Are you ready?
In June 2023 the new FTC Safeguards Rule goes into effect. If you don’t have a complete security program that addresses the security and confidentiality of consumer information through your organization’s processes, controls and people, you may be out of compliance with the new regulations.
Why should you even care?
Because you’re putting your business at risk.
The FTC Safeguards will become the gold standard for most businesses starting in June. If you aren’t adhering to a minimum security standard around this new normal, you’re going to be the low-hanging fruit for hackers and the target of cyberattacks.
Do you want to know the truly sad fact about cyber-attacks? Most of them are preventable. Yes, that’s right. MOST CYBERATTACKS ARE PREVENTABLE.
Even if you are not required to comply with the new FTC guidelines, you might want to consider fulfilling them because they can help you prepare for and prevent cyberattacks.
Here are the 9 security elements needed to comply with the new FTC Safeguards requirements:
- Designate a Qualified Individual. You will be required to have someone you consider qualified in charge of overseeing and implementing the information security program. This can be an employee, affiliate, or service provider of the client. The issue here is that there are more security job openings than qualified people to fill them. You might want to consider a vCSO—virtual Chief Security Officer—to help address gaps in your security program.
- Perform and document a risk assessment. Risk assessments are a critical piece of a healthy security program. Until you understand your security risks and the steps your organization is taking to minimize them, you may be carrying more risk on your client data than you expect.
- Apply security controls. You will be expected to implement security controls to protect your sensitive data.
- Validate controls. In addition, you will be expected to show that the security controls you have in place are actually working. Third-party security assessments will help identify any controls that are not working the way your team expects. A general rule of thumb is to receive a third-party assessment on a quarterly basis to evaluate your security.
- Develop Training/Auditing Program. You will be expected to provide continuing cybersecurity education to your employees and have an easy way to demonstrate that your training was completed by all team members.
- Monitor Service Providers. You will need to evaluate other vendors that interface or work on your network to make sure they are abiding by your security standards. You may consider evaluating them by ensuring they are also obtaining third-party assessments of their networks.
- Develop Continuous Improvement Cadence. The FTC guidelines expect your team to continuously evaluate the state of your security. Your team should be communicating to leadership where the current concerns are and how those concerns may be addressed—whether by additional security tools or by changes in processes or behaviors within your organization—so that ever-changing security concerns are kept in view.
- Document An Incident Response Plan. You will be expected to have planned out how you respond to a data breach or cyberattack. Who will do what? What will the cadence be? The answer to these questions will be crucial in the event of an incident.
- Provide Annual Reporting to Senior Leadership. As a leader in the organization, you should expect a readout of your security on an annual basis. The qualified individual guiding your program should present to you a complete readout of your organization’s security: where the problems are, what improvements have been made, and where the program is headed.
Want to adhere to these FTC Safeguards guidelines, but not sure where to start?
A good first step is to evaluate where your security program currently stands. Consider a third-party security assessment of your network.