Ben Giumarra

The FTC has issued a proposed new set of cybersecurity regulations based heavily on New York state’s cybersecurity regulations created in 2017. While there has been a frenzy to address cybersecurity risk with rulemaking at the state level, this is the first significant attempt to put in place standard federal requirements that could apply across the nation. If adopted, this would cause significant disruption to entities subject to the FTC’s jurisdiction, just as the New York requirements disrupted entities operating in that state.

The proposed rules would technically come in the form of amendments to the “Safeguards Rule” of the Gramm-Leach-Bliley Act (GLBA), but they would replace almost all meaningful parts of the existing rule. They would directly impact all mortgage lenders and other financial institutions under the FTC’s jurisdiction. It is unclear what impact this would have on banks and credit unions, whose prudential regulators retain the authority to enforce their own version of the Safeguards Rule but have so far not proposed any updates of their own.

The FTC’s proposed rule is a dramatic step towards stronger and more specific cybersecurity standards. The current standards are highly flexible or extremely weak, depending on your perspective. Critics argue that cybersecurity risks and technology are evolving too rapidly to be adequately addressed by such specific standards, and that they will soon become irrelevant and unworkable. They argue that this will encourage a “check box mentality” instead of the thoughtful, risk-based approach to data security that will be needed to best protect consumers’ private data. On the other hand, others have applauded the FTC for establishing clear requirements that institutions can follow, and that regulators can effectively monitor and enforce.

Proposed Amendments Present Serious Challenges

As a little more background, the Safeguards Rule comes from the GLBA. Established in 2003, it requires that all financial institutions subject to FTC jurisdiction, including finance companies and mortgage lenders, establish a comprehensive information security program. This program must be in writing and generally include administrative, technical and physical safeguards that are appropriate for the size, complexity and nature of the institution. There are also requirements related to risk assessments, testing, staff accountability and vendor management.

The proposed amendments keep the basic requirement to have a security program but go much further in putting stronger and more detailed requirements in place.

Encryption of customer information would be required, both in transit and at rest.

Multifactor authentication would be required for any individual accessing customer information. Although there is a process for granting exceptions, this requirement, if read literally, would seem almost impossible to comply with completely.

On top of the multifactor authentication, an institution would need controls to limit access to customer information to authorized persons, and methods by which unauthorized access could be detected. How many persons at your institution have access to a system with customer information, such as a loan origination system? Does your system have controls to prevent them from seeing any records except those they are authorized to view? I believe that will be a challenge for many companies.

Information systems would need to include audit trails, which would help detect and respond to security issues. In other words, your system would need an “audit mode” that would display who accessed such data and when.

Small and Mid-Sized Firms Will Be Shocked

There are a number of other specific requirements: procedures for disposal of customer data that is no longer needed; regular testing and monitoring of key controls and procedures; written risk assessments that meet other specific requirements; training for personnel; increased oversight of vendors; an incident response plan; a written security report on an annual basis; and more.

All of this would of course need to be documented, and hopefully in such a manner that your institution can demonstrate compliance without closing down for a week just to gather all the necessary information. There are exceptions to some parts of the proposed rule for institutions storing records of fewer than 5,000 consumers. The exceptions mostly relieve the requirement that certain things be in writing, which, ironically, is the very documentation that would help an institution demonstrate compliance.

The requirements, although tough, probably sound familiar to larger institutions. But these could come as a shock to small and mid-size companies, especially those that don’t have a strong chief information security officer.

While it’s impossible to say for sure, this rule could take effect as quickly as January 2020. The FTC has been working on this since August 2016, and any final rule would become effective six months after a final version is published. But if the FTC is convinced to make significant changes to the proposed rule by comments in the next couple of months, this process could take much longer.

Ben Giumarra is the director of legal and regulatory affairs at Embrace Home Loans. He may be reached at bgiumarra@embracehomeloans.com. 

FTC Proposes Federal Cybersecurity Standards

Banker & Tradesman