What is the FTC Safeguards Rule?

The U.S. Federal Trade Commission (FTC) recently revised the Safeguards Rule (16 CFR Part 314), which requires non-banking financial institutions to develop, implement and maintain a comprehensive information security program to keep customer financial data safe. Because data breaches continue to grow in number and security threats keep evolving, organizations need to mature their security programs to protect the confidentiality of customer information and defend it against cyber threats such as ransomware.

What organizations are affected by the FTC rule?

The FTC defines a financial institution as any organization significantly engaged in financial activities, or in activities incidental to them. In practice this covers many businesses that handle customer financial data or process transactions using personal consumer information, even though they are not banks. All of them are covered by the revised FTC Safeguards Rule. Some examples include:

  • Mortgage lenders
  • Mortgage brokers
  • Payday lenders
  • Finance companies
  • Account servicers
  • Automobile dealerships
  • Wire transferors
  • Collection agencies
  • Tax preparation firms
  • Credit counselors and other financial advisors
  • Retailers that issue their own credit cards
  • Non-federally insured credit unions
  • Personal property or real estate appraisers
  • Travel agencies in connection with financial services
  • Investment advisors not required to register with the SEC

What is an Information Security Program?

Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include according to the FTC. Let’s break these down:

Designate a Qualified Individual to implement and supervise your company’s information security program.

This can be an employee of your company or a member of a Service Provider, such as an MSSP or eXtended Service Provider (XSP). Regardless of who is in charge, they must have a good understanding of your business and of the security standards it must meet.

Conduct a risk assessment.

The most important step in formulating a security program is to take inventory of the information your company holds and how it is currently stored. By conducting an assessment, such as a cybersecurity maturity assessment or a gap and risk assessment, you can understand how exposed your business is to a security incident. Does your business have multifactor authentication in place so that only trusted individuals can access sensitive data? How are passwords managed and protected? Who is responsible for watching and responding to security alerts? These are all questions your team needs to be able to answer.

Encrypt customer information both at rest on your systems and in transit over external networks.

If encrypting the information is infeasible, secure the sensitive customer data with effective alternative compensating controls that your Qualified Individual has reviewed and approved.

Monitor and test the effectiveness of your safeguards.

Penetration testing and vulnerability assessments take you from the hypothetical to the actual, giving you evidence about the specific weaknesses in your environment rather than a list of what might be wrong. The rule expects either continuous monitoring of your systems or, at a minimum, annual penetration testing plus vulnerability assessments at least every six months. There are two different types of tests:

Vulnerability Assessments

Vulnerability assessments discover which vulnerabilities are present in your environment but do not differentiate between flaws that can be exploited to cause damage and those that cannot. Vulnerability assessments are used to alert clients to preexisting flaws in their systems and where they are located.

Penetration Tests

Penetration tests, or pentests, attempt to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible. This service also identifies which flaws pose a real threat to the application and measures the severity of the risk. Pentests are meant to show how damaging a flaw could be in a real attack rather than to find every flaw in a system.

Train your staff.

Often the most vulnerable element in a company's security program is its own people, as criminals keep getting craftier at exploiting employees' trusting nature to breach organizations. Security training covers the latest security issues, teaches well-meaning people to be cautious people, and reinforces the need to follow policies closely.

Monitor your service providers.

Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job. It is important that your service provider is just as security conscious as you and holds themselves accountable to the amount of risk they may be exposing you to and how they can mitigate it.

Revisit your information security program.

Cyber threats are constantly changing, so routine risk assessments and keeping up with emerging threats are crucial to keeping your security program effective. The best programs are flexible and respond to new threats.

Create an incident response plan.

An incident response (IR) plan is a structured set of instructions that guide organizations and help them detect, respond to, and recover from security incidents. IR plans typically address cyberattacks, data breaches, ransomware, and service outages. Every business should have an incident response plan in place because it is not a matter of if your organization will suffer from a security breach, but when.

Require your Qualified Individual to report to your Board of Directors.

Your Qualified Individual must report in writing regularly – at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.

What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program, like risk assessments, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in your cybersecurity program.

Improve your cybersecurity posture with Entara

Entara offers complete, integrated IT and cybersecurity solutions personalized to a company's needs. We provide comprehensive cybersecurity and technology services to elevate our clients' security stacks and prevent devastating cyberattacks. Our recommendations are based on thousands of hours of real-world experience helping companies across industries recover from ransomware and other cyber threats. Connect with us to learn more about how our team of experts can help you comply with the FTC Safeguards Rule, teach your employees how to work remotely and safely, and reduce your organization's exposure to cyber threats.
