On October 27, 2021, the Federal Trade Commission (FTC) announced a newly updated rule under the Gramm-Leach-Bliley Act (GLBA) intended to require financial institutions to strengthen their data security safeguards to protect consumer financial information. The newly updated rule, the Standards for Safeguarding Customer Information (Safeguards Rule), amends the FTC’s 2002 Safeguards Rule, and comes in the wake of significant data security incidents and cyberattacks in the consumer financial services sector.
The FTC’s Safeguards Rule applies to non-banking financial institutions, such as check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and credit reporting agencies. Those non-banking financial institutions will be expected to comply with the bulk of the requirements in the new Safeguards Rule likely by Q4 of 2022.
Unlike previous rules and guidance promulgated by federal financial regulators, the FTC’s new Safeguards Rule includes specific criteria for what safeguards financial institutions must implement as part of their information security program. For example, the new Safeguards Rule requires financial institutions to implement multifactor authentication for individuals accessing networks that contain customer information. This represents a significant step in the evolution of data security regulations at the federal level. In the past, similar rules provided only general guidance to regulated companies and not specific technical requirements. In that regard, the new Safeguards Rule is likely to provide covered financial institutions with greater clarity about their obligations to protect consumer financial information.
Some of the highlights of the new Safeguards Rule include:
- Written Information Security Program: The new Safeguards Rule requires financial institutions to establish a comprehensive written information security program, which must include designating a qualified individual for overseeing and implementing the program.
- Risk Assessments: The new Safeguards Rule requires financial institutions to undertake risk assessments and implement safeguards to address identified risks. Risk assessments must be set forth in writing and include criteria for evaluating, categorizing and identifying security risks, as well as ways to mitigate or accept those identified risks. Risk assessments must be performed periodically to reexamine the reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information.
- Appointment of Qualified Individual: The new Safeguards Rule requires a financial institution to designate a qualified individual to be responsible for the institution’s information security program. This is similar in many respects to the New York Department of Financial Services (NY DFS) Cybersecurity Regulation, which requires covered financial institutions to appoint a Chief Information Security Officer (CISO).
- Penetration Tests and Vulnerability Assessments: The new Safeguards Rule requires annual penetration tests of information systems. Vulnerability assessments, including any systemic scans or reviews of information systems, must be completed every six months.
- Encryption of Customer Information at Rest and in Transit: The new Safeguards Rule requires financial institutions to encrypt all customer information, both in transit over external networks and at rest. Encryption of data at rest within financial institution networks may prove difficult for many financial institutions. Interestingly, the new Safeguards Rule permits financial institutions to pursue alternative compensating controls if encryption of customer information is infeasible either in transit or at rest—an accommodation that other regulators have not granted in other circumstances, such as the recent Cybersecurity Executive Order.
- Service Provider Oversight: The new Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers that maintain appropriate safeguards for consumer financial information. Financial institutions must periodically assess their service providers to ensure compliance.
- Multifactor Authentication: The new Safeguards Rule requires financial institutions to implement multifactor authentication for individuals accessing networks that contain customer information. Authentication measures may include (1) knowledge factors, such as a password; (2) possession factors, such as a token; or (3) inherence factors, such as biometric characteristics.
- Reports to Board of Directors: The new Safeguards Rule requires the qualified individual to provide written reports at least annually to boards of directors or governing bodies on the financial institution’s information security program. The report must include information on the overall status of the information security program and the financial institution’s compliance, and material matters related to the information security program (such as risk assessments and recommendations for changes to the program). This is similar in many respects to the SEC’s 2018 Guidance on Public Company Cybersecurity Disclosures.
- Logging and Disposal of Customer Information: The new Safeguards Rule requires financial institutions to develop, implement and maintain procedures for the secure disposal of customer information no later than two years after the last date the information was used, unless otherwise required to retain the information. This requirement lines up with data minimization principles, which are considered a data security best practice. Likewise, financial institutions must implement policies, procedures and controls designed to monitor and log the activity of unauthorized users and detect unauthorized access or use of, or tampering with, customer information.
- Expanded Definition of Financial Institution: The new Safeguards Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The FTC indicated that the change is intended to bring “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the new Safeguards Rule. The FTC reasoned that finders often collect and maintain very sensitive consumer financial information, and that expanding the definition of financial institutions to include finders will help protect consumer financial information.
These measures closely track recently enacted regulations by state financial regulators such as NY DFS, which enacted its own Cybersecurity Regulation in 2017. Like the new Safeguards Rule, the NY DFS Cybersecurity Regulation similarly requires covered financial institutions to implement specific cybersecurity controls such as encryption of data in transit and at rest as well as multifactor authentication.
The new Safeguards Rule will become effective within 30 days after publication in the Federal Register. However, key requirements of the rule will be delayed by one year. The requirements delayed by one year include appointment of the qualified individual; written risk assessments; annual penetration testing and semiannual vulnerability assessments; periodic assessment of service providers; and a written incident response plan. The remaining requirements, which will become effective within 30 days after publication, largely mirror the requirements under the existing Safeguards Rule. As a result, financial institutions likely will have no new obligations until the requirements cited above take effect in one year.
Financial institutions should carefully review the new Safeguards Rule to ensure compliance.