top of page
  • Deborah

On October 27, 2021, the Federal Trade Commission (FTC) published its Final Rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule) containing modifications to the existing Rule including the following provisions:


  1. More detailed guidance on developing and implementing specific aspects of an overall information security program, such as access controls, authentication, and encryption

  2. Guidance to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies and the designation of a single Qualified Individual to be responsible for the information security program

  3. Exemptions for financial institutions that collect information from less than 5,000 customers from certain requirements such as a written risk assessment and incident response plan

  4. Expanded definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board (FSB) determines to be incidental to financial activities, in particular, companies that act as “finders”, “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate”


The Safeguard Rule requires financial institutions under FTC’s jurisdiction to have measures in place to keep customer information secure. A supplemental notice of proposed rulemaking was also published on October 27, requesting public comment on a proposal for a requirement that financial institutions report security events to the FTC. The request for comments includes:

  • Appropriate deadline for reporting security events after discovery

  • Whether all security events should require notification or whether notification should be required only under certain circumstances

  • Whether such reports should be made public

  • Whether events involving encrypted information should be included in the requirement

  • Whether the requirement should allow law enforcement agencies to prevent or delay notification if notification would affect law enforcement investigation


Recent Posts

See All

Information, Communication Technology (ICT) systems, generally includes all hardware, software, applications and systems that combined enable people and organizations to communicate digitally. ICT enc

25 January 2023 - Comments requested on Financial Conduct Authority (FCA) proposed Sustainability Disclosure Requirements (SDR) and investment labels. 6 February 2023 - Comment period closes for the u

Last November, 2022 the Bank for International Settlements (BIS) and the International Organization of Securities Commissions (IOSCO) published their Level 3 assessment of cyber resilience on 37 Finan

bottom of page