February 5, 2023

Volume XIII, Number 36

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

February 02, 2023

Subscribe to Latest Legal News and Analysis

Federal Trade Commission Updates Cybersecurity “Safeguards Rule” for Financial Institutions

Last week, in the culmination of a process that began in 2016, the Federal Trade Commission (FTC) issued a Final Rule to update the Safeguards Rule promulgated under the Gramm-Leach-Bliley Act. The Safeguards Rule applies to financial institutions, including non-banking companies “significantly engaged” in providing financial products or services such as mortgage brokers, automotive dealers, and payday lenders, requiring those institutions to develop and implement comprehensive security to keep their customers’ information safe.

Cyberattacks and other threats to consumer data have increased over the course of the COVID-19 pandemic, escalating regulatory scrutiny and business risks. These new changes to the Safeguards Rule largely focus on clarifying expectations for financial institutions, including:

  • More detailed requirements. The Final Rule creates clearer expectations with more detailed requirements for how financial institutions should develop and establish their information security programs, such as setting clearer requirements for employee training, establishing that risk assessments must be set forth in writing, and increasing safeguards through data encryption and authentication.

  • Qualified Individual. In order to increase accountability, the Final Rule designates one key person (to be known as the Qualified Individual) at each financial institution to be responsible for overseeing and enforcing the information security program.

  • Board reporting. Financial institutions must schedule periodic reports on the information security programs to their board of directors or governing bodies, in hopes that the programs will receive the support and resources necessary for successful maintenance.

  • Change in scope. The Final Rule expands the definition of financial institutions to include “finders”—companies that bring together the buyers and sellers of a good or service, in a move that makes the definition of financial institution more analogous to that in the Bank Company Holding Act. In addition, some financial institutions that collect information on fewer than 5,000 consumers are exempted from written risk assessment, incident response plan, and board reporting requirements.

Financial institutions regulated by the GLBA should familiarize themselves with the updated Safeguards Rule and evaluate their information security policies, focusing on ensuring they are compliant with the new requirements. The FTC also announced it is soliciting comments regarding reporting of data security incidents, signaling the possibility of additional changes in the near future.

© 2023 Dinsmore & Shohl LLP. All rights reserved.National Law Review, Volume XI, Number 305

About this Author

Caitlin Throne Law Clerk Dinsmore Law Firm
Law Clerk

Caitlin focuses her practice on corporate law. Her prior experience includes working with private equity clients to evaluate market performance and potential acquisitions. She earned her J.D. from The Ohio State University Moritz College of Law.


  • The Ohio State University Moritz College of Law  (J.D., magna cum laude, 2021)

    • Ohio State Law Journal, executive editor

    • Three CALI Awards for Excellence, including Debtor and Creditor Law

  • Carleton College  (B.A., cum laude, 2015)...

Kurt R. Hunt, Dinsmore Shohl, Regulatory Compliance Attorney, Corporate Transactions Lawyer, Ohio,

Kurt focuses his practice on telecommunications and public utilities law, advising clients on general corporate and administrative issues, regulatory compliance, transactions, privacy obligations, and intellectual property matters. He is also an experienced litigator, and routinely represents clients in state and federal courts, as well as before administrative agencies and public utility commissions.

Knowing that public utilities operate inside a highly-regulated and specialized environment, Kurt is adept at tailoring his approach to fit each...

(513) 977-8101
Christian Gonzales, banking, corporate and securities lawyer, Dinsmore law firm

Christian advises clients on various aspects of banking, corporate and securities law, including mergers and acquisitions, securities offerings, business formation, regulatory compliance, and general corporate governance matters. 

Christian has extensive experience servicing the financial sector clients ranging from multi-billion dollar financial institutions to community banks and thrifts. Christian assists financial institutions in strategic growth, M&A transactions and other critical situations, and he has a broad range of experience in...