A guide to the FTC Safeguards Rule’s FTC MFA requirement

According to the FTC’s latest update to the Gramm-Leach-Billey Act (GLBA), many organizations now face new compliance requirements, including the FTC MFA requirement.

In an effort to protect sensitive consumer data and curtail rampant data compromises, the FTC recently revised the requirements detailed in the Safeguards Rule, a subset of GLBA. Under these new guidelines, every financial services organization must implement multi-factor authentication (MFA) to verify user identities and limit access to sensitive data.

Yet, many organizations may not know these new MFA requirements apply to them. The FTC’s definition of a financial institution is more inclusive than some organizations expect, and no one wants to discover they’re noncompliant through a hefty fine or lawsuit. With the June 9th deadline in the rearview, now is the time to make a plan to introduce MFA in your organization.

So, is your organization compliant? Here’s everything you need to know about the latest FTC guidelines.

What is the FTC Safeguards Rule?

The FTC Standard for Safeguarding Customer Information — or Safeguards Rule — is a compliance regulation passed in 2003 that expands on the requirements outlined in GLBA. Specifically, the Safeguards Rule details how financial institutions must create and maintain an information security program. These programs must be designed to secure company data — including nonpublic personal information — from both external and internal threats.

In 2021, the FTC amended the Safeguards Rule to provide organizations further guidance on how to keep data secure. Now, an FTC-compliant data security program includes a new feature: identity and access management support with MFA.

Who does the FTC Safeguards Rule apply to?

The FTC guidelines state that the Safeguards Rule applies to any financial institution. However, the FTC’s classification of a financial institution is surprisingly broad, comprising any organization that engages directly or incidentally in financial activities.

By that definition, nearly every business that maintains and stores customer financial data for Americans must abide by at least some elements of the Safeguards Rule. In some cases, that may even include international organizations that work with American customers.

Who are “financial institutions”?

Beyond the expected financial institutions like banks and credit unions, these are some of the organizations the FTC considers financial institutions:

• Retailers that issue store credit cards

• Car dealerships that lease vehicles

• Property and real estate appraisers

• Career counselors that support individuals working in finance

• Collections agencies

• Credit counselors, financial advisors, and investment bankers

• Businesses that consistently wire money to, from, or for consumers

• Accountants and tax preparers

• Check cashing services

• Travel agencies that work with financial service organizations to provide financing

• Mortgage brokers and lenders

• “Finder” companies that connect buyers with sellers for any transaction

• Educational institutions that accept financial aid funds

Regardless of the organization’s size or number of customer data records, every organization that manages consumer financial data must implement MFA capabilities by June 9th.

Your FTC Safeguards Rule update compliance checklist

Naturally, the spirit of the Safeguards Rule is to help organizations address the root causes of risk within complex IT systems. To accomplish that, an organization’s IT and data security strategy must embody three objectives:

1. Securing customers’ nonpublic, personally identifiable information (PII)

2. Designing and implementing security controls to prevent and mitigate cyber threats

3. Limiting and monitoring access to systems that store PII

With these objectives in mind, the Safeguards Rule contains multiple components organizations must include in their information security program to comply with GLBA.

Assign a qualified individual to manage your security program

First, every organization needs an experienced cybersecurity professional who “owns” its security program. This person is responsible for implementing, maintaining, and championing the security program. One primary part of their job is providing at least one annual report to a Board of Directors or senior leadership that assesses compliance success and risks within the security program.

Assess risks within the organization

Equally important, organizations must conduct a comprehensive risk assessment before they create their information security program. This formal written assessment will detail all potential internal or external risks and threats to consumer data, as well as the criteria used to assess those risks.

Over time, risks and threats will change. Under the Safeguards Rule, organizations must periodically reassess their security posture. The goal is to continuously amend their security program, controls, and incident response plan to mitigate threats.

Develop and implement security controls

In addition, putting solid security controls in place also helps organizations reduce the likelihood of a data compromise. The Safeguards Rule requires organizations to have controls that support multiple security functions, including:

• Data management and storage, where organizations need a detailed inventory of data collected, stored, and transmitted across the entire IT infrastructure

• Access management, where organizations define which users are authorized to access which resources and maintain an ongoing activity log to monitor access behavior

• Data encryption, where organizations maintain confidentiality for data at rest and in transit

• Data retention and disposal, where organizations design policies and timelines to securely store and automatically destroy customer data

• Third-party application management, where organizations regularly evaluate what information they’re sharing with vendors and whether it’s necessary to share that data

• Identity verification, where organizations maintain granular MFA capabilities to validate user identities and verify access to organization resources using at least two authentication factors

Monitor and test controls

Furthermore, controls are only useful if they successfully mitigate threats. With today’s rapidly evolving threat environment, organizations need to constantly stress test. Crucially, they must fine-tune their controls to keep their organization secure and compliant.

Alongside continuous monitoring, organizations should introduce regular vulnerability scanning and penetration testing to confirm that their controls are effective.

Create an incident response strategy

What’s more, the Safeguards Act requires every organization to maintain a written plan for response and recovery from a security incident. This document must address:

• The goals of your response plan

• Defined roles, responsibilities, and a chain of command for decision-making

• Internal processes to activate during an incident, including processes around how to address security gaps and how to communicate or share information with stakeholders

• Procedures dictating how to document and report security incidents

• Updates following each security incident, including a post-mortem assessment of each incident and the organization’s response

Train and monitor staff and vendors

Lastly, everyone who handles your organization’s sensitive data must be adequately trained to recognize risks, mitigate the impacts of security incidents, and respond appropriately. Regular training helps keep both internal teams and external vendors aware of risks and prepared to respond to emergencies.

Monitoring behavior and consistently assessing ability to prevent or mitigate risk can also help teams identify where to provide additional training.

What you need to know about meeting the new FTC MFA requirement

Today, for most organizations, the biggest change to the Safeguards Rule is the new FTC MFA requirement. This amendment demonstrates how zero trust architecture—which follows the guiding principle of “never trust, always verify”—is becoming essential for effective data security.

Undeniably, unauthorized access to sensitive data poses a significant threat to customer PII. And that’s true whether access happens through stolen credentials, insider threats, or other security gaps. Logically, enacting and enforcing the principle of least privilege is one step in limiting access to sensitive data. But now, organizations must go a step further. By introducing MFA, organizations can verify and validate user identities for every user and every access attempt. This ensures that only authorized users can access certain systems.

For instance, how organizations set up their MFA solution makes a big difference when it comes to mitigating risk. The FTC suggests leveraging phishing-resistant MFA methods to maximize security. For example, risk-based contextual controls, authentication apps, and hardware keys are often more secure than SMS codes or push notifications.