FTC Guidelines & How we can help.

FTC Guidelines Rule 2023

The FTC Guidelines apply to all businesses that are considered a financial institution.

The deadline for compliance is
June 9, 2023.

What makes you a Financial institution?

Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.


Your company may be considered a financial institution if it is one of these:

Mortgage lenders, mortgage brokers, motor vehicle dealers, payday lenders, finance companies, account servicers, check cashing companies, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.

Regardless of size, if your type of company is listed you must comply with the following FTC Safeguards by July 9, 2023. The guidelines that follow apply to companies with under 5000 customer records; the additional guidelines for companies with over 5000 customer records are listed further below. This list of business types is not exhaustive; other types of businesses may also be covered.

You must designate a qualified individual to implement and supervise your company’s information security program. It can be an employee or a service provider. They do not require a title, degree or certificate.

The way we help is by becoming your company's dedicated information security person.

You must design and implement safeguards to control the risks identified through a risk assessment. This includes implementing and periodically reviewing access controls, knowing the data you have and where it is (how it’s stored, transmitted and collected).

The way we help is by running a risk assessment on your network to see how things can be improved. We also go through every program you use and determine the risk factor of each one.

You must encrypt customer information on your system and when it’s in transit. If it can’t be secured with encryption you must secure it with effective alternative controls approved by the qualified individual that was designated to supervise the program.

The way we help is by making sure you have BitLocker enabled and, if you access programs remotely, that you do so over a secure VPN. For any other software you use, we will verify with the vendor that everything is secured.

You must implement a procedure to evaluate the security of the apps you use or develop.

We will ask your vendors and in-house developers about the security of their programs.

You must implement 2FA for anyone accessing customer information on your system.

In 2023 every program you use should have 2FA enabled. We will make sure all of your software is secured and has 2FA enabled.

You must dispose of customer information securely. Delete it 2 years after your most recent use of the information unless you have a legitimate business need or legal requirement to hold onto it, or if disposal isn’t feasible.

This isn't something we help with, but you should know about it.

You must monitor your service providers. The contracts you sign with them must spell out the security expectations with built-in ways to monitor your service provider’s work and provide a periodic assessment of their suitability for the job.

Our contracts spell out exactly how we will help your company, and we allow you to inspect our systems, within reason, to verify everything is working as it should.

You must anticipate and evaluate changes in your information system or network. This means you must evaluate whenever you add something new to your network such as a server or system containing customer information.

By having us plan your next server install we can verify no issues will arise when implementing your newest addition to the network.

You must maintain a log of authorized users’ activity and monitor it to detect unauthorized access to customer information on your system.

By running SIEM software tied to a SOC, we make sure unauthorized access is not granted: notifications are sent to our email any time there is anything suspicious on your network. Combined with our SentinelOne EDR, this makes your network a pain for an attacker to maintain persistence in. By using top-of-the-line software we make sure your network is very hard to remain undetected in.
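To make the "log and monitor" requirement concrete, here is an added example (not the vendor's tooling or the FTC's text) of the kind of rule a SIEM applies when reviewing authorized users' activity. The log format, the user list, the business hours and the thresholds are all assumptions, and the log lines are constructed sample data.

```python
"""Review an access log for a customer-information system.

Added illustration for the monitoring requirement above; it is not the
vendor's software. Log format, authorized-user list, business hours and
thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# <ISO timestamp> <user> <action> <resource> <result>
SAMPLE_LOG = """\
2023-06-01T09:02:11 alice LOGIN portal SUCCESS
2023-06-01T09:05:40 alice READ customer_records SUCCESS
2023-06-01T13:20:03 bob LOGIN portal FAILURE
2023-06-01T13:20:09 bob LOGIN portal FAILURE
2023-06-01T13:20:15 bob LOGIN portal FAILURE
2023-06-01T13:20:21 bob LOGIN portal FAILURE
2023-06-01T13:20:27 bob LOGIN portal FAILURE
2023-06-01T14:00:00 bob LOGIN portal SUCCESS
2023-06-01T23:45:10 carol READ customer_records SUCCESS
2023-06-02T10:15:00 mallory READ customer_records SUCCESS
"""

# Assumed list of users authorized to touch customer information.
AUTHORIZED_USERS = {"alice", "bob", "carol"}
BUSINESS_HOURS = (8, 18)            # 08:00 to 18:00, assumed
FAILURE_THRESHOLD = 5               # failed logins that trigger an alert
FAILURE_WINDOW = timedelta(minutes=5)
SENSITIVE_RESOURCES = {"customer_records"}


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, user, action, resource, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource, "result": result}


def review_log(text, authorized=AUTHORIZED_USERS):
    """Return a list of (alert_type, user, timestamp) tuples, in log order."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    alerts = []
    failures = defaultdict(list)    # user -> recent failed-login timestamps
    for e in events:
        sensitive = e["resource"] in SENSITIVE_RESOURCES
        # Rule 1: sensitive data touched by a user who is not on the list.
        if sensitive and e["user"] not in authorized:
            alerts.append(("unauthorized_user", e["user"], e["ts"]))
        # Rule 2: sensitive data accessed outside business hours.
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if sensitive and not in_hours:
            alerts.append(("after_hours_access", e["user"], e["ts"]))
        # Rule 3: a burst of failed logins within the sliding window.
        if e["action"] == "LOGIN" and e["result"] == "FAILURE":
            recent = [t for t in failures[e["user"]]
                      if e["ts"] - t <= FAILURE_WINDOW]
            recent.append(e["ts"])
            failures[e["user"]] = recent
            # Fire once, when the count first reaches the threshold.
            if len(recent) == FAILURE_THRESHOLD:
                alerts.append(("login_failure_burst", e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in review_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind}: {user}")
```

Run as written, it flags bob's five failed logins in under a minute, carol's read of customer records at 23:45, and mallory (not on the authorized list) reading customer records. A real SIEM does the same thing at scale; the value of the log requirement is that these three rules have nothing to work with unless the activity is recorded in the first place.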

You must train your staff. We would implement security training for your employees to learn how to spot the risks and report them.

We would sign everybody in your company up for our security protection videos to make sure everybody in your company is aware of the latest threats such as phishing and other attacks.

You must keep your information security program current. Update it whenever your operations change, whenever a risk assessment teaches you something new, and in response to emerging threats, personnel changes, and any other circumstances that may have an impact on your security program.

Any time there is an important change, such as a new employee, you will need to reach out to us so we can send them the security training and get them set up with the other software to verify they are secure. If you are confident setting them up with 2FA yourself, it's not necessary to have us set everything up for them.

Companies with 5000+ Customer Records

You must regularly monitor and test the effectiveness of your safeguards. You must either do that continuously or conduct annual penetration testing along with vulnerability assessments every 6 months. You must also test whenever there is a change in your operations or business arrangements that impacts the information security program.

We will follow up every 6 months and verify everything is still the same or make changes if anything has been affected by a breach or attack. If there is a new user we will be sure to set them up with the computer security training.

You must conduct a risk assessment. Internal and external risks to the security, confidentiality and integrity of customer information must be assessed. This means the ways customer information could be disclosed without authorization, misused, altered or destroyed.

We will go through a risk assessment of all programs and systems to determine the risk.

You must create a written incident response plan. This is the plan you use whenever there is unauthorized access to or misuse of information stored on your system or maintained in physical form. It must cover the goals of the plan and the internal processes your company will activate in response to a security event; clear roles, responsibilities, and levels of decision-making authority; communications and information sharing both inside and outside your company; processes to fix any identified weaknesses in your systems and controls; procedures for documenting and reporting security events and your company’s response; and a post mortem of what happened, with revision of your incident response plan and information security program based on what happened and what was learned.

We will help you create a plan with clear roles and what to do in the case of an infection. We will come up with an incident response plan and an information security program.

You must require your qualified individual to report to your board of directors. They must report in writing regularly, at least annually, to the board. If you do not have a board, they must report to a senior officer responsible for your information security program. The report must address the overall assessment of the company’s compliance with the information security program and cover specific topics related to the program: risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes to the information security program.

We will report to you yearly, or at whatever interval your company requires. We will go over the risk assessment, risk management and the controls in place.