The Federal Trade Commission created the Safeguards Rule, which requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. The FTC updated the Rule in October 2021 to include more specific criteria for the safeguards that financial institutions must implement as part of their information security programs (listed below). The original deadline for compliance was December 9, 2022 but the deadline was recently extended to June 9, 2023. The Safeguards Rule applies to the following types of businesses:
- income tax preparation firms
- motor vehicle dealers
- mortgage lenders,
- payday lenders,
- finance companies,
- mortgage brokers,
- account services,
- check cashers,
- wire transfer companies,
- collection agencies,
- credit counselors and other financial advisors,
- tax preparation firms,
- non-federally insured credit unions, and
- investment advisors that aren’t required to register with the SEC.
The FTC Safeguards Rule requires a fair bit of work even with the deadline extension, and if your business is affected it would be more sensible not to wait until the deadline. Here’s what you need to do in order to be considered compliant with the Safeguards Rule:
- Perform a Risk Assessment across your organization
- Implement & Maintain a Written Information Security Plan (WISP)
- Designate a qualified individual to lead information security (i.e. vCISO)
- Maintain written Policy and Procedures
- Establish and test an Incident Response Plan
- Perform monitoring/penetration testing on your network
- Maintain a data retention policy for all data, including customer data
- Complete annual, formal reporting about your information security program and status
This may seem like a lot, and it is, so you might be tempted to ignore the rule changes. But non-compliance can lead to significant penalties (up to $46,000 per day per violation), so if you are on the list of affected businesses it’s definitely in your interest to look into the Rule and how it might affect you.
Fortunately, you don’t have to do this on your own. Opticom has partnered with CyberCompass, a leader in Cybersecurity and regulatory compliance, to offer FTC Compliance as a Service (CaaS). This program provides you everything you need to comply with the Safeguards rule for 1/2 to 1/3 the cost of doing it on your own.
If your business falls into any of the categories above and you are wondering what your options are to get started on compliance, you are welcome to reach out to us to talk about it.