March 21, 2024

How to Comply with the FTC Safeguards Rule

In this guide, we’ll explain who the FTC Safeguard Rule applies to, why it’s so important to comply, and the steps your financial institution needs to take.


In 2023, finance suffered more data breaches than any other sector. For cybercriminals, financial institutions are a treasure trove of funds and sensitive data. For the organisations and individuals affected, the impact can be devastating.

Not content to sit back while these disastrous breaches unfold, financial authorities like the Federal Trade Commission (FTC) are tightening cybersecurity regulations. The updated FTC Safeguards Rule sets out more stringent requirements, applying to a wider range of organisations.

What is the FTC Safeguards Rule and why was it introduced?

The FTC Safeguards Rule compels financial institutions to keep their customer information safe by taking the necessary cybersecurity measures. It requires affected organisations to have a documented data security program that fits the organisation’s size, complexity, business activities, and the sensitivity of the information they handle. Key requirements include regular risk assessments and appointing dedicated individuals to safeguard customer data.

The Rule was first rolled out in 2003, but it was amended in 2021 after public consultation. The new version aims to provide clearer guidance and keep pace with a cybersecurity landscape that has changed drastically in recent years. Escalating cyberwarfare between states, more sophisticated AI-powered cybercrime tactics, and new security risks caused by remote work mean that organisations need to implement comprehensive, up-to-date cybersecurity measures to keep their data secure. Authorities like the FTC are updating regulations to reflect this.

A further amendment in October 2023 means that non-bank financial institutions must now report any breach involving the unencrypted data of 500 or more customers within 30 days of discovering it.

The deadline to comply with the new requirements of the revised FTC Safeguards Rule was June 9, 2023.

Who does it apply to?

The Rule applies to financial entities under the Federal Trade Commission's (FTC) watch. However, it’s crucial to understand that their definition of a "financial institution" extends quite far beyond your typical bank with tellers and deposit forms.

Instead, the FTC's Safeguards Rule applies to a variety of businesses. This includes mortgage lenders and brokers, car dealers, payday loan providers, finance firms, account managers, check cashers, money transfer services, debt collectors, credit counsellors, financial consultants, tax preparers, certain credit unions, and investment advisors not registered with the SEC.

To understand whether your organisation is affected, consult Section 314.2(h), which sets out exactly who the FTC considers to be a financial institution, and provides examples of organisations which don’t fall under this definition.

A significant number of affected organisations may not have realised that they fall under the FTC Safeguards Rule. This likely explains a poll showing that most car dealers were still not compliant even after the deadline had passed.

What are the consequences of not being compliant?

Failing to comply with the Safeguards Rule can lead to an investigation by the FTC and potential fines. For violations arising from a consent order, the FTC can impose additional daily penalties of up to $43,000 per day.

Aside from fines, being investigated and fined by the FTC is never a good look. Reputational damage is hard to quantify, but very real nonetheless.

Not adopting rigorous cybersecurity measures that comply with the FTC Safeguards Rule also, of course, means risking a data breach. The consequences of cyberattacks often include severe operational disruptions, direct financial losses from dealing with the fallout, loss of consumer trust, and lawsuits from victims.

The fallout can be particularly bad for financial institutions because they handle so much sensitive data. Researchers found that out of all sectors, finance suffered the second highest cost of breaches.

What does the FTC Safeguards Rule require organisations to do?

The FTC Safeguards Rule sets out nine specific requirements for a “reasonable information security program”:

  1. Designation of a qualified individual: Assign a knowledgeable person to oversee the cybersecurity program. This individual can be an employee or an external expert. If you choose the latter, this person will still need to be supervised by a senior employee within your own business as the responsibility ultimately lies with the organisation.
  2. Risk assessment: Identify and assess internal and external risks to the security of customer information; for example, sensitive data stored in SaaS applications. This process should be documented and include specific criteria for evaluating risks and threats.
  3. Design and implementation of safeguards: Develop and enforce measures to mitigate identified risks, including managing access controls, encrypting data, ensuring secure data disposal, and using modern multi-factor authentication solutions.
  4. Regular monitoring and testing: Continuously monitor and periodically test the effectiveness of safeguards to detect and respond to potential security breaches.
  5. Employee training: Provide ongoing security awareness training to all employees, with specialised training for those directly involved in the information security program. As 95% of breaches involve a human element, it is critical that your staff understand their role as a Human Firewall in preventing breaches.
  6. Service provider oversight: Ensure that service providers are taking appropriate security measures, with clear contractual requirements and periodic reassessment of their compliance.
  7. Program updates: Keep the cybersecurity program up-to-date to accommodate changes in operations, emerging threats, and findings from risk assessments and testing.
  8. Incident response plan: Establish a comprehensive plan for responding to security incidents.
  9. Reporting to the Board of Directors: The qualified individual must regularly report to the company's Board of Directors or a senior officer on their overall compliance.

In short, the FTC is asking financial institutions to do more or less everything within their power to prevent data breaches. The intensity of modern cybercrime is such that anything less means putting customer data at risk.

For individuals whose sensitive data is stolen, consequences like identity fraud can be very damaging. Authorities like the FTC are therefore no longer willing to tolerate any cybersecurity negligence from financial institutions.

How can Metomic help?

Metomic’s data security solution allows your financial institution to secure sensitive customer information stored in SaaS applications, helping with FTC Safeguards Rule compliance.

Metomic allows you to:

  • Identify and classify sensitive data across your SaaS, cloud, and GenAI tools, ensuring compliance with data protection regulations.
  • Use granular access controls to minimise data exposure and guarantee that only authorised staff can access confidential information.
  • Monitor data sharing and user interactions within your organisation in real time.
  • Customise data protection policies to your specific needs and industry requirements, ensuring complete compliance and strengthening security.

Request a personalised demo with one of our SaaS security specialists to discover how Metomic can boost your financial institution's security posture and regulatory compliance.