Skip to content
Search
Get A Demo
Sign Up Free
    Get A Demo
    Sign Up Free

      FTC Safeguards Rule Compliance

      The Federal Trade Commission (FTC) Safeguards Rule, or Standards for Safeguarding Customer Information, was updated in early 2022 to require all non-banking financial institutions – such as mortgage brokers, auto dealerships, and others – develop, implement, and maintain a comprehensive cybersecurity system to keep customer information safe. The Safeguards Rule amendments require organizations within scope of compliance to implement technology for audit trails and to monitor all unauthorized activity. The purpose of the Safeguards Rule, like most FTC regulations, is consumer protection and data security. The original Safeguards Rule took effect in 2003; however, the 2021 amendment ensures that institutions are keeping pace with current technology to keep consumers’ financial information safe.

      Try XDR free for 30 days
      Industry Healthcare screenshot

      Who Is Affected By The FTC Safeguards Rule?

      The FTC defines a financial institution as “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.” According to the FTC, financial institutions are not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA).

      What’s new to the inclusion of financial services is the concept of finders: companies that bring together buyers and sellers to negotiate and complete the transaction.
      Industry Financial screenshot
      Any organization storing financial information for its customers is affected. Industries include:
      • Accountants & professional tax preparers
      • Automotive dealerships that lease vehicles
      • Career counselors of individuals in financial industries
      • Check printers
      • Check-cashing businesses
      • Courier services
      • Credit reporting agencies.
      • Investment advisory company
      • Mortgage brokers
      • Nonbank lenders
      • Payday lenders
      • Personal property or real estate appraisers
      • Real estate settlement services
      • Retailers that extend their own credit
      • Wire transfer businesses

      How Blumira Helps With FTC Compliance

      See our compliance checklist for guidance on how to implement a comprehensive security system to meet FTC requirements.

      FTC Requirement for Audit Trails

      The FTC believes logging user activity is a crucial component of information security because in the event of a security event it allows financial institutions to understand what was accessed and when. Audit trails are chronological logs that show who has accessed an information system and what activities the user engaged in during a given period. Financial institutions are expected to use logging to “monitor” active users and reconstruct past events.

      Blumira provides small and medium-sized businesses with an easy and fast all-in-one SIEM solution that combines logging with detection and response. Small teams can deploy the solution within hours to help satisfy FTC requirements. Blumira provides:

      • Up to one year of log data retention (audit trails), with immediate availability to help with investigation and incident response.
      • Unauthorized activity monitoring to help identify attacker behavior with real-time automated detection under 50 seconds and guided playbooks to help you respond to threats faster.
      • Access to our security team to help with guided response, available 24/7 for urgent priority issues.
      Incident Response Plan

      Part of your response plan should include using data and insights from your SIEM to help figure out what went wrong. Blumira built-in playbooks surface all relevant data in our findings, which can speed up the incident response process by ensuring that all of the data is in one place. 

       
      Customer Information Access Controls
      Once integrated with your systems, Blumira automatically logs user access and when their access levels change to give you insight into your current access activity and controls.
      Data Encryption

      While this requirement is about encrypting your customers and organization’s data, Blumira encrypts all log data collected from your systems while it’s in the platform and in transit from your systems. Using Blumira, you can also look for and eliminate legacy protocols in your traffic to further reduce data security risks.
      Penetration Testing & Vulnerability Assessments

      Testing your Blumira SIEM on a regular basis will help you pass your annual penetration testing with flying colors by verifying your technology can detect attacker behaviors. Blumira detects behavior on a penetration test that most SIEMs will not, such as AS-REP Roasting.

      FTC Compliance Updates at a Glance

      The Safeguards Rule amendments require organizations within scope of compliance to implement technology for audit trails and to monitor all unauthorized activity.The revised deadline for complying with some of the updated requirements of the Safeguards Rule went into effect on June 9, 2023, with penalties at $45k per violation.

      • Part 1: Required Policies

        Part 1: Required Policies

        Designated Qualified Individual – An individual on the IT/security team who oversees the information security program. 

        Incident Response Plan – Your written incident response plan details a series of actions that the security team must take in the event of a cyber incident.

        Customer Information Access Controls, Disposal Plan & Change Management – Information access controls restrict who can make changes and creates an audit trail of all changes to help detect unauthorized access. 

        Oversee Service Providers & Apps – Review the applications you use and vendors that you share data with. If they are also handling financial data, they too must comply with all of these safeguards.

      • Part 2: Reports & Documentation

        Part 2: Reports & Documentation

        Data & Systems Inventory – The FTC requires you to have an inventory of all data you have stored and the systems they’re on, including customer records, financial records where they are stored, and all the software that they touch.

        Risk Assessment – This process will vary for every organization, but at a high level it involves identifying threats to an environment, both internal and external, to the security, confidentiality, and integrity of customer information. This written risk assessment must include criteria for evaluating those risks and threats.

        Information Security Program – Use this checklist to build out your information security program. Developing one is an ongoing process that requires an understanding and consideration of the different facets of security described here, documented all together in one program.

        Report To Your Board of Directors – Your Qualified Individual must give an update to your Board of Directors (or another governing body such as a Senior Officer if there isn’t a board) on a regular basis, at least once a year.

      • Part 3: Technical Requirements

        Part 3: Technical Requirements

        Data Encryption – Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.

        Multi-Factor Authentication – Enable multi-factor authentication on all systems that employees and contractors log into. MFA is an easy way to add another layer of verification of a user’s identity and prevent the success of attacks like phishing, stolen credentials, and account takeovers

        Penetration Testing & Vulnerability Assessments – Penetration testing, vulnerability assessments and continuous monitoring all help to detect both actual and attempted attacks. Continuous monitoring is an excellent way to test your environment. 

        Monitor and Log Authorized & Suspicious Activity – Implement a solution to monitor when authorized users are accessing customer information on your system and to detect unauthorized or suspicious access.

      • Part 4: Training Requirements

        Part 4: Training Requirements

        Employee Security Awareness Training – Provide your people with security awareness training and schedule regular refreshers.

        Training & Security Updates For Security Personnel – Provide specialized training for employees, affiliates, or service providers who are hands-on with your information security program and verify that they’re monitoring the latest word on emerging threats and countermeasures.

      Part 1: Required Policies

      Designated Qualified Individual – An individual on the IT/security team who oversees the information security program. 

      Incident Response Plan – Your written incident response plan details a series of actions that the security team must take in the event of a cyber incident.

      Customer Information Access Controls, Disposal Plan & Change Management – Information access controls restrict who can make changes and creates an audit trail of all changes to help detect unauthorized access. 

      Oversee Service Providers & Apps – Review the applications you use and vendors that you share data with. If they are also handling financial data, they too must comply with all of these safeguards.

      Part 2: Reports & Documentation

      Data & Systems Inventory – The FTC requires you to have an inventory of all data you have stored and the systems they’re on, including customer records, financial records where they are stored, and all the software that they touch.

      Risk Assessment – This process will vary for every organization, but at a high level it involves identifying threats to an environment, both internal and external, to the security, confidentiality, and integrity of customer information. This written risk assessment must include criteria for evaluating those risks and threats.

      Information Security Program – Use this checklist to build out your information security program. Developing one is an ongoing process that requires an understanding and consideration of the different facets of security described here, documented all together in one program.

      Report To Your Board of Directors – Your Qualified Individual must give an update to your Board of Directors (or another governing body such as a Senior Officer if there isn’t a board) on a regular basis, at least once a year.

      Part 3: Technical Requirements

      Data Encryption – Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.

      Multi-Factor Authentication – Enable multi-factor authentication on all systems that employees and contractors log into. MFA is an easy way to add another layer of verification of a user’s identity and prevent the success of attacks like phishing, stolen credentials, and account takeovers

      Penetration Testing & Vulnerability Assessments – Penetration testing, vulnerability assessments and continuous monitoring all help to detect both actual and attempted attacks. Continuous monitoring is an excellent way to test your environment. 

      Monitor and Log Authorized & Suspicious Activity – Implement a solution to monitor when authorized users are accessing customer information on your system and to detect unauthorized or suspicious access.

      Part 4: Training Requirements

      Employee Security Awareness Training – Provide your people with security awareness training and schedule regular refreshers.

      Training & Security Updates For Security Personnel – Provide specialized training for employees, affiliates, or service providers who are hands-on with your information security program and verify that they’re monitoring the latest word on emerging threats and countermeasures.

      Blumira Features to Satisfy FTC Requirements

      Blumira provides small and medium-sized businesses with an easy and fast all-in-one SIEM solution that combines logging with detection and response. Small teams can deploy the solution within hours to help satisfy FTC requirements.

      Legacy Infrastructure
      Log Retention Up to one year of log data retention (audit trails), with immediate availability to help with investigation and incident response
      search-eye-line
      Activity Monitoring Unauthorized activity monitoring to help identify attacker behavior with real-time automated detection under 50 seconds and guided playbooks to help you respond to threats faster
      SOC Team
      SecOps Support Access to our security team to help with guided response, available 24/7 for urgent priority issues

      Get Started for Free

      Experience the Blumira Free SIEM, with automated detection and response and compliance reports for 3 cloud connectors, forever.

      Sign Up