conducting either continuous monitoring (i.e., real-time, ongoing monitoring of a system’s security) or periodic penetration testing (at least annually) along with vulnerability scanning (every six months).
Governance and Accountability
The revisions also require measures to address governance and accountability. For example, the Safeguards Rule now requires appointment of a single “qualified” individual to oversee and implement the organization’s security program. Previously, an organization could appoint multiple employees to fill that role in coordination. For organizations with more than five thousand consumers, the Rule also now requires periodic reporting to a board of directors or similar body about the status of the information security program, or, if the organization does not have a board, reporting to a senior officer responsible for information security.
The Rule further requires that such organizations develop a written incident response plan that clearly defines roles and responsibilities, addresses both external and internal communications and information sharing, and provides for the documentation and reporting of security events. As with the specific security requirements described above, these measures must be put in place within one year.
Oversight of third-party service providers is also necessary. The Rule already required taking “reasonable steps” to select third parties that “are capable of maintaining appropriate safeguards” and including contractual commitments to such safeguards by these service providers. The FTC’s updates now additionally require that an institution “periodically” assess the continued adequacy of the safeguards “based on the risk they present”; that is, having a policy that classifies vendors by risk and then subjects them to re-diligence on a regular basis. Commonly, such periodic review is implemented through annual assessments for high-risk vendors and assessments every two or three years for lower-risk vendors, although the regulations do not dictate any particular cadence.
Financial regulators have recently emphasized the need not only to have appropriate policies and procedures in place but also to ensure they are appropriately implemented, and the FTC’s updates propose additional measures in line with that guidance. First, they require all subject organizations to implement training and awareness programs that reflect the risks identified by the organization. Second, they require organizations to utilize “qualified” security personnel. That requirement may not seem especially onerous, but many organizations may not have that capability in-house. As such, they may need to turn to outside service providers to supply the appropriate qualifications.
As should be clear, organizations may need time to implement many of the measures described above. Fortunately, the FTC extended the time period for organizations to come into compliance to one year (the Rule as originally proposed allowed only for six months); however, even with that extended time period, organizations may struggle to meet all of the Rule’s new requirements. We recommend developing a comprehensive data governance strategy as soon as possible to ensure adequate time to prepare. This will start with the identification of data and systems, then the consideration of the risks to those data and systems, and finally the documentation of how the controls mitigate those risks, including by disposing of sensitive data that is no longer needed. Additionally, organizations will need to consider whether certain technical measures such as encryption are feasible for them and, if not, develop alternatives. Organizations must be prepared to justify these alternative measures as reasonably equivalent should the FTC inquire.
Even for organizations that are not subject to the FTC’s Safeguards Rule, the FTC’s updates may provide additional guidance as to security measures that may be required by the FTC and by other federal financial services regulators. While most data security laws still rely on generalities such as “reasonable” or “appropriate” security, new laws and regulations are increasingly specifying the concrete measures required to satisfy these criteria. This trend is not new. The 2009 Massachusetts information security regulations at 201 CMR 17 broke ground here, and other recent examples include the New York SHIELD Act and the New York Department of Financial Services Cybersecurity Regulations – which have now formed the basis of a model rule that has been adopted in more than a dozen states. Organizations should monitor these developments as they continue to review the adequacy of their security programs.
Note that a “consumer” may include an individual who merely applies for a financial good or service, provided they do so for personal, family, or household purposes.