As part of the Federal Trade Commission's (FTC) recently updated Safeguards Rule, financial institutions such as auto dealerships will be required to follow new guidelines for developing, implementing, and maintaining information security programs.
While the original due date required covered institutions to comply with the amendments by December 2022, the FTC granted a six-month extension. Reports indicated that smaller institutions might have struggled to meet the original December deadline due to factors such as a shortage of qualified experts needed to implement the information security programs and difficulty obtaining the necessary equipment because of supply chain disruptions.
Covered institutions will be required to comply by the new deadline: June 9, 2023.
The FTC first created the Safeguards Rule in 2003 for the purpose of protecting consumer information. Because technology has advanced significantly since its inception, the Safeguards Rule was updated in 2021 with amendments that set out core data security principles that any FTC-covered entity needs to implement.
One of the most notable changes made was a requirement for employee training programs and third-party audits to verify whether a vendor complies with these guidelines.
To properly comply with the Safeguards Rule, the following elements must be included in an information security program, as described by Section 314.4:
Under the Safeguards Rule, covered institutions will be required to oversee their vendors. By following best practices for third-party risk management and following the vendor risk lifecycle, the process can be more easily streamlined.
| Safeguards Rule Requirement | Vendor Risk Management Lifecycle Activities | Lifecycle Stage |
|---|---|---|
| 1. Select and keep service providers that maintain appropriate safeguards for customer information | | |
| 2. By contract, require your service providers to implement and maintain such safeguards | | |
| 3. Assess your service providers on an ongoing basis, based on the level of risk they bring to your organization and the continued adequacy of their safeguards | | |
By implementing best practices for third-party risk management and following the steps of the vendor risk lifecycle, your team can start off on the right foot for complying with the requirements set out by the Safeguards Rule.
Remember: your processes must be repeatable, so that your team can apply the same process to every vendor and third-party provider it uses in the future. This includes using a standardized risk questionnaire, performing thorough due diligence, and documenting any issues that arise during the assessments.
Third-party risk management activities such as ongoing monitoring and assessments are more than just regulatory requirements. They are critical to protecting your institution from any risks that emerge during the vendor relationship.
Financial institutions covered by the FTC will need to take the proper steps and ensure that they comply with the amendments to the Safeguards Rule by June 2023. As part of these amendments, institutions will need to follow third-party risk management best practices for assessing their vendors, identifying potential risks, and developing controls that are capable of protecting their private information and customer data. While third-party risk management can be difficult and expensive, especially for smaller organizations, having a sufficient and repeatable process is essential to protect against vendor risks and severe threats.