FTC Safeguards Rule 2023

The FTC Safeguards Rule applies to every business that counts as a financial institution. The deadline for complying with the amended rule was June 9, 2023.

What makes you a financial institution?

Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.

Your company may be considered a financial institution if it is one of these.

Regardless of size, if your type of company is listed above, you may have to comply with the following FTC safeguards; the compliance deadline was June 9, 2023.


Here are the requirements that apply to every covered company, including those with fewer than 5,000 customer records.

You must designate a qualified individual to implement and supervise your company's information security program. This can be an employee or a service provider, and no particular title, degree or certificate is required. If you use a service provider, your company still retains responsibility for compliance and must designate a senior employee to oversee that provider.

We can serve as that qualified individual, acting as your company's dedicated information security person.

You must implement a procedure to evaluate the security of the apps you use or develop.

We consult with your vendors and in-house developers to evaluate the security measures built into their applications.

You must log authorized users' activity and monitor for, and detect, unauthorized access to or use of customer information on your systems.

We deploy Managed Detection and Response (MDR) tooling backed by a Security Operations Center (SOC), so suspicious activity on your network produces an alert in real time. Combined with our SentinelOne Endpoint Detection and Response (EDR) solution, this makes it hard for an intruder to maintain persistence on your network or for malicious activity to go undetected.
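To make the logging and detection requirement concrete, here is a small added example of the kind of review an MDR or SOC rule performs over an access log. It is not the page's or the vendor's tooling: the authorized-account list, the share path and the log lines are constructed for this example so that it runs stand-alone, and in practice the events would come from Windows Security auditing (object-access and failed-logon events) or an EDR/SIEM export.

```powershell
# Added example: review an access log for the "log authorized users' activity and
# detect unauthorized access" safeguard. Not the page's or the vendor's tooling.
# The account list, share path and log lines below are constructed.

$AuthorizedUsers  = @('alice', 'bob', 'svc-backup')   # assumed: accounts allowed to read customer data
$CustomerDataRoot = '\\FS01\CustomerRecords'          # assumed: share holding customer information

# Constructed sample log; a real export would carry the same fields per event
$SampleLogCsv = @'
Time,User,Action,Path,Result
2025-03-03T09:14:02,alice,Read,\\FS01\CustomerRecords\loans\1001.pdf,Success
2025-03-03T09:20:11,mallory,Read,\\FS01\CustomerRecords\loans\1001.pdf,Success
2025-03-03T02:41:57,bob,Read,\\FS01\CustomerRecords\loans\1002.pdf,Success
2025-03-03T09:30:00,bob,Read,\\FS01\Public\holiday-schedule.pdf,Success
2025-03-03T10:02:00,carol,Logon,,Failure
2025-03-03T10:02:05,carol,Logon,,Failure
2025-03-03T10:02:09,carol,Logon,,Failure
2025-03-03T10:02:14,carol,Logon,,Failure
2025-03-03T11:15:33,svc-backup,Read,\\FS01\CustomerRecords\loans\1003.pdf,Success
'@

function Find-SuspiciousAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $Authorized,
        [Parameter(Mandatory)] [string]   $DataRoot,
        [int] $BusinessStartHour    = 7,
        [int] $BusinessEndHour      = 19,
        [int] $FailedLogonThreshold = 3
    )

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($e in $Events) {
        $t = [datetime]$e.Time
        # Only events that touch the customer-data share matter for this safeguard
        if ($e.Path -and $e.Path.StartsWith($DataRoot, [StringComparison]::OrdinalIgnoreCase)) {
            if ($Authorized -notcontains $e.User) {
                $findings.Add([pscustomobject]@{ Time = $t; User = $e.User
                    Rule = 'Account not on the authorized list touched customer data'; Detail = $e.Path })
            }
            elseif ($t.Hour -lt $BusinessStartHour -or $t.Hour -ge $BusinessEndHour) {
                $findings.Add([pscustomobject]@{ Time = $t; User = $e.User
                    Rule = 'Customer data accessed outside business hours'; Detail = $e.Path })
            }
        }
    }

    # Repeated failed logons from one account: possible password guessing
    $failed = $Events | Where-Object { $_.Action -eq 'Logon' -and $_.Result -eq 'Failure' }
    foreach ($g in ($failed | Group-Object User | Where-Object { $_.Count -ge $FailedLogonThreshold })) {
        $first = ($g.Group | Sort-Object { [datetime]$_.Time } | Select-Object -First 1).Time
        $findings.Add([pscustomobject]@{ Time = [datetime]$first; User = $g.Name
            Rule = "$($g.Count) failed logons"; Detail = 'review for password guessing or a locked-out user' })
    }

    return $findings
}

$events   = $SampleLogCsv | ConvertFrom-Csv
$findings = Find-SuspiciousAccess -Events $events -Authorized $AuthorizedUsers -DataRoot $CustomerDataRoot
$findings | Sort-Object Time | Format-Table -AutoSize
```

The three rules are deliberately simple: an account outside the authorized list reading customer records, an authorized account reading them at an unusual hour, and a burst of failed logons. The point for the Safeguards Rule is that none of them can fire unless the activity log exists in the first place, which is why the logging half of the requirement comes before the detection half.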

You must train your staff to recognize security risks and report them.

We enroll everyone in your company in our Security Awareness Training so that staff stay aware of current threats such as phishing and other attacks.

You must implement multi-factor authentication (MFA, often called 2FA) for anyone accessing any information system that holds customer information, unless your qualified individual approves in writing a reasonably equivalent or stronger access control.

Today every application you use should support MFA. We will verify that MFA is enabled on all of your software and document any system where it cannot be, so the qualified individual can sign off on the alternative control.

You must dispose of customer information securely, no later than two years after your most recent use of it, unless you have a legitimate business need or legal requirement to keep it, or targeted disposal is not reasonably feasible.

This isn't something we help with, but you should know about it.

You must design and implement safeguards to control the risks identified in your risk assessment. This includes implementing and periodically reviewing access controls, and knowing what data you hold and where it is (how it is collected, stored and transmitted).

We help by running a risk assessment on your network to see where things can be improved. We also go through every program you use and determine the risk each one carries.

You must encrypt customer information at rest on your systems and in transit over external networks. Where encryption is not feasible, you must secure the information with effective alternative controls reviewed and approved by the qualified individual who supervises the program.

We help by making sure BitLocker full-disk encryption is enabled on your computers and that any remote access to your programs goes over a secure VPN. For any other software you use, we verify with the vendor that the data is encrypted.
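"BitLocker enabled" is easy to claim and easy to get wrong, so here is an added example of the evidence check a practitioner would actually run on a Windows PC before letting it hold customer information. It is not the page's or the vendor's tooling; it uses only the built-in BitLocker and TrustedPlatformModule cmdlets and must be run from an elevated PowerShell on Windows 10/11 Pro or Enterprise. The function name Get-BitLockerEvidence is an assumption for this example.

```powershell
# Added example: quick evidence check that data at rest is protected by BitLocker,
# calling out the two states that look encrypted but are not safe. Not the page's
# or the vendor's tooling. Run elevated on Windows 10/11 Pro/Enterprise.

function Get-BitLockerEvidence {
    $tpm = Get-Tpm   # TpmPresent / TpmReady: whether the OS drive can use a TPM protector

    foreach ($v in Get-BitLockerVolume) {
        $protectors = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Compliant only if the whole volume is encrypted AND protection is on.
        # ProtectionStatus = Off on an encrypted drive means BitLocker is suspended
        # (e.g. after a firmware update) and the volume key sits in the clear on disk.
        # EncryptionInProgress means part of the drive is still plaintext.
        $compliant = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            Drive         = $v.MountPoint
            VolumeType    = $v.VolumeType          # OperatingSystem or Data
            Status        = $v.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress...
            Protection    = $v.ProtectionStatus    # On / Off
            Method        = $v.EncryptionMethod    # e.g. XtsAes128, XtsAes256
            Protectors    = ($protectors -join ', ')
            HasRecoveryPw = ($protectors -contains 'RecoveryPassword')
            TpmReady      = $tpm.TpmReady
            Compliant     = $compliant
        }
    }
}

$evidence = Get-BitLockerEvidence
$evidence | Format-Table -AutoSize

# Anything listed here needs attention before the machine should hold customer information
$evidence | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Drive $($_.Drive): $($_.Status), protection $($_.Protection)" }
```

Keep the output as part of the evidence for the annual report. Two follow-ups matter: every volume should have a RecoveryPassword protector, and that recovery password must be escrowed somewhere other than the laptop itself (Active Directory, Entra ID, or a password vault), because a lost TPM or PIN otherwise means the customer data is gone. The same check applies to fixed data drives and to USB drives protected with BitLocker To Go, which are the usual place customer records leak from.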

You must anticipate and evaluate changes to your information systems or network. Whenever you add something new, such as a server or other system that holds customer information, you must evaluate its effect on your security program.

By having us plan your next server install, we can verify that no issues arise when the new system is added to the network.

You must oversee your service providers. Your contracts with them must spell out your security expectations, include ways to monitor their work, and provide for periodic reassessment of their suitability for the job.

Our contracts spell out exactly how we will help your company, and we allow you, within reason, to inspect our systems to verify everything is working as it should.

You must keep your information security program current, adjusting it for changes in your operations, the results of risk assessments, emerging threats, personnel changes, and any other circumstances that may affect the program.

Any time there is an important change, such as a new employee, reach out to us so we can enroll them in security training and set them up with the other software that keeps their access secure. If you are comfortable setting up MFA for them yourself, you do not need us to do that part.

Additional requirements for companies with 5,000+ customer records

You must regularly monitor and test the effectiveness of your safeguards. You can do this either through continuous monitoring or by conducting annual penetration testing plus vulnerability assessments every six months. You must also test whenever a change in your operations or business arrangements could affect the information security program.

We will run penetration tests and vulnerability assessments every six months. At each six-month follow-up we verify that everything is still as expected, or make changes if anything has been affected by a breach or attack. Any new user gets set up with the computer security training.

You must conduct a written risk assessment. It must cover the internal and external risks to the security, confidentiality and integrity of customer information: the ways customer information could be disclosed without authorization, misused, altered or destroyed.

We will go through a risk assessment of all your programs and systems to determine the risk each one carries, and document the findings.

You must create a written incident response plan to use whenever there is unauthorized access to, or misuse of, customer information stored on your systems or kept in physical form. The plan must cover: the goals of the plan; the internal processes your company activates in response to a security event; clear roles, responsibilities and levels of decision-making authority; communication and information sharing both inside and outside your company; processes to fix any identified weaknesses in your systems and controls; procedures for documenting and reporting security events and your company's response; and a post-mortem of what happened, with revision of your incident response plan and information security program based on what was learned.

We will help you create a plan with clear roles and the steps to take in the event of a security incident, such as a malware infection, and build out both the incident response plan and the information security program.

You must require your qualified individual to report in writing to your board of directors, regularly and at least annually. If you do not have a board, the report goes to a senior officer responsible for your information security program. The report must give an overall assessment of the company's compliance with its information security program and cover specific topics: the risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes to the program.

We will report to you yearly, or at whatever interval your company requires, covering the risk assessment, risk management and the controls in place.
