FTC Safeguards Rule: What MSPs Need to Know
Have you been hearing channel chatter about the FTC Safeguards Rule?
That’s because MSPs are learning that this regulation could have a big impact on their business.
In this article, we’ll answer a couple of important questions that MSPs have been asking us:
- Do my clients fall under this rule?
- What are examples of “covered entities”?
- Do the FTC Safeguards requirements apply directly to my MSP?
- How do I stay compliant with the FTC Safeguards Rule?
- What Does My MSP Need to Document?
- Can I get help with FTC Safeguards compliance?
Do My MSP Clients Fall Under This Rule?
According to Section 314.1(b) of the Rule:
Any entity if it’s engaged in an activity that is financial in nature or is incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).
It’s important to know that the Rule defines financial institutions in a way that’s broader than what most people expect. The definition is actually based on the types of transactions an organization has with their customers, not their classification in, say, a business directory.
Examples of Covered Entities
Here are the thirteen example entities listed within the Rule:
- A retailer that extends credit by issuing its own credit card directly to consumers.
- An automobile dealership that leases automobiles on a non-operating basis for longer than 90 days.
- A personal property or real estate appraiser.
- A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting, or audit departments of any company.
- A business that prints and sells checks for consumers, either as its sole business or as one of its product lines.
- A business that regularly wires money to and from consumers.
- A check cashing business because money is exchanged.
- An accountant or other tax preparation service, completing income tax returns.
- A travel agency with related financial services.
- An entity that provides real estate settlement services.
- A mortgage broker because they transact loans.
- An investment advisory company and a credit counseling service.
- A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions they negotiate and consummate.
Do These Rules Apply to My MSP Directly?
Remember that any business that offers financing could be subject to this rule if their program involves collecting personally-identifiable financial information. This includes your MSP if you offer hardware financing that involves running a credit check or collecting banking information.
You will also be expected to adhere to FTC Safeguards if you handle or have access to the financial data that your clients collect and store. An example of this type of situation is one in which an MSP is running their own data center.
As an MSP providing services to clients that make you a “covered entity” you are also expected to have your own security squared away. (You are part of the vendor supply chain that your clients are expected to vet and verify.) Your own program should meet the FTC’s definition of a “reasonable cybersecurity program”.
How Do I Stay Compliant Under the FTC Safeguards Rule?
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. As you can imagine, it shares a lot with the NIST (National Institute of Standards and Technology) framework. The objectives of the program are:
- to ensure the security and confidentiality of customer information;
- to protect against anticipated threats or hazards to the security or integrity of that information; and
- to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
What this largely means to the MSP is to support this a governed documentation process will be instrumental.
What Does an MSP Need to Document?
As of right now, the minimum documentation suggested for FTC Safeguards compliance are as follows:
- Written Information Security Policy (WISP) considering the following:
- Access Control Policy and Procedures
- Authentication and Authorization Policy and Procedures
- Change Management Policy and Procedures
- System Monitoring and Auditing Policy and Procedures
- Privacy and Confidentiality Policy
- Security Risk Assessments Policy and Procedures
- Acceptable Use Policy
- Security Awareness Training Policy
- Data Governance Policy and Procedures
- Incident Response Plan
What Else Does an MSP Need to Do With Their Client?
There are a few additional requirements to consider. While you might cover these in the above documentation, certain use cases may require additional documents.
- Qualified Individual designation, roles, and responsibilities
- In cases where the MSP is serving as the Qualified Individual, they will need to document the client’s internal officer who maintains final accountability for cybersecurity
- Proof of adherence to the monitoring requirement; either 24/7/365 monitoring or records of the required system scans and penetration tests
Can I Get Help with FTC Safeguards and Other Regulations?
There’s no need to navigate FTC Safeguards — or any other regulation — alone. ComplianceScorecard.com gives MSPs the resources they need to avoid fines, protect their clients, and offer impeccable IT service delivery.
Join our peer group to connect with compliance experts like ComplianceScorecard.com CEO Tim Golden. Together with like-minded business owners, you’ll benefit from the shared know how and experiences of MSPs from around the country.
If you’re looking to simplify documentation, we have what you need in that department as well. Our compliance platform – Compliance Scorecard, has been attracting a significant number of MSPs who see the value in ensuring their clients' security and meeting regulatory requirements, to see for themselves how it takes the struggle out of compliance.
Compliance Scorecard helps with governing, creating policies and being compliant both within your organization and with rules and regulations your business must adhere to. With Compliance Scorecard you can find the right templates, track versions, create reviewer and approver roles, submit for adoption, and provide visibility to legal counsel and auditors. If you’re ready to see a demo or try Compliance Scorecard out for yourself, click here to get started!
If you would like to learn more visit: FTC Safeguards Rule: What Your Business Needs to Know
ComplianceScorecard.com Keeping Your Risk In Check!