TPRM and the Safeguards Rule: How Your Organization Can Comply

As part of the Federal Trade Commission’s (FTC) recently updated Safeguards Rule, financial institutions such as auto dealerships, will be required to follow new guidelines for developing, implementing, and maintaining information security programs.

While the original due date required that the covered institutions comply with the amendments by December 2022, there has been a six-month extension. Reports detailed that smaller institutions might have had a challenging time meeting the original December deadline from factors such as a lack of qualified experts needed to implement the information security programs and difficulties obtaining proper equipment resulting from supply chain disruptions.

Covered institutions will be required to comply by the new deadline: June 09, 2023.

What Is the FTC Safeguards Rule?

The FTC first created the Safeguards Rule in 2003 for the purpose of protecting consumer information. However, as technology has advanced significantly since its inception, the Safeguards Rule was updated in 2021 with amendments to account for core data security principles that any FTC covered entity needs to implement.

One of the most notable changes made was a requirement for employee training programs and third-party audits to verify whether a vendor complies with these guidelines.

Through these amendments, the Safeguards Rule applies to covered financial institutions such as the following:

• Account servicers
• Automobile dealers
• Check cashers
• Collection agencies
• Credit counselors and other financial advisors
• Finance companies
• Investment advisors that are not required to register with the SEC.
• Mortgage brokers
• Mortgage lenders
• Non-federally insured credit unions
• Payday lenders
• Tax preparation firms
• Wire transferors

Requirements for an Information Security Program

To properly comply with the Safeguards Rule, the following elements must be included into an information security program, as described by Section 314.4:

1. A “qualified individual” who is responsible for overseeing and implementing the information security measures. This individual will also report their findings and activities to the Board of Directors
2. A process for using a risk assessment to assess potential risks
3. Controls for mitigating any risks identified in the risk assessment
4. Ongoing monitoring and control testing plans
5. Regular employee awareness training and refresher courses
6. A process for assessing and updating the information security practices on a regular basis
7. Effective third-party risk management programs to ensure vendor and subcontractor compliance
8. An incident response plan

Financial institutions covered by the FTC will need to take the proper steps and ensure that they comply with the amendments to the Safeguards Rule by June 2023. As part of these amendments, institutions will need to follow third-party risk management best practices for assessing their vendors, identifying potential risks, and developing controls that are capable of protecting their private information and customer data. While third-party risk management can be difficult and expensive, especially for smaller organizations, having a sufficient and repeatable process is essential to protect against vendor risks and severe threats.