Test existing security controls with consistent and ongoing penetration testing to meet the FTC's Revised Safeguards Rule and stay ahead of evolving security threats with FTC penetration testing.
Overview of FTC Safeguards Rule
The Federal Trade Commission (FTC) "Standards for Safeguarding Customer Information" (commonly referred to as the Safeguards Rule) is a set of requirements issued under Section 501(a) of the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions (now including dealerships) to implement and maintain a comprehensive, documented information security program. Issued to protect consumer information and to mitigate identity theft, privacy violations, and misuse of confidential data, the Safeguards Rule was issued in 2002 and officially took effect on May 23rd, 2003.
By now all financial institutions and dealerships have become familiar with the requirements of the Federal Trade Commission (FTC) "Standards for Safeguarding Customer Information" (Safeguards Rule), which requires organizations to develop, implement, and maintain a comprehensive written information security program. By December 9, 2022, however, the Revised Safeguards Rule will require organizations to revise their information security programs and implement new compliance measures.
FTC Safeguards Rule Revisions
December 9, 2022 - Required Revisions Take Effect
Effective December 9, 2022, financial institutions (including dealerships) are required to revise their information security programs and implement new security measures, including periodic (at least annual) penetration testing or continuous monitoring of information systems, to remain compliant.
The new requirements include:
- The designation of a "Qualified Individual" to oversee information security and implement specific technical measures.
- Preparation of a series of written documents, including:
  - A written security risk assessment
  - A written information security program (revised to include the new requirements)
  - A written incident response plan
  - Written reports to the board of directors or equivalent regarding information security
- Implementation of specific IT technical requirements, including:
  - Encryption
  - Multifactor authentication
  - Systems monitoring, penetration testing, and vulnerability assessments
- Implementation of specific procedural requirements, including the development and ongoing monitoring of:
  - Access controls to customer information
  - Inventory of systems that handle customer information
  - Secure software development and utilization practices
  - Disposal procedures for customer information
  - Change management procedures
  - Employee training and management
  - Security awareness training that is updated when necessary to reflect current risks facing the organization and to educate employees about them
  - Periodic review of service providers' security practices
Note: Organizations must take steps throughout 2022 and in advance of this date to comply by this deadline.
Next Steps to Compliance
Our team of testers is made up of certified professionals, ready to help you uncover exploitable security vulnerabilities and meet FTC Safeguards Rule requirements. At the end of your project, we will deliver a comprehensive report of our findings, including remediation recommendations. We even offer remediation re-testing for FREE for up to six findings, within six months of project completion. Schedule a call with our team to discuss your unique security needs.