The Federal Trade Commission (FTC) has announced sweeping updates to a set of existing requirements, called the Safeguards Rule, which aim to ensure that financial institutions secure consumer data.
The Safeguards Rule, established 19 years ago, mandates that financial institutions develop information security programs to better protect the collection, storage and transmission of sensitive data - including customers' bank account and Social Security information. Under the FTC’s modifications, announced on Wednesday, the criteria for these programs are fleshed out in more detail, and the rule now extends to non-banking financial institutions, such as mortgage brokers. An FTC spokesperson said that these changes are part of the FTC’s periodic review of its rules, in order to ensure they “keep up to date with technological and other changes in the marketplace.”
“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”
As part of the recent changes, the FTC has detailed how financial institutions can develop and implement the required information security programs, by pointing to the specific criteria that need to be in place. Under these criteria, for instance, organizations need to make sure they limit who can access consumer data and use encryption to secure the data. Another change will hold financial institutions more accountable for securing consumer data, with the FTC now requiring each organization to designate a “qualified” individual to oversee the program and give periodic reports on the program to a board of directors. Financial companies are now also required to explain their information-sharing practices - including the technical and physical safeguards used to collect, store and distribute data.
In another significant change, the Safeguards Rule will be extended to include non-banking financial institutions that are “engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” These institutions, such as mortgage brokers, motor vehicle dealers and payday lenders, are now required to create their own security programs under the new rule. At the same time, the FTC has also exempted financial institutions that collect less customer data - specifically those that collect data from fewer than 5,000 consumers - from certain requirements, such as written risk assessments, incident response plans or the annual reporting to a board of directors.
The FTC voted 3-2 to adopt the Safeguards Rule updates, with some commissioners expressing concerns about a lack of data demonstrating that the changes would actually translate into better protections for consumer data.
“The new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions,” according to a joint statement by commissioners Noah Joshua Phillips and Christine Wilson, who opposed the updates.
Moving forward, the FTC is looking for further comments on making additional changes to the rule that would require financial institutions to report certain data breaches, and other security incidents, to the commission.
The Safeguards Rule was first mandated by Congress under the Gramm-Leach-Bliley Act, which provides a framework for data security regulations for financial institutions, such as giving customers information on privacy practices or their ability to opt out of certain data collection processes. In 2019, the FTC started to collect feedback on proposed changes to the Safeguards Rule. This week’s updates are the result of the input received since then, with the aim of bringing the rules up to date for an industry rocked by security incidents, from business email compromise to malware attacks.
In 2020, the financial services sector was the top attacked industry, with cybercriminals utilizing malware like Ramnit, Trickbot and Qakbot to target financial organizations. Researchers with IBM X-Force said earlier this year that they observed the finance industry experiencing the highest number of server access attacks - primarily related to a Citrix vulnerability (CVE-2019-19781) - in comparison to other industries in 2020.
Nick Rossmann, global threat intelligence lead with IBM X-Force, said that cybercriminals view financial organizations as a "goldmine," which is why the finance and insurance sector has been the most attacked industry since 2016, and made up 23 percent of all attacks that IBM X-Force observed in 2020.
"Financial services organizations hold valuable, monetizable data for millions of consumers," said Rossmann. "Not only can attackers gain direct access to a consumer's accounts, but they can likely get ahold of financial information that is used across multiple financial accounts, opening pathways to compromise other financial institutions and their customers."