A reminder to non-bank financial institutions subject to the Gramm-Leach-Bliley Act (GLBA): the deadline to comply with the Federal Trade Commission's (FTC) revised Standards for Safeguarding Customer Information, commonly known as the "Safeguards Rule," is approaching quickly. Covered institutions must comply with the entirety of the rule by June 9, 2023.
As noted in our prior blog post and webinar where we analyzed the Safeguards Rule and discussed compliance strategies, the revised rule, among other things, expanded the definition of "financial institution" to cover entities engaged in activities that are incidental to financial activities, including "finders" – companies that bring together buyers and sellers of products and services. In general, the revised rule is more prescriptive than the original rule, and significantly mirrors the NYDFS Cybersecurity Regulation.
Below is a recap of the new Safeguards Rule to help you prepare for the June 9 compliance deadline.
Overview of the Safeguards Rule
The Safeguards Rule applies broadly to many entities that may not otherwise think of themselves as "financial institutions," including non-bank and alternative lenders, retailers that extend credit to consumers, money transmitters, tax preparers, mortgage brokers, certain investment advisory companies, and others. The Department of Education also takes the position that institutions of higher education participating in certain federal student aid programs, as well as their third-party servicers, are required to comply with the Safeguards Rule. In issuing the new Safeguards Rule, the FTC expanded the definition of "financial institution" to include "finders," or "companies that bring together buyers and sellers of a product or service."
The FTC issued the original version of the Safeguards Rule in 2002. The rule imposed relatively high-level requirements on covered institutions to implement a written information security program, including designating a qualified individual to lead the program, identifying information security risks, implementing and testing safeguards in response to those risks, overseeing service providers, and periodically adjusting the program based on changes to the business and other circumstances. In December 2021, the FTC overhauled the Safeguards Rule by expanding the existing requirements and enumerating new, more detailed ones. The overhauled rule now requires non-bank financial institutions to, among other things:
- Designate a "qualified individual" to oversee the institution's information security program;
- Develop a written risk assessment and incident response plan;
- Provide written reports to the institution's board of directors (or other governing body) about the overall status of the information security program and compliance with the Safeguards Rule;
- Encrypt customer information in transit and at rest (or use alternative compensating controls where encryption is infeasible);
- Implement multifactor authentication (MFA) for all individuals who access systems that process customer information or that are connected to systems that process customer information;
- Adopt secure development practices for in-house developed software and processes for assessing the security of externally developed applications;
- Regularly test the security program, including through continuous monitoring measures such as penetration testing and vulnerability assessments; and
- Oversee service providers, including by periodically assessing service providers' security practices.
Most requirements of the new Safeguards Rule were set to go into effect in December 2022, but the FTC extended the compliance deadline until June 9, 2023. Several requirements, which largely mirrored the requirements in the original rule, went into effect in January 2022.
Complying with the Safeguards Rule: Five Priority Actions
For many covered financial institutions, compliance with the Safeguards Rule may require significant planning, stakeholder engagement, implementation, change management, and documentation. For institutions still working to bring their security programs into compliance with the rule, we recommend the five priority actions listed below. While these actions are by no means comprehensive, they address foundational Safeguards Rule requirements and can be leveraged to address the remainder of the rule over time.
- Appoint a Qualified Individual
The Safeguards Rule (both the original and new versions) requires institutions to "[d]esignate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program." The qualified individual can be an employee of the institution, its affiliate, or a service provider. In many cases, the institution's qualified individual will be its chief information security officer, chief compliance officer, or someone in a similar role. More important than the qualified individual's specific institutional role is that the qualified individual have the appropriate experience and authority to oversee the institution's security program, make necessary changes to that program, and report candidly to the board of directors or other governing body about the institution's security compliance and risks. An information security program must include not only technical safeguards and measures but also administrative and physical ones, meaning that the qualified individual must have broad visibility into and influence over activities across the organization.
- Conduct a Risk Assessment
Once an institution has a qualified individual in place, the next logical step toward compliance with the Safeguards Rule is to conduct a risk assessment. Risk assessments under the Safeguards Rule are not simply compliance exercises. Rather, they are a cornerstone of how financial institutions must demonstrate the sufficiency of their information security programs. The rule expressly requires financial institutions to base their information security programs on their risk assessments and to design and implement security safeguards to address the risks those assessments identify. At least on paper, the Safeguards Rule provides financial institutions with flexibility in developing their information security program—provided that the program can be justified by the institution's risk assessments.
A recent enforcement action highlights the importance of conducting a risk assessment. Earlier in May 2023, the New York Department of Financial Services (NYDFS) fined bitFlyer USA $1.2M for, among other things, failing to conduct a risk assessment under the NYDFS Cybersecurity Regulation. NYDFS found that although bitFlyer USA had conducted an IT audit of its systems, that audit did not provide the company insight into its security risks or how to mitigate those risks. Accordingly, the company failed both to conduct a compliant risk assessment and to base its security safeguards on that assessment. The FTC expressly modeled the new Safeguards Rule after the NYDFS Cybersecurity Regulation, so the NYDFS action against bitFlyer USA could be precedent for future FTC actions enforcing the Safeguards Rule's risk assessment requirements.
- Map Security Safeguards
Once a risk assessment is complete, financial institutions should document their existing safeguards and map them both to the findings of their risk assessment and to the requirements of the Safeguards Rule. This mapping will help institutions assess how their existing safeguards address, or fail to address, the risks identified in their risk assessment and will surface compliance gaps. Institutions then should leverage that mapping to develop medium- and long-term plans to mature their security programs and improve their compliance posture. Safeguards required by the Safeguards Rule include:
  - Access controls
  - Inventory management
  - Encryption in transit and at rest (or use of an approved alternative compensating control where encryption is infeasible)
  - Secure development practices for in-house software development and processes for evaluating the security of externally developed software
  - Multifactor authentication for accessing customer information and related systems
  - Data retention and disposal
  - Change management procedures
  - Activity monitoring and logging
- Triage Third-Party Risks
Third-party cybersecurity risk has been a major area of focus for federal and state regulators. The Safeguards Rule covers two types of third-party risks: those arising from service provider relationships and those arising from software supply chains. To address service provider risk, the Safeguards Rule requires financial institutions to take a three-pronged approach. Institutions must oversee service providers by vetting their security practices up front, requiring them to maintain security safeguards by contract, and periodically reassessing their security compliance and practices. To address supply chain risk, the Safeguards Rule requires institutions to implement processes for assessing the security of externally developed software. In a 2022 blog post regarding the Log4j vulnerability, the FTC made clear its intention to hold companies responsible under GLBA or the FTC Act for failing to identify and patch known vulnerabilities in third-party software.
Effective third-party risk management is a complex, iterative process. Institutions looking to comply with the Safeguards Rule can start this process by assessing their third-party relationships and identifying those that pose the greatest information security risks. Security risks can be identified based on the amount and sensitivity of data held by a third party or system, whether that third party or system could affect the institution's security controls (for example, whether there is a trust relationship between the institution's and the vendor's networks), the reputation of that third party or system's security controls, and other factors. Institutions then should document these riskier relationships and identify appropriate mitigating actions, such as imposing additional contractual obligations and liabilities, conducting heightened security assessments, or migrating to a more secure vendor. Ideally, this triage of third-party relationships will be conducted as part of or in parallel to a risk assessment. While successfully addressing all of an institution's third-party risks can be a daunting task, identifying and addressing its most significant third-party risks is a huge step in the right direction.
- Establish Processes for Monitoring Safeguards' Effectiveness
The Safeguards Rule requires financial institutions to "[r]egularly test or otherwise monitor the effectiveness of" their security safeguards. For monitoring information systems, the Safeguards Rule offers a choice: institutions must either conduct "continuous monitoring" or undergo penetration testing annually and vulnerability assessments at least every six months. In its proposal to adopt the new Safeguards Rule, the FTC described "continuous monitoring" as "any system that allows real-time, ongoing monitoring of an information system's security, including monitoring for security threats, misconfigured systems, and other vulnerabilities."
Covered financial institutions should decide as soon as practicable how they intend to meet this requirement, as either option involves significant planning and investment. Institutions that elect to undergo penetration testing and vulnerability assessments through third parties should note that many third-party cybersecurity firms require projects to be scheduled months (or more) in advance.
Time to Act
With less than a month to go before the full Safeguards Rule goes into effect, now is the time to focus on compliance. For institutions with considerable work remaining, focusing on a few priority actions, including appointing a qualified individual and conducting a risk assessment, will go a long way to bringing their programs in line with the Safeguards Rule.