Though the Safeguards Rule was originally created for financial institutions, the FTC made several amendments recently that expand the rule’s requirements to more industries. The Safeguards Rule updates broaden the definition of what is considered a financial institution entity to include any business that processes financial transactions, brings buyers and sellers together for financial transactions, or otherwise holds non-public financial information.
The changes went into effect in December and will be enforced in June. Affected entities must develop, implement and maintain a comprehensive security program to keep their customers’ data secure including:
- Designate a qualified individual to oversee their information security program. This person must be trained in information security, receive continuing security education, and be in charge of ensuring the organization is fully executing its information security plan. This can be an internal employee or your MSSP (Managed Security Services Provider).
- Complete and document a risk assessment. A risk assessment includes a technical scan and a questionnaire designed to reveal security vulnerabilities. By law, this needs to be completed annually. However, with the rapid advancement of cyber threats and the increased accountability of securing your data by these updates, best practices are to complete a risk assessment quarterly.
- Limit and monitor who can access sensitive customer information. We are well past the days when every employee should have full access to everything on your network, especially customer data systems. An MSP can help you plan and implement access profiles for your employees so that each person has access only to the specific IT processes, systems, and data they need to do their job, minimizing unnecessary exposure.
- Encrypt all sensitive information. Medical records, financial account data (credit card numbers, bank account numbers, etc.), social security information, and even email addresses, phone numbers, state ID information, and birthdays can be used by bad actors to exploit your customers. As a host of that sensitive information, you are required to take steps to secure it.
- Train your personnel. Security Awareness training for your employees is not only required by this law, but is also required to obtain and retain cyber liability, crime, and other insurance. Security Awareness training can reduce your organization’s cyber risks by as much as 70%.
- Implement multi-factor authentication for any individual accessing customer information. Multi-factor authentication is already a standard cyber security practice for employee access to any part of your IT network, but this update specifically requires it for access to customer data and processing systems.
- Develop an incident response plan. If (when?) you are compromised by a cyber attack, you need to have a PRACTICED plan in place for response. The step-by-step plan needs to be updated and reviewed annually (at least) by your leadership team, IT owner and partner, and your insurance agent.
- Review security practices of service providers. This law requires you to ensure that any companies you do business with, specifically those that have access to your sensitive customer data, are secure and compliant. This may look like requiring vendors to state in their contracts that they adhere to the Safeguards Rule as well as security frameworks like CIS or NIST.
Pearl Solutions Group is an experienced Managed Security Services Provider (MSSP) who can help you assess, strategize, and implement all of the requirements of the Safeguards Rule updates. We follow the National Institute of Standards and Technology (NIST) framework and align your cybersecurity plan with corporate objectives to meet compliance standards. Get started with a free risk assessment.