FTC Safeguards Rule: What Auto Dealers Need to Know in 2025
The FTC Safeguards Rule amendments are now fully in effect. Auto dealerships that handle customer financial data must maintain a formal written information security program, designate a qualified individual, conduct annual penetration testing, and report to their board.
With the number of reported cyberattacks growing every year, regulatory compliance has become essential across all industries. In the financial sector, businesses face a growing burden in keeping up with ever more regulatory and reporting requirements for managing their cybersecurity risks. Compliance is not optional.
If you own or manage a business in the financial sector, the Federal Trade Commission (FTC) Safeguards Rule is among the regulations you must meet. This article discusses the FTC Safeguards Rule, its key requirements, and how to comply with it, including how SOC 2 compliance can help you meet the FTC guidelines.
What Is the FTC Safeguards Rule?
The FTC Safeguards Rule was enacted in 1999 and is based on the Gramm-Leach-Bliley Act (GLBA). It aims to safeguard consumers by protecting their personally identifiable information from misuse. The Safeguards Rule took effect in 2003 and was later amended in 2021 to ensure it keeps pace with technological advances.
The amended rules are clearer, more prescriptive, and more specific about what financial institutions must do when handling, processing, storing, and securing customers' confidential data.
Which Businesses Are Covered by the FTC Safeguards Rule?
The FTC Safeguards Rule primarily applies to financial institutions, defined as those that engage in significant financial activities or activities incidental to financial activities. These businesses include payday lenders, mortgage lenders, mortgage brokers, finance companies, collection agencies, tax preparation firms, investment advisors, and credit unions. Generally, these companies are not mandated to register with the SEC.
Covered financial institutions must build, set up, and maintain information security programs with physical, technical, and administrative guidelines designed to safeguard customer information.
How to Comply with the FTC Safeguards Rule
A financial institution can only comply with the Safeguards Rule if its information security program includes the nine critical elements of the compliance standard.
1. Security Officer. Your financial institution should designate a qualified individual to oversee the information security program. The individual can be an employee or a managed IT services provider and is accountable for your FTC Safeguards Rule compliance posture. This individual will also be answerable from a liability perspective should something go wrong.
2. Risk Assessments. Creating an information security program without auditing what you have and where you have stored it is not advisable. Risk assessments are needed to pinpoint foreseeable internal and external threats to customer information confidentiality, integrity, and security. The written risk assessment must incorporate criteria for evaluating your risks and threats.
3. Design Safeguards for Controlling Your Risks. A critical element of the Safeguards Rule is designing and setting up measures for controlling risks identified during your risk assessment.
Your financial institution must set up access controls and review them periodically, know what customer data you hold and where it is stored, encrypt customer information both at rest in your systems and in transit, establish secure development and access procedures for proprietary and third-party applications used to access or transmit customer data, require multi-factor authentication for anyone with access to customer information, securely dispose of customer data no later than two years after your most recent use of it, and keep a log of authorized user activity while monitoring for unauthorized access to your systems.
4. Monitor and Test Your Safeguards Regularly. You should regularly test your threat detection procedures through continuous system monitoring, annual penetration testing, and vulnerability assessments. Testing your information security system's resilience during business changes is also important. A managed services provider can help manage this process.
5. Employee Training. A financial institution's IT security program is only as strong as its least vigilant employee. Employees are your last line of defense against cyberattacks, making it essential to train them to spot threats. Including information security training in your overall IT security program enables your employees to identify emerging threats and countermeasures.
6. Assess Your Service Providers. Robust information security is undermined if third-party service providers have weak cybersecurity measures. Monitor service providers closely, only engage those with adequate safeguards, and ensure your service-level agreements outline your security expectations.
7. Keep Your IT Security Program Current. Information security is constantly evolving. At some point you will need to change your operational setup, personnel, how you conduct risk assessments, and more. Your information security framework should be flexible enough to accommodate these periodic changes.
8. Create a Response Plan. Facing a cyberattack is a matter of when, not if. Section 4(h) of the FTC Safeguards Rule specifies that a financial institution's written plan should cover the goals of the response and recovery plan, the internal processes that come into play in response to security events, roles, responsibilities and levels of decision-making authority, information sharing with relevant stakeholders, procedures for remediating the weaknesses that led to the security event, and the process for documenting and reporting the security event.
9. Reporting to Your Company's Board. The individual appointed to oversee the information security program is required to report to your financial institution's Board of Directors in writing at least annually. The report must include an assessment of the organization's information security posture and cover topics related to the program.
FTC Safeguards Rule vs. SOC 2 Compliance
People often confuse the FTC Safeguards Rule and SOC 2 compliance. While both frameworks aim to protect sensitive information and data, they are different. The FTC Safeguards Rule is a set of regulations created specifically to safeguard customer information held by financial institutions.
SOC 2 compliance is a standard created by the American Institute of Certified Public Accountants (AICPA) to ensure that service providers are securely managing data and protecting the privacy of their clients. SOC 2 compliance involves an independent audit of the service provider's controls over customer data security, availability, processing integrity, confidentiality, and privacy.
SOC 2 compliance can help your financial institution show that it has set up appropriate controls to protect sensitive information, and the audit process can identify areas for improvement. However, while SOC 2 compliance can help demonstrate compliance with certain aspects of the FTC Safeguards Rule, it is not by itself sufficient to meet all of the Rule's requirements.
Your financial institution needs a qualified MSP partner to ensure it meets all applicable requirements.
Get Help with FTC Safeguards Rule Compliance
Complying with FTC guidelines can be complicated, and staying apprised of regulatory changes to maintain your compliance status adds another layer of complexity. The team at Cyber One Solutions has a proven track record of helping businesses build their information security programs. Contact us today to learn more about how we can help you navigate the compliance landscape.