Accountants Navigating the FTC Safeguards Rule

As the compliance deadline of June 9, 2023 approaches, accountants must ensure they’re adhering to the Federal Trade Commission (FTC) Safeguards Rule. This can be a daunting task, but there are ways you can streamline the process. In this article, we’ll discuss the nine requirements of the Safeguards Rule and provide tips for compliance.

What is the purpose of the FTC Safeguards Rule?

The FTC Safeguards Rule was put in place to protect consumer financial information. The rule was initially set in 2002, without any strict compliance deadlines or requirements.

Originally, it was more of a “Here’s what you should do”; now it is a “You are required by law to adhere to these rules.”

Who does the FTC Safeguards Rule apply to?

The Federal Trade Commission (FTC) Safeguards Rule is a critical regulation that applies to financial institutions and businesses handling customer information. Under the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule requires these organizations to develop, implement, and maintain a comprehensive information security program to protect the privacy and security of customer data. 

The Safeguards Rule applies to a wide range of entities that qualify as financial institutions. These include banks, credit unions, mortgage lenders, insurance companies, investment companies, and payday lenders. 

Additionally, non-banking institutions that offer financial products or services to consumers, such as tax preparers, financial advisors, loan brokers, and debt collectors, are also subject to the Safeguards Rule. 

Moreover, businesses that receive customer information from financial institutions, like credit reporting agencies or third-party service providers, must comply with the rule as well. This could include contractors that allow financing of their projects through third parties. 

The rule of thumb: If you collect financial information about your clients in any capacity, the FTC Safeguards Rule applies to you.

This rule ensures that organizations that collect, store, process, or transmit sensitive customer information maintain a robust security framework to protect against unauthorized access, use, or disclosure of such data.

FTC Safeguards Rule requirements

Again, there are nine requirements of the FTC Safeguards Rule. You can review these in more depth below. 

Requirement 1: Designate a qualified individual/provider

To ensure the effective management of your company’s information security program, you must designate a qualified individual or provider responsible for its implementation and supervision. This person should have the necessary knowledge and experience in information security. A good barometer of qualification is being able to point to real-world experience in executing an information security program (ISP). Because the risk of failure is high, avoid designating someone who would be executing their first ISP at your company.

Tip for accountant compliance: Carefully select a qualified provider, considering their technical expertise and commitment to maintaining the security of your company’s information. Check for certifications and awards. This choice has a trickle-down impact on the remaining eight requirements.

Requirement 2: Conduct a risk assessment

A thorough risk assessment is essential for identifying potential vulnerabilities in your information security program. This assessment should include an evaluation of risks in each relevant area of your business operations. Have the qualified individual/provider list out the potential items to check along the way. A provider with a checklist for compliance is a good start. Nothing is one-size-fits-all, but you want to know that they know what they are doing.

Tip for accountant compliance: Regularly conduct risk assessments and involve the qualified provider in the process to ensure you address all potential vulnerabilities.

Requirement 3: Implement safeguards

Once your provider identifies potential risks, design and implement safeguards to control them. Tailor these safeguards to your business’s specific needs, and update them regularly to address new risks. Purchase the necessary software and security tooling, and make changes in accordance with the regulations as well as best practices.

Tip for accountant compliance: Consult with your qualified provider to develop appropriate safeguards and ensure they are effectively controlling the identified risks.

Requirement 4: Monitor and test safeguards

To guarantee the effectiveness of your safeguards, regularly monitor and test them. This will help ensure that they are functioning properly and addressing the risks identified during the risk assessment process. The FTC requires items like intrusion detection systems (IDS) and remote monitoring and management (RMM) software to continuously monitor what is happening on the cyber front of your business.

Tip for accountant compliance: Automate monthly reports to your email so you can always have a reminder to look at what is happening.

Requirement 5: Train your staff

Staff training is crucial for the success of your information security program. Your employees should be aware of your firm’s security policies/procedures and understand their role in protecting sensitive information.

Tip for accountant compliance: Implement regular staff training sessions and be sure to involve the qualified provider in the development and delivery of the training materials.

Requirement 6: Monitor your service providers

Ensure that your service providers also maintain the appropriate safeguards to protect your sensitive information. Regularly monitoring their compliance with the Safeguards Rule is essential. Ask to view their ISP and have details on how they protect your data. Many breaches come from third-party vendors, so vetting them is as important as vetting your employees.

Tip for accountant compliance: Establish a system to monitor your service providers’ compliance with the Safeguards Rule and involve your qualified provider in the process.

Requirement 7: Keep your information security program current

To maintain compliance with the FTC Safeguards Rule, keep your information security program current. This involves regularly reviewing and updating your policies, procedures, and safeguards to address new risks and industry developments. A good rule of thumb is to update whenever there are material changes in the organization, such as a new server, new management, or new software protection packages.

Tip for accountant compliance: Schedule periodic reviews of your information security program with the involvement of your qualified provider to ensure it remains current and effective.

Requirement 8: Create a written incident response plan

A written incident response plan is essential for addressing potential security breaches. This plan should outline the steps to take in the event of a security incident and should be readily accessible to all employees. Being proactive and knowing what to do before a breach occurs will be crucial in the stressful event of a cyber incident. Include your insurer, law enforcement, and your qualified provider in the plan.

Tip for accountant compliance: Develop a comprehensive incident response plan and be sure to involve your qualified provider in its creation and implementation.

Requirement 9: Report to your board of directors

Require the qualified provider to report regularly to your company’s Board of Directors on the status of your information security program. This ensures that the board is informed of any potential risks or compliance issues and can provide guidance on necessary actions.

Tip for accountant compliance: Establish a reporting schedule for your qualified provider to present updates on the information security program to the Board of Directors, promoting transparency and accountability.

Ensuring compliance with the FTC Safeguards Rule

Complying with the FTC Safeguards Rule may seem overwhelming, but following the nine requirements outlined in this article and checking for certifications (like CCISO, Safeguards Certified Technology Provider, or HIPAA Compliant) can aid your due diligence.

By designating a qualified provider, conducting risk assessments, implementing and monitoring safeguards, training staff, and keeping your information security program current, you can protect your sensitive information and adhere to the regulations.

To assist you in achieving compliance, download the definitive guide to Easy FTC Safeguards Compliance here.

These views are made solely by the author.

This is not intended as legal advice; for more information, please click here.