FTC Safeguards & Your Financial Services Firm
Who’s on first?
Have you ever heard that old comedy routine? It’s funny to listen to comedians create confusion with wordplay, but it’s not so funny when you’re trying to figure out something like the brand-new FTC Safeguards Rule that kicked into effect on June 9, 2023.
I’ve discovered that there’s confusion regarding who it applies to and what changes may need to be made to a security program. So, let’s talk about the new regulation and help you find a path forward for your organization’s data security.
If you’re a small organization, you may be thinking that you’re not covered by these new guidelines. But there are two misconceptions I’d like to cover regarding size.
MISCONCEPTION 1: If I service fewer than 5,000 consumers, I don’t have to comply with the rule.
The FTC does have an exemption for businesses that have fewer than 5,000 clients, BUT this exemption is not talking about the number of consumers an organization currently services. The FTC defines this exemption only for businesses that store fewer than 5,000 customer records.
So, let’s say you’re a small lender who only touches 200 people in a month. BUT you’ve been in business for 10 years and have 10,000 people on file (here think non-public information such as credit cards, birth dates, social security numbers, etc.). Guess what? You’ll still be required to comply FULLY with the FTC Safeguards. The 5,000 number is the total number of consumers on your list, not the number of active consumers at any given time.
MAJOR TAKEAWAY: The FTC Safeguards Rule is about 5,000 or more consumers total...not annually, not monthly.
MISCONCEPTION 2: Okay, so my organization has fewer than 5,000 consumers on file. That means I don’t have to comply with FTC Safeguards.
This is definitely not the case. The FTC Safeguards Rule has fewer requirements for organizations that have fewer than 5,000 consumers in their database, but that does not mean the Safeguards are completely inapplicable.
The FTC still expects smaller businesses to comply with 7 elements of their framework.
So, let’s take a look at the 7 elements of the FTC Safeguards that can help you take your wealth management firm to a higher security level. These elements include:
· Element 1: Organizations must designate a qualified individual to run their security program. This could be someone on your staff, or the person or organization that runs your IT. Just because an organization is small doesn’t mean it is exempt from security.
· Element 2: Security must be evaluated on a regular basis to look for internal and external security holes, to evaluate the current state of security, and to assess any controls in place to address those risks.
· Element 3: Organizations must put controls in place to address security holes. Knowing about the gaps in your security isn’t good enough. At a minimum, organizations will be expected to have a written security program that addresses security gaps identified from a risk assessment.
· Element 4: Organizations must regularly monitor security effectiveness. FTC Safeguards expects organizations to regularly test or monitor the effectiveness of the safeguards they have in place. Since hackers are constantly devising ways to break through security, businesses will need to continually test against the security measures they have in place.
· Element 5: Organizations must have policies and procedures to help personnel adhere to their security program as well as written policies and procedures around securing their consumer data.
· Element 6: Organizations will have to adhere to standards for protecting the confidentiality, integrity and security of their consumer data. This means organizations must ensure their security controls adhere to the FTC’s standards in terms of protecting data.
· Element 7: And, of course, organizations need to ensure continual improvement of their program based on regular testing. They will then be expected to make adjustments to their security program as needed.
MAJOR TAKEAWAY: You may feel like your wealth management firm doesn’t fall under the Safeguards, but using these elements can help you take your security to a higher level, and with hackers getting more sophisticated by the day, that’s a very, very good thing.
But what if you don’t store data at all? Maybe you use a third party to store your information.
Well, guess what?
Whether data is stored onsite or in the cloud, it needs to adhere to similar security standards. So, even if your data is being hosted by a third party off site, you are still responsible for it.
MAJOR TAKEAWAY: It’s not about WHERE your data is stored. The responsibility lies with the organization that owns the data.
SO, WHAT’S THE BOTTOM LINE?
The FTC Safeguards will affect the majority of U.S. businesses in some manner, and even if it’s just a matter of having clients who fall under it, you’ll want to be prepared. That means that even if you aren’t explicitly covered, this is a good baseline security framework to follow to make sure your wealth management firm is not the lowest-hanging fruit.
HOW CAN I HELP?
I know cybersecurity. I know how to help wealth management firms like yours. I know the FTC Safeguards.
Why should you play a game of “Who’s on first?” with the future of your wealth management firm when you can make one phone call and get help?
Let me answer your questions and give you peace of mind. I can also tell you how a virtual Chief Security Officer (vCSO) can take your wealth management firm to the next level.