If your organization handles financial information and you don't have appropriate security leadership, June 2023 is going to present you with a huge headache.

Starting in June 2023, the new FTC Safeguards Rule goes into effect. That means new regulations that your organization will need to comply with or face the consequences. Without a fully developed security program that addresses the security and confidentiality of consumer information through your organization's processes, controls and people, you may be hard-pressed to comply with the new regulations.

Maybe you're not concerned because you don't think that you fall within FTC Safeguards. But did you know that the FTC has recently expanded who is required to abide by its newly published rule? The definition of "financial institution" has been broadened to encompass many businesses that were previously not defined as such.

For more information on whether your organization falls within the FTC purview, here is a more detailed explanation.

If you do fall within the FTC Safeguards definition of a covered entity, there are several security leadership components you will need to consider:

  • Someone to evaluate your security controls to make sure you're adhering to the FTC guidelines on specific security controls.
    • You'll need to show that those controls are effective at securing the consumer information you store.
    • To do this, you'll need to test the limits of your controls, which often means performing regular third-party assessments of your network.
    • These could be as simple as security audits, but more commonly they take the form of third-party penetration testing to evaluate the effectiveness of the controls you have in place.
  • An incident response plan
    • The FTC expects that you will have a plan to respond to a data breach or incident if one occurs.
    • This entails running through the gamut of scenarios that may commonly happen in an organization like yours.
    • They will be particularly interested in whether you are able to address concerns with consumer data leaks or exposures.
    • Most organizations seek security leadership to handle maintaining and testing incident response plans and procedures. Plan testing typically happens at least annually.
  • Security policies
    • Your organization will need to show evidence of maintained security policies that show how it protects its data.
    • These policies will need to shed light on how security controls, processes and training adhere to the company's mission to protect sensitive consumer information.
    • A chief security officer or virtual chief security officer (vCSO) would typically oversee these policies.
  • Employee security training
    • The FTC will require that employees are trained on how you expect them to secure information.
    • This means training that fits the policies, procedures and processes within your unique environment.
    • A security officer will typically own making sure that training fulfills your company's needs.
    • While many topics are one-size-fits-all, you will want to show evidence that any process-related security concerns are addressed with supplemental training.
  • A complete security program
    • The FTC is looking for you to have more than simply a firewall and phishing training.
    • They are looking for evidence of a complete security program.
    • This means an adaptive program that is capable of changing as security concerns change.
    • To run a successful security program, organizations need leadership: someone who understands your unique problems and is able to provide vision on how to address your unique challenges. A chief security officer commonly fills this leadership role.

But even if you are not covered by FTC Safeguards today, you might consider elevating your security program.

No, the government will not come after you with fines, but SOMEONE in your data supply chain will be affected by these new FTC rules. Guess what? They'll be looking for their business partners to also adhere to a basic standard like the new FTC rules.

The FTC Safeguards rules are not temporary. They're not a passing fad that you can ignore. These regulations are the new normal of what you should be doing as a responsible business leader.

So, what can you do?

The solution is actually easier than you might imagine: a virtual Chief Security Officer (vCSO).

The best path forward for addressing growing concerns over data security is to engage a virtual Chief Security Officer (vCSO). This resource will help make sure your entire business (your processes, policies, people, and technology) meets a minimum security standard.

Even beyond those benefits, a vCSO offers your organization leadership and clarity. Technology plays a vital role in your business. If you aren't protecting your data, you're asking for a data breach or a business-shuttering ransomware attack.

A vCSO will help you address these concerns.

Not sure where to go from here? Consider a third-party assessment to see where your security stands.