  • Deborah

On October 27, 2021, the Federal Trade Commission (FTC) published its Final Rule amending the Standards for Safeguarding Customer Information (Safeguards Rule). The modifications to the existing Rule include the following provisions:

  1. More detailed guidance on developing and implementing specific aspects of an overall information security program, such as access controls, authentication, and encryption

  2. Guidance to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies and the designation of a single Qualified Individual to be responsible for the information security program

  3. Exemptions for financial institutions that collect information from fewer than 5,000 customers from certain requirements, such as a written risk assessment and incident response plan

  4. Expanded definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board (FRB) determines to be incidental to financial activities, in particular companies that act as “finders”, “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate”

The Safeguards Rule requires financial institutions under the FTC’s jurisdiction to have measures in place to keep customer information secure. A supplemental notice of proposed rulemaking was also published on October 27, requesting public comment on a proposed requirement that financial institutions report security events to the FTC. The request for comments covers:

  • Appropriate deadline for reporting security events after discovery

  • Whether all security events should require notification or whether notification should be required only under certain circumstances

  • Whether such reports should be made public

  • Whether events involving encrypted information should be included in the requirement

  • Whether the requirement should allow law enforcement agencies to prevent or delay notification if notification would affect a law enforcement investigation
