When the Federal Trade Commission (FTC) amended the Safeguards Rule (16 CFR Part 314) in 2021, some of the new provisions were set to become effective December 9, 2022 (16 CFR 314.5). In light of economic disturbances from the COVID-19 pandemic that exacerbated supply chain issues and caused delays in the availability of information security systems, as well as a shortage of qualified information security workers to implement such systems, the FTC has announced they will extend this deadline until June 9, 2023.
The Safeguards Rule provisions impacted by this six-month extension include requirements that financial institutions:
- designate a qualified individual to oversee, implement and enforce their information security program
- develop a written risk assessment
- implement access controls, with multi-factor authentication, so only authorized users can access customer information, and limit such access to the information a user needs to perform their job
- encrypt all customer information
- implement continuous monitoring of information systems, or periodic penetration testing and vulnerability assessments
- provide information security training to personnel
- write an incident response plan
- periodically assess the security risks presented by service providers
Please contact counsel to understand how these new rules and the deadline extension affect you.