FAQ – Safeguards Rule Amendments

January 18, 2023 BY MQMR Blogger

Question: What are the amendments to the Safeguards Rule, do they apply to my company, and when do they go into effect?
Answer: The Safeguards Rule requires financial institutions (including mortgage lenders and brokers) to develop, implement, and maintain an information security program to protect customer financial information.  In October 2021, the Federal Trade Commission (FTC) approved amendments to the Safeguards Rule in order to ensure the Rule keeps pace with current technology and addresses current risks. 
The amendments require financial institutions to maintain a more detailed and comprehensive information security program. The amendments also provide greater clarity including specificity in regard to elements required for an information security program and additional definitions of terms like “multi-factor authentication,” “penetration testing,” and “security event”.
While some provisions went into effect in January 2022, other sections of the rule were set to go into effect on December 9, 2022. The FTC recently voted to extend the December 2022 effective date to June 9, 2023.  The provisions of the updated rule specifically affected by the six-month extension include:
1.     designating a “qualified individual” to oversee the information security program and reporting to the Board in writing on the program at least annually;
2.     developing a written risk assessment that includes:

a.    criteria for the evaluation and categorization of identified security risks or threats;

b.   criteria for the assessment of the confidentiality, integrity, and availability of information, including the adequacy of the existing controls in the context of the identified risks or threats; and

c.    requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks;

3.     limiting and monitoring who can access sensitive customer information through various safeguards;
4.     encrypting all sensitive information held or transmitted;
5.     training security personnel;
6.     developing an incident response plan;
7.     periodically assessing the security practices of service providers; and
8.    implementing multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
Despite the six-month extension, companies should not delay in addressing the new requirements as they will take time to develop and implement. 
The FTC published a guide, FTC Safeguards Rule: What Your Business Needs to Know, which is a useful resource for complying with the Safeguards Rule.