Reclassified Businesses Can Meet FTC Safeguards Rule at Affordable Monthly Rate
Businesses have been reclassified as “financial services” by the Federal Trade Commission and need to meet information security compliance requirements by June 9, 2023 or be subject to fines and penalties.
Businesses that must now meet FTC Safeguard Rules are:
- Income Tax Preparation Firms
- Motor Vehicle Dealers
- Mortgage Lenders
- Payday Lenders
- Finance Companies
- Mortgage Brokers
- Check Cashiers
- Wire Transferors
- Collection Agencies
- Credit Counselors and other Financial Advisors
- Non-Federally Insured Credit Unions, and
- Investment Advisors that are not required to register with the SEC
As cyber-attacks continue to increase, the FTC wants businesses to increase their protection of individual financial information.
The new information security compliance requirements go beyond “perimeter” protection and now require businesses to take on building and maintaining an information security (cybersecurity) and compliance program.
“Cybersecurity and compliance go together like a lock and key. You need best practices and good cyber hygiene. You must have both working together across the organization to protect customer information, and the FTC has recognized this,” stated Robert Felps, CEO of CyberCompass.
Failing to meet a compliance requirement could result in fines of up to $43,000 per violation.
Many small businesses face a daunting challenge in meeting the FTC Safeguards Rules. It is estimated that achieving compliance with current resources, without expertise and automation, could cost over $250,000 in work hours. For example, the required penetration testing alone could run between $4,000 and $100,000.
Key FTC Safeguard Rules include:
- Conduct a written risk assessment, including details about risk criteria and how your information security program will address and mitigate risks.
- Create a written information security plan (WISP) that includes goals, a communications plan, processes, and roles and responsibilities.
- Designate or hire a “qualified individual” to oversee your information security program (Information security officer and compliance officer).
- Conduct and document a data and system inventory of all the information your organization collects, stores, and transmits.
- Implement technical and physical access controls.
- Ensure encryption of all customer information in transit and at rest and have documented retention and disposal procedures for customer information.
- Implement multi-factor authentication (MFA) for all systems containing sensitive customer information.
- Establish change management procedures for modifying information systems.
- Implement policies, procedures, and controls to monitor and log activity.
- Perform annual penetration testing, twice-yearly vulnerability assessments, and periodic vendor risk assessments.
- Provide annual reports to the Board of Directors on compliance and the organization’s cyber hygiene status.
CyberCompass recently launched its FTC Compliance as a Service (CaaS) solution, which combines expertise and automation at one-third the cost of doing it yourself, starting at $2,499 a month.
Organizations with fewer than 5,000 customers must still meet many of the requirements. CyberCompass is offering access to its proprietary automation and implementation guidance, the Navigator Package, starting at only $1,499 a month.
CyberCompass is a cyber risk management consulting and software firm. We navigate organizations through the complexity of cybersecurity and compliance at one-third the cost of full-time employees or other firms. We design, create, implement, and maintain information security and compliance programs. We provide consulting services and a cloud-based workflow automation platform that saves our clients over 65% of the time needed to become and remain cybersecure and compliant. We provide expertise and support for the following standards and regulations: CCPA, CIS-20/18, CMMC 2.0, CPA, CPRA, CTDPA, FTC Safeguard Rules, GDPR, HIPAA, ISO-27001, NIST SP 800-171, NY DFS Reg 500, SOC 2, TCPA, TPN, UCPA, and VCDPA.