In today’s interconnected world, where data is the driving force behind businesses and cyber threats are constantly evolving with the advancement of technology, safeguarding customer information has become more critical than ever before. Recognizing this, the Federal Trade Commission (FTC) has introduced amendments to the Safeguards Rule to enhance data security and protect customer privacy.
So what exactly is the Safeguards Rule?
The Safeguards Rule, established by the Federal Trade Commission (FTC) in 1999 under the Gramm-Leach-Bliley Act (GLBA), is a federal regulation initially designed for financial institutions to ensure the security and confidentiality of customer information held by financial institutions.
Since its establishment, the FTC has amended the Safeguards Rule several times. Starting from June 9th, 2023, it is no longer limited to financial institutions but also applies to businesses of all sizes that regularly transfer money to and from consumers. These businesses are required to comply with the Rule's requirements, which in turn affects how MSPs protect their clients’ data.
Who is Required to Take Action?
- Mortgage Brokers
- Automobile Dealerships
- Tax Preparation Firms
- Travel Agencies
- Real Estate Appraisers
- Payday Lenders
And many other businesses.
The Core Requirements & How They Impact MSPs
Here are the eight elements that a company’s information security program must include according to the Safeguards Rule:
Appoint a Qualified Security Person
A qualified employee or an external party must be appointed to implement and supervise a company’s information security program; in this case, that party would be an MSP. Because MSPs handle sensitive information on behalf of their clients, this team or individual must have sufficient training and knowledge in information security, must receive ongoing security education to stay up to date, and must ensure that teams execute the information security plan correctly from end to end.
Conduct Risk Assessments & Control Identified Risks
Before creating an effective information security program, it is crucial to have a comprehensive understanding of the data a company holds and where it is stored. That’s where a risk assessment comes in. The assessment identifies potential internal and external threats and risks to customer information, and it must be repeated on an ongoing basis to recognize newly emerging threats.
By implementing cybersecurity solutions like Guardz, MSPs and businesses can conduct ongoing risk assessments to identify potential vulnerabilities and risks associated with customer data. This involves assessing their own systems and external attack surface, as well as evaluating the security practices of their third-party vendors and service providers.
Safeguards required to control identified risks from the assessment:
- Limited access to sensitive customer information
- Encryption of sensitive customer information in transit or at rest
- Frequent inventory of data
- Evaluation of own or third-party apps
- Implementation of multifactor authentication (MFA)
- Secure disposal of customer data
- Monitoring authorized user activity
- Evaluation of changes to network or data
Conduct Periodic Assessments
MSPs must continuously monitor and test their information security program. This includes regularly monitoring the network for vulnerabilities or unauthorized access attempts, conducting penetration testing to identify weaknesses, and performing security assessments to confirm compliance with the Safeguards Rule. By maintaining a robust monitoring and testing framework, MSPs can proactively detect and address security vulnerabilities.
Implement Employee Awareness Training
MSPs have a responsibility to educate their employees and their clients’ employees to promote a culture of security within the organizations they serve. By providing employees with the knowledge and skills to identify and respond to security incidents, MSPs contribute to a more robust overall security posture and help protect sensitive information from potential breaches or unauthorized access.
Monitor Service Providers
The requirement to monitor service providers directly impacts MSPs, since MSPs are themselves service providers and often rely on third-party providers to deliver various services to their clients. Therefore, it is important for MSPs to have the necessary skills and experience to implement and maintain appropriate safeguards for clients’ data and systems.
To make MSPs’ lives simpler, a holistic cybersecurity solution like Guardz covers the top attack vectors, such as email, cloud apps, browsers, devices, external exposure, and employee culture, and also provides cyber insurance in a single platform, so MSPs only need to monitor one provider instead of many at once. By consolidating security efforts with a single provider, MSPs can more effectively oversee security expectations for their clients and ensure compliance with them.
Keep Your Information Security Program Current
Maintaining an up-to-date information security program that adapts to the ever-changing landscape of threats and circumstances is essential. MSPs must communicate and collaborate with their clients to keep their information security programs current. This involves sharing insights gained from ongoing risk assessments, staying informed about changes in client operations, and recommending necessary adjustments to security measures.
Develop an Incident Response Plan
MSPs are responsible for creating a comprehensive incident response plan that outlines the specific steps to be taken during a security incident. This includes defining procedures for containing the incident, minimizing its impact, and restoring normal operations as quickly as possible. If required, the plan should also address the necessary notifications to affected parties, such as clients, regulatory bodies, and law enforcement. The incident response plan should be tested and updated to ensure its effectiveness in addressing various types of security incidents.
With the June 9th date approaching, it is crucial for businesses subject to the FTC’s rules that hold customer data to prioritize the implementation of robust security controls in accordance with the Safeguards Rule. By adhering to these measures, MSPs and businesses can protect the confidentiality of customer information, mitigate the risk of data breaches and unauthorized access, and ensure compliance with the Rule.