FTC COMPLIANCE DONE FOR YOU
Get A FREE No-Obligation Technology and FTC Assessment

NEW AMENDMENTS TO THE FEDERAL TRADE COMMISSION LAW

In November 2023, New York updated its cybersecurity law, FTC 23 NYCRR 500, affecting all financial firms in the state, and those financial companies nationwide with customers from New York.
With the April 15th compliance deadline near, it’s important to understand and apply these new changes.

What do you need to comply with?

The amendments have expanded the number of, and scope of cybersecurity requirements for compliance. Each part of the Federal Trade Commission’s Safeguards Rule has been further defined and specified with additional details. The expanded implementation necessities regarding each section’s cyber requirement have been noted below.

BEFORE:

Designate an Employee to Coordinate Information Security Program (Rule 314.4(a))

Conducting a Risk Assessment (Rule 314.4(b))
  • Assess risks in each relevant area of operations, including employee training and management; information systems; and detecting, preventing, and responding to attacks, intrusions, or other system failures.


Design and Implement Information Safeguards to Control Risks Identified through Risk Assessment Regularly (Rule 314.4(c))

Reasonable and Actionable Steps to Select and Retain Service Providers to Maintain Safeguards (Rule 314.4(d))
  • Including requiring service providers by contract to implement and maintain such safeguards.


Evaluate Information Security Program and Adjust based on Testing (Rule 314.4(e))
  • Including any time a material change to operations or business arrangements affects your information security program.

AFTER: NEW REQUIREMENTS AS OF JUNE 2023

Over NINETY new definitions have been added to the Safeguards Rule, each with a detailed explanation.

Designating a Qualified Individual (Rule 314.4(a))
  • Appoint a qualified individual to oversee and implement the information security program.
  • The Qualified Individual must have information security training, partake in continuing education, and ensure the organization’s compliance.
  • If using a service provider or affiliate, ensure they maintain a program meeting these standards.
  • Senior personnel must oversee the Qualified Individual.


Conducting a Risk Assessment (Rule 314.4(b))
  • Conduct written risk assessments to identify and control risks to customer information.
  • Include criteria for evaluating security risks and assessing existing controls.
  • Periodically reevaluate risks and update risk assessments.
  • Reassessment is recommended at minimum yearly, and ideally quarterly or even monthly.


Implementing Security Controls (Rule 314.4(c))
  • Implement controls to manage identified risks.
  • Use encryption for customer information in transit and at rest, or employ alternative controls if encryption is infeasible.
  • Restrict access to authorized users only.
  • Adopt secure development practices for in-house and external applications.
  • Require multi-factor authentication for system access.
  • Develop procedures for secure data disposal and minimize data retention.


Testing and Monitoring Safeguards (Rule 314.4(d))
  • Regularly test and monitor the effectiveness of safeguards.
  • Conduct annual penetration testing and bi-annual vulnerability assessments.


Training Staff in Cybersecurity (Rule 314.4(e))
  • Provide security awareness training to personnel.
  • Employ qualified information security personnel.
  • Ensure information security personnel are up-to-date with security threats.
Monitoring Service Providers (Rule 314.4(f))
  • Select service providers capable of maintaining appropriate safeguards.
  • Require service providers to maintain safeguards contractually.
  • Regularly assess service providers based on risk and safeguards’ adequacy.
  • Based on the NIST cybersecurity standard.


Evaluating and Adjusting Your Cybersecurity Program (Rule 314.4(g))
  • Regularly evaluate and adjust the information security program based on test results, operational changes, risk assessment outcomes, or other relevant factors.
  • Review at minimum annually.


Establishing an Incident Response Plan (Rule 314.4(h))
  • Establish a written plan for responding to security events.
  • Include goals, response processes, roles, communication strategies, and remediation requirements.
  • Regularly review and update the incident response plan, at minimum annually.


Reporting Cybersecurity Data and Progress Annually (Rule 314.4(i))
  • The Qualified Individual must report annually to the board of directors or a senior officer.
  • The report should include the status of the information security program and address key issues like risk management, service provider arrangements, and security events.


FTC COMPLIANCE DONE FOR YOU

Let us handle all of the paperwork and implementation that will bring your company into Full FTC Compliance, alongside technical optimization so you run more smoothly than ever before.


Hand off the stress and frustration of FTC Compliance to an expert Cybersecurity and Compliance Team that works specifically with companies like yours and understands your unique day-to-day business operations and technical needs.


Start with a FREE No-Nonsense Technology and FTC Compliance Assessment to learn where you stand and what you need. You also need one to certify proof of FTC Compliance, so it’s two birds with one stone: knowledge and power.


Claim your FREE No-Nonsense Technology and FTC Compliance Assessment by CLICKING HERE.

5 BIGGEST CHANGES TO FTC LAW

Multi Factor Authentication

  • Utilize MFA for local access to laptops and computers.
  • Also for remote access, Office 365, and more.
  • App- or token-based MFA is preferred; text-based MFA is no longer considered secure or recommended.

Endpoint Security

  • Endpoint security is a cybersecurity approach that focuses on protecting individual devices, such as computers, smartphones, and servers, from various cyber threats like malware and unauthorized access.
  • It encompasses a combination of measures such as firewalls and intrusion detection systems to secure these devices and safeguard an organization's data and network integrity.

Asset Management and Application Control

  • Must be able to track owner, location, sensitivity, support expiration date, and recovery time objectives for EACH asset (laptop, phone, PC).
  • Regularly update and validate the asset inventory.
  • Maintain a policy for secure disposal of nonpublic information.
  • Have in place the ability to scan for and detect malicious applications and prevent them from being installed on systems.

Penetration Testing

  • By simulating real-world cyberattacks, it provides a critical means for agencies to discover and rectify security weaknesses, ultimately improving overall security posture, reducing the risk of breaches, and safeguarding sensitive data and customer trust.

PROOF OF CYBERSECURITY IMPLEMENTATION

  • Certifies that the entity complied during the prior calendar year.
  • Must provide data and documentation to accurately demonstrate compliance in the form of reports, certifications, or otherwise.
  • Signed by the CISO (Chief Information Security Officer) and the responsible CEO.

PENALTIES

Companies can face exorbitant fines of up to $100,000 per violation for non-compliance. Beyond the immediate financial setback, non-compliance can also lead to crippling business disruptions and audits. Moreover, companies may face legal action if data might have been compromised.

Entities must now also report to DFS where they are NOT in compliance.

ALIGNMENTS WITH OTHER REGULATIONS:

The FTC Safeguards Rule mirrors New York’s Department of Financial Services 23 NYCRR 500 law and NAIC’s Model Laws in several aspects. These regulations collectively advocate for comprehensive cybersecurity programs to protect sensitive customer information.
Like the Safeguards Rule, both 23 NYCRR 500 and NAIC Model Laws, which are already implemented in 22 states, focus on risk assessments, implementing security controls, employee training, and incident response planning.

Our Free Compliance Assessment Will Give You The Answers You Want, The Certainty You Need.

This Assessment will provide verification from a Qualified Third Party of your FTC Compliance posture, whether or not your current IT company is doing everything it should be, and whether your business is at serious risk of hacker attacks, data loss, and extended downtime, as well as how to solve these issues.

Walter Contreras, registered FTC instructor, cybersecurity expert, and CEO of Motiva Networks, understands how the world’s digital transformation is impacting small to medium-sized businesses. With over 25 years of experience in information technology and cybersecurity, his vision is clear: safeguarding and strengthening the digital backbone of business owners.
