The FTC recently announced a final rule updating its GLBA Safeguards Rule to “strengthen the data security safeguards” of consumer financial information. The FTC reported that it was making these changes in response to widespread data breaches and cyberattacks.  As we reported in our sister blog, the changes will mean that a broad range of non-banking financial institutions may need to make updates to their data security policies and procedures. The new requirements go into effect in November 2022.

The final rule adds specificity to the existing rule’s requirements around data security measures. The update specifies several measures entities need to have in place. This includes having access controls, authentication and encryption as part of the organization’s overall information security program. It also requires them to have a single qualified individual to oversee their information security program. The update adds a requirement of periodic reports to boards of directors, having a written risk assessment and incident response plan, as well as conducting periodic assessments of service providers.

The update also expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”– companies that bring together buyers and sellers of a product or service – within the scope of the Rule.

Putting It Into Practice:  Covered non-banking financial institutions should review their current data security measures to ensure they address the new specifics outlined in the update to the Safeguards Rule. These include access authentication, a person in charge of security measures, and service provider assessments.