FTC Safeguards Rule: What It Means for Covered Entities and How MSPs Can Help

The clock is ticking on the implementation of the new FTC Safeguards Rule. The June 9, 2023 deadline has already been pushed back from the original date of December 9, 2022. Organizations that have not already begun tackling the new requirements are unlikely to meet them in time at this point. However, organizations that already have a relationship with an MSP may be close to compliance and need only fill in a few gaps.

A Little History

In October 2021 the Federal Trade Commission amended the "Standards for Safeguarding Customer Information", commonly referred to as the "Safeguards Rule". The original rule traces its origins back to the Gramm-Leach-Bliley Act (GLBA) of 1999. We are all familiar with the privacy notices we receive each year from the banks, credit unions, and other financial institutions we deal with; we can thank GLBA for that. Additionally, GLBA required covered entities to protect customer information, in relatively vague terms:

"each agency…shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:

(1) to insure the security and confidentiality of customer records and information;

(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and

(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."

Broadly speaking, GLBA also defines covered entities as federal banks, savings institutions, FDIC-insured state banks, NCUA member credit unions, SEC-registered brokers, investment companies, investment advisors, and insurance companies.

The New Rule

The new FTC Safeguards Rule greatly expands the covered entities of GLBA and provides much more detail regarding the specific safeguards covered entities must implement.

The rule defines a financial institution as "any institution the business of which is engaging in an activity that is financial in nature…" and as "an institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities…"

The new rule itself specifically cites the following examples of covered entities, which include, but are not limited to:

• mortgage lenders

• "pay day" lenders

• finance companies

• mortgage brokers

• account servicers

• check cashers

• wire transferors

• travel agencies operated in connection with financial services

• collection agencies

• credit counselors and other financial advisors

• tax preparation firms

• non-federally insured credit unions

• investment advisors that are not required to register with the Securities and Exchange Commission

• entities acting as finders

• a retailer that extends credit by issuing its own credit card directly to consumers

The rule gives further examples of covered entities:

• an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days

• a personal property or real estate appraiser

• a career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company

• a business that prints and sells checks for consumers, either as its sole business or as one of its product lines

It is likely that an MSP will have several clients that fall into one or more of these categories. When the rule takes effect on June 9, all of these clients will need to be compliant with it. So what does the new rule actually require of covered entities?

Section 314.4 of the FTC Safeguards Rule requires covered entities to:

• Designate a Qualified Individual to oversee their information security program (this can be an external contractor or vCISO)

• Have the Qualified Individual report, in writing, at least annually to the board of directors*

• Develop a written risk assessment*

• Limit and monitor who can access sensitive customer information

• Perform continuous monitoring, or periodic penetration testing and vulnerability assessments*

• Encrypt all sensitive information

• Provide security awareness training to staff and train security personnel adequately

• Develop a written incident response plan*

• Periodically assess the security practices of service providers

• Implement multi-factor authentication, or another method with equivalent protection, for anyone accessing customer information

*Covered entities with fewer than 5000 customers are exempted from these requirements.

For many of the new covered entities these will be new requirements, and the list may seem daunting. However, the rule recognizes that one size does not fit all. Regarding the information security program, the Rule states:

"You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue."

How can MSPs help?

For existing customers of an MSP, many of the requirements are already being met. For instance, the MSP may be providing penetration testing and vulnerability scanning as part of its service offering. Likewise, the MSP may be providing security awareness training for staff and, as the de facto security team, maintaining its own staff's training. However, the key to compliance is providing evidence. This is done through proper process, documentation, and audit practices. To keep the client in compliance, the MSP must make sure that proper documentation of policies, processes, and procedures is being kept. More importantly, the client and the MSP must verify, through a formal auditing process, that those procedures are actually being followed.

As with other regulations, the FTC Safeguards Rule provides a great opportunity to take on a necessary strategic role with the client. If the client has not performed a risk assessment recently or developed an incident response plan, this makes a great project for the MSP to perform. Likewise, if the client does not have an appropriate internal resource to act as the "qualified individual", the MSP can fulfill that role. This presents the opportunity for the MSP to get in front of the owners or the board of directors regularly to review the overall security posture of the organization.

Meanwhile, the MSP must always be looking in the mirror to make sure that its own practices meet the requirements imposed upon its clients. Today's MSP is integral to the workflow of its clients. In managing their cloud infrastructure, performing their backups, and monitoring their security, the MSP holds a shared responsibility that makes the client's overall compliance dependent upon the practices and procedures of the MSP. The best way for MSPs to ensure their own compliance is to adopt and maintain a structured cybersecurity framework.

OTX Roundtable GRC

The adoption of a formal cybersecurity framework is a lengthy and laborious task, and it is difficult to keep the goal front and center given the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security- and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here.
