What You Need to Know About the New FTC Safeguards Deadline Extension
The Federal Trade Commission (FTC) has recently extended the deadline for compliance with some provisions of its updated Safeguards Rule by a full six months. While some of the regulations are already in effect, other requirements are due on June 9, 2023, instead of the previously announced deadline of December 9, 2022. But what does that mean for your business?
While the extension obviously provides more time for companies struggling to meet the initial deadline, it's still going to be a very tight timeline for many businesses. Six months is not a lot of time, especially considering the steeper compliance requirements that will be imposed next year. Meeting those higher standards in half a year will be a race against the clock.
Intelligent Technical Solutions (ITS) is an IT support company with years of experience helping businesses in the financial and auto industries meet their compliance goals. In this article, we'll help you understand everything you need to know about the deadline extension and what you need to do to make the most out of it. To do that, we'll explore the following topics:
- Why is the FTC Extending the Deadline?
- Which Provisions Have an Extended Deadline?
- Which Provisions are Not Covered by the Extended Deadline?
- What Your Business Needs to Do in the Next Six Months
- How Outsourcing Can Help Your Business Maximize the Extension
Why is the FTC Extending the Deadline?
The FTC referred to the extension as a "welcome relief" to companies struggling to meet the initial deadline. That's because as December 9 drew close, many companies still struggled to comply. It's a testament to just how steep the new requirements are.
According to the Commission, the deadline extension was based on reports, including a letter from the Small Business Administration's Office of Advocacy, regarding a shortage of qualified personnel to implement information security programs. Also, there were reports of supply chain issues leading to delays in obtaining the necessary equipment for upgrading security systems.
Which FTC Safeguards Rule Provisions Have an Extended Deadline?
Many of the provisions that have been delayed address the biggest challenges to compliance, namely the shortage of skilled personnel and supply chain issues.
The following requirements are the provisions included in the deadline extension and should take effect on June 9, 2023:
- Designate a Qualified Individual to Oversee Information Security Program
- Develop a Written Risk Assessment
- Limit and Monitor Who can Access Sensitive Customer Information
- Encrypt All Sensitive Information
- Train Security Personnel
- Develop an Incident Response Plan
- Periodically Assess the Security Practices of Service Providers
- Implement Multi-Factor Authentication or Another Method with Equivalent Protection for Any Individual Accessing Customer Information
Which Provisions are Not Covered by the Extended Deadline?
It's important to remember that many provisions are closely tied to each other. That means some of the provisions that don't fall under the extension might be difficult to accomplish without first completing the ones that have been delayed. With that in mind, we can assume that the following provisions should at least be partially in effect by the initial December 9, 2022, deadline:
- Create Data and Systems Inventory
- Audit Security of In-House and Third-Party Apps
- Dispose of Customer Information Securely
- Monitor and Log User Activity
- Have Regular Vulnerability Scans and Penetration Tests
- Conduct Security Awareness Training for Staff
- Keep All Information Security Systems Current
What Your Business Needs to Do in the Next Six Months
While the extension offers some breathing room, you shouldn't take it as a reason to delay compliance. Six months is very little time to meet the new requirements. In addition, there are still provisions that aren't included in the deadline extension that should already be in place. If they aren't yet, then you should get those done first.
Next at the top of your list should be one of the toughest requirements: finding a "qualified individual" to implement the new rules throughout the organization. That has proven to be a challenge for many organizations for good reason. People with the right skill set are scarce and expensive to hire on staff.
However, once you can designate a qualified individual to oversee your security program, it will be easier to move forward and check off other requirements from your list.
How Outsourcing Can Help You Maximize the Deadline Extension
Implementing advanced security measures and finding qualified people for the job are difficult tasks. And, as we mentioned before, six months is not a lot of time. Thankfully, the Commission allows you to outsource those tasks to a third party, like a managed security service provider (MSSP).
Outsourcing can help alleviate the high buy-in cost of training and hiring your own security personnel. MSSPs also have vCIOs, or virtual Chief Information Officers, who can take responsibility for the strategic planning and overall management of your company's cybersecurity. They can advise you and lead you in the right direction, or they can serve as your designated expert to oversee your security program.
In addition, some service providers offer a full-stack cybersecurity package that can help you meet many, if not most, of the Safeguards Rule's new compliance requirements. That means you will not have to source the systems from different vendors, making the process run faster and relatively smoother.
All of that can give you a better chance at meeting the June 9, 2023, deadline.
Ready to Meet the New FTC Compliance Requirements in June?
The extended deadline is welcome news if you are still struggling to comply with the new Safeguards Rule. However, you shouldn't be complacent. Six months is not a lot of time as far as compliance is concerned. Not to mention, there are provisions that are not included in the extension that need to take effect by the initial December deadline.
If you want to make the most out of the deadline extension, the first thing you need to do is to find a qualified individual to help oversee your new security program. You can train or hire someone in-house, or outsource the task to a service provider. The next step is to find a vendor that can offer all of the cybersecurity tools and services you will need under one roof. That will help ease the process and help you achieve your compliance goals on schedule.
ITS is an IT support company that has been providing businesses in the auto and financial industries with reliable managed IT and managed cybersecurity services for over a decade.