The Final Safeguards Rule amends the current rule in five main ways: In addition to these updates, the FTC is also seeking comment on whether the Safeguards Rule should be changed further to require covered financial institutions to report certain data breaches and other security events to the Commission. The FTC has therefore issued a supplemental notice of proposed rulemaking. The public has 60 days to comment on the notice after it is published in the Federal Register. Expanded definition of "financial institution": the final rule extends the definition of "financial institution" to entities engaged in activities that the Federal Reserve Board considers ancillary to financial activities, and harmonizes the FTC's Safeguards Rule with the safeguards rules of other federal agencies. In particular, this change brings "finders" (i.e., companies that bring together buyers and sellers of a product or service) within the scope of the final rule. Unlike previous rules and guidance issued by federal financial regulators, the FTC's new Safeguards Rule includes specific criteria for the safeguards that financial institutions must implement as part of their information security programs. For example, the new Safeguards Rule requires financial institutions to implement multi-factor authentication for anyone accessing networks that contain customer information. This is an important step in the development of data security regulation at the federal level.
In the past, similar rules provided only general guidance to regulated companies and no specific technical requirements. In this respect, the new Safeguards Rule should make it clearer to covered financial institutions what their obligations are to protect consumers' financial information. The new Safeguards Rule takes effect 30 days after its publication in the Federal Register. However, the rule's most significant requirements are delayed by one year. The requirements delayed by one year include the designation of a qualified individual; written risk assessments; annual penetration tests and semi-annual vulnerability assessments; periodic assessment of service providers; and a written incident response plan. The other requirements, which take effect 30 days after publication, largely reflect the requirements of the existing Safeguards Rule. Therefore, financial institutions are unlikely to face any new obligations until the requirements listed above come into effect in a year.
On October 27, 2021, the Federal Trade Commission (FTC) announced a newly updated rule under the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions to strengthen their data security measures to protect consumers' financial information. The updated Standards for Safeguarding Information (Safeguards Rule) amends the FTC's 2002 Safeguards Rule and responds to significant data security incidents and cyberattacks in the consumer financial services industry. Security programs: the final rule sets out the criteria that financial institutions must include in their risk assessments and states that these assessments must be in writing. Under the current Safeguards Rule, these financial institutions are required to develop, implement and maintain a written, comprehensive and well-designed information security program with appropriate administrative, technical and physical safeguards for customer information. The Final Safeguards Rule represents a significant shift toward more prescriptive information security requirements, which the FTC has been working on for years. Certain provisions of the Final Safeguards Rule, including those relating to the implementation of safeguards, the conduct of a written risk assessment, the designation of a qualified individual, and the conduct of continuous monitoring or annual penetration testing, take effect one year after the date of publication of the final rule in the Federal Register; the other provisions take effect 30 days after publication. The FTC is also proposing certain changes to the Privacy Rule, which is likewise adopted under the GLBA. The FTC's Privacy Rule implements the GLBA's restrictions on information sharing solely with respect to motor vehicle dealers.
The Dodd-Frank Act transferred most of the rulemaking authority to implement these provisions to the Consumer Financial Protection Bureau (CFPB), which does so under Regulation P (Privacy of Consumer Financial Information).
Extending the definition of "financial institution" to companies engaged in activities that the Federal Reserve Board deems ancillary to financial activities. The Final Safeguards Rule now applies to "finders", i.e. companies that bring together buyers and sellers of a product or service. Because the Safeguards Rule applies only to relationships and transactions intended "for personal, family or household purposes", finder services that involve consumer transactions for customers (i.e. consumers with whom a financial institution has an ongoing relationship) now fall under the Safeguards Rule. This amendment also aligns the Safeguards Rule with the safeguards rules of other federal agencies, which include activities ancillary to financial activities in their definition of a financial institution. Including more detailed requirements for developing and establishing an information security program. The current rule requires financial institutions to conduct a risk assessment and to develop and implement safeguards that address the identified risks. The Final Safeguards Rule requires that such a risk assessment be in writing and that these safeguards address the following: Last week, the Federal Trade Commission (the "FTC") issued a final rule amending the Standards for Safeguarding Customer Information (commonly referred to as the "Safeguards Rule") promulgated under the Gramm-Leach-Bliley Act ("GLBA").
The Final Safeguards Rule, approved by the FTC commissioners along party lines, will require financial institutions to make significant changes to their information security programs. The FTC issued a notice of proposed rulemaking proposing these changes in 2019. Of particular note is the second amendment, which aims to improve the accountability of financial institutions. It requires the designation of a single qualified individual to oversee the institution's data security program. In addition, it requires regular reporting to the board of directors or equivalent governing body. While regular reporting to the board of directors was not previously required under the Safeguards Rule, it has become a best practice not only for financial institutions but for businesses in general. Highlights of the new Safeguards Rule include: These changes to the Safeguards Rule make it imperative that all financial institutions not only ensure that an effective data security program is in place, but also that data security and the protection of consumer information are an enterprise-wide effort and culture in which the board of directors actively participates. These measures closely follow recent regulations from state financial regulators such as the New York Department of Financial Services (NY DFS), which issued its own cybersecurity regulation in 2017.
Like the new Safeguards Rule, New York's DFS cybersecurity regulation requires covered financial institutions to implement specific cybersecurity controls such as encryption of data in transit and at rest, as well as multi-factor authentication. In a press release of October 27, 2021, the FTC noted that the Safeguards Rule was mandated by Congress under the Gramm-Leach-Bliley Act of 1999. The changes were in part the result of public comments solicited by the FTC since 2019. It will be important for directors to understand and insist on developing, implementing and promoting a security culture within the organization that is supported by appropriate resources, integrated across all business areas and functions, and accountable within the organization, to the board of directors and to the organization's ultimate beneficiaries. The board of directors or a committee of the board should oversee the process, ensure that management effectively implements the objectives, and hold senior management accountable for implementing the program and for any failure to do so. Incorporating several related definitions and examples, including "financial institution", into the Safeguards Rule itself rather than by reference to the Privacy of Consumer Financial Information rule issued under the GLBA (commonly referred to as the "Privacy Rule"). This makes the Safeguards Rule more self-contained and allows readers to understand its requirements without having to consult the Privacy Rule. The filing of these cases and the grounds for the liability claims, together with the adoption of the second amendment to the Safeguards Rule, suggest that directors need to be even more careful when it comes to data security. In the future, understanding and managing the company's data security efforts will not only be best practice but will also be required by law for many organizations.