New FTC Cybersecurity Requirements for South Florida Financial Service Firms

New FTC Cybersecurity Requirements for South Florida Financial Service Firms

South Florida financial institutions face heightened expectations for corporate accountability and oversight of data security measures under the Federal Trade Commission’s (FTC) new rule for protecting their consumer information. The FTC recently announced an updated Safeguards Rule, which requires certain financial institutions to develop, implement and maintain a comprehensive security system to keep their customers’ information safe.

Covered Financial Institutions

The updated Safeguards rule, issued under the 1999 Gramm-Leach-Bliley Act, serves as a catchall for financial institutions that other federal regulators don’t cover. Banks and credit unions, for example, are subject to data privacy and security rules from the Federal Reserve and the National Credit Union Administration.

The FTC’s Safeguards Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. It applies to institutions such as:

• Mortgage lenders
• Tax preparation firms
• Wire transferors
• Payday lenders
• Finance companies
• Non-federally insured credit unions
• Mortgage brokers
• Account servicers
• Travel agencies that operate in connection with financial services
• Collection agencies
• Credit counselors and other financial advisors
• Collection agencies
• Non-federally insured credit unions
• Check cashers
• Investment advisors that are not required to register with the Securities and Exchange Commission
• Entities acting as finders (company acting as a finder in bringing together one or more buyers and sellers of any product or service)

Safeguards Rule Updated Requirements

Written Risk Assessment 

Under the Safeguards Rule, a financial institution must perform a risk assessment that identifies reasonably foreseeable internal and external risks that could result in the unauthorized disclosure, misuse, alteration, or destruction of customer information. It must also assess if the safeguards in place can control those risks.

The Safeguards Rule requires that the risk assessment be written and includes:

• Criteria for the evaluation and categorization of identified security risks or threats.
• Criteria for assessing the confidentiality, integrity, and availability of the institution’s information systems and customer information, including the adequacy of the financial institution’s existing controls in the context of identified security risks or threats.
• A description of how the identified risks will be mitigated or accepted and how the information security program will address those risks. Financial institutions must also periodically perform additional risk assessments that reexamine the above risks.

Specific Data Protection Requirements

Whereas the FTC previously left specific aspects of satisfactory information security systems up to the discretion of the company, the FTC now requires that financial institutions address the following:

• Access controls: Financial institutions must implement access controls on information systems and restrict access to physical locations containing customer information only to authorized individuals.
• Qualified Individual: The FTC now requires financial institutions to designate a Qualified Individual to oversee and enforce the information security programs and have that individual provide status reports to the board of directors or similar governing body.
• Data inventory and classification: The Safeguards Rule requires financial institutions to identify and manage the data, personnel, devices, systems, and facilities by their relative importance to business objectives and risk strategy.
• Encryption: The FTC requires customer information to be encrypted, both in transit and at rest. The new amendments provide an exception to this requirement if a financial institution determines that such encryption is not feasible and other compensating controls are used.
• Secure development practices: Financial institutions should adopt secure development practices for internally-developed applications and procedures for evaluating, assessing, or testing externally-developed applications for applications utilized to transmit, access, or store customer information.
• Authentication: Financial institutions will now be required to use multi-factor authentication (MFA) to access any information system containing customer information.
• Information disposal procedures: Financial institutions must develop procedures to secure the disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes.
• Change management: Financial institutions need to develop procedures for change management.
• Oversight of service providers: In addition to conducting due diligence in selecting service providers that can maintain appropriate safeguards for customer information and ensuring such safeguards in a written contract, financial institutions must now periodically assess their service providers based on their potential risk and adequacy of their safeguards.
• Enhanced training requirements: The amendments require financial institutions to update the training for their employees based upon risk assessments and/or changes in practices. Verification that these training requirements have been met is also required.
• Testing: The FTC requires financial institutions to conduct regular testing and continuous monitoring of relevant key controls, systems, and procedures. You can conduct annual and biannual penetration testing based on relevant risks identified by the risk assessment plan or perform vulnerability assessments at least every six months. The FTC commented that larger financial institutions might choose to do both.
• Incident response: Financial institutions are required to create a written incident response plan that addresses, among other things, internal processes for responding to a security incident, responsibilities and decision-making authority of incident response team members, requirements for remediating any identified weaknesses in information systems, and controls, and documentation and reporting regarding the response to security events.

Mandatory Board of Directors Reporting

The new rule now requires that a financial institution’s Qualified Individual or chief information security officer must now report in writing, at least annually, to the financial institution’s board of directors or governing body. If the company does not have a board of directors or equivalent governing body, the Qualified Individual must report to a senior officer responsible for the financial institution’s information security program.

The report must include the following:

• The overall status of the information security program and financial institution’s compliance with the Safeguards Rule.
• Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, testing results, security events or violations, and management’s responses and recommendations for changes in the information security program.

New Exemptions for Small Businesses

Because of the potential impact of the new requirements on small businesses, the Safeguards Rule provides exemptions from the following requirements for covered businesses that collect information on fewer than 5,000 consumers:

• Written risk assessment
• Continuous penetration testing
• An incident response plan
• Annual Board of Directors reporting

ECW Networks & IT Solutions is the go-to Cybersecurity firm in Fort Lauderdale, West Palm Beach, Miami, and South Florida and can help your organization implement the FTC’s new Safeguards Rule. Contact us today to schedule a no-obligation security review of your company’s overall security strategy.

Thanks to Kenny Riley, a member of our Ulistic HPC club for his help with this article. Visit Kenny’s Dallas IT company at https://www.velocityit.net/