Last updated on April 23, 2024
The Federal Trade Commission (FTC) announced a significant update to the FTC Safeguards Rule. The changes aim to improve the protection of customer information held by financial organizations. Along with the updated rule comes a guide that outlines the most significant changes and the new cybersecurity requirements. Organizations must meet the new FTC Safeguards Rule requirements by June 9, 2023: on November 15, 2022, the initial deadline of December 9, 2022, was extended by six months.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a revised Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions under FTC jurisdiction to secure private consumer data. Importantly, organizations covered by the rule must also ensure that their affiliates and service providers secure consumer data appropriately and meet the FTC standards.
Which Organizations Does the FTC Safeguards Rule Affect?
The FTC Safeguards Rule applies to all organizations broadly defined as financial institutions. This includes many non-bank financial institutions, as well as non-financial institutions that engage in financial transactions, including but not limited to:
- mortgage brokers
- mortgage lenders
- travel agencies
- credit counselors
- wire transferors
- financial advisors
- investment advisors that aren’t required to register with the SEC
- entities acting as finders
- retailers that issue their own credit cards
- career counselors
- check cashers
- check printers
- finance companies
- payday loan lenders
- tax preparers
- collection agencies
- account servicers
- personal property appraisers
- real estate appraisers
- finance career counselors
- car dealerships
- and more.
What Are The New FTC Safeguards Rule Cybersecurity Requirements?
1. Designate a qualified individual responsible for implementing and supervising an information security program.
2. Conduct written risk assessments.*
3. Plan and implement safeguards to protect against risks identified through the risk assessment.
4. Conduct penetration tests and vulnerability assessments.*
5. Train your staff and oversee security providers.
6. Create a written incident response plan.*
7. Submit annual reports to the governing body.*
* Financial institutions that maintain customer information concerning fewer than 5,000 consumers are exempt from this requirement.

1. Designate a qualified individual responsible for implementing and supervising an information security program.
- The qualified individual can be your employee or work for an affiliate or service provider.
- The information security program must be written and correspond to your business’ size, complexity, and nature.
- The information security program must cover how to ensure the security and confidentiality of customer information, how to protect against potential cyber threats, and how to protect against unauthorized access.
- You must update the information security program whenever the threat landscape or the company’s resources change.
2. Conduct written risk assessments.*
- You must conduct an expanded risk assessment to identify potential internal and external security risks and cyber threats.
- The risk assessment must be written and include criteria for evaluating foreseeable risks and threats.
- You must perform periodic reassessments to reexamine risks to customer information’s security, confidentiality, and integrity.
3. Plan and implement safeguards to protect against risks identified through the risk assessment.
- Implement and periodically reassess access controls.
- Conduct a periodic inventory of data and keep a list of all resources.
- Encrypt customer information stored on your system and in transit.
- Evaluate the security of your company’s and third-party apps.
- Implement Multi-Factor Authentication (MFA) for anyone accessing customer information on the system.
- Securely dispose of customer information no later than two years after your most recent use of it to serve the customer.
- Evaluate changes to your information systems and network to ensure they do not undermine existing safeguards.
- Maintain an activity log to monitor authorized and potential unauthorized access.
4. Conduct penetration tests and vulnerability assessments.*
- Conduct annual penetration testing.
- Conduct a vulnerability assessment every six months.
- You can continuously monitor your system instead of conducting periodic penetration testing and vulnerability assessments.
5. Train your staff and oversee security providers.
- Provide your employees with security awareness training and verify that training requirements have been met.
- Oversee your service providers: verify that they are capable of maintaining appropriate safeguards, and ensure your contract spells out the security expectations and how you will monitor their work.
6. Create a written incident response plan.*
- The incident response plan must cover the goals of the plan, including all internal processes for responding to security incidents and a clear definition of roles and responsibilities.
- The plan must describe the means to exchange information both within the organization itself and outside the organization and contain a list of requirements to remediate every identified weakness in information systems.
- The incident response plan must outline how to document and report security incidents and give clear instructions on evaluating and revising the plan after a security incident.
7. Submit annual reports to the governing body.*
- The qualified individual must submit annual reports to the Board of Directors or another governing body in your organization.
- The report must include an assessment of the company’s compliance with its information security program and cover all topics pertaining to the program.
The FTC Safeguards Rule Now Requires MFA
The most important new FTC Safeguards Rule requirement is that financial institutions must implement Multi-Factor Authentication (MFA) for anyone accessing customer information on their systems.
The FTC rule on MFA applies to all companies regardless of size and must be in place by June 9, 2023.
Multi-Factor Authentication (MFA) must use at least two of the following three factors:
- Knowledge Factor (something you know, e.g., a password)
- Possession Factor (something you have, e.g., a security key)
- Inherence Factor (something you are, e.g., a fingerprint)
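As an added illustration that is not part of the original article and not Rublon's product code, the block below shows what "at least two of the three factors" means in working code: a minimal verifier that combines a knowledge factor (a salted, slow password hash) with a possession factor (an RFC 6238 TOTP code of the kind an authenticator app displays). It goes a little beyond the list above by also handling two practical details an auditor will ask about: tolerance for clock drift between the server and the user's device, and rejection of a code that has already been accepted once. The user record, salt, secret and function names are constructed for this example and are not from the page.

```python
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 600_000  # assumption: a deliberately slow setting for a demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: salted PBKDF2-HMAC-SHA256 hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Possession factor: RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1):
    """Return the time-step counter the code matches, or None.

    The current step and +-window neighbours are checked to tolerate clock
    drift. Every candidate is compared in constant time and the loop never
    exits early, so response timing does not reveal which slot matched.
    """
    base = unix_time // step
    matched = None
    for drift in range(-window, window + 1):
        candidate = totp(secret, (base + drift) * step, step, digits)
        if hmac.compare_digest(candidate, code):
            matched = base + drift
    return matched


def enroll(password: str) -> dict:
    """Create a constructed user record with a fresh salt and a 160-bit TOTP seed."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": secrets.token_bytes(20),
        "last_step": -1,  # counter of the last accepted code, for replay rejection
    }


def authenticate(user: dict, password: str, code: str, unix_time=None) -> bool:
    """Both factors must pass. A code is accepted at most once (replay rejection)."""
    if unix_time is None:
        unix_time = int(time.time())
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # The OTP is always evaluated, even after a wrong password, so a failed
    # knowledge factor is not detectable from the response time.
    matched = verify_totp(user["totp_secret"], code, unix_time)
    otp_ok = matched is not None and matched > user["last_step"]
    if pw_ok and otp_ok:
        user["last_step"] = matched
        return True
    return False


if __name__ == "__main__":
    user = enroll("correct horse battery staple")
    now = int(time.time())
    code = totp(user["totp_secret"], now)      # what the user's app would show
    print("first use :", authenticate(user, "correct horse battery staple", code, now))
    print("replayed  :", authenticate(user, "correct horse battery staple", code, now))
```

Two design points are worth noting. The server stores only the password hash and the TOTP seed, so the seed must be protected like a credential (the rule's encryption-at-rest requirement applies to it). The `last_step` field is what turns a "something you have" code into a one-time code; without it, a code captured inside the drift window could be reused.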
How Rublon Can Help
Rublon is a sophisticated Multi-Factor Authentication (MFA) solution that helps companies improve their security posture and meet the regulatory requirements of their respective industries. Rublon Multi-Factor Authentication protects VPNs, Remote Desktop Services (RDS), cloud applications, and other services, ensuring top security in alignment with cutting-edge cybersecurity trends.
Easy to use and fast to deploy, Rublon gives you robust Adaptive MFA in a matter of hours or days, not months. Some of our customers saw their first MFA prompts after a few minutes. While MFA may seem intimidating to deploy and maintain at first glance, Rublon makes Multi-Factor Authentication a breeze thanks to fast and secure authentication methods such as Mobile Push and WebAuthn/U2F Security Key.
Get Free Rublon Trial
Try our Free 30-Day Rublon Trial and see for yourself how easy it is to enter the world of Multi-Factor Authentication.