Cybersecurity services and solutions to protect customer data and maintain FTC Safeguards Rule compliance.
Is Your Company Compliant with The New FTC Rule Changes?
Changes to an important Federal Trade Commission (FTC) Rule shine a light on the information security practices of mortgage brokers, lenders, and agents. Protecting customer information is at the core of the FTC Standards for Safeguarding Customer Information, also known as the Safeguards Rule. The FTC amended the 2003 Rule in 2021 to keep pace with current technology. The revised Rule provides updated, concrete guidance for businesses and requires companies covered by the Rule to implement specific security measures to keep customer data secure.
Here's what you need to know.
Is My Company Required To Comply With The Safeguards Rule?
According to Section 314.1(b), mortgage brokers, lenders, and agents are considered financial institutions. The Rule goes on to say that "a mortgage broker is a financial institution because brokering loans is a financial activity."
What Actions Should We Take To Be Compliant?
The Safeguards Rule requires your company to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards designed to protect your customers' information. Brokers that don't comply by June 9, 2023 face penalties of up to $46,517 per violation of a consent order. The FTC can take an expansive view of what counts as a violation, depending on the circumstances, particularly when multiple customer records are involved.
The three main objectives of your information security plan are:
- Ensuring the security and confidentiality of customer information;
- Protecting against anticipated threats or hazards to the security or integrity of that information; and
- Protecting against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
Customer information refers to any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or another form, that you or your affiliates handle or maintain (or that is handled or maintained on your behalf).
The size and complexity of your company, the nature and scope of your activities, and the type of data and information you collect will determine what must be included in your information security program.
Nine Elements Of The Safeguards Rule
The Safeguards Rule identifies nine elements that your company’s information security program must include. Goliath Cyber has services and solutions to help with all or any combination of your company’s needs to ensure compliance.
The components of the Rule and Goliath Cyber’s solution to meet the requirements involve:
1. Designating a Qualified Individual to implement and supervise your company's information security program. The Qualified Individual can be an employee of your company, or a senior team member can direct and oversee an affiliate or service provider like Goliath Cyber that fills the role; either way, your company remains responsible for the program.
2. Conducting a Risk Assessment. Your risk assessment must be written and include criteria for evaluating those risks and threats. Because the risks to information constantly change, the Safeguards Rule requires companies to conduct periodic reassessments as operations change and new threats emerge. Goliath Cyber can conduct the initial and periodic assessments to ensure compliance.
3. Designing and implementing safeguards to control risks identified through your risk assessment. Requirements include:
- Reviewing access controls
- Conducting a periodic inventory of data, noting where it’s collected, stored, or transmitted
- Keeping an accurate list of all systems, devices, platforms, and personnel
- Designing your safeguards to respond with resilience
- Encrypting customer information on your system and when it’s in transit
- Assessing the security of apps that store, access, or transmit customer information, including third-party apps and implementing procedures for evaluating their security
- Implementing multi-factor authentication for anyone accessing customer information on your system
- Disposing of customer information securely
- Anticipating and evaluating changes to your information system or network
- Maintaining a log of authorized users’ activity and keeping an eye out for unauthorized access.
Our experts provide Cyber Advisory services along with being your Managed Security Services Partner (MSSP). We’ll be your team to help keep your company in compliance, so you can focus on running your business.
4. Regularly monitoring and testing the effectiveness of your safeguards, either through continuous monitoring of your system or through annual penetration testing combined with vulnerability assessments at least every six months. When your organization takes the opportunity to see its security posture through the eyes of its most significant threat, you can find and close the gaps an attacker would use to take over your infrastructure. Goliath Cyber helps you discover exploitable flaws in your security through our vulnerability scanning, assessment, ransomware simulation, and penetration testing options.
5. Training your staff. Your company’s security program is only as effective as its least vigilant staff member, and Goliath Cyber can help train your team to spot risks and safeguard customer data.
6. Monitoring your service providers. Your contracts must spell out your security expectations, provide ways to monitor your service provider's work, and require periodic reassessments of their suitability for the job. Goliath Cyber will work with your company to cover all the bases, so your contracts are compliant.
7. Keeping your information security program current. Security requirements change, and security programs must be flexible enough to accommodate necessary modifications. Goliath Cyber offers our Cyber Advisory services to ensure you are staying on top of any changes and requirements needed.
8. Creating a written incident response plan that includes:
- Internal processes your company will activate in response to a security event
- Clearly defined roles, responsibilities, and levels of decision-making authority
- How communications and information are shared inside and outside the company
- The process to fix identified weaknesses in your systems and controls
- Procedures for documenting and reporting security events and your response
- How an incident will be reviewed, and how you’ll revise your incident response plan and information security program based on what was discovered
Goliath Cyber's Advisory Services can help build and maintain this plan as you grow, while also offering Incident Response Management if an incident arises.
9. Requiring your Qualified Individual to report to your Board of Directors or governing body in writing, at least annually. If your company doesn’t have a Board or equivalent, the report must go to a senior officer responsible for your information security program.
The report should address:
- An overall assessment of your company’s compliance with its information security program.
- Specific topics related to the program such as risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.
Goliath Cyber’s Advisory Services can help navigate this requirement and take on as much of this role as needed.
Don’t Wait To Protect Your Company And Your Customers From Cybercrime.
The importance of cybersecurity goes beyond the Rule. Cyber incidents like ransomware or data breaches can take a mortgage broker's computers offline, making business-as-usual impossible. If a customer's data is breached, they could be at risk of identity theft and other scams.
You can learn more about the Safeguards Rule and general guidance on data security on the FTC’s website. Reach out to Goliath Cyber with your compliance questions and learn how our comprehensive Services, Solutions and Expert Team can protect your business.
We are offering a free Cyber workshop for mortgage brokers, lenders, and agents as a starting point.