FTC Proposes adding Detailed Cybersecurity Requirements to Safeguards Rule

On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”).  Most significantly, the FTC proposes to add more detailed cybersecurity requirements to the Safeguards Rule. The rule governs the information security programs financial institutions must implement to protect customer data.

The FTC is also proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.”  Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.

Proposed Revisions to the Safeguards Rule’s Cybersecurity Program Requirements

The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction.  The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program.  As drafted, the Safeguards Rule has few prescriptive requirements, but directs financial institutions to take reasonable steps to protect customer information.

The FTC’s proposed revisions would add substantially more detail to these requirements.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is:

“to better protect consumers and provide more certainty for business.”

The new requirements are primarily based on the cybersecurity regulations issued by the New York Department of Financial Services (“NYSDFS”) and the insurance data security model law issued by the National Association of Insurance Commissioners.

Proposed changes include:

  • Revising the requirement to designate an “employee or employees to coordinate [the] information security program” to require designation of a single individual, referred to as a Chief Information Security Officer (“CISO”), as responsible for overseeing and implementing the program;
  • Adding requirements to financial institutions’ risk assessments, including that the assessment must be written, describe how the information security program will address the identified risks, and be performed periodically;
  • Requiring financial institutions to implement access controls on information systems, as well as restrict access to physical locations containing customer information only to authorized individuals;
  • Requiring customer information to be encrypted, both in transit and at rest;
  • Requiring implementation of multi-factor authentication for any individual accessing customer information;
  • Requiring information systems to include audit trails designed to detect and respond to security events;
  • Requiring financial institutions to develop procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes;
  • Requiring financial institutions to develop procedures for change management;
  • Requiring financial institutions to implement policies and procedures “to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users;”
  • Requiring regular testing and continuous monitoring of relevant key controls, systems and procedures;
  • Requiring that financial institutions implement appropriate training and education, including verifying that key security personnel take steps to maintain current cybersecurity knowledge, and utilize qualified security personnel;
  • Expanding the requirement to oversee service providers to require financial institutions to periodically assess such service providers based on the information security risk they present;
  • Requiring that financial institutions establish incident response plans; and
  • Requiring that the financial institution’s CISO report at least annually to the institution’s board of directors on issues related to the information security program.

Source: FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules