The FTC Safeguards Rule aims to protect consumers’ sensitive information held by financial institutions, which includes everyone from payday lenders to auto dealers.
So, what exactly is this rule? Does your business need to comply? And if so, how are you supposed to get started?
While this has been top of mind for many automotive general managers and IT leaders, many are still unsure where to start.
This guide will give you a plain-English overview of the FTC Safeguards Rule, including the first steps you can take to ensure you’re staying compliant.
Since compliance is an ongoing process (more like routine maintenance than a one-off job), we recommend choosing a long-term partner to help. It doesn’t have to be us, but you do need to make sure someone has your back on this. We’ll explain what to look for in a minute, but first, let’s dive in.
The FTC Safeguards Rule is a set of guidelines that certain businesses must follow to protect their customers’ private information. More specifically, these businesses are required to “develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.”
In other words, these businesses need to create and follow a security program to keep customer data safe. The program must be in writing, appropriate to the size and type of the business, and take into account the sensitivity of the information being protected.
The original effective date was extended, so now businesses subject to the Safeguards Rule must comply with certain provisions by June 9, 2023.
Who is subject to the FTC Safeguards Rule? Does it affect me?
The FTC Safeguards Rule applies to financial institutions under the FTC’s jurisdiction, but “financial institution” is defined more broadly here than you might expect. It includes any businesses involved in activities that are financial in nature, like mortgage lenders, payday lenders, and check cashers, but it doesn’t stop there.
Auto dealers are affected by the FTC Safeguards Rule if they are engaged in activities that are considered financial in nature, such as offering financing or leasing options to customers.
So if you’re a mortgage lender, check casher, or auto dealer with more than 5,000 customers, you’re subject to the rule.
What does an “information security program” entail?
The rule talks about setting up and running an information security program. You might be tempted to implement this program yourself, but it’s no simple task. As you read the list here, bear in mind you still have a business to run.
A “reasonable information security program” under the Safeguards Rule should include:
Designating a Qualified Individual to supervise the program.
Conducting a risk assessment to identify security risks and threats.
Designing and implementing safeguards to control identified risks, such as access controls, encryption, app assessment, multi-factor authentication, secure disposal of customer information, change management, and monitoring user activity.
Regularly monitoring and testing the effectiveness of safeguards, including penetration testing and vulnerability assessments.
Training staff to recognize risks and providing specialized training for those responsible for information security.
Monitoring service providers to ensure they maintain appropriate safeguards.
Keeping the information security program up-to-date with changes in operations, threats, or personnel.
Creating a written incident response plan that outlines goals, processes, roles, communication, system fixes, documentation, and reporting of security events.
Requiring the Qualified Individual to report to the Board of Directors or a senior officer on the company’s compliance with its information security program.
To ensure compliance with the FTC Safeguards Rule, businesses should take the following steps:
Download the Compliance and Rule Checklist: Identify any gaps between your dealership’s current practices and the requirements of the Safeguards Rule. A self-assessment is a good starting point, but on its own it is not enough to guarantee compliance.
Conduct an FTC risk assessment: Work with a reputable provider to assess your risks and ensure compliance. You don’t have to tackle this alone; even if you don’t use our “FTC-as-a-service” offer, you will still need to find a provider to help you achieve and maintain compliance.
When selecting a provider, consider these factors:
Remember, achieving compliance is about more than meeting the minimum requirements—it’s about improving your organization’s overall security posture to mitigate risk and avoid the potentially devastating consequences of a cyber breach.
Treat compliance as an ongoing process — like an insurance policy — to protect your business and customers in the long run.
VP, Strategic Partnerships
Jesse leads the client and business development teams at Katalyst. His experience spans multiple technology platforms and infrastructure. He is skilled at helping customers solve business challenges, navigate market trends and make smarter decisions with disruptive technologies.