On November 15, the FTC announced that covered financial institutions now have until June 9, 2023, to comply with certain updated Safeguards Rule requirements. The Commission issued this extension based on reports, including a letter from the SBA’s Office of Advocacy, that a shortage of qualified personnel to implement financial institutions’ information security programs and supply chain issues could delay security system upgrades.
As previously covered by InfoBytes, in October 2021, the FTC issued a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. Among other things, the final rule added specific criteria that financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, must meet when conducting a risk assessment and implementing an information security program. These include implementing provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response. The final rule also added measures to ensure employee training and service provider oversight are effective and expanded the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e., companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule). While many provisions of the Safeguards Rule became effective 30 days after publication in the Federal Register, certain other provisions, including requirements applicable to covered financial institutions, were set to take effect December 9, 2022.