On December 9, 2021, the Federal Trade Commission (FTC) published their revised Standards for Safeguarding Customer Information (16 CFR Part 314) in accordance with the Gramm-Leach-Bliley Act (GLBA). This updated rule exists to improve how financial institutions regulated by the FTC develop and implement their information security programs.
Who does the rule apply to?
While there is not an exact list of financial institutions who are subject to the rule, generally speaking, it would apply to financial institutions who:
- Engage in "activities that are financial in nature" per 12 USC 1843(k); and
- Are not "subject to the enforcement authority of another regulator" (e.g., FDIC, FRB, NCUA, OCC, state banking regulators, etc.).
The rule provides several examples of the kinds of financial institutions who would be subject to the rule, including, but not limited to:
|
|
If you are unsure whether the rule applies to you, consult with your organization's legal advisors.
What does the rule require?
In keeping with the previous version, the revised rule continues to require the development, implementation, and maintenance of an information security program. The difference is that section 314.4 now prescribes specific elements to be included as part of the program.
|
Section |
Requirements Summary |
|
314.4(a) |
A single qualified individual must be designated to oversee, implement, and enforce the information security program. |
|
314.4(b) |
A written risk assessment must be developed which includes the identification of threats and an assessment of the sufficiency of controls. |
|
314.4(c) |
Specific controls must be implemented, including:
|
|
314.4(d) |
Controls must be validated through ongoing monitoring - or - regular penetration tests and vulnerability assessments. |
|
314.4(e) |
Personnel training, education, and upskilling must be provided. |
|
314.4(f) |
Selection and oversight of service providers and their security practices must be performed. |
|
314.4(g) |
The program must be updated regularly. |
|
314.4(h) |
A written incident response plan must be developed. |
|
314.4(i) |
An annual report must be provided to the Board, or similar governing body. |
When is the rule effective?
Parts of the rule are effective as of January 10, 2022. However, the sections with new requirements are not effective until June 9, 2023. Download our FTC Safeguards Resource and Tandem Mapping to see the specific sections of the rule which will go into effect in June 2023.
Basically, anything effective in January is part of the FTC's previous version of the rule and you should already be doing those things. The rest of the items which become effective in June 2023 are considered security best practices and may already be part of your program. The FTC encourages financial institutions to "compare their existing programs to the revised Rule, and address any gaps."
Are there any exemptions?
Actually, yes. Certain provisions in the rule do not apply to financial institutions which maintain information for fewer than 5,000 consumers, including 314.4 (b)(1), (d)(2), (h), and (i).
The exemptions are interesting for three reasons:
- Historically, there have not been exemptions in GLBA standards. However, the FTC believes they are suitable here because the exempted provisions "may be less necessary in situations where the overall volume of retained data is low."
- The FTC uses the term "consumers" instead of "customers." A consumer is "an individual who obtains or has obtained a financial product or service from you." This includes both present and historical relationships. It also includes individuals who provide personal information to you for the purpose of obtaining a loan or credit, regardless of whether the financing is extended. Be sure to consider the right definition when determining if you are exempt or not.
- The exempted sections are still considered security best practices. The exempted requirements include data identification, classification, and asset management; penetration testing and vulnerability assessments; the development of a written incident response plan; and annual reports to the Board. While the effort to reduce regulatory burden is clear, it is curious to see these components of a security program excluded.
How will the rule be enforced?
Unlike the members of the FFIEC, the FTC "does not have the ability to examine each financial institution and work with that institution to ensure that their information security is appropriate." As a result, the FTC anticipates the rule will be enforced in two ways:
- Through increased accountability. The newly required annual report to the Board is designed to ensure "the governing body of the financial institution is engaged with and informed about the state of the financial institution's information security program." This can ultimately help ensure the program is "being maintained appropriately and given the necessary resources."
- During enforcement action reviews. According to the rule, "every aspect of an information security program is based on the judgment of a financial institution and its staff" and decisions about the program "will be subject to review in any enforcement action."
Are there any resources which can help?
To help financial institutions understand this new rule, Tandem has created a downloadable PDF resource. This document provides a side-by-side comparison of the regulatory language with our opinion to help you simplify and interpret the rule, as you prepare for the deadlines.
In addition, the resource provides information about how the requirements are addressed in Tandem, an online suite of products designed to work with you in the development of your information security program. Some of our products which go hand-in-hand with this new rule include Risk Assessment, Policies, Vendor Management, Phishing, and Incident Management.
If you need assistance with the development and maintenance of your information security program, check out our full suite of products at Tandem.App.
UPDATE: The effective date was updated from December 9, 2022 to June 9, 2023, per the FTC's Delay of Effective Date.
