
Cybersecurity for FTC Compliance

MAJOR INFORMATION SECURITY DEADLINE FOR FTC COMPLIANCE

Time has run out for your business to comply with the changes to the Federal Trade Commission (FTC) Standards for Safeguarding Customer Information (the Safeguards Rule, 16 CFR Part 314). As of June 9, 2023, all non-bank financial institutions under FTC jurisdiction, including mortgage brokers, lenders, and agents, must have correctly implemented the 2021 amendments to the Rule (in force since 2003) to protect their customers’ data. Failure to do so exposes your business to FTC enforcement action, with civil penalties of $10,000 to $100,000 per consent order violation.

Acting now is vital for the financial health of your business. Working with a highly experienced and reputable IT provider is crucial to protecting it. Safeguarding clients’ data is one of the most valuable services you can offer, and choosing an IT partner with years of experience in ever-changing security standards and today’s threat landscape gives your clients added confidence that their data is secure.


Fortify IT Solutions will take the pressure off you and ensure your information security program meets the nine requirements that the Safeguards Rule says must be developed, implemented, and maintained, with a compliance deadline of June 9, 2023.

These nine requirements are:

1. Designate a qualified individual responsible for overseeing, implementing, and enforcing your business’s information security program. The Qualified Individual may be an employee of your business, an affiliate, or a service provider. Unless your company has a top-notch IT security specialist in-house, it is risky to take on this responsibility yourself.

2. Base the information security program on a written risk assessment. The assessment must include the criteria you use to evaluate and categorize the threats to customer information, to assess the confidentiality, integrity, and availability of your systems and the information they hold, and to decide how each identified risk will be mitigated.

3. Design and implement security measures to control the risks you identify through risk assessments. Required measures include:

*Implement and periodically review access controls.

*Authenticate and permit access only to authorized users to protect against unauthorized customer information acquisition.

*Limit authorized users’ access only to customer information that they need to perform their duties and functions or, in the case of customers, to access their information.

*Identify and keep an updated list of your data, personnel, devices, systems, and facilities.

*Encrypt all customer information, both at rest on your systems and in transit over external networks. Where encryption is infeasible, the Rule allows effective alternative compensating controls, provided your Qualified Individual reviews and approves them.

*Adopt secure development practices for in-house developed applications utilized by your company for transmitting, accessing, or storing customer information.

*Have procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information.

*Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.

*Develop, implement, and maintain procedures for the secure disposal of customer information no later than two years after the last date it is used in connection with providing a product or service to the customer, unless retention is required by law or by a legitimate business purpose.

*Periodically review your data retention policy to minimize unnecessary retention of data.

*Adopt procedures for change management.

*Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access.

4. Regularly test or otherwise monitor the effectiveness of your business’s safeguards, key controls, systems, and procedures, including their ability to detect actual and attempted attacks on or intrusions into information systems. The Rule accepts continuous monitoring; absent that, you need annual penetration testing plus vulnerability assessments at least every six months, whenever there are material changes to your operations or business arrangements, and whenever circumstances you know or have reason to know may have a material impact on your information security program.

5. Implement policies and procedures for properly training all personnel to keep data secure. It takes only one employee to expose sensitive client information, with potentially catastrophic financial damage to your company and its reputation. Security training for new personnel and regular security awareness training for everyone are vital to keeping pace with the growing number of threats businesses face today.

6. Oversee all service providers by selecting and retaining providers capable of maintaining appropriate safeguards for customer information, requiring those safeguards by contract, and periodically assessing each provider for the risk it presents and the adequacy of its protections against the Rule’s requirements.

7. Evaluate and adjust your information security program to keep it up to date as new threats emerge. 

8. Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control.

Incident response plans shall address the following: 

*The goals of the incident response plan.

*The internal processes for responding to a security event.

*The definition of clear roles, responsibilities, and levels of decision-making authority.

*External and internal communications and information sharing.

*Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.

*Documentation and reporting regarding security events and related incident response activities.

*The evaluation and revision as necessary of the incident response plan following a security event. 

9. Your Qualified Individual must report regularly and at least annually to your board of directors or equivalent governing body in writing. If no such board of directors or equivalent governing body exists, such a report shall be timely presented to a senior officer responsible for your information security program. 

The report shall include the following information:

*The overall status of your information security program and your compliance with the Safeguards Rule.

*Materials related to the information security program, addressing issues such as risk assessment, risk management, control decisions, service provider arrangements, results of testing, security events or violations, and management’s responses with recommendations for changes in the information security program.
