IT Examiner School - Oct 2023
Internal Use Only
Regulations & Guidance – Non-Depository
16 CFR Part 314 of the FTC Rules and Regulations – “Standards for Safeguarding Customer Information”
• The “Safeguards Rule”, which took effect in 2003, is designed to ensure that covered entities maintain safeguards to protect the security of customer information
• It applies to financial institutions subject to FTC jurisdiction and that aren’t subject to enforcement authority of another regulator under Section 505 of the Gramm‐Leach‐Bliley Act, 15 U.S.C. § 6805.
• In December 2021, the FTC amended the Safeguards Rule to keep pace with current technology.
Source: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
Regulations & Guidance – Non-Depository
Section 314.4 of the Safeguards Rule identifies 9 elements that a company’s ISP must include:
• Designate a qualified individual to implement & supervise the InfoSec program
• Conduct a risk assessment
• Design & implement safeguards to control risk identified by the risk assessment
• Regularly monitor & test the effectiveness of those controls
• Train staff
• Monitor service providers
• Keep the program current
• Create a written Incident Response Plan
• Require the qualified individual to report to the Board