FTC Safeguards Rule Checklist

“ Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include. Let’s take those elements step by step. Designate a Qualified Individual to implement and supervise your company’s information security program Conduct a risk assessment Design and implement safeguards to control the risks identified through your risk assessment . This is defined by the following actions: Implement and periodically review access controls Know what you have and where you have it Encrypt customer information on your system and when it’s in transit Assess your apps Implement multi-factor authentication for anyone accessing customer information on your system Dispose of customer information securely Anticipate and evaluate changes to your information system or network Maintain a log of authorized users’ activity and keep an eye out for unauthorized access Regularly monitor and test the effectiveness of your safeguards Train your staff Monitor your service providers Keep your information security program current Create a written incident response plan Require your Qualified Individual to report to your Board of Directors.”

FTC Safeguards Rule Compliance Services

The Federal Trade Commission (FTC) Safeguards Rule requires non-banking financial institutions to develop, implement and maintain an information security program with safeguards designed to protect customer information.

What is the FTC Safeguards Rule Update?

While the FTC Safeguards Rule isn’t new (It was originally released in 2003.), it did receive substantial updates in 2021. These updates were designed to help covered organizations keep up with the rapid evolution of modern technology. The original deadline for FTC Safeguards Rule compliance was December 9, 2022. However, the final deadline was extended by six months in the latest FTC Safeguards Rule update, and moved to June 9 2023.

What Does the New FTC Safeguards Rule Require?

According to the FTC’s Safeguards Rule Information Page:

“The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”

How do you know if your business is a financial institution subject to the Safeguards Rule? First, consider that the Rule defines “financial institution” in a way that’s broader than how people may use that phrase in conversation. Furthermore, what matters are the types of activities your business undertakes, not how you or others categorize your company.”

Simply put, if you are an organization that handles customer financial data, but aren’t a bank, you are probably covered by the FTC Safeguards Rule and must show compliance to avoid business disruption and fines.

Explore Cyber and Data Resilience

Cyber Risk Assessments

CCPA Compliance Assessment

Data Mapping for GDPR, CCPA and Privacy Regulations

Cyber Risk Retainer

Penetration Testing Services

Loading component...

Get a Quote

24X7 Hotline

Meet FTC Safeguards Rule Compliance Requirements and Increase Cyber Resilience with a Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Kroll retainers not only include mandatory compliance services like risk assessments and penetration testing, but also meets practical security needs like cloud security, tabletop exercises, and in the event of an incident, prioritized support.

Start Now

How Can Kroll Help?

Kroll has built the foundation and experience needed to handle any size of engagement, including for the world’s top companies in industries from media and entertainment to critical infrastructure.

We’ve developed a seasoned in-house team dedicated to providing you with the structure and management background needed to scale and adapt your FTC Safeguards Rule compliance program based on your business drivers.

Kroll also boasts a unique advantage: the insights provided by our world-class incident response practice, which feed our certified cyber experts the information they need to test against the exploits attackers are executing today.

Kroll understands that every organization has its own unique needs. This is why Kroll offers three different FTC Safeguards bundles, achieving the “right sized” offering for every organization that needs to satisfy the requirements.

Kroll’s “Right Sized” FTC Safeguards Rule Compliance Bundles

Kroll’s FTC Safeguards Rule bundles are built to take the pain and confusion out of this new set of requirements. By offering three different levels of engagement, Kroll enables covered organizations to achieve compliance with a package that fits their needs.

If your organization handles customer financial information, then you are likely to be covered under the FTC Safeguards Rule. Thanks to Kroll’s extensive background in compliance and financial engagements along with our deep expertise in cybersecurity and IT compliance frameworks, we have the scalable solution for your organization.

Loading component...

The Support Bundle

The Guide Bundle

The Manage Bundle

For organizations that choose to achieve compliance with FTC Safeguards requirements in-house but require some support.

Includes:

Rapid risk assessment
Incident response plan review
External penetration test

For organizations that require additional guidance and services to comply with FTC Safeguards requirements.

Includes:

Cyber risk assessment
External penetration test
Incident response plan review
Vendor risk management program

For organizations that require substantial guidance and managed services to comply with FTC Safeguards requirements.

Includes Guide Bundle Services and:

Oversight by an experienced vCISO over requirements such as,
- encryption
- asset inventory
- access control

Policy and procedure development
Security Culture as a Service (SCaaS)
Internal vulnerability scan

Loading component...

What Our Team Brings to the Table

100,000+ Hours of Security Testing and Assessment Work Every Year

Kroll has extensive experience with industry and compliance standards such as NIST, GDPR, CCPA, CMMC, and many others.

100+ Security Certifications across Privacy, Offensive Security, Cloud and Hybrid Systems

Our team brings the depth and breadth of expertise needed to tackle complex challenges across a variety of financial services' needs.

3,000+ Incident Response Cases Handled Worldwide Every Year

Kroll's DNA as incident response leader expands our assessments beyond compliance mandates but on actionable remediation based on frontline threat intelligence.

Loading component...

FTC Safeguards Rule Compliance

Now that you have determined that your organization is covered by the FTC Safeguards Rule requirements, you may wonder what is required to comply. Without going into all the details, we distilled the FTC Safeguards down to what serves as a handy checklist for what covered organizations need to have in place.

Loading component...

Connect With Us

Samuel P. Jacobs

Managing DirectorCyber and Data ResilienceWashington DC

samuel.jacobs@kroll.com +1 202 649 1264

Loading component...

Explore Solutions

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber- resilient.

Learn More

Threat Exposure Management

Kroll’s field-proven cyber security assessment and testing solutions help identify, evaluate and prioritize risks to people, data, operations and technologies worldwide.

Learn More

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Learn More

Cloud Security Services

Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.

Learn More

Cyber Risk Retainer

Learn More

Red Team Security Services

Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.

Learn More

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

Learn More

Cyber Governance and Strategy

Manage cyber risk and information security governance issues with Kroll’s defensible cyber security strategy framework.

Learn More

Loading component...

Let's solve for the future

Yes, I would like to receive periodic event invitations, reports and news from Kroll.

FTC Safeguards Rule Compliance Services

What is the FTC Safeguards Rule Update?

What Does the New FTC Safeguards Rule Require?

Loading component...

Meet FTC Safeguards Rule Compliance Requirements and Increase Cyber Resilience with a Cyber Risk Retainer

How Can Kroll Help?

Kroll’s “Right Sized” FTC Safeguards Rule Compliance Bundles

Loading component...

The Support Bundle

The Guide Bundle

The Manage Bundle

Loading component...

Loading component...

FTC Safeguards Rule Compliance

Loading component...

Loading component...

Loading component...

Let's solve for the future

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.

Loading component...

Loading component...

Loading component...

What is the FTC Safeguards Rule Update?

What Does the New FTC Safeguards Rule Require?

Kroll’s “Right Sized” FTC Safeguards Rule Compliance Bundles

The Support Bundle

The Guide Bundle

The Manage Bundle

FTC Safeguards Rule Compliance

Let's solve for the future

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.

Loading component...

Loading component...

FTC Safeguards Rule Compliance Services

What is the FTC Safeguards Rule Update?

What Does the New FTC Safeguards Rule Require?

Loading component...

Meet FTC Safeguards Rule Compliance Requirements and Increase Cyber Resilience with a Cyber Risk Retainer

How Can Kroll Help?

Kroll’s “Right Sized” FTC Safeguards Rule Compliance Bundles

Loading component...

The Support Bundle

The Guide Bundle

The Manage Bundle

Loading component...

Loading component...

FTC Safeguards Rule Compliance

What Your Business Needs to Know

FTC Safeguards Rule Checklist

Loading component...

Loading component...

Loading component...

Let's solve for the future

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.

Loading component...

Loading component...

Loading component...

What is the FTC Safeguards Rule Update?

What Does the New FTC Safeguards Rule Require?

Kroll’s “Right Sized” FTC Safeguards Rule Compliance Bundles

The Support Bundle

The Guide Bundle

The Manage Bundle

FTC Safeguards Rule Compliance

What Your Business Needs to Know

FTC Safeguards Rule Checklist

Let's solve for the future

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.

Loading component...

Loading component...