What Are the Primary Requirement Changes?
The updates made by the FTC require “a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
For private funds, the updated Safeguards Rule requires specific security controls and accountability measures for consumer information.
- Multi-factor authentication (MFA). MFA or some other compensating control will be required for anyone who accesses a system that stores customer data.
- Data encryption. Data encryption or some other compensating control will be required for all customer data when stored or in transit.
- Updated retention procedures. Record retention procedures will need to be updated for all customer information. It’s important to consider how adjusting retention procedures may impact business continuity in the event of a disaster or breach.
- Required reporting. A report regarding security posture and incidence response is to be made, at the minimum annually, to the board of directors or senior officers of private funds that have customer data for more than 5,000 consumers.
Even if a private fund already has policies such as these in place, they should take the time to review them to ensure compliance.
Who Do the Revised Requirements Apply To?
The revision applies to a wide range of “financial institutions,” such as investment advisers, mortgage brokers, and nonbank lenders that do not meet the criteria for exclusion from the definition of “investment company” under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”). The intention of the FTC’s Safeguards Rule is to include a wider range of businesses than before, even encompassing check cashers, collection agencies, “pay-day” lenders, and wire transferors.
How Should the Changes Be Implemented?
If an organization lacks the qualified personnel to make the changes in-house, it may need an outside managed services provider. One of the changes required by the updated Safeguards Rule is the appointment of a “Qualified Individual” (whether in-house or as a service provider) to provide oversight and implementation of the adjustments to the organization’s security stance. Their responsibilities will include:
- Periodic risk assessment of customer data
- Implementation of safeguards for minimizing risk
- Systems monitoring
- Employee training
- Oversight of third-party vendor selection and access
- Continual evaluation and adjustment of policies
- Written reporting (for organizations that hold data on an excess of 5,000 consumers)
What Are the Security Requirements?
The updated Safeguards Rule contains eight new security requirements for private funds:
- The organization must implement and monitor access controls based on the “least privilege” principle.
- The organization must inventory and classify its systems and data based on the level of potential risk.
- The organization must encrypt all customer information (or some other compensating control) while stored or in transit.
- The organization must adopt secure development practices for its in-house applications.
- The organization must use MFA (or some other compensating control) for any and all end-user access to systems that contain customer information.
- The organization must follow appropriate data retention procedures in harmony with current laws and/or regulations.
- The organization must adopt procedures for change management.
- The organization must monitor access in order to detect unauthorized access to and use or handling of customer information.
Making Sure You Comply
Compliance auditing your organization’s current policies and developing a comprehensive data governance strategy are the first steps to implementing the changed requirements and ensuring compliance before the go-live date. Some of the steps involved include:
- Review current data and systems standards and policies
- Consider the risks to those data and systems
- Document how controls can mitigate those risks
- Implement the disposal of sensitive consumer data that is no longer required
- Conduct employee training programs to ensure staff does not present an unnecessary risk
If certain required technical measures are feasible to implement (an example would be the required encryption), then your organization will need to develop alternatives that will comply with the new regulations.
Robust Networks has professional staff members standing by to provide consultation and IT outsourcing services that will ensure your organization’s compliance before December 9, 2022. To learn how your organization can meet the new requirements, reach out to Robust Networks today.