The Federal Trade Commission
Understanding the New FTC Safeguards Rule: A Guide for Insurance Agencies

The Federal Trade Commission (FTC) has amended its Safeguards Rule, ushering in a new era of stringent cybersecurity requirements for insurance agencies starting today, June 9th, 2023.  

In an age where data breaches and cyber-attacks are becoming increasingly prevalent, these changes are crucial for safeguarding sensitive customer information. Let’s break down the key aspects of this rule and its alignment with other existing regulations. 

Key Requirements of the FTC Safeguards Rule

  1. Designating a Qualified Individual (Rule 314.4(a))

It’s vital to appoint a qualified individual responsible for overseeing your organization’s written information security plan. This individual must have proper training in information security, partake in continuing education, and ensure the organization’s compliance with cybersecurity protocols. 

  1. Conducting a Risk Assessment (Rule 314.4(b))

The Rule mandates comprehensive risk assessments involving technical scans and questionnaires to uncover security vulnerabilities. While annual reviews are a requirement, it’s best to conduct these assessments quarterly or monthly for businesses handling sensitive information. 

  1. Implementing Security Controls (Rule 314.4(c))

Limit and monitor access to sensitive customer data. This involves encrypting sensitive information and deploying multifactor authentication to strengthen security barriers. 

  1. Testing and Monitoring Safeguards (Rule 314.4(d))

Continuous testing and recovery operations across your business are essential to ensuring security and business continuity. 

  1. Training Staff in Cybersecurity (Rule 314.4(e))

Develop comprehensive employee awareness training programs. Not only is this crucial for legal compliance, but it’s also pivotal for securing insurance coverage on cyber liability and crime policies. 

  1. Monitoring Service Providers (Rule 314.4(f))

Ensure your vendors adhere to the Safeguards Rule and established security frameworks like CIS or NIST. 

  1. Establishing an Incident Response Plan (Rule 314.4(h))

Have a well-prepared incident response plan to tackle security breaches effectively. 

  1. Reporting Cybersecurity Data and Progress Annually (Rule 314.4(i))

Maintain transparency and accountability through annual reporting of cybersecurity data and progress. 

  1. Evaluating and Adjusting Your Cybersecurity Program (Rule 314.4(g))

Continually assess and update your cybersecurity program to address new threats and vulnerabilities. 


Agencies can face exorbitant fines of up to $100,000 per violation for non-compliance. Beyond the immediate financial setback, non-compliance can also lead to crippling business disruptions, and audits. Moreover, agencies may face legal action if data might have been compromised. 

Alignment with Other Regulations

The FTC Safeguards Rule mirrors New York’s Department of Financial Services 23 NYCRR 500 law and NAIC’s Model Laws in several aspects. These regulations collectively advocate for comprehensive cybersecurity programs to protect sensitive customer information. 

Like the Safeguards Rule, both 23 NYCRR 500 and NAIC Model Laws, which are already implemented in 22 states, focus on risk assessments, implementing security controls, employee training, and incident response planning.  

A Partner in Navigating the Cybersecurity Compliance Landscape

As an agency owner, if the daunting compliance landscape has you concerned, I am extending a hand of partnership. Let’s transform this challenge into a golden opportunity for your agency to not only meet these regulations but excel through them. This is personal for me – I’m committed to ensuring that agencies don’t face these challenges alone. We’ll work side by side to safeguard your agency’s legacy and build a thriving future. 

But don’t just take my word for it. Our exceptional services resonate with those we have had the honor to serve and partner with – Motiva is proud to be highly recommended by the Big “I” NY. As your unwavering ally, we bring to the table: 

  • Tailored Guidance: Navigate the intricacies of compliance with our specialized guidance tailored for your agency. 
  • Comprehensive Risk Assessments: Fortify your defenses with our exhaustive risk assessments, ensuring no vulnerability goes unnoticed. 
  • Expert Training Programs: Equip your team with the knowledge and skills they need to be cybersecurity guardians through our expert training programs. 
  • Cutting-Edge Tools and Resources: Secure your client’s data with our state-of-the-art MDR, security tools, and resources. 
  • Dedicated Support: Ensure your agency’s continual compliance with our round-the-clock support. 

Reach out and take the first step towards securing a thriving future for your agency. Give me a call at 646-374-1820 or email me at