How Do Businesses Comply with the FTC Safeguards Rule?
Jan 7, 2024

How Do Businesses Comply with the FTC Safeguards Rule?

What is the FTC Safeguards Rule?

The Federal Trade Commission (FTC) created the “Safeguards Rule” to ensure that businesses protect the security of customer information. The Safeguards Rule applies to non-banking financial institutions including mortgage brokers, accounting firms, credit unions, and more.

To comply with the Safeguards Rule, a business must implement a program that:

  • Ensures the security and confidentiality of customer information
  • Protects against anticipated threats or hazards to the security or integrity of customer information
  • Protects against unauthorized access to information that could result in substantial harm or inconvenience to any customer

Why do Cyber Criminals Target Small Businesses?

We live in a new world where cyber crime is a profitable business. Software automation and Artificial Intelligence (AI) has made it easy for hackers to attack small businesses at scale. Small businesses with lax security protocols are juicy targets for cyber criminals.

The FTC Safeguards Rule requires small businesses like Car Dealerships to defend the data privacy of their customers.

Small Business Cyber Security Stats

To further our point, here are a few cybersecurity statistics about small business in the past few years:

  • 1 in 5 businesses were victims of a cyber attack in 2021 (BDC)
  • 61% of SMBs were the target of a Cyberattack in 2021 (Verizon)
  • 95% of cybersecurity incidents at SMBs cost between $826 and $653,587 (Verizon)
  • 75% of SMBs could not continue operating if they were hit with ransomware (Small Business Playbook)
75% of SMBs could not continue operating if they were hit with ransomware. (Small Business Playbook)


How Can Your Business Become Compliant With The Safeguards Rule Asap?

The Safeguards Rule details nine elements that businesses must include in their IT security program.

Let’s take a look at the basic steps that businesses need to focus on:

1. Put someone in charge. This can be an employee or service provider. It’s your company’s responsibility to make sure that the Qualified Individual understands the security risks and can communicate them to the Board.

2. Conduct a cyber risk assessment. You can’t make an effective IT security program until you know what information you have and where it’s stored. Write your risk assessment down and include criteria for evaluating risks and threats. The Safeguards Rule requires you to assess employee accounts, data storage, network threats, and software vulnerabilities throughout your business. (We can do this for you at Iceberg Cyber!)

3. Regularly monitor and test the effectiveness of your safeguards. Test your procedures for detecting actual and attempted attacks. Implement continuous monitoring of your system to make sure you adapt with the changing threat landscape. Hackers adapt every day to make money by stealing from you. Stay one step ahead of them or face the consequences. Hackers only have to get lucky once.

4. Implement basic cyber hygiene. Encrypt your client data, put in place routine data backups, and use Multi-Factor Authentication for all accounts.These are simple steps that your Managed Service Provider can help you with. For more info, check out our blog post here.

5. Report to your Board of Directors. The FTC Safeguards Rule makes cybersecurity a key business concern for your Directors. They will be liable for negligence and non-compliance. What should the report address? Include an overall assessment of your business's compliance with its IT security program. Cover specific topics related to the program like the risk assessment, service provider arrangements, and recommendations for changes in the information security program. This is a team sport.


Three Key Takeaways for Businesses About the Safeguards Rule

1. Time is running out to achieve compliance

The updated Safeguards Rule has been in full effect since June of 2023. This means businesses need to begin working now to be ready in time. If your business does not have the internal bandwidth or resources to achieve compliance, you need to engage with an expert cybersecurity services provider

2. Virtually all data is covered by this rule

The FTC has a very broad definition of data as covered by the updated Safeguards Rule. This includes data provided directly by customers to obtain products or services, any data that is customer-related, and data resulting from or in conjunction with a transaction. Hardly any data are excluded

3. Boards of directors will have to be engaged

The new Rule requires regular reports to company boards including the overall status of the business's information security program, the business's current level of compliance with Safeguards Rule, the most recent risk assessment, any new management and control decisions, service provider arrangements, test results, information on security events or violations (and management’s responses thereto), and recommendations for changes


What Are The Penalties for Non-Compliance?

According to the FTC, penalties for non-compliance can be “extensive and expensive”. They take consumer privacy very seriously. Non-compliance consequences can include:

  • Lengthy oversight periods or disabling access to information systems.
  • FTC monetary fines that can cost an organization $100,000, and individuals in leadership can be fined up to $10,000.
  • Negligence can result in prison time of up to five years


FTC Safeguards requires periodic cyber risk monitoring

How Can Businesses Get Compliant?

For many businesses in the United States, complying with the updated Safeguards Rule may seem like a daunting challenge.

Here are a few tips for how to get started:

Don’t Stand Alone

IT Managed Service Providers (MSP) are experts in IT and cyber security. They can demystify the complex world of cyber crime and protect the assets most critical to your strategic business objectives and operations. Talk to the experts and don’t stand alone. Here at Iceberg Cyber, we are here to help. Simply get in touch with us to find out how we can make your business compliant.

Start with a risk assessment

Get a cyber risk assessment and validate your current state, identify any existing gaps and vulnerabilities which are creating exposure to risk, and prioritize actionable recommendations based on ease of implementation and criticality to reduce risk quickly and effectively.

Complete a data and system inventory

The risk assessment for your business, along with the risk assessment for the vendors you work with, are contingent upon a complete understanding and inventory of your assets, data and data flows.


Additional Resources

For more information on the FTC Safeguards Rule: