There’s been a lot of chatter about changes to the Gramm-Leach-Bliley Act Safeguards Rule, especially for industries looped in through the inclusion of financial “finders.” For these businesses, the Safeguards Rule is new territory.
To financial institutions that have been complying with the FTC Safeguards Rule since 2002, particularly ones that fit the traditional idea of a consumer finance business, the 2021 amendment may be perceived as another minor rule change. But don’t kick up your feet yet: There are still regulatory changes that will affect the way that your infosec program is configured.
Data security is a marathon, not a sprint. While many organizations have their eye on the December 9 FTC Safeguards deadline, this is just the beginning: You'll want to put foundational data protection frameworks in place to serve you well for years to come.
But, first, it's important to break down the basics of the Safeguards Rule and who it covers.
When most people think of a financial institution, they typically think of banks. But for the FTC, a financial institution means something a little bit different, and it’s been broadened with the recent amendment. Per the text of the rule, a financial institution is defined as:
“Any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”
Here’s a list of who that applies to specifically:
Banks, federal credit unions, and savings and loan institutions aren’t under the FTC’s jurisdiction.
Instead, the Federal Reserve, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and other federal and state regulators have a litany of regulations for banks to adhere to. Credit unions are overseen by the National Credit Union Administration and various state regulators.
The FTC is primarily concerned with businesses that participate in consumer finance—and in some ways acts as a catch-all for institutions not overseen by other major finance regulators.
Traditional consumer finance firms like mortgage brokers, accountants, or tax preparers may not need to do all that much when it comes to the Safeguards Rule amendment.
Not because they’re exempt, but because they have other reasons for keeping up with the market. The consumer base for financial services is already wary of sharing private information, and this alone compels businesses to tighten up on their security posture to grow credibility and increase market share. Many of these businesses keep each other accountable contractually in partnerships. I’ll protect your data if you protect mine.
For the smaller finance firms or businesses that facilitate financial dealings, it may be a different story. In the first iteration of The Safeguards Rule, the directives were brief and broad, and left a lot up to the financial institutions themselves to determine. In the 2021 amendment, there are more numerous and detailed directives, and financial institutions must check off every box. Here’s the compare-and-contrast for financial firms.
This is where the “Safeguards” part of the rule comes into play.
The Final Rule states that financial institutions collecting data from fewer than 5,000 consumers are exempt from completing the written risk assessment, the incident response plan, and the annual report to the Board of Directors.
The FTC is requiring financial institutions to designate a “qualified individual,” a.k.a. someone who is responsible for building and leading the infosec program. Your organization likely already has one, in the form of your CISO or a CIO. This person will need to report to the highest level of your company, like the CEO or Board of Directors.
The Safeguards Rule amendment pulls no punches in putting the responsibility on financial institutions to protect customer data. The stakes are higher than ever when it comes to security threats, and part of protecting customer data from attacks is preventing them.
The FTC emphasizes the importance of risk assessment and planning. First, financial institutions are required to complete risk assessments, report their findings, and draft processes and procedures for responding to the discovered risk. This is to be done often, to keep up with the constant advancements in cyber threats.
We all know the Tortoise and the Hare fable, and there’s a metaphor brewing in the Safeguards Rule when it comes to onus and consistency. Lawmakers worldwide are walking a tightrope in drafting balanced regulations: rules that both mandate industry standards and place the onus on businesses to defend data proactively.
Especially for institutions that have long been complying with the Safeguards Rule, it’s vital to maintain a consistent pace when it comes to data protection and security strategies. While the December 9 deadline is fast approaching, it’s not the finish line. The work never ends, and every grueling risk assessment yields insightful findings that will fortify your security posture.
Be the tortoise: Lay a foundation of consistency and proactiveness in your infosec program. When the hare discovers vulnerabilities to customer data, or suffers a data breach in the future, the tortoise will already be miles ahead.
Cybersecurity is a marathon, not a sprint. Whether you're a tortoise or a hare, we're all running this race together, and we all have a lot at stake.
Using AES 256-bit access control keys, non-banking financial institutions can protect data at rest and in motion to meet the requirements stated in the FTC Safeguards Rule. Using the Trusted Data Format, Virtru applies an encrypted wrapper around data at the object level to protect it wherever it lives, for the entirety of its lifespan.
By protecting data on a granular level, financial organizations have the unique ability to keep detailed audits on encrypted data at rest or in motion via email, file sharing, or SaaS apps. Using the Virtru Control Center, you have the ability to evaluate data access controls, grant or revoke access at any time, and control what recipients can do with data shared to them. This comes in handy during times when organizations are obligated to destroy data after a certain period of time.
When it comes to the next step for your infosec program, play the long game by consolidating your data safeguards. Contact our team for a demo today.