The Federal Trade Commission has given “financial institutions” and their cybersecurity providers until June 9, 2023, to be compliant with its new Safeguards Rule. Under this rule, many retailers that were not previously considered financial institutions now are.
We go over who needs to be compliant with these new rules, what to include in your written security strategy, and the best way to remain compliant going forward.
Do These New Compliance Requirements Affect Your Business?
The FTC Safeguards Rule requires all financial institutions to follow their new compliance strategies. This has made some business owners believe that since they’re not an investment agency, or even a financial institution, they don’t need to worry about the deadline. That’s not the case. The term “financial institution” is used rather loosely for this requirement. There are many businesses and industries that will need to comply by June 9, including:
- Credit unions
- Investment advisers
- Tax preparers
- Auto dealerships
- Payday lenders
- Check cashers
- Collection agencies
- Credit counselors
- Wire transfer services
- Retailers issuing their own store credit cards
- Home appraisers
- Travel agencies
- Mortgage brokers
- Estate settlement planners
- And more
Because these regulations are so new and affect so many different businesses, the best thing you can do is consult with a cybersecurity expert to determine if your business needs to be concerned with the new Safeguards Rule. A cybersecurity expert could be a managed services provider, an IT consultant, or even a cybersecurity provider. Any one of these professionals should be able to guide you in the right direction.
Is it time to prepare for compliance with a new IT provider? Start here.
What Does the FTC Safeguards Rule Include?
The FTC Safeguards Rule includes compliance requirements that both large and small businesses need to follow, beginning June 9, 2023. Some of the factors that companies need to be aware of include:
A Qualified Individual
Many small companies don’t have a dedicated person who is responsible for their cybersecurity protocols. Everyone is responsible, but no one is keeping track. Going forward, though, all businesses must appoint a Qualified Individual who supervises compliance and cybersecurity. This cybersecurity point person will report to your board of directors at least once a year with information on your security program, compliance, assessments, incident reports, improvement recommendations, and more.
A Qualified Individual can be an employee of the company, a third-party vendor, or an affiliate. A qualified cybersecurity provider like EIS Consulting can serve as the Qualified Individual while being your IT team. This means that EIS will handle all that goes into maintaining your compliance requirements, keeping your IT stress-free.
Written Security Strategy
Word-of-mouth security strategies will no longer fly with the FTC. All affected companies must have a written security strategy that features plans for different elements, including:
- An inventory of your data
- A list of where the data is stored
- An assessment of current systems for handling customer data
- An assessment of protocols for handling customer data
- An up-to-date record that names all employees who have access to customer data
- Data encryption
- Records of authorized user activity
- A monitoring system for unusual user access
- Review of any programs and apps that collect or transmit data
- Review of compliance systems
- Training programs for phishing attacks and data breaches
- Strategies to destroy data upon customer request, when the data is no longer needed, or when the data has not been used in over 2 years
The FTC Safeguards Rule also requires:
- Continuous testing, changes, and risk assessments for security programs
- A documented incident response plan and a review of the plan after every incident
- Assessment of service providers
- Annual penetration tests
- Multifactor authentication (MFA)
How Can a Cybersecurity Provider Help You Stay in Compliance?
So how can you be ready for June 9?
By writing out a detailed cybersecurity plan that includes all of the items we’ve listed above, by testing your plans frequently and documenting the results, by reporting any security events, by performing annual penetration testing, and more.
Or, by working with a cybersecurity provider.
EIS Consulting Group is experienced in helping companies just like yours meet compliance requirements and industry standards, as well as developing robust cybersecurity strategies.
We can help you prepare for June 9 by providing you with:
- A written security plan
- MFA tools
- An oversight service
- A virtual Chief Information Security Officer (CISO)
By appointing EIS as your Qualified Individual, you can avoid fines, protect customer data and work to keep out cybercriminals.
Don’t wait until the last minute to get your compliance ducks in a row. Working with EIS Consulting today, no matter your industry, can have you prepared well ahead of time.