Security Magazine

What new regulation from the FTC means for businesses

By Boris Khazin

March 24, 2023

Regulatory bodies often release changes to their rules that widen the umbrella for the types of businesses that fall under their domain. While certain companies may have been exempt before, it’s always important to be ready should the changes redefine who qualifies. An apt example is last year’s Final Rule modifications by the Federal Trade Commission (FTC) to its Standards for Safeguarding Customer Information (Safeguards Rule). To keep pace with current technology, the FTC amended its Safeguards Rule, adding five main changes.

The most pertinent additions include an expanded definition of “financial institution” and new accountability rules requiring periodic reports to a company’s board of directors. The FTC’s changes to its Safeguards Rule seek to enforce stricter data security requirements amid increased cybercrime and mounting outcry from the public for greater protection of their sensitive information. The revised Safeguards Rule and its various provisions will be effective and financial institutions must prepare themselves accordingly.

What is the FTC Safeguards Rule?

The FTC is a federal agency that strives to protect consumers from fraudulent, misleading and prejudicial business practices by enforcing more than seventy federal laws. Should the FTC determine that an organization engaged in deceptive practices – such as a confusing privacy policy or a lack of reasonable security measures – which resulted in a data security incident, it will take appropriate action against that organization. Various rules promulgated under its authority include the Health Breach Notification Rule (HBN Rule), the Children’s Online Privacy Protection Act (COPPA) and the Safeguards Rule.

Although the Safeguards Rule took effect in 2003, the recent revisions provide more concrete guidelines. The Safeguards Rule aims to ensure that entities covered by the Rule keep – as the name implies – safeguards to protect the security of customer information. Moreover, financial institutions must develop, implement and maintain an information security program with administrative, technical and physical defenses. Additionally, the FTC requires the security program to be in writing and suitable to the size and complexity of the business in question, the nature and scope of its activities and the sensitivity of its customers’ information.

The two most relevant changes to the Safeguards Rule

One of the key revisions to the Safeguards Rule is that it expanded the definition of “financial institution” to include entities engaged in actions the Federal Reserve Board determines to be related to financial activities. The new use of “financial institution” may be broader than how the term gets used in common parlance, so be sure to research if your organization qualifies.

According to Section 314.1(b) of the Safeguards Rule, a financial institution is any entity that participates in an activity that is “financial in nature” or any of the activities described in section 4(k) of the Bank Holding Company Act of 1956. Section 314.2(h) of the Safeguards Rule lists several examples, such as mortgage lenders, finance companies, collection agencies and tax preparation firms, to name a few. Note that many of these new additions – like payday lenders – were not included when the Safeguards Rule originally took effect in 2003. The FTC’s change also adds “finders,” or companies that bring together buyers and sellers of a product or service, to the list of financial institutions.

The second noteworthy modification to the Safeguards Rule is the new accountability provisions which require a qualified individual to report to their company’s board of directors or governing body. This person's report must include an overall assessment of the organization’s compliance with its established information security program and contain specific topics such as risk assessment, test results and recommended changes to enhance effectiveness. Likewise, the report must be in writing and performed regularly or at least annually.

The underlying implication of this change is that the qualified individual will take responsibility for ensuring that everything adheres to the business’s program; should a breach occur that jeopardizes customers’ information, they could be at fault.

Information security program: Best policies, practices and solutions

Whether a company was just added to the FTC’s list of financial institutions or was already under its purview, various cybersecurity policies, practices and solutions can protect its clients’ data and minimize the risk of non-compliance. First, create a security policy and a business continuity plan. Some good habits are to diligently follow security updates and patches, encrypt all sensitive data, use anonymous data whenever possible and implement physical security measures like restricted access and fire suppression.

Be sure to perform risk assessments as often as possible, including backup, data recovery and incident response tests. Likewise, businesses should deploy solutions and tools like security monitoring, network security devices and anti-malware/antivirus software. As for the people in a company, education is the best defense against cyberattacks. Employees should also undergo training on the latest risks.

Prioritizing partnership

Though some companies might have the technical capabilities to establish an information security program in-house, others do not have that same luxury. Financial businesses must reach out to a security consultant company to comply with the Safeguards Rule and remain within the good graces of the FTC. When researching, look for a partner with extensive engineering expertise and experience designing software solutions. Similarly, check out what organizations they have assisted in the past – do they align with your company’s profile? Lastly, a security strategy must be foundational, not an afterthought, so leverage a third party with the same mindset.

KEYWORDS: cybersecurity data privacy data protection financial service security FTC regulations information security


Boris Khazin is Global Head of Digital Risk Management/Governance, Risk and Compliance at EPAM Systems. Khazin has more than 20 years of management, consulting and product development experience in the financial services and fintech sectors. During his tenure at EPAM, he has led several GRC, business intelligence, enterprise analytics and organizational capability/maturity assessments to help clients identify, define and prioritize frameworks that guide them toward a desired future state. From this, he has developed a keen understanding of opportunities and challenges that arise when organizations adapt to change.

Copyright ©2025. All Rights Reserved BNP Media.
