FTC Safeguards Rule: Essential Guide for Business Compliance

With the updated Federal Trade Commission (FTC) Safeguards Rule in effect as of May 2024, you may be wondering: How will your firm find the extra time to check all the boxes necessary for FTC compliance? Are there any shortcuts? It’s a fair question, given all of the other demands on financial institutions, MSPs, and other service providers. 

FTC Safeguards Rule

As a quick refresher, the updated Federal Trade Commission Safeguards Rule is legislation designed to protect the availability, confidentiality, and integrity of customer data. This impacts nearly any business that handles or maintains nonpublic personal information.  

Assuming your business touches this kind of data, you may benefit from a cybersecurity provider with the capacity to support you in your compliance efforts—as either an active participant or as an advisor. (Tip: If you don’t have a clue about whether you need to worry about the FTC Safeguards Rule, your service provider can probably answer your questions about that as well.) 

8 Avenues of Support 

Here are 8 ways a cybersecurity partner can support your journey to FTC Safeguards Rule compliance: 

1. Act as a trusted liaison for all cybersecurity operations. This includes working with the designated client security officer or owner in the security solution planning, setup and operation, and coordinating communications and reporting as appropriate with that designee. 
2. Partner with risk consultants to fix system vulnerabilities. Your cybersecurity team should be able to work with your preferred information security risk consultancy or recommend a qualified provider to perform periodic risk assessments of your environment. Based on that information, your cybersecurity provider can add value by working with that respective firm to remediate any in-scope vulnerabilities. 
3. Proactively prevent threat access. Your cybersecurity partner needs to be continuously monitoring for access rights escalation/modification, unknown or undefined network devices, and applicable data encryption and data exfiltration activities. One benefit of using a SOC-as-a-Service is the opportunity to receive real-time threat detection as well as historical/trend analysis to ensure any potential threats are identified proactively. Additionally, the right SOC team will follow strict processes for change management, multi-factor system access, and secure data destruction of expired logs. 
4. Test and report on the effectiveness of safeguards. Make sure your cybersecurity provider participates operationally in both planned and unannounced client testing activity, and validates the effectiveness of the safeguards. Reporting can then be made available to measure the consistency and effectiveness of the systems and processes in place. 
5. Elevate security awareness. Comprehensive information security and awareness training is an integral part of any serious effort to safeguard data. Your training program should cover periodic and scheduled activities, as well as detailed compliance reporting. 
6. Measure security compliance. Ask your provider to help you continually measure and improve your safeguards while monitoring your compliance with information security policies and procedures. 
7. Identify threats and remediate incidents. This includes containing, eradicating, recovering, and documenting threats as they are identified. If a significant or extended outage occurs, your cybersecurity provider should be able to support your Incident Response plans and policies as an active participant throughout the incident lifecycle. 
8. Improve transparency with stakeholders. Your cybersecurity partner can provide system reporting and service activity details to the designated security officer for periodic board reporting. 

At Ostra, we enable our partners and clients to execute many Safeguard Rule requirements by directly supporting them and other service providers. If you have questions about navigating compliance, please reach out to our team today.