On October 27, 2021 the FTC issued a final rule (the “Final Rule”) amending 16 CFR Part 134, Standards for Safeguarding Customer Information (“Safeguards Rule”), after a period of notice and comment. While the existing Safeguards Rule imposes a general obligation on financial institutions to maintain an information security program, the Final Rule outlines these requirements in more granular detail. Importantly for smaller financial institutions, the Final Rule exempts businesses with fewer than 5,000 customers.
The Final Rule now defines key terms rather than incorporating them by reference. Other changes include requiring greater oversight of, and responsibility for, a company’s information security program by designating a qualified individual to maintain the program, requiring annual reports to a company’s board of directors or governing body, and requiring vulnerability assessments and penetration testing. While there will likely be some cost to comply with the new requirements of the Final Rule, the FTC indicated that the importance of these requirements justifies any associated costs.
What Businesses are Subject to the New Final Rule
The Final Rule applies to financial institutions that maintain customer information for over 5,000 individuals.
Data Breach Reporting Obligations
The FTC indicated in its discussion of the Final Rule that it may in the future require data breaches to be reported to the FTC. The FTC requested comments on whether it should require such reporting. While reporting obligations were not added to the Final Rule, the FTC is issuing a Notice of Supplemental Rulemaking to impose data breach reporting obligations.
While not yet imposing data breach notification obligations, the Final Rule does require that covered businesses implement a written incident response plan.
Designation of a Qualified Individual and Internal Reporting
The Final Rule requires covered institutions to designate a qualified individual to oversee the organization’s information security program. This person need only be qualified and does not need to be an executive or CISO. In fact, this individual need not even be an employee, which allows smaller enterprises to use a third party such as a virtual CISO. Previously, covered institutions were only required to designate an employee to coordinate the company’s information security program.
The qualified individual must now submit written reports to the company’s board of directors or senior officers no less than once a year. These reports must provide status updates regarding the company’s information security program, compliance with the Safeguards Rule, and other material issues such as risk assessments, security events or violations, and recommended changes to the information security program.
Overall, this change appears to be geared toward encouraging the participation of company leadership in information security. As the number of data breaches continues to increase, this change indicates that information security should receive regular consideration from company executives. The FTC stopped short of requiring the board of directors to certify the report, however.
Risk Assessments and Vulnerability Testing
The Final Rule requires companies to conduct regular, written risk assessments that include testing for vulnerabilities and penetration testing. Previously, risk assessments could remain fairly high level. Vulnerability assessments and penetration testing, however, are far more granular and technical in nature.
Penetration testing must be conducted at least annually. Not all IT managed service providers are equipped with the ability to conduct this testing. Companies may therefore need to employ additional vendors with increased technical capabilities.
Vulnerability assessments must be conducted every six months, or whenever there is a material change in business operations or a material impact on the information security program. Vulnerability assessments are designed to identify publicly known security vulnerabilities in the systems that hold customer information.
Increased Security Controls
The Final Rule imposes greater security controls on covered businesses. Here are some of the significant requirements imposed by the Final Rule:
- Encryption – Customer data must now be encrypted both in transit and at rest. Data need not be encrypted while in transit throughout internal business networks, however.
- MFA – Covered businesses are now required to implement multi-factor authentication for all remote connections. Long considered a best practice, the Final Rule now mandates MFA.
- Audit Trails – Information systems must be continuously monitored to detect and log unauthorized access. Logging must be enabled to show when individual users access protected information.
- Change Management – Any change within a company’s technical infrastructure has the potential to introduce new vulnerabilities. The Final Rule requires covered businesses to implement formal change management procedures. This includes identifying potential impact beforehand and thoroughly documenting all changes.
- Secure Disposal – Financial institutions are required to dispose of customer information when it is no longer needed, unless the law requires them to retain it. This applies to both digital and paper records. The Final Rule requires deletion of customer information that has not been accessed for more than two years.
- Secure Development Practices – Any applications that utilize or access customer information, whether developed in-house or by a vendor, must implement secure development practices. This includes regular testing and security evaluations during the development lifecycle.
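Two of the controls above, the audit trail of individual users’ access to protected information and the disposal of customer information not accessed for more than two years, are simple enough to model in code. The following is an added example, not part of the article or of the FTC’s rule text: it assumes a hypothetical in-memory data store whose records carry a last-accessed timestamp and an optional legal-hold flag, records every access attempt (authorized or not) in an audit log, and reports which records are eligible for disposal under the two-year threshold. The record identifiers, user names, and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# The Final Rule's inactivity threshold for disposal: more than two years without access.
TWO_YEARS = timedelta(days=730)


@dataclass
class CustomerRecord:
    record_id: str
    last_accessed: datetime
    legal_hold: bool = False  # True when the law requires retention; exempt from disposal


@dataclass
class AccessEvent:
    """One audit-trail entry: who tried to read which record, when, and whether it was allowed."""
    timestamp: datetime
    user: str
    record_id: str
    authorized: bool


class CustomerDataStore:
    """Hypothetical store of customer information with an access audit log (constructed example)."""

    def __init__(self, records: List[CustomerRecord], authorized_users: Set[str]):
        self._records: Dict[str, CustomerRecord] = {r.record_id: r for r in records}
        self._authorized_users = authorized_users
        self.audit_log: List[AccessEvent] = []

    def access(self, user: str, record_id: str, now: datetime) -> CustomerRecord:
        """Log every access attempt, deny unauthorized users, refresh last_accessed on success."""
        allowed = user in self._authorized_users and record_id in self._records
        self.audit_log.append(AccessEvent(now, user, record_id, allowed))
        if not allowed:
            raise PermissionError(f"{user} is not authorized to access {record_id}")
        record = self._records[record_id]
        record.last_accessed = now
        return record

    def disposal_candidates(self, now: datetime) -> List[str]:
        """Records not accessed for more than two years and not under a legal hold."""
        return sorted(
            rid for rid, rec in self._records.items()
            if not rec.legal_hold and now - rec.last_accessed > TWO_YEARS
        )

    def dispose(self, now: datetime) -> List[str]:
        """Delete eligible records and return their ids for the disposal record."""
        disposed = self.disposal_candidates(now)
        for rid in disposed:
            del self._records[rid]
        return disposed

    def record_ids(self) -> List[str]:
        return sorted(self._records)

    def unauthorized_attempts(self) -> List[AccessEvent]:
        return [e for e in self.audit_log if not e.authorized]


# Constructed sample data: "now" is fixed so the example is reproducible offline.
NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)


def build_sample_store() -> CustomerDataStore:
    records = [
        CustomerRecord("cust-A", datetime(2020, 6, 1, tzinfo=timezone.utc)),   # stale: > 2 years
        CustomerRecord("cust-B", datetime(2022, 6, 1, tzinfo=timezone.utc)),   # recent: keep
        CustomerRecord("cust-C", datetime(2020, 1, 1, tzinfo=timezone.utc), legal_hold=True),  # stale but held
        CustomerRecord("cust-D", datetime(2020, 11, 15, tzinfo=timezone.utc)), # stale: > 2 years
    ]
    return CustomerDataStore(records, authorized_users={"alice"})


def run_sample():
    """Walk through the audit-and-disposal flow; returns the intermediate results for inspection."""
    store = build_sample_store()
    before = store.disposal_candidates(NOW)            # cust-A and cust-D are stale
    store.access("alice", "cust-D", NOW)               # authorized read refreshes cust-D
    try:
        store.access("mallory", "cust-A", NOW)         # unauthorized attempt is logged and denied
    except PermissionError:
        pass
    after = store.disposal_candidates(NOW)             # only cust-A remains eligible
    disposed = store.dispose(NOW)
    denied_users = [e.user for e in store.unauthorized_attempts()]
    return before, after, disposed, store.record_ids(), denied_users, len(store.audit_log)


if __name__ == "__main__":
    for label, value in zip(
        ["before", "after", "disposed", "remaining", "denied", "audit entries"], run_sample()
    ):
        print(f"{label}: {value}")
```

The point of the model is that the audit log is written before the authorization decision, so denied attempts are visible to monitoring, and that a legal hold overrides the inactivity threshold; a real implementation would persist the log to tamper-evident storage and apply the same disposal rule to backups and paper records.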
The Final Rule identifies the significant risk presented by outside vendors. Covered businesses will be required to take reasonable steps in selecting service providers, which includes ensuring service providers implement and maintain appropriate safeguards for customer information. This oversight requirement applies not just during the selection of vendors but also through periodic assessments. Covered businesses may no longer simply rely on a vendor’s security certifications or attestations.
The Final Rule will take effect 30 days after the date of its publication in the Federal Register. However, certain provisions of the Final Rule will not take effect until one year after publication, to give smaller organizations adequate time to comply. Provisions that take effect one year after publication include:
- Designation of a qualified individual and annual written reporting
- Written risk assessments
- Continuous monitoring
- Annual penetration testing
- Biannual vulnerability assessments
- Enhanced training
- Periodic vendor assessments
- Written incident response plan
The Final Safeguards Rule imposes more detailed requirements for the information security programs of financial institutions. Covered businesses should prepare for the additional costs and administrative burden. Notification obligations to the FTC for data breaches may be soon to follow.